diff --git a/devices/surface-hub/images/room-control-wiring-diagram.png b/devices/surface-hub/images/room-control-wiring-diagram.png new file mode 100644 index 0000000000..5a2ecf613e Binary files /dev/null and b/devices/surface-hub/images/room-control-wiring-diagram.png differ diff --git a/devices/surface-hub/use-room-control-system-with-surface-hub.md b/devices/surface-hub/use-room-control-system-with-surface-hub.md index 70f4344966..447edd18aa 100644 --- a/devices/surface-hub/use-room-control-system-with-surface-hub.md +++ b/devices/surface-hub/use-room-control-system-with-surface-hub.md @@ -13,14 +13,9 @@ Room control systems can be used with your Microsoft Surface Hub. Using a room control system with your Surface Hub involves connecting room control hardware to the Surface Hub, usually through the RJ11 serial port on the bottom of the Surface Hub. -## Debugging +## Terminal settings - -You can use the info in this section for debugging scenarios. You shouldn't need it for a typical installation. - -### Terminal settings - -To connect to a room control system control panel, you don't need to connect to the Surface Hub, or to configure any terminal settings. For debugging purposes, if you want to connect a PC or laptop to your Surface Hub and send commands from the Surface Hub, you can use a terminal emulator program like Tera Term or PuTTY. These are the terminal settings you'll need: +To connect to a room control system control panel, you don't need to configure any terminal settings on the Surface Hub. If you want to connect a PC or laptop to your Surface Hub and send serial commands from the Surface Hub, you can use a terminal emulator program like Tera Term or PuTTY. @@ -54,20 +49,24 @@ To connect to a room control system control panel, you don't need to connect to + + + +

Flow control

none

Line feed

every carriage return
  -### Wiring diagram +## Wiring diagram -You can use a standard RJ-11 (6P6C) connector to connect the Surface Hub serial port to a room control system. This is the recommended method. +You can use a standard RJ-11 (6P6C) connector to connect the Surface Hub serial port to a room control system. This is the recommended method. You can also use an RJ-11 4-conductor cable, but we do not recommend this method. -You can also use an RJ-11 4-conductor cable, but we do not recommend this method. You'll need to convert pin numbers to make sure it's wired correctly. The following diagram shows how to convert the pin numbers. +This diagram shows the correct pinout used for an RJ-11 (6P6C) to DB9 cable. -![image showing the wiring diagram. ](images/roomcontrolwiring.png) +![image showing the wiring diagram.](images/room-control-wiring-diagram.png) -### Command sets +## Command sets Room control systems use common meeting-room scenarios for commands. Commands originate from the room control system, and are communicated over a serial connection to a Surface Hub. Commands are ASCII based, and the Surface Hub will acknowledge when state changes occur. @@ -106,7 +105,7 @@ The following command modifiers are available. Commands terminate with a new lin   -### Power +## Power Surface Hub can be in one of these power states. @@ -157,9 +156,72 @@ Surface Hub can be in one of these power states. -  +In Replacement PC mode, the power states are only Ready and Off and only change the display. The management port can't be used to power on the replacement PC. -### Brightness + +++++ + + + + + + + + + + + + + + + + + + + +
StateEnergy Star stateDescription

0

S5

Off

5

50

Ready

+ +For a control device, anything other than 5 / Ready should be considered off. Each PowerOn command results in two state changes and reponses. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + +
CommandState changeResponse

PowerOn

Device turns on (display + PC).

PC service notifies SMC that the PC is ready.

Power=0

Power=5

PowerOff

Device transitions to ambient state (PC on, display dim).

Power=0

Power?

SMC reports the last-known power state.

Power=<#>

+ + +## Brightness The current brightness level is a range from 0 to 100. @@ -191,18 +253,10 @@ Changes to brightness levels can be sent by a room control system, or other syst

PC service notifies SMC of new brightness level.

Brightness = 50

- -

Brightness?

-

SMC sends a message over the control channel to request brightness.

-

PC service notifies SMC of new brightness level.

-

Brightness = 50

- - +  -  - -### Volume +## Volume The current volume level is a range from 0 to 100. @@ -234,47 +288,14 @@ Changes to volume levels can be sent by a room control system, or other system.

PC service notifies SMC of new volume level.

Volume = 50

- -

Volume?

-

SMC sends a message over the control channel to request volume.

-

PC service notifies SMC of new volume level.

-

Volume = 50

-   -### Mute for audio and microphone +## Mute for audio -Audio and microphone can be muted. - - ---- - - - - - - - - - - - - - - - - -
StateDescription

0

Source is not muted.

1

Source is muted.

- -  - -Changes to microphone or audio can be sent by a room control system, or other system. +Audio can be muted. @@ -294,32 +315,14 @@ Changes to microphone or audio can be sent by a room control system, or other sy - - - - - - - - - - - - - - - - +

AudioMute+

SMC sends the audio mute command.

PC service notifies SMC that audio is muted.

AudioMute=<#>

MicMute+

SMC sends the microphone mute command.

-

PC service notifies SMC that microphone is muted.

MicMute=<#>

AudioMute?

SMC queries PC service for the current audio state.

-

PC service notifies SMC that audio is muted.

AudioMute=<#>

MicMute?

SMC queries PC service for the current microphone state.

-

PC service notifies SMC that the microphone is muted.

MicMute=<#>

none
  -### Video source +## Video source Several display sources can be used. @@ -351,10 +354,6 @@ Several display sources can be used.

3

VGA

- -

4

-

Wireless

- @@ -377,7 +376,7 @@ Changes to display source can be sent by a room control system, or other system. -

Source=<#>

+

Source=#

SMC changes to the desired source.

PC service notifies SMC that the display source has switched.

Source=<#>

@@ -389,7 +388,7 @@ Changes to display source can be sent by a room control system, or other system.

Source=<#>

-

Source+

+

Source-

SMC cycles to the previous active input source.

PC service notifies SMC of the current input source.

Source=<#>

@@ -403,101 +402,7 @@ Changes to display source can be sent by a room control system, or other system. -  - -### Starting apps - -Surface Hub keyboard supports starting apps with special keys. Room control systems can invoke those keys through the management port. There is no expected response for these commands. - - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
StateDescription

0

Start large-screen experience (LSX)

1

Start LSX custom app 1

2

Start LSX custom app 2

3

Start LSX custom app 3

- -  - -Changes to display source can be sent by a room control system, or other system. - - ----- - - - - - - - - - - - - - - -
CommandState changeResponse

AppKey=<#>

Send a command to

-

PC service notifies SMC that the display source has switched.

Source=<#>

- -  - -### I'm done - -People will be able to start the I'm done feature on a Surface Hub from a room control system. I'm done removes any work that was displayed on the Surface Hub before ending the meeting. No information or files are saved on Surface Hub. - - ----- - - - - - - - - - - - - - - -
CommandState changeResponse

I'm done

Start I'm done activity on Surface Hub.

none

- -  - -### Errors +## Errors Errors are returned following the format in this table. diff --git a/devices/surface/TOC.md b/devices/surface/TOC.md index f7e3191aa7..77680e7199 100644 --- a/devices/surface/TOC.md +++ b/devices/surface/TOC.md @@ -1,5 +1,5 @@ # [Surface](index.md) -## [Advanced UEFI security features for Surface](advanced-uefi-security-features-for-surface.md) +## [Advanced UEFI security features for Surface Pro 3](advanced-uefi-security-features-for-surface-pro-3.md) ## [Customize the OOBE for Surface deployments](customize-the-oobe-for-surface-deployments.md) ## [Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md) ## [Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices](enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md) diff --git a/devices/surface/advanced-uefi-security-features-for-surface.md b/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md similarity index 86% rename from devices/surface/advanced-uefi-security-features-for-surface.md rename to devices/surface/advanced-uefi-security-features-for-surface-pro-3.md index 9eb6cc703e..c90f8d9b3a 100644 --- a/devices/surface/advanced-uefi-security-features-for-surface.md +++ b/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md @@ -1,15 +1,16 @@ --- -title: Advanced UEFI security features for Surface (Surface) +title: Advanced UEFI security features for Surface Pro 3 (Surface) description: This article describes how to install and configure the v3.11.760.0 UEFI update to enable additional security options for Surface Pro 3 devices. ms.assetid: 90F790C0-E5FC-4482-AD71-60589E3C9C93 -keywords: ["Surface, Surface Pro 3, security, features, configure, hardware, device, custom, script, update"] -ms.prod: W10 +keywords: security, features, configure, hardware, device, custom, script, update +ms.prod: w10 ms.mktglfcycl: manage +ms.pagetype: surface, devices, security ms.sitesec: library author: miladCA --- -# Advanced UEFI security features for Surface +# Advanced UEFI security features for Surface Pro 3 This article describes how to install and configure the v3.11.760.0 UEFI update to enable additional security options for Surface Pro 3 devices. @@ -19,7 +20,9 @@ To address more granular control over the security of Surface devices, the v3.11 ## Manually install the UEFI update -Before you can configure the advanced security features of your Surface device, you must first install the v3.11.760.0 UEFI update. This update is installed automatically if you receive your updates from Windows Update. For more information about how to configure Windows to update automatically using Windows Update, see [How to configure and use Automatic Updates in Windows]( http://go.microsoft.com/fwlink/p/?LinkID=618030). Otherwise, you can download the UEFI update from the Microsoft Download Center; see [SurfacePro3\_ 150326.msi (105 MB)](http://go.microsoft.com/fwlink/p/?LinkID=618033) or [SurfacePro3\_ 150326.zip (156 MB)](http://go.microsoft.com/fwlink/p/?LinkID=618035). +Before you can configure the advanced security features of your Surface device, you must first install the v3.11.760.0 UEFI update. This update is installed automatically if you receive your updates from Windows Update. For more information about how to configure Windows to update automatically by using Windows Update, see [How to configure and use Automatic Updates in Windows]( http://go.microsoft.com/fwlink/p/?LinkID=618030). + +To update the UEFI on Surface Pro 3, you can download and install the Surface UEFI updates as part of the Surface Pro 3 Firmware and Driver Pack. These firmware and driver packs are available from the [Surface Pro 3 page](https://www.microsoft.com/en-us/download/details.aspx?id=38826) on the Microsoft Download Center. You can find out more about the firmware and driver packs at [Download the latest firmware and drivers for Surface devices](https://technet.microsoft.com/en-us/itpro/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices). The firmware and driver packs are available as both self-contained Windows Installer (.msi) and archive (.zip) formats. You can find out more about these two formats and how you can use them to update your drivers at [Manage Surface driver and firmware updates](https://technet.microsoft.com/en-us/itpro/surface/manage-surface-pro-3-firmware-updates). ## Manually configure additional security settings diff --git a/devices/surface/customize-the-oobe-for-surface-deployments.md b/devices/surface/customize-the-oobe-for-surface-deployments.md index 1985b76438..3c18712be2 100644 --- a/devices/surface/customize-the-oobe-for-surface-deployments.md +++ b/devices/surface/customize-the-oobe-for-surface-deployments.md @@ -2,9 +2,10 @@ title: Customize the OOBE for Surface deployments (Surface) description: This article will walk you through the process of customizing the Surface out-of-box experience for end users in your organization. ms.assetid: F6910315-9FA9-4297-8FA8-2C284A4B1D87 -keywords: ["deploy, customize, automate, deployment, network, Pen, pair, boot"] -ms.prod: W10 +keywords: deploy, customize, automate, network, Pen, pair, boot +ms.prod: w10 ms.mktglfcycl: deploy +ms.pagetype: surface, devices ms.sitesec: library author: jobotto --- diff --git a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md index 61d56fa1b9..b2a06e1583 100644 --- a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md +++ b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md @@ -2,9 +2,10 @@ title: Download the latest firmware and drivers for Surface devices (Surface) description: This article provides a list of the available downloads for Surface devices and links to download the drivers and firmware for your device. ms.assetid: 7662BF68-8BF7-43F7-81F5-3580A770294A -keywords: ["update Surface, newest, latest, download, firmware, driver, tablet, hardware, device"] -ms.prod: W10 +keywords: update Surface, newest, latest, download, firmware, driver, tablet, hardware, device +ms.prod: w10 ms.mktglfcycl: deploy +ms.pagetype: surface, devices ms.sitesec: library author: jobotto --- diff --git a/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md b/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md index df0f2600d3..e562f5599b 100644 --- a/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md +++ b/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md @@ -2,9 +2,10 @@ title: Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices (Surface) description: Find out how to enable support for PEAP, EAP-FAST, or Cisco LEAP protocols on your Surface device. ms.assetid: A281EFA3-1552-467D-8A21-EB151E58856D -keywords: ["network", "wireless", "device", "deploy", "authenticaion", "protocol"] +keywords: network, wireless, device, deploy, authentication, protocol ms.prod: w10 ms.mktglfcycl: deploy +ms.pagetype: surface, devices ms.sitesec: library author: miladCA --- diff --git a/devices/surface/ethernet-adapters-and-surface-device-deployment.md b/devices/surface/ethernet-adapters-and-surface-device-deployment.md index fb580c032f..0addf8e26a 100644 --- a/devices/surface/ethernet-adapters-and-surface-device-deployment.md +++ b/devices/surface/ethernet-adapters-and-surface-device-deployment.md @@ -2,9 +2,10 @@ title: Ethernet adapters and Surface deployment (Surface) description: This article provides guidance and answers to help you perform a network deployment to Surface devices. ms.assetid: 5273C59E-6039-4E50-96B3-426BB38A64C0 -keywords: ["ethernet, deploy, removable, network, connectivity, boot, firmware, device, adapter, PXE boot, USB"] -ms.prod: W10 +keywords: ethernet, deploy, removable, network, connectivity, boot, firmware, device, adapter, PXE boot, USB +ms.prod: w10 ms.mktglfcycl: deploy +ms.pagetype: surface, devices ms.sitesec: library author: jobotto --- diff --git a/devices/surface/index.md b/devices/surface/index.md index 2a2598a5cd..447cdeea27 100644 --- a/devices/surface/index.md +++ b/devices/surface/index.md @@ -2,8 +2,9 @@ title: Surface (Surface) description: . ms.assetid: 2a6aec85-b8e2-4784-8dc1-194ed5126a04 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage +ms.pagetype: surface, devices ms.sitesec: library author: heatherpoulsen --- @@ -34,7 +35,7 @@ For more information on planning for, deploying, and managing Surface devices in -

[Advanced UEFI security features for Surface](advanced-uefi-security-features-for-surface.md)

+

[Advanced UEFI security features for Surface Pro 3](advanced-uefi-security-features-for-surface-pro-3.md)

Find out how to install and configure the v3.11.760.0 UEFI update to enable additional security options for Surface Pro 3 devices.

diff --git a/devices/surface/manage-surface-dock-firmware-updates.md b/devices/surface/manage-surface-dock-firmware-updates.md index 758f8027ea..9428200756 100644 --- a/devices/surface/manage-surface-dock-firmware-updates.md +++ b/devices/surface/manage-surface-dock-firmware-updates.md @@ -2,8 +2,10 @@ title: Manage Surface Dock firmware updates (Surface) description: Read about the different methods you can use to manage the process of Surface Dock firmware updates. ms.assetid: 86DFC0C0-C842-4CD1-A2D7-4425471FFE3F -ms.prod: W10 +keywords: firmware, update, install, drivers +ms.prod: w10 ms.mktglfcycl: manage +ms.pagetype: surface, devices ms.sitesec: library author: jobotto --- diff --git a/devices/surface/manage-surface-pro-3-firmware-updates.md b/devices/surface/manage-surface-pro-3-firmware-updates.md index fac455f9ac..3bc069e706 100644 --- a/devices/surface/manage-surface-pro-3-firmware-updates.md +++ b/devices/surface/manage-surface-pro-3-firmware-updates.md @@ -2,9 +2,10 @@ title: Manage Surface driver and firmware updates (Surface) description: This article describes the available options to manage firmware and driver updates for Surface devices. ms.assetid: CD1219BA-8EDE-4BC8-BEEF-99B50C211D73 -keywords: ["Surface, Surface Pro 3, firmware, update, device, manage, deploy, driver, USB"] -ms.prod: W10 +keywords: Surface, Surface Pro 3, firmware, update, device, manage, deploy, driver, USB +ms.prod: w10 ms.mktglfcycl: manage +ms.pagetype: surface, devices ms.sitesec: library author: jobotto --- @@ -33,7 +34,7 @@ For details about Group Policy for client configuration of WSUS or Windows Updat **Windows Installer Package** -The firmware and driver downloads for Surface devices now include MSI installation files for firmware and driver updates. These MSI packages can be deployed with utilities that support application deployment, including the Microsoft Deployment Toolkit (MDT) and System Center Configuration Manager. This solution allows for centralized deployment and for administrators to test and review firmware updates before they are deployed. For more information about the MSI package delivery method for firmware and driver updates, including details on what drivers are updated by the package and why certain drivers and firmware are not updated by the MSI package, see the [Surface Pro 3 MSI Now Available](http://go.microsoft.com/fwlink/p/?LinkId=618173) blog post. +The firmware and driver downloads for Surface devices now include Windows Installer files for firmware and driver updates. These Windows Installer packages can be deployed with utilities that support application deployment, including the Microsoft Deployment Toolkit (MDT) and System Center Configuration Manager. This solution allows for centralized deployment and for administrators to test and review firmware updates before they are deployed. For more information about the Windows Installer package delivery method for firmware and driver updates, including details on what drivers are updated by the package and why certain drivers and firmware are not updated by the Windows Installer package, see the [Surface Pro 3 MSI Now Available](http://go.microsoft.com/fwlink/p/?LinkId=618173) blog post. For instructions on how to deploy with System Center Configuration Manager, refer to [How to Deploy Applications in Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=618175). For deployment of applications with MDT, see [Step 4: Add an application in the Deploy a Windows 8.1 Image Using MDT 2013](http://go.microsoft.com/fwlink/p/?LinkId=618176). Note that you can deploy applications separately from an operating system deployment through MDT by using a Post OS Installation task sequence. diff --git a/devices/surface/microsoft-surface-data-eraser.md b/devices/surface/microsoft-surface-data-eraser.md index e35e41bbf8..6f76da2a15 100644 --- a/devices/surface/microsoft-surface-data-eraser.md +++ b/devices/surface/microsoft-surface-data-eraser.md @@ -2,9 +2,10 @@ title: Microsoft Surface Data Eraser (Surface) description: Find out how the Microsoft Surface Data Eraser tool can help you securely wipe data from your Surface devices. ms.assetid: 8DD3F9FE-5458-4467-BE26-E9200341CF10 -keywords: ["tool", "USB", "data", "erase"] -ms.prod: W10 +keywords: tool, USB, data, erase +ms.prod: w10 ms.mktglfcycl: manage +ms.pagetype: surface, devices, security ms.sitesec: library author: miladCA --- diff --git a/devices/surface/microsoft-surface-deployment-accelerator.md b/devices/surface/microsoft-surface-deployment-accelerator.md index e38d23d94b..8b9b17335c 100644 --- a/devices/surface/microsoft-surface-deployment-accelerator.md +++ b/devices/surface/microsoft-surface-deployment-accelerator.md @@ -2,9 +2,10 @@ title: Microsoft Surface Deployment Accelerator (Surface) description: Microsoft Surface Deployment Accelerator provides a quick and simple deployment mechanism for organizations to reimage Surface devices. ms.assetid: E7991E90-4AAE-44B6-8822-58BFDE3EADE4 -keywords: ["deploy", "install", "tool"] -ms.prod: W10 +keywords: deploy, install, tool +ms.prod: w10 ms.mktglfcycl: deploy +ms.pagetype: surface, devices ms.sitesec: library author: miladCA --- diff --git a/devices/surface/step-by-step-surface-deployment-accelerator.md b/devices/surface/step-by-step-surface-deployment-accelerator.md index b04c37e9b5..07c32b693b 100644 --- a/devices/surface/step-by-step-surface-deployment-accelerator.md +++ b/devices/surface/step-by-step-surface-deployment-accelerator.md @@ -2,9 +2,10 @@ title: Step by step Surface Deployment Accelerator (Surface) description: This article shows you how to install Microsoft Surface Deployment Accelerator (SDA), configure a deployment share for the deployment of Windows to Surface devices, and perform a deployment to Surface devices. ms.assetid: A944FB9C-4D81-4868-AFF6-B9D1F5CF1032 -keywords: ["deploy, configure"] -ms.prod: W10 +keywords: deploy, configure +ms.prod: w10 ms.mktglfcycl: deploy +ms.pagetype: surface, devices ms.sitesec: library author: miladCA --- diff --git a/devices/surface/surface-diagnostic-toolkit.md b/devices/surface/surface-diagnostic-toolkit.md index 61e867468f..bcea29785f 100644 --- a/devices/surface/surface-diagnostic-toolkit.md +++ b/devices/surface/surface-diagnostic-toolkit.md @@ -2,9 +2,10 @@ title: Microsoft Surface Diagnostic Toolkit (Surface) description: Find out how you can use the Microsoft Surface Diagnostic Toolkit to test the hardware of your Surface device. ms.assetid: FC4C3E76-3613-4A84-A384-85FE8809BEF1 -keywords: ["hardware, device, tool, test, component"] -ms.prod: W8 +keywords: hardware, device, tool, test, component +ms.prod: w10 ms.mktglfcycl: manage +ms.pagetype: surface, devices ms.sitesec: library author: miladCA --- @@ -18,19 +19,19 @@ The [Microsoft Surface Diagnostic Toolkit](http://go.microsoft.com/fwlink/p/?Lin >**Note:**  A Surface device must boot into Windows to run the Microsoft Surface Diagnostic Toolkit. The Microsoft Surface Diagnostic Toolkit will run only on the following Surface devices: -- Surface Book +- Surface Book -- Surface Pro 4 +- Surface Pro 4 -- Surface 3 LTE +- Surface 3 LTE -- Surface 3 +- Surface 3 -- Surface Pro 3 +- Surface Pro 3 -- Surface Pro 2 +- Surface Pro 2 -- Surface Pro +- Surface Pro >**Note:**  Security software and built-in security measures in many email applications and services will block executable files that are transferred through email. To email the Surface Diagnostic Toolkit, attach the .zip archive file as downloaded from the Surface Tools for IT page without extracting it first. You can also create a custom .zip archive that contains the .exe file. (For example, if you want to localize the text as described in the [Localization](#localization) section of this article.) @@ -38,299 +39,265 @@ Running the Microsoft Surface Diagnostic Toolkit is a hands-on activity. The tes To run a full set of tests with the Microsoft Surface Diagnostic Toolkit, you should be prepared with the following items: -- An external display with the appropriate HDMI or DisplayPort connection +- An external display with the appropriate HDMI or DisplayPort connection -- A Bluetooth device that can be put into pairing mode +- A Bluetooth device that can be put into pairing mode -- A MicroSD or SD card that is compatible with your Surface device +- A MicroSD or SD card that is compatible with your Surface device -- A Surface Pen +- A Surface Pen -- Room to move the Surface device around +- Room to move the Surface device around -- External speakers or headphones +- External speakers or headphones >**Note:**  The Microsoft Surface Diagnostic Toolkit tests verify only the hardware of a Surface device and do not test or resolve issues with the operating system or software.   -## The tests +## The tests The Microsoft Surface Diagnostic Toolkit runs several individual tests on a Surface device. Not all tests are applicable to every device. For example, the Home button test is not applicable to Surface Pro 4 where there is no Home button. You can specify which tests to run, or you can choose to run all tests. For tests that require external devices (such as testing output to an external display) but you do not have the required external device at the time of the test, you are given the option to skip the test. If a test fails, you are prompted to continue or stop testing at that time. -### Windows Update +#### Windows Update This test checks for any outstanding Windows updates and will prompt you to install those updates before you proceed to other tests. It is important to keep a Surface device up to date with the latest Windows updates, including drivers and firmware for the Surface device. The success of some of the tests that are performed later in the task sequence depend on these updated drivers and firmware. You will be prompted to restart the device if required by Windows Update. If you must restart the device, you will need to start the Microsoft Surface Diagnostic Toolkit again. -### Device information +#### Device information This test reads the Device ID and serial number in addition to basic system information such as device model, operating system version, processor, memory, and storage. The Device ID is recorded in the name of the log file and can be used to identify a log file for a specific device. Several system log files are also collected, including update and rollback logs, and output from several Windows built-in tools, such as [DirectX Diagnostics](http://go.microsoft.com/fwlink/p/?LinkId=746476) and [System Information](http://go.microsoft.com/fwlink/p/?LinkId=746477), power configuration, disk health, and event logs. See the following list for a full set of collected log files: -- Output of **Get-WindowsUpdateLog** if the operating system is Windows 10 +- Output of **Get-WindowsUpdateLog** if the operating system is Windows 10 -- **%windir%\\Logs** +- **%windir%\\Logs** -- **%windir%\\Panther** +- **%windir%\\Panther** -- **%windir%\\System32\\sysprep\\Panther** +- **%windir%\\System32\\sysprep\\Panther** -- **%windir%\\System32\\WinEvt\\Logs** +- **%windir%\\System32\\WinEvt\\Logs** -- **$windows.~bt\\Sources\\Panther** +- **$windows.~bt\\Sources\\Panther** -- **$windows.~bt\\Sources\\Rollback** +- **$windows.~bt\\Sources\\Rollback** -- **%windir%\\System32\\WinEvt\\Logs** +- **%windir%\\System32\\WinEvt\\Logs** -- Output of **dxdiag.exe /t** +- Output of **dxdiag.exe /t** -- Output of **msinfo32.exe /report** +- Output of **msinfo32.exe /report** -- Output of **powercfg.exe /batteryreport** +- Output of **powercfg.exe /batteryreport** -- Output of **powercfg.exe /sleepstudy** +- Output of **powercfg.exe /sleepstudy** -- Output of **wevtutil.exe epl System** +- Output of **wevtutil.exe epl System** -- Events from: +- Events from: - - **Chkdsk** + - **Chkdsk** - - **Microsoft-Windows-Ntfs** + - **Microsoft-Windows-Ntfs** - - **Microsoft-Windows-WER-SystemErrorReporting** + - **Microsoft-Windows-WER-SystemErrorReporting** - - **Microsoft-Windows-Startuprepair** + - **Microsoft-Windows-Startuprepair** - - **Microsoft-Windows-kernel-Power** + - **Microsoft-Windows-kernel-Power** -- Output of **powercfg.exe /q** +- Output of **powercfg.exe /q** -- Output of **powercfg.exe /qh** +- Output of **powercfg.exe /qh** -- **%windir%\\Inf\\SetupApi\*.log** +- **%windir%\\Inf\\SetupApi\*.log** These files and logs are stored in a .zip file saved by the Microsoft Surface Diagnostic Toolkit when all selected tests have completed alongside the Microsoft Surface Diagnostic Toolkit log file. -### Type Cover test +#### Type Cover test >**Note:**  A Surface Type Cover is required for this test. -  If a Surface Type Cover is not detected, the test prompts you to connect the Type Cover. When a Type Cover is detected the test prompts you to use the keyboard and touchpad. The cursor should move while you swipe the touchpad, and the keyboard Windows key should bring up the Start menu or Start screen to successfully pass this test. You can skip this test if a Type Cover is not used with the Surface device. -### Integrated keyboard test +#### Integrated keyboard test >**Note:**  This test is only applicable to Surface Book and requires that the Surface Book be docked to the keyboard. -  +This test is essentially the same as the Type Cover test, except the integrated keyboard in the Surface Book base is tested rather than the Type Cover. During the first stage of this test a diagram of the keyboard is displayed. When you press a key, the corresponding key will be marked on the diagram. The test will proceed when every key in the diagram is marked. In the second stage of this test, you are prompted to make several gestures on the keypad. As you perform each gesture (for example, a three finger tap), the gesture will be marked on the screen. When you have performed all gestures, the test will automatically complete. -This test is essentially the same as the Type Cover test, except the integrated keyboard in the Surface Book base is tested rather than the Type Cover. Move the cursor and use the Windows key to bring up the Start menu to confirm that the touchpad and keyboard are operating successfully. This test will display the status of cursor movement and keyboard input for you to verify. Press **ESC** to complete the test. +>**Note:**  The F-keys on the diagram require that you press the Function (FN) key simultaneously to activate them. By default, these keys perform other actions. For the Home and End keys, you must press the same keys as F8 and F9, but without the Function (FN) key pressed. -### Canvas mode battery test +#### Canvas mode battery test >**Note:**  This test is only applicable to Surface Book. -  - Depending on which mode Surface Book is in, different batteries are used to power the device. When Surface Book is in clipboard mode (detached form the keyboard) it uses an internal battery, and when it is connected in either laptop mode or canvas mode it uses different connections to the battery in the keyboard. In canvas mode, the screen is connected to the keyboard so that when the device is closed, the screen remains face-up and visible. Connect the Surface Book to the keyboard in this manner for the test to automatically proceed. -### Clipboard mode battery test +#### Clipboard mode battery test >**Note:**  This test is only applicable to Surface Book. -  - Disconnect the Surface Book from the keyboard to work in clipboard mode. In clipboard mode the Surface Book operates from an internal battery that is tested when the Surface Book is disconnected from the keyboard. Disconnecting the Surface Book from the keyboard will also disconnect the Surface Book from power and will automatically begin this test. -### Laptop mode battery test +#### Laptop mode battery test >**Note:**  This test is only applicable to Surface Book. -  - Connect the Surface Book to the keyboard in the opposite fashion to canvas mode in laptop mode. In laptop mode the screen will face you when the device is open and the device can be used in the same way as any other laptop. Disconnect AC Power from the laptop base when prompted for this test to check the battery status. -### Battery test +#### Battery test In this test the battery is discharged for a few seconds and tested for health and estimated runtime. You are prompted to disconnect the power adapter and then to reconnect the power adapter when the test is complete. -### Discrete graphics (dGPU) test +#### Discrete graphics (dGPU) test >**Note:**  This test is only applicable to Surface Book models with a discrete graphics processor. -  - This test will query the device information of current hardware to check for the presence of both the Intel integrated graphics processor in the Surface Book and the NVIDIA discrete graphics processor in the Surface Book keyboard. The keyboard must be attached for this test to function. -### Discrete graphics (dGPU) fan test +#### Discrete graphics (dGPU) fan test >**Note:**  This test is only applicable to Surface Book models with a discrete graphics processor. -  - The discrete graphics processor in the Surface Book includes a separate cooling fan. The fan is turned on automatically by the test for 5 seconds. Listen for the sound of the fan in the keyboard and report if the fan is working correctly when prompted. -### Muscle wire test +#### Muscle wire test >**Note:**  This test is only applicable to Surface Book. -  - To disconnect the Surface Book from the keyboard, software must instruct the muscle wire latch mechanism to open. This is typically accomplished by pressing and holding the undock key on the keyboard. This test sends the same signal to the latch, which unlocks the Surface Book from the Surface Book keyboard. Remove the Surface Book from the keyboard when you are prompted to do so. -### Dead pixel and display artifacts tests +#### Dead pixel and display artifacts tests >**Note:**  Before you run this test, be sure to clean the screen of dust or smudges. -  - This test prompts you to view the display in search of malfunctioning pixels. The test displays full-screen, single-color images including black, white, red, green, and blue. Pixels that remain bright or dark when the screen displays an image of a different color indicate a failed test. You should also look for distortion or variance in the color of the screen. -### Digitizer edges +#### Digitizer edges The touchscreen of a Surface device should detect when a user swipes in from the left or right side of the screen. This test prompts you to swipe in from the edges of the screen to bring up the Action Center and Task View. Both Action Center and Task View should launch to pass this test. -### Digitizer pinch +#### Digitizer pinch The pinch gesture (when you bring two fingers closer together or farther apart) is used to manipulate zoom and to position content through the touchscreen. This test displays an image in Windows Picture Viewer and prompts you to zoom in, move, and zoom out of the picture. The picture should zoom in, move, and zoom out as the gestures are performed. -### Digitizer touch +#### Digitizer touch The Surface touchscreen should detect input across the entire screen of the device equally. To perform this test a series of lines are displayed on the screen for you to trace with a finger in search of unresponsive areas. The lines traced across the screen should appear continuous for the length of the line as drawn with your finger. -### Digitizer pen test +#### Digitizer pen test >**Note:**  A Microsoft Surface Pen is required for this test. -  - This test displays the same lines as those that are displayed during the Digitizer Touch test, but your input is performed with a Surface Pen instead of your finger. The lines should remain unbroken for as long as the Pen is pressed to the screen. Trace all of the lines in the image to look for unresponsive areas across the entire screen of the Surface device. -### Digitizer multi touch +#### Digitizer multi touch The Surface touchscreen is capable of detecting 10 fingers simultaneously. Place all of your fingers on the screen simultaneously to perform this test. The screen will show the number of points detected, which should match the number of fingers you have on the screen. -### Home button test +#### Home button test The Home button or Windows button on your Surface device is used to bring up the Start screen or Start menu. This test is successful if the Start screen or Start menu is displayed when the Windows button is pressed. This test is not displayed on Surface Pro 4 because no Windows button exists. -### Volume rocker test +#### Volume rocker test This test prompts you to use the volume rocker to turn the volume all the way up, all the way down, and then all the way up again. To pass this test, the volume slider should move up and down as the rocker is pressed. -### Micro SD or SD slot test +#### Micro SD or SD slot test >**Note:**  This test requires a micro SD or SD card that is compatible with the slot in your Surface device. -  - Insert a micro SD or SD card when you are prompted. When the SD card is detected, the test prompts you to remove the SD card to ensure that the card is not left in the device. During this test a small file is written to the SD card and then verified. Detection and verification of the SD card automatically passes this test without additional input. -### Microphone test +#### Microphone test This test displays the **Recording** tab of the Sound item in Control Panel. The test prompts you to monitor the meter that is displayed next to the **Microphone Array** recording device. A recommended test is to speak and watch for your speech to be detected in the meter. If the meter moves when you speak, the microphone is working correctly. For Surface Book you will be prompted to tap locations near the microphones. This tapping should produce noticeable spikes in the audio meter. -### Video out test +#### Video out test >**Note:**  This test requires an external display with the applicable connection for your Surface device. -  - Surface devices provide a Mini DisplayPort connection for connecting to an external display. Connect your display through the Mini DisplayPort on the device when prompted. The display should be detected automatically and an image should appear on the external display. -### Bluetooth test +#### Bluetooth test >**Note:**  This test requires a Bluetooth device. The device must be set to pairing mode or made discoverable to perform this test. -  - After you receive a prompt to put the device in pairing mode, the test opens the **Add a device** window and begins to search for discoverable Bluetooth devices. Watch the **Add a device** window to verify that your Bluetooth device is detected. Select your Bluetooth device from the list and connect to the device to complete the test. -### Camera test +#### Camera test Use this test to verify that the cameras on your Surface device are operating properly. Images will be displayed from both the front and rear cameras, and the infrared camera on a Surface Pro 4. Continuous autofocus can be enabled on the rear camera. Move the device closer and farther away from an object to verify the operation of continuous autofocus. -### Speaker test +#### Speaker test >**Note:**  Headphones or external speakers are required to test the headphone jack in this test. -  - This test plays audio over left and right channels respectively, both for the internal speakers and for speakers or headphones connected to the headphone jack. Mark each channel as a pass or fail as you hear the audio play. -### Network test +#### Network test >**Note:**  Connect the Surface device to a Wi-Fi network before you run this test. Connections that are made during the test are removed when the test is completed. -  - This test uses the Windows Network Diagnostics built in troubleshooter to diagnose potential issues with network connectivity, including proxy configuration, DNS problems, and IP address conflicts. An event log is saved by this test in Windows logs and is visible in the Windows Event Viewer. The Event ID is 6100. -### Power test +#### Power test Settings such as display brightness, the elapsed time until the screen sleeps, and the elapsed time until device sleeps, are checked against default values with the Power built-in troubleshooter. The troubleshooter will automatically correct settings that may prevent the device from conserving power or entering sleep mode. -### Mobile broadband test +#### Mobile broadband test This test prompts you to enable mobile broadband and attempts to browse to http://www.bing.com. This test is only applicable to Surface devices that come equipped with mobile broadband, such as Surface 3 LTE. -### Accelerometer test +#### Accelerometer test The accelerometer detects lateral, longitudinal, and vertical movements of the Surface device. This test prompts you to pick up and move the Surface device forward and backward, to the left and to the right, and up and down, to test the sensor for directional movement. The test automatically passes when movement is detected. -### Gyrometer test +#### Gyrometer test The gyrometer detects pitch, roll, and yaw movements. This test prompts you to pick up and rotate the Surface device to test the sensors for angular movement. The test automatically passes when movement is detected. -### Compass test +#### Compass test The compass detects which direction the Surface device is facing relative to north, south, east, and west. Turn the Surface device to face in different directions to test the sensor. The test automatically passes when a change in direction is detected. -### Ambient light test +#### Ambient light test The ambient light sensor is used to automatically adjust screen brightness relative to the ambient lighting in the environment. Turn the device toward or away from a light source to cause the screen to dim or brighten in response increased or decreased light. The test automatically passes when the screen brightness automatically changes. -### Device orientation test +#### Device orientation test >**Note:**  Before you run this test, disable rotation lock from the Action Center if enabled. -  - The device orientation sensor determines what the angle of the Surface device is, relative to the ground. Rotate the display 90 degrees or 180 degrees to cause the screen orientation to switch between portrait and landscape mode. The test automatically passes when the screen orientation switches. -### Brightness test +#### Brightness test This test cycles the screen through brightness levels from 0 percent to 100 percent, and then a message is displayed to confirm if the brightness level changed accordingly. You are then prompted to disconnect the power adapter. The screen should automatically dim when power is disconnected. -### System assessment +#### System assessment >**Note:**  The Surface device must be connected to AC power before you can run this test. -  - The Windows System Assessment Tool (WinSAT) runs a series of benchmarks against the processor, memory, video adapter, and storage devices. The results include the processing speed of various algorithms, read and write performance of memory and storage, and performance in several Direct3D graphical tests. -### Performance Monitor test +#### Performance Monitor test Performance and diagnostic trace logs are recorded from Performance Monitor for 30 seconds and collected in the .zip file output of the Microsoft Surface Diagnostic Toolkit by this test. You can analyze these trace logs with the [Windows Performance Analyzer](http://go.microsoft.com/fwlink/p/?LinkId=746486) to identify causes of application crashes, performance issues, or other undesirable behavior in Windows. -### Crash dump collection +#### Crash dump collection If your Surface device has encountered an error that caused the device to fail or produce a blue screen error, this stage of the Microsoft Surface Diagnostic Toolkit records the information from the automatically recorded crash dump files in the diagnostic log. You can use these crash dump files to identify a faulty driver, hardware component, or application through analysis. Use the [Windows Debugging Tool](http://go.microsoft.com/fwlink/p/?LinkId=746488) to analyze these files. If you are not familiar with the analysis of crash dump files, you can describe your issue and post a link to your crash dump files (uploaded to OneDrive or another file sharing service) in the [Windows TechNet Forums](http://go.microsoft.com/fwlink/p/?LinkId=746489). -## Command line - +## Command line You can run the Microsoft Surface Diagnostic Toolkit from the command line or as part of a script. The tool supports the following arguments: >**Note:**  Many of the tests performed by the Microsoft Surface Diagnostic Toolkit require technician interaction. The Microsoft Surface Diagnostic Toolkit cannot run unattended. -  - -### exclude +#### exclude Use this argument to exclude specific tests. @@ -424,7 +391,7 @@ See the following list for test names: - WindowsUpdateCheckTest -### forceplatformsupport +#### forceplatformsupport Use this argument to force tests to run when the make and model of the device is not properly detected by Windows. Surface Diagnostic Toolkit is intended to run only on Surface devices. @@ -434,7 +401,7 @@ Example: Surface_Diagnostic_Toolkit_1.0.60.0.exe forceplatformsupport ``` -### include +#### include Use this argument to include tests when you run Microsoft Surface Diagnostic Toolkit from the command line. Tests specified by the **Include** command will be run even if the test is not supported on the model of Surface device. In the following example, the Surface Book specific tests for the latch mechanism and discrete graphics will be run, even if the command is run on a Surface Pro 4 or other Surface model. @@ -444,7 +411,7 @@ Example: Surface_Diagnostic_Toolkit_1.0.60.0.exe “include=DualGraphicsTest,FanTest,MuscleWireTest” ``` -### logpath +#### logpath Use this argument to specify the path for the log file. diff --git a/devices/surface/surface-dock-updater.md b/devices/surface/surface-dock-updater.md index 38115ae721..ea56c4cc95 100644 --- a/devices/surface/surface-dock-updater.md +++ b/devices/surface/surface-dock-updater.md @@ -2,8 +2,10 @@ title: Microsoft Surface Dock Updater (Surface) description: This article provides a detailed walkthrough of Microsoft Surface Dock Updater. ms.assetid: 1FEFF277-F7D1-4CB4-8898-FDFE8CBE1D5C -ms.prod: W10 +keywords: install, update, firmware +ms.prod: w10 ms.mktglfcycl: manage +ms.pagetype: surface, devices ms.sitesec: library author: jobotto --- diff --git a/education/windows/TOC.md b/education/windows/TOC.md new file mode 100644 index 0000000000..9e07262fa7 --- /dev/null +++ b/education/windows/TOC.md @@ -0,0 +1,10 @@ +# [Windows 10 for education](index.md) +## [Change history for Windows 10 for Education](change-history-edu.md) +## [Use the Set up School PCs app (Preview)](use-set-up-school-pcs-app.md) +## [Technical reference for the Set up School PCs app (Preview)](set-up-school-pcs-technical.md) +## [Take tests in Windows 10 (Preview)](take-tests-in-windows-10.md) +### [Set up Take a Test on a single PC (Preview)](take-a-test-single-pc.md) +### [Set up Take a Test on multiple PCs (Preview)](take-a-test-multiple-pcs.md) +### [Take a Test app technical reference (Preview)](take-a-test-app-technical.md) +## [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) +## [Chromebook migration guide](chromebook-migration-guide.md) \ No newline at end of file diff --git a/education/windows/change-history-edu.md b/education/windows/change-history-edu.md new file mode 100644 index 0000000000..49e7b6303a --- /dev/null +++ b/education/windows/change-history-edu.md @@ -0,0 +1,22 @@ +--- +title: Change history for Windows 10 for Education (Windows 10) +description: New and changed topics in Windows 10 for Education +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +--- + +# Change history for Windows 10 for Education + +This topic lists new and updated topics in the [Windows 10 for Education](index.md) documentation. + +## May 2016 + +| New or changed topic | Description | +|----------------------|-------------| +| [Use the Set up School PCs app (Preview)](use-set-up-school-pcs-app.md) | New | +| [Set up School PCs app technical reference (Preview)](set-up-school-pcs-technical.md) | New | +| [Take tests in Windows 10 (Preview)](take-tests-in-windows-10.md)
[Set up Take a Test on a single PC (Preview)](take-a-test-single-pc.md)
[Set up Take a Test on multiple PCs (Preview)](take-a-test-multiple-pcs.md)
[Take a Test app technical reference (Preview)](take-a-test-app-technical.md) | New | +| [Chromebook migration guide](chromebook-migration-guide.md) | Moved from [Windows 10 and Windows 10 Mobile](https://technet.microsoft.com/en-us/itpro/windows/plan/index) library, originally published in November 2015 | +| [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) | Moved from [Windows 10 and Windows 10 Mobile](https://technet.microsoft.com/en-us/itpro/windows/plan/index) library, originally published in May 2016 | \ No newline at end of file diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md new file mode 100644 index 0000000000..e56979fdef --- /dev/null +++ b/education/windows/chromebook-migration-guide.md @@ -0,0 +1,962 @@ +--- +title: Chromebook migration guide (Windows 10) +description: In this guide you will learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. +ms.assetid: 7A1FA48A-C44A-4F59-B895-86D4D77F8BEA +keywords: ["migrate", "automate", "device"] +ms.prod: W10 +ms.mktglfcycl: plan +ms.sitesec: library +author: craigash +--- + +# Chromebook migration guide + + +**Applies to** + +- Windows 10 + +In this guide you will learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. You will learn how to perform the necessary planning steps, including Windows device deployment, migration of user and device settings, app migration or replacement, and cloud storage migration. You will then learn the best method to perform the migration by using automated deployment and migration tools. + +## Plan Chromebook migration + + +Before you begin to migrate Chromebook devices, plan your migration. As with most projects, there can be an urge to immediately start doing before planning. When you plan your Chromebook migration before you perform the migration, you can save countless hours of frustration and mistakes during the migration process. + +In the planning portion of this guide, you will identify all the decisions that you need to make and how to make each decision. At the end of the planning section, you will have a list of information you need to collect and what you need to do with the information. You will be ready to perform your Chromebook migration. + +## Plan for app migration or replacement + + +App migration or replacement is an essential part of your Chromebook migration. In this section you will plan how you will migrate or replace Chromebook (Chrome OS) apps that are currently in use with the same or equivalent Windows apps. At the end of this section, you will have a list of the active Chrome OS apps and the Windows app counterparts. + +**Identify the apps currently in use on Chromebook devices** + +Before you can do any analysis or make decisions about which apps to migrate or replace, you need to identify which apps are currently in use on the Chromebook devices. You will create a list of apps that are currently in use (also called an app portfolio). + +**Note**   +The majority of Chromebook apps are web apps. For these apps you need to first perform Microsoft Edge compatibility testing and then publish the web app URL to the Windows users. For more information, see the [Perform app compatibility testing for web apps](#perform-testing-webapps) section. + +  + +You can divide the apps into the following categories: + +- **Apps installed and managed by the institution.** These apps are typically managed in the Apps section in the Google Admin Console. You can record the list of these apps in your app portfolio. + +- **Apps installed by faculty or students.** Faculty or students might have installed these apps as a part of a classroom curriculum. Obtain the list of these apps from faculty or students. Ensure you only record apps that are legitimately used as a part of classroom curriculum (and not for personal entertainment or use). + +Record the following information about each app in your app portfolio: + +- App name + +- App type (such as offline app, online app, web app, and so on) + +- App publisher or developer + +- App version currently in use + +- App priority (how necessary is the app to the day-to-day process of the institution or a classroom? Rank as high, medium, or low) + +Throughout the entire app migration or replacement process, focus on the higher priority apps. Focus on lower priority apps only after you have determined what you will do with the higher priority apps. + +### + +**Select Google Apps replacements** + +Table 1 lists the Windows device app replacements for the common Google Apps on Chromebook devices. If your users rely on any of these Google Apps, use the corresponding app on the Windows device. Use the information in Table 1 to select the Google App replacement on a Windows device. + +Table 1. Google App replacements + +| If you use this Google app on a Chromebook | Use this app on a Windows device | +|--------------------------------------------|--------------------------------------| +| Google Docs | Word 2016 or Word Online | +| Google Sheets | Excel 2016 or Excel Online | +| Google Slides | PowerPoint 2016 or PowerPoint Online | +| Google Apps Gmail | Outlook 2016 or Outlook Web App | +| Google Hangouts | Microsoft Skype for Business | +| Chrome | Microsoft Edge | +| Google Drive | Microsoft OneDrive for Business | + +  + +It may be that you will decide to replace Google Apps after you deploy Windows devices. For more information on making this decision, see the [Select cloud services migration strategy](#select-cs-migrationstrat) section of this guide. + +**Find the same or similar apps in the Windows Store** + +In many instances, software vendors will create a version of their app for multiple platforms. You can search the Windows Store to find the same or similar apps to any apps not identified in the [Select Google Apps replacements](#select-googleapps) section. + +In other instances, the offline app does not have a version written for the Windows Store or is not a web app. In these cases, look for an app that provides similar functions. For example, you might have a graphing calculator offline Android app published on the Chrome OS, but the software publisher does not have a version for Windows devices. Search the Windows Store for a graphing calculator app that provides similar features and functionality. Use that Windows Store app as a replacement for the graphing calculator offline Android app published on the Chrome OS. + +Record the Windows app that replaces the Chromebook app in your app portfolio. + +### + +**Perform app compatibility testing for web apps** + +The majority of Chromebook apps are web apps. Because you cannot run native offline Chromebook apps on a Windows device, there is no reason to perform app compatibility testing for offline Chromebook apps. However, you may have a number of web apps that will run on both platforms. + +Ensure that you test these web apps in Microsoft Edge. Record the level of compatibility for each web app in Microsoft Edge in your app portfolio. + +## Plan for migration of user and device settings + + +Some institutions have configured the Chromebook devices to make the devices easier to use by using the Google Chrome Admin Console. You have also probably configured the Chromebook devices to help ensure the user data access and ensure that the devices themselves are secure by using the Google Chrome Admin Console. + +However, in addition to your centralized configuration in the Google Admin Console, Chromebook users have probably customized their device. In some instances, users may have changed the web content that is displayed when the Chrome browser starts. Or they may have bookmarked websites for future reference. Or users may have installed apps for use in the classroom. + +In this section, you will identify the user and device configuration settings for your Chromebook users and devices. Then you will prioritize these settings to focus on the configuration settings that are essential to your educational institution. + +At the end of this section, you should have a list of Chromebook user and device settings that you want to migrate to Windows, as well as a level of priority for each setting. You may discover at the end of this section that you have few or no higher priority settings to be migrated. If this is the case, you can skip the [Perform migration of user and device settings](#migrate-user-device-settings) section of this guide. + +**Identify Google Admin Console settings to migrate** + +You use the Google Admin Console (as shown in Figure 1) to manage user and device settings. These settings are applied to all the Chromebook devices in your institution that are enrolled in the Google Admin Console. Review the user and device settings in the Google Admin Console and determine which settings are appropriate for your Windows devices. + +![figure 1](images/chromebook-fig1-googleadmin.png) + +Figure 1. Google Admin Console + +Table 2 lists the settings in the Device Management node in the Google Admin Console. Review the settings and determine which settings you will migrate to Windows. + +Table 2. Settings in the Device Management node in the Google Admin Console + + ++++ + + + + + + + + + + + + + + + + + + + + +
SectionSettings
Network

These settings configure the network connections for Chromebook devices and include the following settings categories:

+
    +

  • Wi-Fi. Configures the Wi-Fi connections that are available. The Windows devices will need these configuration settings to connect to the same Wi-Fi networks.

    • +

  • Ethernet. Configures authentication for secured, wired Ethernet connections (802.1x). The Windows devices will need these configuration settings to connect to the network.

    • +

  • VPN. Specifies the VPN network connections used by devices when not directly connected to your intranet. The Windows devices will need the same VPN network connections for users to remotely connect to your intranet.

    • +

  • Certificates. Contains the certificates used for network authentication. The Windows devices will need these certificates to connect to the network.

    • +
Mobile

These settings configure and manage companion devices (such as smartphones or tablets) that are used in conjunction with the Chromebook devices and include the following settings categories:

+
    +

  • Device management settings. Configures settings for mobile (companion) devices, such as device synchronization, password settings, auditing, enable remote wipe, and other settings. Record these settings so that you can ensure the same settings are applied when the devices are being managed by Microsoft Intune or another mobile device management (MDM) provider.

    • +

  • Device activation. Contains a list of mobile (companion) devices that need to be approved for management by using the Google Admin Console. Approve or block any devices in this list so that the list of managed devices accurately reflects active managed devices.

    • +

  • Managed devices. Performs management tasks on mobile (companion) devices that are managed by the Google Admin Console. Record the list of companion devices on this page so that you can ensure the same devices are managed by Intune or another MDM provider.

    • +

  • Set Up Apple Push Certificate. Configures the certificate that is essentially the digital signature that lets the Google Admin Console manage iOS devices. You will need this certificate if you plan to manage iOS devices by using Intune or another MDM provider.

    • +

  • Set Up Android for Work. Authorizes the Google Admin Console to be the MDM provider for Android devices by providing an Enterprise Mobility Management (EMM) token. You will need this token if you plan to manage Android devices by using another MDM provider.

    • +
Chrome management

These settings configure and manage companion devices (such as smartphones or tablets) that are used in conjunction with the Chromebook devices and include the following settings categories:

+
    +

  • User settings. Configures user-based settings for the Chrome browser and Chromebook devices. Most of these Chromebook user-based settings can be mapped to a corresponding setting in Windows. Record the settings and then map them to settings in Group Policy or Intune.

    • +

  • Public session settings. Configures Public Sessions for Chrome devices that are used as kiosks, loaner devices, shared computers, or for any other work or school-related purpose for which users don't need to sign in with their credentials. You can configure Windows devices similarly by using Assigned Access. Record the settings and apps that are available in Public Sessions so that you can provide similar configuration in Assigned Access.

    • +

  • Device settings. Configures device-based settings for the Chrome browser and Chromebook devices. You can map most of these Chromebook device-based settings to a corresponding setting in Windows. Record the settings and then map them to settings in Group Policy or Intune.

    • +

  • Devices. Manages Chrome device management licenses. The number of licenses recorded here should correspond to the number of licenses you will need for your new management system, such as Intune. Record the number of licenses and use those to determine how many licenses you will need to manage your Windows devices.

    • +

  • App Management. Provides configuration settings for Chrome apps. Record the settings for any apps that you have identified that will run on Windows devices.

    • +
+ +  + +Table 3 lists the settings in the Security node in the Google Admin Console. Review the settings and determine which settings you will migrate to Windows. + +Table 3. Settings in the Security node in the Google Admin Console + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SectionSettings

Basic settings

These settings configure password management and whether or not two-factor authentication (2FA) is configured. You can set the minimum password length, the maximum password length, if non-admin users can recover their own passwords, and enable 2FA.

+

Record these settings and use them to help configure your on-premises Active Directory or Azure Active Directory (Azure AD) to mirror the current behavior of your Chromebook environment.

Password monitoring

This section is used to monitor the strength of user passwords. You don’t need to migrate any settings in this section.

API reference

This section is used to enable access to various Google Apps Administrative APIs. You don’t need to migrate any settings in this section.

Set up single sign-on (SSO)

This section is used to configure SSO for Google web-based apps (such as Google Apps Gmail or Google Apps Calendar). While you don’t need to migrate any settings in this section, you probably will want to configure Azure Active Directory synchronization to replace Google-based SSO.

Advanced settings

This section is used to configure administrative access to user data and to configure the Google Secure Data Connector (which allows Google Apps to access data on your local network). You don’t need to migrate any settings in this section.

+ +  + +**Identify locally-configured settings to migrate** + +In addition to the settings configured in the Google Admin Console, users may have locally configured their devices based on their own personal preferences (as shown in Figure 2). Table 4 lists the Chromebook user and device settings that you can locally configure. Review the settings and determine which settings you will migrate to Windows. Some of the settings listed in Table 4 can only be seen when you click the **Show advanced settings** link (as shown in Figure 2). + +![figure 2](images/fig2-locallyconfig.png) + +Figure 2. Locally-configured settings on Chromebook + +Table 4. Locally-configured settings + +| Section | Settings | +|------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Internet connections | These settings configure the Internet connection for the devices, such as Wi-Fi and VPN connections. Record the network connection currently in use and configure the Windows device to use the same network connection settings. | +| Appearances | These settings affect the appearance of the desktop. Record the wallpaper image file that is used. Migrate the image file to the Windows device and configure as the user’s wallpaper to maintain similar user experience. | +| Search | These settings configure which search engine is used to search for content. Record this setting so that you can use as the search engine on the Windows device. | +| Advanced sync settings | These settings configure which user settings are synchronized with the Google cloud, such as Apps, Extensions, History, Passwords, Settings, and so on. Record these settings and configure the Windows device with the same settings if you decide to continue to use Google Apps and other cloud services after you migrate to Windows devices. | +| Date and time | These settings configure the time zone and if 24-hour clock time should be used. Record these settings and configure the Windows device to use these settings. | +| Privacy | These settings configure Google Chrome web browser privacy settings (such as prediction service, phishing and malware protection, spelling errors, resource pre-fetch, and so on). Record these settings and configure Microsoft Edge, Internet Explorer, or the web browser of your choice with these settings. | +| Bluetooth | This setting configures whether or not Bluetooth is enabled on the device. Record this setting and configure the Windows device similarly. | +| Passwords and forms | These settings configure Google Chrome web browser to enable autofill of web forms and to save web passwords. Record these settings and configure Microsoft Edge, Internet Explorer, or the web browser of your choice with these settings. | +| Smart lock | These settings configure the Chromebook when the user’s Android phone is nearby and unlocked, which eliminates the need to type a password. You don’t need to migrate settings in this section. | +| Web content | These settings configure how the Chrome web browser displays content (such as font size and page zoom). Record these settings and configure Microsoft Edge, Internet Explorer, or the web browser of your choice with these settings. | +| Languages | These settings configure the language in use for the Chromebook. Record these settings and configure the Windows device to support the same language. | +| Downloads | These settings configure the default folder for file download, if the user should be prompted where to save files, and if the Google Drive account should be disconnected. Record these settings and configure the Windows device with similar settings. | +| HTTPS/SSL | These settings configure client-side certificates that are used to authenticate the device. Depending on the services or apps that use these certificates, you may need to export and then migrate these certificates to the Windows device. Contact the service or app provider to determine if you can use the existing certificate or if a new certificate needs to be issued. Record these settings and migrate the certificate to the Windows device or enroll for a new certificate as required by the service or app. | +| Google Cloud Print | These settings configure the printers that are available to the user. Record the list of printers available to the user and configure the Windows device to have the same printers available. Ensure that the user-friendly printer names in Windows are the same as for the Chromebook device. For example, if the Chromebook device has a printer named “Laser Printer in Registrar’s Office”, use that same name in Windows. | +| On startup | These settings configure which web pages are opened when the Chrome web browser starts. Record these settings and configure Microsoft Edge, Internet Explorer, or the web browser of your choice with these settings. | +| Accessibility | These settings configure the Chromebook ease of use (such as display of large mouse cursor, use of high contrast mode, enablement of the screen magnifier, and so on). Record these settings and configure the Windows device with similar settings. | +| Powerwash | This action removes all user accounts and resets the Chromebook device back to factory settings. You don’t have to migrate any settings in this section. | +| Reset settings | This action retains all user accounts, but restores all settings back to their default values. You don’t have to migrate any settings in this section. | + +  + +Determine how many users have similar settings and then consider managing those settings centrally. For example, a large number of users may have many of the same Chrome web browser settings. You can centrally manage these settings in Windows after migration. + +Also, as a part of this planning process, consider settings that may not be currently managed centrally, but should be managed centrally. Record the settings that are currently being locally managed, but you want to manage centrally after the migration. + +**Prioritize settings to migrate** + +After you have collected all the Chromebook user, app, and device settings that you want to migrate, you need to prioritize each setting. Evaluate each setting and assign a priority to the setting based on the levels of high, medium, and low. + +Assign the setting-migration priority based on how critical the setting is to the faculty performing their day-to-day tasks and how the setting affects the curriculum in the classrooms. Focus on the migration of higher priority settings and put less effort into the migration of lower priority settings. There may be some settings that are not necessary at all and can be dropped from your list of settings entirely. Record the setting priority in the list of settings you plan to migrate. + +## Plan for email migration + + +Many of your users may be using Google Apps Gmail to manage their email, calendars, and contacts. You need to create the list of users you will migrate and the best time to perform the migration. + +Office 365 supports automated migration from Google Apps Gmail to Office 365. For more information, see [Migrate Google Apps mailboxes to Office 365](http://go.microsoft.com/fwlink/p/?LinkId=690252). + +**Identify the list of user mailboxes to migrate** + +In regards to creating the list of users you will migrate, it might seem that the answer “all the users” might be the best one. However, depending on the time you select for migration, only a subset of the users may need to be migrated. For example, you may not persist student email accounts between semesters or between academic years. In this case you would only need to migrate faculty and staff. + +Also, when you perform a migration it is a great time to verify that all user mailboxes are active. In many environments there are a significant number of mailboxes that were provisioned for users that are no longer a part of the institution (such as interns or student assistants). You can eliminate these users from your list of user mailboxes to migrate. + +Create your list of user mailboxes to migrate in Excel 2016 based on the format described in step 7 in [Create a list of Gmail mailboxes to migrate](http://go.microsoft.com/fwlink/p/?LinkId=690253). If you follow this format, you can use the Microsoft Excel spreadsheet to perform the actual migration later in the process. + +**Identify companion devices that access Google Apps Gmail** + +In addition to Chromebook devices, users may have companion devices (smartphones, tablets, desktops, laptops, and so on) that also access the Google Apps Gmail mailbox. You will need to identify those companion devices and identify the proper configuration for those devices to access Office 365 mailboxes. + +After you have identified each companion device, verify the settings for the device that are used to access Office 365. You only need to test one type of each companion device. For example, if users use Android phones to access Google Apps Gmail mailboxes, configure the device to access Office 365 and then record those settings. You can publish those settings on a website or to your helpdesk staff so that users will know how to access their Office 365 mailbox. + +In most instances, users will only need to provide in their Office 365 email account and password. However, you should verify this on each type of companion device. For more information about how to configure a companion device to work with Office 365, see [Compare how different mobile devices work with Office 365](http://go.microsoft.com/fwlink/p/?LinkId=690254). + +**Identify the optimal timing for the migration** + +Typically, the best time to perform the migration is between academic years or during semester breaks. Select the time of least activity for your institution. And during that time, the optimal time to perform the migration might be during an evening or over a weekend. + +Ensure that you communicate the time the migration will occur to your users well in advance. Also, ensure that users know how to access their Office 365 email after the migration is complete. Finally, ensure that your users know how to perform the common tasks they performed in Google Apps Gmail in Office 365 and/or Outlook 2016. + +## Plan for cloud storage migration + + +Chromebook devices have limited local storage. So, most of your users will store data in cloud storage, such as Google Drive. You will need to plan how to migrate your cloud storage as a part of the Chromebook migration process. + +In this section, you will create a list of the existing cloud services, select the Microsoft cloud services that best meet your needs, and then optimize your cloud storage services migration plan. + +**Identify cloud storage services currently in use** + +Typically, most Chromebook users use Google Drive for cloud storage services because your educational institution purchased other Google cloud services and Google Drive is a part of those services. However, some users may use cloud storage services from other vendors. For each member of your faculty and staff and for each student, create a list of cloud storage services that includes the following: + +- Name of the cloud storage service + +- Cloud storage service vendor + +- Associated licensing costs or fees + +- Approximate storage currently in use per user + +Use this information as the requirements for your cloud storage services after you migrate to Windows devices. If at the end of this discovery you determine there is no essential data being stored in cloud storage services that requires migration, then you can skip to the [Plan for cloud services migration](#plan-cloud-services) section. + +**Optimize cloud storage services migration plan** + +Now that you know the current cloud storage services configuration, you need to optimize your cloud storage services migration plan for Microsoft OneDrive for Business. Optimization helps ensure that your use only the cloud storage services resources that are necessary for your requirements. + +Consider the following to help optimize your cloud storage services migration plan: + +- **Eliminate inactive user storage.** Before you perform the cloud storage services migration, identify cloud storage that is currently allocated to inactive users. Remove this storage from your list of cloud storage to migrate. + +- **Eliminate or archive inactive files.** Review cloud storage to identify files that are inactive (have not been accessed for some period of time). Eliminate or archive these files so that they do not consume cloud storage. + +- **Consolidate cloud storage services.** If multiple cloud storage services are in use, reduce the number of cloud storage services and standardize on one cloud storage service. This will help reduce management complexity, support time, and typically will reduce cloud storage costs. + +Record your optimization changes in your cloud storage services migration plan. + +## Plan for cloud services migration + + +Many of your users may use cloud services on their Chromebook device, such as Google Apps, Google Drive, or Google Apps Gmail. You have planned for these individual cloud services in the [Plan for app migration or replacement](#plan-app-migrate-replace), [Plan for Google Apps Gmail to Office 365 migration](#plan-email-migrate), and [Plan for cloud storage migration](#plan-cloud-storage-migration) sections. + +In this section, you will create a combined list of these cloud services and then select the appropriate strategy to migrate these cloud services. + +### + +**Identify cloud services currently in use** + +You have already identified the individual cloud services that are currently in use in your educational institution in the [Plan for app migration or replacement](#plan-app-migrate-replace), [Plan for Google Apps Gmail to Office 365 migration](#plan-email-migrate), and [Plan for cloud storage migration](#plan-cloud-storage-migration) sections. Create a unified list of these cloud services and record the following about each service: + +- Cloud service name + +- Cloud service provider + +- Number of users that use the cloud service + +**Select cloud services to migrate** + +One of the first questions you should ask after you identify the cloud services currently in use is, “Why do we need to migrate from these cloud services?” The answer to this question largely comes down to finances and features. + +Here is a list of reasons that describe why you might want to migrate from an existing cloud service to Microsoft cloud services: + +- **Better integration with Office 365.** If your long-term strategy is to migrate to Office 365 apps (such as Word 2016 or Excel 2016) then a migration to Microsoft cloud services will provide better integration with these apps. The use of existing cloud services may not be as intuitive for users. For example, Office 365 apps will integrate better with OneDrive for Business compared to Google Drive. + +- **Online apps offer better document compatibility.** Microsoft Office online apps (such as Word Online and Excel Online) provide the highest level of compatibility with Microsoft Office documents. The Office online apps allow you to open and edit documents directly from SharePoint or OneDrive for Business. Users can access the Office online app from any device with Internet connectivity. + +- **Reduce licensing costs.** If you pay for Office 365 licenses, then Office 365 apps and cloud storage are included in those licenses. Although you could keep existing cloud services, you probably would pay more to keep those services. + +- **Improve storage capacity and cross-platform features.** Microsoft cloud services provide competitive storage capacity and provide more Windows-centric features than other cloud services providers. While the Microsoft cloud services user experience is highly optimized for Windows devices, Microsoft cloud services are also highly optimized for companion devices (such as iOS or Android devices). + +Review the list of existing cloud services that you created in the [Identify cloud services currently in use](#identify-cloud-services-inuse) section and identify the cloud services that you want to migrate to Microsoft cloud services. If you determine at the end of this task that there are no cloud services to be migrated, then skip to the [Plan for Windows device deployment](#plan-windevice-deploy) section. Also, skip the [Perform cloud services migration](#perform-cloud-services-migration) section later in this guide. + +**Prioritize cloud services** + +After you have created your aggregated list of cloud services currently in use by Chromebook users, prioritize each cloud service. Evaluate each cloud service and assign a priority based on the levels of high, medium, and low. + +Assign the priority based on how critical the cloud service is to the faculty and staff performing their day-to-day tasks and how the cloud service affects the curriculum in the classrooms. Also, make cloud services that are causing pain for the users a higher priority. For example, if users experience outages with a specific cloud service, then make migration of that cloud service a higher priority. + +Focus on the migration of higher priority cloud services first and put less effort into the migration of lower priority cloud services. There may be some cloud services that are unnecessary and you can remove them from your list of cloud services to migrate entirely. Record the cloud service migration priority in the list of cloud services you plan to migrate. + +### + +**Select cloud services migration strategy** + +When you deploy the Windows devices, should you migrate the faculty, staff, and students to the new cloud services? Perhaps. But, in most instances you will want to select a migration strategy that introduces a number of small changes over a period of time. + +Consider the following when you create your cloud services migration strategy: + +- **Introduce small changes.** The move from Chrome OS to Windows will be simple for most users as most will have exposure to Windows from home, friends, or family. However, users may not be as familiar with the apps or cloud services. Consider the move to Windows first, and then make other changes as time progresses. + +- **Start off by using existing apps and cloud services.** Immediately after the migration to Windows devices, you may want to consider running the existing apps and cloud services (such Google Apps, Google Apps Gmail, and Google Drive). This gives users a familiar method to perform their day-to-day tasks. + +- **Resolve pain points.** If some existing apps or cloud services cause problems, you may want to migrate them sooner rather than later. In most instances, users will be happy to go through the learning curve of a new app or cloud service if it is more reliable or intuitive for them to use. + +- **Migrate classrooms or users with common curriculum.** Migrate to Windows devices for an entire classroom or for multiple classrooms that share common curriculum. You must ensure that the necessary apps and cloud services are available for the curriculum prior to the migration of one or more classrooms. + +- **Migrate when the fewest number of active users are affected.** Migrate your cloud services at the end of an academic year or end of a semester. This will ensure you have minimal impact on faculty, staff, and students. Also, a migration during this time will minimize the learning curve for users as they are probably dealing with new curriculum for the next semester. Also, you may not need to migrate student apps and data because many educational institutions do not preserve data between semesters or academic years. + +- **Overlap existing and new cloud services.** For faculty and staff, consider overlapping the existing and new cloud services (having both services available) for one business cycle (end of semester or academic year) after migration. This allows you to easily recover any data that might not have migrated successfully from the existing cloud services. At a minimum, overlap the user of existing and new cloud services until the user can verify the migration. Of course, the tradeoff for using this strategy is the cost of the existing cloud services. However, depending on when license renewal occurs, the cost may be minimal. + +## Plan for Windows device deployment + + +You need to plan for Windows device deployment to help ensure that the devices are successfully installed and configured to replace the Chromebook devices. Even if the vendor that provides the devices pre-loads Windows 10 on them, you still will need to perform other tasks. + +In this section you will select a Windows device deployment strategy; plan for Active Directory Domain Services (AD DS) and Azure AD services; plan for device, user, and app management; and plan for any necessary network infrastructure remediation. + +### + +**Select a Windows device deployment strategy** + +What decisions need to be made about Windows device deployment? You just put the device on a desk, hook up power, connect to Wi-Fi, and then let the users operate the device, right? That is essentially correct, but depending on the extent of your deployment and other factors, you need to consider different deployment strategies. + +For each classroom that has Chromebook devices, select a combination of the following device deployment strategies: + +- **Deploy one classroom at a time.** In most cases you will want to perform your deployment in batches of devices and a classroom is an excellent way to batch devices. You can treat each classroom as a unit and check each classroom off your list after you have deployed the devices. + +- **Deploy based on curriculum.** Deploy the Windows devices after you have confirmed that the curriculum is ready for the Windows devices. If you deploy Windows devices without the curriculum installed and tested, you could significantly reduce the ability for students and teachers to perform effectively in the classroom. Also, deployment based on curriculum has the advantage of letting you move from classroom to classroom quickly if multiple classrooms use the same curriculum. + +- **Deploy side-by-side.** In some instances you may need to have both the Chromebook and Windows devices in one or more classrooms. You can use this strategy if some of the curriculum only works on Chromebook and other parts of the curriculum works on Windows devices. This is a good method to help prevent delays in Windows device deployment, while ensuring that students and teachers can make optimal use of technology in their curriculum. + +- **Deploy after apps and cloud services migration.** If you deploy a Windows device without the necessary apps and cloud services to support the curriculum, this provides only a portion of your complete solution. Ensure that the apps and cloud services are tested, provisioned, and ready for use prior to the deployment of Windows devices. + +- **Deploy after the migration of user and device settings.** Ensure that you have identified the user and device settings that you plan to migrate and that those settings are ready to be applied to the new Windows devices. For example, you would want to create Group Policy Objects (GPOs) to apply the user and device settings to Windows devices. + + If you ensure that Windows devices closely mirror the Chromebook device configuration, you will ease user learning curve and create a sense of familiarity. Also, when you have the settings ready to be applied to the devices, it helps ensure you will deploy your new Windows devices in a secure configuration. + +Record the combination of Windows device deployment strategies that you selected. + +### + +**Plan for AD DS and Azure AD services** + +The next decision you will need to make concerns AD DS and Azure AD services. You can run AD DS on-premises, in the cloud by using Azure AD, or a combination of both (hybrid). The decision about which of these options is best is closely tied to how you will manage your users, apps, and devices and if you will use Office 365 and other Azure-based cloud services. + +In the hybrid configuration, your on-premises AD DS user and group objects are synchronized with Azure AD (including passwords). The synchronization happens both directions so that changes are made in both your on-premises AD DS and Azure AD. + +Table 5 is a decision matrix that helps you decide if you can use only on-premises AD DS, only Azure AD, or a combination of both (hybrid). If the requirements you select from the table require on-premises AD DS and Azure AD, then you should select hybrid. For example, if you plan to use Office 365 and use Group Policy for management, then you would select hybrid. However, if you plan to use Office 365 and use Intune for management, then you would select only Azure AD. + +Table 5. Select on-premises AD DS, Azure AD, or hybrid + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
If you plan to...On-premises AD DSAzure ADHybrid
Use Office 365XX
Use Intune for managementXX
Use System Center 2012 R2 Configuration Manager for managementXX
Use Group Policy for managementXX
Have devices that are domain-joinedXX
Allow faculty and students to Bring Your Own Device (BYOD) which are not domain-joinedXX
+ +  + +### + +**Plan device, user, and app management** + +You may ask the question, “Why plan for device, user, and app management before you deploy the device?” The answer is that you will only deploy the device once, but you will manage the device throughout the remainder of the device's lifecycle. + +Also, planning management before deployment is essential to being ready to support the devices as you deploy them. You want to have your management processes and technology in place when the first teachers, facility, or students start using their new Windows device. + +Table 6 is a decision matrix that lists the device, user, and app management products and technologies and the features supported by each product or technology. The primary device, user, and app management products and technologies include Group Policy, System Center Configuration Manager, Intune, and the Microsoft Deployment Toolkit (MDT). Use this decision matrix to help you select the right combination of products and technologies for your plan. + +Table 6. Device, user, and app management products and technologies + + +++++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Desired featureWindows provisioning packagesGroup PolicyConfiguration ManagerIntuneMDTWindows Software Update Services
Deploy operating system imagesXXX
Deploy apps during operating system deploymentXXX
Deploy apps after operating system deploymentXXX
Deploy software updates during operating system deploymentXX
Deploy software updates after operating system deploymentXXXXX
Support devices that are domain-joinedXXXXX
Support devices that are not domain-joinedXXX
Use on-premises resourcesXXXX
Use cloud-based servicesX
+ +  + +You can use Configuration Manager and Intune in conjunction with each other to provide features from both products and technologies. In some instances you may need only one of these products or technologies. In other instances, you may need two or more to meet the device, user, and app management needs for your institution. + +Record the device, user, and app management products and technologies that you selected. + +### + +**Plan network infrastructure remediation** + +In addition to AD DS, Azure AD, and management components, there are other network infrastructure services that Windows devices need. In most instances, Windows devices have the same network infrastructure requirements as the existing Chromebook devices. + +Examine each of the following network infrastructure technologies and services and determine if any remediation is necessary: + +- **Domain Name System (DNS)** provides translation between a device name and its associated IP address. For Chromebook devices, public facing, Internet DNS services are the most important. For Windows devices that only access the Internet, they have the same requirements. + + However, if you intend to communicate between Windows devices (peer-to-peer or client/server) then you will need local DNS services. Windows devices will register their name and IP address with the local DNS services so that Windows devices can locate each other. + +- **Dynamic Host Configuration Protocol (DHCP)** provides automatic IP configuration for devices. Your existing Chromebook devices probably use DHCP for configuration. If you plan to immediately replace the Chromebook devices with Windows devices, then you only need to release all the DHCP reservations for the Chromebook devices prior to the deployment of Windows devices. + + If you plan to run Chromebook and Windows devices side-by-side, then you need to ensure that your DHCP service has adequate IP addresses available for both sets of devices. + +- **Wi-Fi.** Chromebook devices are designed to connect to Wi-Fi networks. Windows devices are the same. Your existing Wi-Fi network for the Chromebook devices should be adequate for the same number of Windows devices. + + If you plan to significantly increase the number of Windows devices or you plan to run Chromebook and Windows devices side-by-side, then you need to ensure that Wi-Fi network can support the number of devices. + +- **Internet bandwidth.** Chromebook devices consume more Internet bandwidth (up to 700 times more) than Windows devices. This means that if your existing Internet bandwidth is adequate for the Chromebook devices, then the bandwidth will be more than adequate for Windows devices. + + However, if you plan to significantly increase the number of Windows devices or you plan to run Chromebook and Windows devices side-by-side, then you need to ensure that your Internet connection can support the number of devices. + + For more information that compares Internet bandwidth consumption for Chromebook and Windows devices, see the following resources: + + - [Chromebook vs. Windows Notebook Network Traffic Analysis](http://go.microsoft.com/fwlink/p/?LinkId=690255) + + - [Hidden Cost of Chromebook Deployments](http://go.microsoft.com/fwlink/p/?LinkId=690256) + + - [Microsoft Windows 8.1 Notebook vs. Chromebooks for Education](http://go.microsoft.com/fwlink/p/?LinkId=690257) + +- **Power.** Although not specifically a network infrastructure, you need to ensure your classrooms have adequate power. Chromebook and Windows devices should consume similar amounts of power. This means that your existing power outlets should support the same number of Windows devices. + + If you plan to significantly increase the number of Windows devices or you plan to run Chromebook and Windows devices side-by-side, you need to ensure that the power outlets, power strips, and other power management components can support the number of devices. + +At the end of this process, you may determine that no network infrastructure remediation is necessary. If so, you can skip the [Perform network infrastructure remediation](#network-infra-remediation) section of this guide. + +## Perform Chromebook migration + + +Thus far, planning has been the primary focus. Believe it or not most of the work is now done. The rest of the Chromebook migration is just the implementation of the plan you have created. + +In this section you will perform the necessary steps for the Chromebook device migration. You will perform the migration based on the planning decision that you made in the [Plan Chromebook migration](#plan-migration) section earlier in this guide. + +You must perform some of the steps in this section in a specific sequence. Each section has guidance about when to perform a step. You can perform other steps before, during, or after the migration. Again, each section will tell you if the sequence is important. + +## Perform network infrastructure remediation + + +The first migration task is to perform any network infrastructure remediation. In the [Plan network infrastructure remediation](#plan-network-infra-remediation) section, you determined the network infrastructure remediation (if any) that you needed to perform. + +It is important that you perform any network infrastructure remediation first because the remaining migration steps are dependent on the network infrastructure. Table 7 lists the Microsoft network infrastructure products and technologies and deployment resources for each. + +Table 7. Network infrastructure products and technologies and deployment resources + + ++++ + + + + + + + + + + + + + + + + +
Product or technologyResources
DHCP
    +

  • [Core Network Guide](http://go.microsoft.com/fwlink/p/?LinkId=733920)

    • +

  • [DHCP Deployment Guide](http://go.microsoft.com/fwlink/p/?LinkId=734021)

    • +
DNS
    +

  • [Core Network Guide](http://go.microsoft.com/fwlink/p/?LinkId=733920)

    • +

  • [Deploying Domain Name System (DNS)](http://go.microsoft.com/fwlink/p/?LinkId=734022)

    • +
+ +  + +If you use network infrastructure products and technologies from other vendors, refer to the vendor documentation on how to perform the necessary remediation. If you determined that no remediation is necessary, you can skip this section. + +## Perform AD DS and Azure AD services deployment or remediation + + +It is important that you perform AD DS and Azure AD services deployment or remediation right after you finish network infrastructure remediation. Many of the remaining migration steps are dependent on you having your identity system (AD DS or Azure AD) in place and up to necessary expectations. + +In the [Plan for Active Directory services](#plan-adservices) section, you determined the AD DS and/or Azure AD deployment or remediation (if any) that needed to be performed. Table 8 list AD DS, Azure AD, and the deployment resources for both. Use the resources in this table to deploy or remediate on-premises AD DS, Azure AD, or both. + +Table 8. AD DS, Azure AD and deployment resources + + ++++ + + + + + + + + + + + + + + + + +
Product or technologyResources
AD DS
    +

  • [Core Network Guide](http://go.microsoft.com/fwlink/p/?LinkId=733920)

    • +

  • [Active Directory Domain Services Overview](http://go.microsoft.com/fwlink/p/?LinkId=733909)

    • +
Azure AD
    +

  • [Azure Active Directory documentation](http://go.microsoft.com/fwlink/p/?LinkId=690258)

    • +

  • [Manage and support Azure Active Directory Premium](http://go.microsoft.com/fwlink/p/?LinkId=690259)

    • +

  • [Guidelines for Deploying Windows Server Active Directory on Azure Virtual Machines](http://go.microsoft.com/fwlink/p/?LinkId=690260)

    • +
+ +  + +If you decided not to migrate to AD DS or Azure AD as a part of the migration, or if you determined that no remediation is necessary, you can skip this section. If you use identity products and technologies from another vendor, refer to the vendor documentation on how to perform the necessary steps. + +## Prepare device, user, and app management systems + + +In the [Plan device, user, and app management](#plan-userdevapp-manage) section of this guide, you selected the products and technologies that you will use to manage devices, users, and apps on Windows devices. You need to prepare your management systems prior to Windows 10 device deployment. You will use these management systems to manage the user and device settings that you selected to migrate in the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section. You need to prepare these systems prior to the migration of user and device settings. + +Table 9 lists the Microsoft management systems and the deployment resources for each. Use the resources in this table to prepare (deploy or remediate) these management systems. + +Table 9. Management systems and deployment resources + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Management systemResources
Windows provisioning packages
    +

  • [Build and apply a provisioning package](http://go.microsoft.com/fwlink/p/?LinkId=733918)

    • +

  • [Windows Imaging and Configuration Designer](http://go.microsoft.com/fwlink/p/?LinkId=733911)

    • +

  • [Step-By-Step: Building Windows 10 Provisioning Packages](http://go.microsoft.com/fwlink/p/?LinkId=690261)

    • +
Group Policy
    +

  • [Core Network Companion Guide: Group Policy Deployment](http://go.microsoft.com/fwlink/p/?LinkId=733915)

    • +

  • [Deploying Group Policy](http://go.microsoft.com/fwlink/p/?LinkId=734024)

    • +
Configuration Manager
    +

  • [Site Administration for System Center 2012 Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=733914)

    • +

  • [Deploying Clients for System Center 2012 Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=733919)

    • +
Intune
    +

  • [Set up and manage devices with Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkId=690262)

    • +

  • [Smoother Management Of Office 365 Deployments with Windows Intune](http://go.microsoft.com/fwlink/p/?LinkId=690263)

    • +

  • [System Center 2012 R2 Configuration Manager & Windows Intune](http://go.microsoft.com/fwlink/p/?LinkId=690264)

    • +
MDT
    +

  • [MDT documentation in the Microsoft Deployment Toolkit (MDT) 2013](http://go.microsoft.com/fwlink/p/?LinkId=690324)

    • +

  • [Step-By-Step: Installing Windows 8.1 From A USB Key](http://go.microsoft.com/fwlink/p/?LinkId=690265)

    • +
+ +  + +If you determined that no new management system or no remediation of existing systems is necessary, you can skip this section. If you use a management system from another vendor, refer to the vendor documentation on how to perform the necessary steps. + +## Perform app migration or replacement + + +In the [Plan for app migration or replacement](#plan-app-migrate-replace) section, you identified the apps currently in use on Chromebook devices and selected the Windows apps that will replace the Chromebook apps. You also performed app compatibility testing for web apps to ensure that web apps on the Chromebook devices would run on Microsoft Edge and Internet Explorer. + +In this step, you need to configure your management system to deploy the apps to the appropriate Windows users and devices. Table 10 lists the Microsoft management systems and the app deployment resources for each. Use the resources in this table to configure these management systems to deploy the apps that you selected in the [Plan for app migration or replacement](#plan-app-migrate-replace) section of this guide. + +Table 10. Management systems and app deployment resources + + ++++ + + + + + + + + + + + + + + + + + + + + +
Management systemResources
Group Policy
    +

  • [Editing an AppLocker Policy](http://go.microsoft.com/fwlink/p/?LinkId=734025)

    • +

  • [Group Policy Software Deployment Background](http://go.microsoft.com/fwlink/p/?LinkId=734026)

    • +

  • [Assigning and Publishing Software](http://go.microsoft.com/fwlink/p/?LinkId=734027)

    • +
Configuration Manager
    +

  • [How to Deploy Applications in Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=733917)

    • +

  • [Application Management in Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=733907)

    • +
Intune
    +

  • [Deploy apps to mobile devices in Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkId=733913)

    • +

  • [Manage apps with Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkId=733910)

    • +
+ +  + +If you determined that no deployment of apps is necessary, you can skip this section. If you use a management system from another vendor, refer to the vendor documentation on how to perform the necessary steps. + +## Perform migration of user and device settings + + +In the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section, you determined the user and device settings that you want to migrate. You selected settings that are configured in the Google Admin Console and locally on the Chromebook device. + +Perform the user and device setting migration by using the following steps: + +1. From the list of institution-wide settings that you created in the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section, configure as many as possible in your management system (such as Group Policy, Configuration Manager, or Intune). + +2. From the list of device-specific settings that you created in the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section, configure device-specific setting for higher priority settings. + +3. From the list of user-specific settings that you created in the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section, configure user-specific setting for higher priority settings. + +4. Verify that all higher-priority user and device settings have been configured in your management system. + +If you do no want to migrate any user or device settings from the Chromebook devices to the Windows devices, you can skip this section. + +## Perform email migration + + +In the [Plan for email migration](#plan-email-migrate) section, you identified the user mailboxes to migrate, identified the companion devices that access Google Apps Gmail, and identified the optimal timing for migration. You can perform this migration before or after you deploy the Windows devices. + +Office 365 supports automated migration from Google Apps Gmail to Office 365. For more information on how to automate the migration from Google Apps Gmail to Office 365, see [Migrate Google Apps mailboxes to Office 365](http://go.microsoft.com/fwlink/p/?LinkId=690252). + +Alternatively, if you want to migrate to Office 365 from: + +- **On-premises Microsoft Exchange Server.** Use the following resources to migrate to Office 365 from an on-premises Microsoft Exchange Server: + + - [Cutover Exchange Migration and Single Sign-On](http://go.microsoft.com/fwlink/p/?LinkId=690266) + + - [Step-By-Step: Migration of Exchange 2003 Server to Office 365](http://go.microsoft.com/fwlink/p/?LinkId=690267) + + - [Step-By-Step: Migrating from Exchange 2007 to Office 365](http://go.microsoft.com/fwlink/p/?LinkId=690268) + +- **Another on-premises or cloud-based email service.** Follow the guidance from that vendor. + +## Perform cloud storage migration + + +In the [Plan for cloud storage migration](#plan-cloud-storage-migration) section, you identified the cloud storage services currently in use, selected the Microsoft cloud storage services that you will use, and optimized your cloud storage services migration plan. You can perform the cloud storage migration before or after you deploy the Windows devices. + +Manually migrate the cloud storage migration by using the following steps: + +1. Install both Google Drive app and OneDrive for Business or OneDrive app on a device. + +2. Sign in as the user in the Google Drive app. + +3. Sign in as the user in the OneDrive for Business or OneDrive app. + +4. Copy the data from the Google Drive storage to the OneDrive for Business or OneDrive storage. + +5. Optionally uninstall the Google Drive app. + +There are also a number of software vendors who provide software that helps automate the migration from Google Drive to OneDrive for Business, Office 365 SharePoint, or OneDrive. For more information about these automated migration tools, contact the vendors. + +## Perform cloud services migration + + +In the [Plan for cloud services migration](#plan-cloud-services)section, you identified the cloud services currently in use, selected the cloud services that you want to migrate, prioritized the cloud services to migrate, and then selected the cloud services migration strategy. You can perform the cloud services migration before or after you deploy the Windows devices. + +Migrate the cloud services that you currently use to the Microsoft cloud services that you selected. For example, you could migrate from a collaboration website to Office 365 SharePoint. Perform the cloud services migration based on the existing cloud services and the Microsoft cloud services that you selected. + +There are also a number of software vendors who provide software that helps automate the migration from other cloud services to Microsoft cloud services. For more information about these automated migration tools, contact the vendors. + +## Perform Windows device deployment + + +In the [Select a Windows device deployment strategy](#select-windows-device-deploy) section, you selected how you wanted to deploy Windows 10 devices. The other migration task that you designed in the [Plan for Windows device deployment](#plan-windevice-deploy) section have already been performed. Now it's time to deploy the actual devices. + +For example, if you selected to deploy Windows devices by each classroom, start with the first classroom and then proceed through all of the classrooms until you’ve deployed all Windows devices. + +In some instances, you may receive the devices with Windows 10 already deployed, and want to use provisioning packages. In other cases, you may have a custom Windows 10 image that you want to deploy to the devices by using Configuration Manager and/or MDT. For information on how to deploy Windows 10 images to the devices, see the following resources: + +- [Windows Imaging and Configuration Designer](http://go.microsoft.com/fwlink/p/?LinkId=733911) + +- [Build and apply a provisioning package](http://go.microsoft.com/fwlink/p/?LinkId=733918) + +- [MDT documentation in the Microsoft Deployment Toolkit (MDT) 2013](http://go.microsoft.com/fwlink/p/?LinkId=690324) + +- [Step-By-Step: Installing Windows 8.1 From A USB Key](http://go.microsoft.com/fwlink/p/?LinkId=690265) + +- [Operating System Deployment in Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=733916) + +In addition to the Windows 10 image deployment, you may need to perform the following tasks as a part of device deployment: + +- Enroll the device with your management system. + +- Ensure that Windows Defender is enabled and configured to receive updates. + +- Ensure that Windows Update is enabled and configured to receive updates. + +- Deploy any apps that you want the user to immediately be able to access when they start the device (such as Word 2016 or Excel 2016). + +After you complete these steps, your management system should take over the day-to-day maintenance tasks for the Windows 10 devices. Verify that the user and device settings migrated correctly as you deploy each batch of Windows 10 devices. Continue this process until you deploy all Windows 10 devices. + +## Related topics + + +[Try it out: Windows 10 deployment (for education)](http://go.microsoft.com/fwlink/p/?LinkId=623254) + +[Try it out: Windows 10 in the classroom](http://go.microsoft.com/fwlink/p/?LinkId=623255) + +  + +  + + + + + diff --git a/education/windows/deploy-windows-10-in-a-school.md b/education/windows/deploy-windows-10-in-a-school.md new file mode 100644 index 0000000000..2c9039447a --- /dev/null +++ b/education/windows/deploy-windows-10-in-a-school.md @@ -0,0 +1,1264 @@ +--- +title: Deploy Windows 10 in a school (Windows 10) +description: Learn how to integrate your school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD). Deploy Windows 10 and apps to new devices or upgrade existing devices to Windows 10. Manage faculty, students, and devices by using Microsoft Intune and Group Policy. +keywords: configure, tools, device, school +ms.prod: w10 +ms.mktglfcycl: plan +ms.pgtyp: edu +ms.sitesec: library +author: craigash +--- + +# Deploy Windows 10 in a school + + +**Applies to** + +- Windows 10 + +This guide shows you how to deploy the Windows 10 operating system in a school environment. You learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. This guide also describes how to use Microsoft Intune and Group Policy to manage devices. Finally, the guide discusses common, ongoing maintenance tasks that you will perform after initial deployment as well as the automated tools and built-in features of the operating system. + +## Prepare for school deployment + +Proper preparation is essential for a successful school deployment. To avoid common mistakes, your first step is to plan a typical school configuration. Just as with building a house, you need a blueprint for what your school should look like when it’s finished. The second step in preparation is to learn how you will configure your school. Just as a builder needs to have the right tools to build a house, you need the right set of tools to deploy your school. + +### Plan a typical school configuration + +As part of preparing for your school deployment, you need to plan your configuration—the focus of this guide. Figure 1 illustrates a typical finished school configuration that you can use as a model (the blueprint in our builder analogy) for the finished state. + +![fig 1](images/deploy-win-10-school-figure1.png) + +*Figure 1. Typical school configuration for this guide* + +Figure 2 shows the classroom configuration this guide uses. + +![fig 2](images/deploy-win-10-school-figure2.png) + +*Figure 2. Typical classroom configuration in a school* + +This school configuration has the following characteristics: +- It contains one or more admin devices. +- It contains two or more classrooms. +- Each classroom contains one teacher device. +- The classrooms connect to each other through multiple subnets. +- All devices in each classroom connect to a single subnet. +- All devices have high-speed, persistent connections to each other and to the Internet. +- All teachers and students have access to Windows Store or Windows Store for Business. +- All devices receive software updates from Intune (or another device management system). +- You install a 64-bit version of Windows 10 on the admin device. +- You install the Windows Assessment and Deployment Kit (Windows ADK) on the admin device. +- You install the Windows Assessment and Deployment Kit (Windows ADK) on the admin device. +- You install the 64-bit version of the Microsoft Deployment Toolkit (MDT) 2013 Update 2 on the admin device. + + **Note**  In this guide, all references to MDT refer to the 64-bit version of MDT 2013 Update 2. +- The devices use Azure AD in Office 365 Education for identity management. +- If you have on-premises AD DS, you can [integrate Azure AD with on-premises AD DS](http://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/). +- Use [Intune](http://technet.microsoft.com/library/jj676587.aspx), [compliance settings in Office 365](https://support.office.com/en-us/article/Manage-mobile-devices-in-Office-365-dd892318-bc44-4eb1-af00-9db5430be3cd?ui=en-US&rs=en-US&ad=US), or [Group Policy](http://technet.microsoft.com/en-us/library/cc725828%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396) in AD DS to manage devices. +- Each device supports a one-student-per-device or multiple-students-per-device scenario. +- The devices can be a mixture of different make, model, and processor architecture (32 bit or 64 bit) or be identical. +- To initiate Windows 10 deployment, use a USB flash drive, DVD-ROM or CD-ROM, or Pre-Boot Execution Environment Boot (PXE Boot). +- The devices can be a mixture of different Windows 10 editions, such as Windows 10 Home, Windows 10 Pro, and Windows 10 Education. + +Office 365 Education allows: + +- Students and faculty to use Microsoft Office Online to create and edit Microsoft Word, OneNote, PowerPoint, and Excel documents in a browser. +- Teachers to use the [OneNote Class Notebook app](https://www.onenote.com/classnotebook) to share content and collaborate with students. +- Faculty to use the [OneNote Staff Notebooks app](https://www.onenote.com/staffnotebookedu) to collaborate with other teachers, administration, and faculty. +- Teachers to employ Sway to create interactive educational digital storytelling. +- Students and faculty to use email and calendars, with mailboxes up to 50 GB per user. +- Faculty to use advanced email features like email archiving and legal hold capabilities. +- Faculty to help prevent unauthorized users from accessing documents and email by using Azure Rights Management. +- Faculty to use advanced compliance tools on the unified eDiscovery pages in the Office 365 Compliance Center. +- Faculty to host online classes, parent–teacher conferences, and other collaboration in Skype for Business or Skype. +- Students and faculty to access up to 1 TB of personal cloud storage that users inside and outside the educational institution can share through OneDrive for Business. +- Teachers to provide collaboration in the classroom through Microsoft SharePoint Online team sites. +- Students and faculty to use Office 365 Video to manage videos. +- Students and faculty to use Yammer to collaborate through private social networking. +- Students and faculty to access classroom resources from anywhere on any device (including Windows 10 Mobile, iOS, and Android devices). + +For more information about Office 365 Education features and a FAQ, go to [Office 365 Education](https://products.office.com/en-us/academic). + +## How to configure a school + +Now that you have the plan (blueprint) for your classroom, you’re ready to learn about the tools you will use to deploy it. There are many tools you could use to accomplish the task, but this guide focuses on using those tools that require the least infrastructure and technical knowledge. + +The primary tool you will use to deploy Windows 10 in your school is MDT, which uses Windows ADK components to make deployment easier. You could just use the Windows ADK to perform your deployment, but MDT simplifies the process by providing an intuitive, wizard-driven user interface (UI). + +You can use MDT as a stand-alone tool or integrate it with Microsoft System Center Configuration Manager. As a stand-alone tool, MDT performs Lite Touch Installation (LTI) deployments—deployments that require minimal infrastructure and allow you to control the level of automation. When integrated with System Center Configuration Manager, MDT performs Zero Touch Installation (ZTI) deployments, which require more infrastructure (such as System Center Configuration Manager) but result in fully automated deployments. + +MDT includes the Deployment Workbench—a console from which you can manage the deployment of Windows 10 and your apps. You configure the deployment process in the Deployment Workbench, including the management of operating systems, device drivers, apps and migration of user settings on existing devices. + +LTI performs deployment from a *deployment share*—a network-shared folder on the device where you installed MDT. You can perform over-the-network deployments from the deployment share or perform deployments from a local copy of the deployment share on a USB drive or DVD. You will learn more about MDT in the [Prepare the admin device](#prepare-the-admin-device) section. + +The focus of MDT is deployment, so you also need tools that help you manage your Windows 10 devices and apps. You can manage Windows 10 devices and apps with Intune, the Compliance Management feature in Office 365, or Group Policy in AD DS. You can use any combination of these tools based on your school requirements. + +The configuration process requires the following devices: + +- **Admin device.** This is the device you use for your day-to-day job functions. It’s also the one you use to create and manage the Windows 10 and app deployment process. You install the Windows ADK and MDT on this device. +- **Faculty devices.** These are the devices that the teachers and other faculty use for their day-to-day job functions. You use the admin device to deploy (or upgrade) Windows 10 and apps to these devices. +- **Student devices.** The students will use these devices. You will use the admin device deploy (or upgrade) Windows 10 and apps to them. + +The high-level process for deploying and configuring devices within individual classrooms and the school as a whole is as follows and illustrated in Figure 3: + +1. Prepare the admin device for use, which includes installing the Windows ADK and MDT. +2. On the admin device, create and configure the Office 365 Education subscription that you will use for each classroom in the school. +3. On the admin device, configure integration between on-premises AD DS and Azure AD (if you have an on premises AD DS configuration). +4. On the admin device, create and configure a Windows Store for Business portal. +5. On the admin device, prepare for management of the Windows 10 devices after deployment. +6. On the student and faculty devices, deploy Windows 10 to new or existing devices, or upgrade eligible devices to Windows 10. +7. On the admin device, manage the Windows 10 devices and apps, the Office 365 subscription, and the AD DS and Azure AD integration. + +![fig 3](images/deploy-win-10-school-figure3.png) + +*Figure 3. How school configuration works* + +Each of the steps illustrated in Figure 3 directly correspond to the remaining high-level sections in this guide. + +### Summary + +In this section, you looked at the final configuration of your individual classrooms and the school as a whole upon completion of this guide. You also learned the high-level steps you need to perform to deploy the faculty and student devices in your school. + +## Prepare the admin device + +Now, you’re ready to prepare the admin device for use in the school. This process includes installing the Windows ADK, installing the MDT, and creating the MDT deployment share. + +### Install the Windows ADK + +The first step in preparing the admin device is to install the Windows ADK. The Windows ADK contains the deployment tools that MDT uses, including the Windows Preinstallation Environment (Windows PE), the Windows User State Migration Tool (USMT), and Deployment Image Servicing and Management. + +When you install the Windows ADK on the admin device, select the following features: + +- Deployment tools +- Windows Preinstallation Environment (Windows PE) +- User State Migration Tool (USMT) + +For more information about installing the Windows ADK, see [Step 2-2: Install the Windows ADK](http://technet.microsoft.com/en-us/library/dn781086.aspx?f=255&MSPPError=-2147217396#InstallWindowsADK). + +### Install MDT + +Next, install MDT. MDT uses the Windows ADK to help you manage and perform Windows 10 and app deployment and is a free tool available directly from Microsoft. + +You can use MDT to deploy 32-bit or 64-bit versions of Windows 10. Install the 64-bit version of MDT to support deployment of 32-bit and 64-bit operating systems. + +**Note**  If you install the 32-bit version of MDT, you can install only 32-bit versions of Windows 10. Ensure that you download and install the 64-bit version of MDT so that you can install 64-bit and 32 bit versions of the operating system. + +For more information about installing MDT on the admin device, see [Installing a New Instance of MDT](https://technet.microsoft.com/en-us/library/dn759415.aspx#InstallingaNewInstanceofMDT). + +Now, you’re ready to create the MDT deployment share and populate it with the operating system, apps, and device drivers you want to deploy to your devices. + +### Create a deployment share + +MDT includes the Deployment Workbench, a graphical user interface that you can use to manage MDT deployment shares. A deployment share is a shared folder that contains all the MDT deployment content. The LTI Deployment Wizard accesses the deployment content over the network or from a local copy of the deployment share (known as MDT deployment media). + +For more information about how to create a deployment share, see [Step 3-1: Create an MDT Deployment Share](http://technet.microsoft.com/en-us/library/dn781086.aspx?f=255&MSPPError=-2147217396#CreateMDTDeployShare). + +### Summary + +In this section, you installed the Windows ADK and MDT on the admin device. You also created the MDT deployment share that you will configure and use later in the LTI deployment process. + +## Create and configure Office 365 + +Office 365 is one of the core components of your classroom environment. You create and manage student identities in Office 365, and students and teachers use the suite as their email, contacts, and calendar system. Teachers and students use Office 365 collaboration features such as SharePoint, OneNote, and OneDrive for Business. + +As a first step in deploying your classroom, create an Office 365 Education subscription, and then configure Office 365 for the classroom. For more information about Office 365 Education deployment, see [School deployment of Office 365 Education](http://www.microsoft.com/en-us/education/products/office-365-deployment-resources/default.aspx). + +### Select the appropriate Office 365 Education license plan + +Complete the following steps to select the appropriate Office 365 Education license plan for your school: + +
    +
  1. Determine the number of faculty members and students who will use the classroom.
    Office 365 Education licensing plans are available specifically for faculty and students. You must assign faculty and students the correct licensing plan. +
    2. +
  2. Determine the faculty members and students who need to install Office applications on devices (if any). Faculty and students can use Office applications online (standard plans) or run them locally (Office 365 ProPlus plans). Table 1 lists the advantages and disadvantages of standard and Office 365 ProPlus plans.
    3. +
    +*Table 1. Comparison of standard and Microsoft Office 365 ProPlus plans* +
    + +++++ + + + + + + + + + + + + +
    PlanAdvantagesDisadvantages
    Standard
    • Less expensive than Office 365 ProPlus
    • Can be run from any device
    • No installation necessary
    • Must have an Internet connection to use it
    • Does not support all the features found in Office 365 ProPlus
    Office ProPlus
    • Only requires an Internet connection every 30 days (for activation)
    • Supports full set of Office features
    • Requires installation
    • Can be installed on only five devices per user (there is no limit to the number of devices on which you can run Office apps online)
    +
    +The best user experience is to run Office 365 ProPlus or use native Office apps on mobile devices. If neither of these options is available, use Office applications online. In addition, all Office 365 plans provide a better user experience by storing documents in OneDrive for Business, which is included in all Office 365 plans. OneDrive for Business keeps content in sync among devices and helps ensure that users always have access to their documents on any device. +
    +
  3. Determine whether students or faculty need Azure Rights Management.
    You can use Azure Rights Management to protect classroom information against unauthorized access. Azure Rights Management protects your information inside or outside the classroom through encryption, identity, and authorization policies, securing your files and email. You can retain control of the information, even when it’s shared with people outside the classroom or your educational institution. Azure Rights Management is free to use with all Office 365 Education license plans. For more information, see [Azure Rights Management](https://technet.microsoft.com/library/jj585024.aspx).
    4. +
  4. Record the Office 365 Education license plans needed for the classroom in Table 2.

    + +*Table 2. Office 365 Education license plans needed for the classroom* +
    + ++++ + + + + + + + + + + + + +
    QuantityPlan
    Office 365 Education for students
    Office 365 Education for faculty
    Azure Rights Management for students
    Azure Rights Management for faculty
    +
    +You will use the Office 365 Education license plan information you record in Table 2 in the [Create user accounts in Office 365](#create-user-accounts-in-office-365) section of this guide.
+ +### Create a new Office 365 Education subscription + +To create a new Office 365 Education subscription for use in the classroom, use your educational institution’s email account. There are no costs to you or to students for signing up for Office 365 Education subscriptions. + +**Note**  If you already have an Office 365 Education subscription, you can use that subscription and continue to the next section, [Add domains and subdomains](#add-domains-and-subdomains). + +#### To create a new Office 365 subscription + +1. In Microsoft Edge or Internet Explorer, type `https://portal.office.com/start?sku=faculty` in the address bar. + + **Note**  If you have already used your current sign-in account to create a new Office 365 subscription, you will be prompted to sign in. If you want to create a new Office 365 subscription, start an In-Private Window in one of the following: + - Microsoft Edge by opening the Microsoft Edge app, either pressing Ctrl+Shift+P or clicking or tapping **More actions**, and then clicking or tapping **New InPrivate window**. + - Internet Explorer 11 by opening Internet Explorer 11, either pressing Ctrl+Shift+P or clicking or tapping **Settings**, clicking or tapping **Safety**, and then clicking or tapping **InPrivate Browsing**. + +2. On the **Get started** page, type your school email address in the **Enter your school email address** box, and then click **Sign up**. You will receive an email in your school email account. +3. Click the hyperlink in the email in your school email account. +4. On the **One last thing** page, complete your user information, and then click **Start**. The wizard creates your new Office 365 Education subscription, and you are automatically signed in as the administrative user you specified when you created the subscription. + +### Add domains and subdomains + +Now that you have created your new Office 365 Education subscription, add the domains and subdomains that your institution uses. For example, if your institution has contoso.edu as the primary domain name but you have subdomains for students or faculty (such as students.contoso.edu and faculty.contoso.edu), then you need to add the subdomains. + +#### To add additional domains and subdomains + +1. In the Office 365 admin center, in the list view, click **DOMAINS**. +2. In the details pane, above the list of domains, on the menu bar, click **Add domain**. +3. In the Add a New Domain in Office 365 Wizard, on the **Verify domain wizard** page, click **Let’s get started**. +4. On the **Verify domain** wizard page, in the **Enter a domain you already own** box, type your domain name, and then click **Next**. +5. Sign in to your domain name management provider (for example, Network Solutions or GoDaddy), and then complete the steps for your provider. +6. Repeat these steps for each domain and subdomain you want faculty and students to use for your institution. + +### Configure automatic tenant join + +To make it easier for faculty and students to join your Office 365 Education subscription (or *tenant*), allow them to automatically sign up to your tenant (*automatic tenant join*). In automatic tenant join, when a faculty member or student signs up for Office 365, Office 365 automatically adds (joins) the user to your Office 365 tenant. + +**Note**  By default, automatic tenant join is enabled in Office 365 Education, with the exception of certain areas in Europe, the Middle East, and Africa. These countries require opt-in steps to add new users to existing Office 365 tenants. Check your country requirements to determine the automatic tenant join default configuration. Also, if you use Azure AD Connect, then automatic tenant join is disabled. + +Office 365 uses the domain portion of the user’s email address to know which Office 365 tenant to join. For example, if a faculty member or student provides an email address of user@contoso.edu, then Office 365 automatically performs one of the following tasks: + +- If an Office 365 tenant with that domain name (contoso.edu) exists, Office 365 automatically adds the user to that tenant. +- If an Office 365 tenant with that domain name (contoso.edu) does not exists, Office 365 automatically creates a new Office 365 tenant with that domain name and adds the user to it. + +You will always want faculty and students to join the Office 365 tenant that you created. Ensure that you perform the steps in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) and [Add domains and subdomains](#add-domains-and-subdomains) sections before allowing other faculty and students to join Office 365. + +**Note**  You cannot merge multiple tenants, so any faculty or students who create their own tenant will need to abandon their existing tenant and join yours. + +All new Office 365 Education subscriptions have automatic tenant join enabled by default, but you can enable or disable automatic tenant join by using the Windows PowerShell commands in Table 3. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US#BKMK_PreventJoins). + +*Table 3. Windows PowerShell commands to enable or disable Automatic Tenant Join* + + +| Action | Windows PowerShell command | +|------- |----------------------------| +| Enable |`Set-MsolCompanySettings -AllowEmailVerifiedUsers $true`| +| Disable |`Set-MsolCompanySettings -AllowEmailVerifiedUsers $false`| +

+**Note**  If your institution has AD DS, then disable automatic tenant join. Instead, use Azure AD integration with AD DS to add users to your Office 365 tenant. + +### Disable automatic licensing + +To reduce your administrative effort, automatically assign Office 365 Education or Office 365 Education Plus licenses to faculty and students when they sign up (automatic licensing). Automatic licensing also enables Office 365 Education or Office 365 Education Plus features that do not require administrative approval. + +**Note**  By default, automatic licensing is enabled in Office 365 Education. If you want to use automatic licensing, then skip this section and go to the next section. + +Although all new Office 365 Education subscriptions have automatic licensing enabled by default, you can enable or disable it for your Office 365 tenant by using the Windows PowerShell commands in Table 4. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US#BKMK_PreventJoins). + +*Table 4. Windows PowerShell commands to enable or disable automatic licensing* + +| Action | Windows PowerShell command| +| -------| --------------------------| +| Enable |`Set-MsolCompanySettings -AllowAdHocSubscriptions $true`| +|Disable | `Set-MsolCompanySettings -AllowAdHocSubscriptions $false`| +

+### Enable Azure AD Premium + +When you create your Office 365 subscription, you create an Office 365 tenant that includes an Azure AD directory. Azure AD is the centralized repository for all your student and faculty accounts in Office 365, Intune, and other Azure AD–integrated apps. Azure AD is available in Free, Basic, and Premium editions. Azure AD Free, which is included in Office 365 Education, has fewer features than Azure AD Basic, which in turn has fewer features than Azure AD Premium. + +Educational institutions can obtain Azure AD Basic edition licenses at no cost. After you obtain your licenses, activate your Azure AD access by completing the steps in [Step 3: Activate your Azure Active Directory access](https://azure.microsoft.com/en-us/documentation/articles/active-directory-get-started-premium/#step-3-activate-your-azure-active-directory-access). + +The Azure AD Premium features that are not in Azure AD Basic include: + +- Allow designated users to manage group membership +- Dynamic group membership based on user metadata +- Multifactor authentication (MFA) +- Identify cloud apps that your users run +- Automatic enrollment in a mobile device management (MDM) system (such as Intune) +- Self-service recovery of BitLocker +- Add local administrator accounts to Windows 10 devices +- Azure AD Connect health monitoring +- Extended reporting capabilities + +You can assign Azure AD Premium licenses to the users who need these features. For example, you may want the users who have access to confidential student information to use MFA. In this example, you could assign Azure AD Premium to only those users. + +You can sign up for Azure AD Premium, and then assign licenses to users. In this section, you sign up for Azure AD Premium. You will assign Azure AD Premium licenses to users later in the deployment process. + +For more information about: + +- Azure AD editions and the features in each, see [Azure Active Directory editions](https://azure.microsoft.com/en-us/documentation/articles/active-directory-editions/). +- How to enable Azure AD premium, see [Associate an Azure AD directory with a new Azure subscription](https://msdn.microsoft.com/en-us/library/azure/jj573650.aspx#create_tenant3). + +### Summary +You provision and initially configure Office 365 Education as part of the initial configuration. With the subscription in place, automatic tenant join configured, automatic licensing established, and Azure AD Premium enabled (if required), you’re ready to select the method you will use to create user accounts in Office 365. + +## Select an Office 365 user account–creation method + + +Now that you have an Office 365 subscription, you need to determine how you will create your Office 365 user accounts. Use the following methods to create Office 365 user accounts: + +- **Method 1:** Automatically synchronize your on-premises AD DS domain with Azure AD. Select this method if you have an on-premises AD DS domain. +- **Method 2:** Bulk-import the user accounts from a .csv file (based on information from other sources) into Azure AD. Select this method if you don’t have an on-premises AD DS domain. + +### Method 1: Automatic synchronization between AD DS and Azure AD + +In this method, you have an on-premises AD DS domain. As shown in Figure 4, the Azure AD Connector tool automatically synchronizes AD DS with Azure AD. When you add or change any user accounts in AD DS, the Azure AD Connector tool automatically updates Azure AD. + +**Note**  Azure AD Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)–compliant directory by using the information provided in [Generic LDAP Connector for FIM 2010 R2 Technical Reference](https://technet.microsoft.com/en-us/library/dn510997.aspx?f=255&MSPPError=-2147217396). + +![fig 4](images/deploy-win-10-school-figure4.png) + +*Figure 4. Automatic synchronization between AD DS and Azure AD* + +For more information about how to perform this step, see the [Integrate on-premises AD DS with Azure AD](#integrate-on-premises-ad-ds-with-azure-ad) section in this guide. + +### Method 2: Bulk import into Azure AD from a .csv file + +In this method, you have no on-premises AD DS domain. As shown in Figure 5, you manually prepare a .csv file with the student information from your source, and then manually import the information directly into Azure AD. The .csv file must be in the format that Office 365 specifies. + +![fig 5](images/deploy-win-10-school-figure5.png) + +*Figure 5. Bulk import into Azure AD from other sources* + +To implement this method, perform the following steps: + +1. Export the student information from the source. Ultimately, you want to format the student information in the format the bulk-import feature requires. +2. Bulk-import the student information into Azure AD. For more information about how to perform this step, see the [Bulk-import user accounts into Office 365](#bulk-import-user-accounts-into-office-365) section. + +### Summary + +In this section, you selected the method for creating user accounts in your Office 365 subscription. Ultimately, these user accounts are in Azure AD (which is the identity management system for Office 365). Now, you’re ready to create your Office 365 accounts. + +## Integrate on-premises AD DS with Azure AD + +You can integrate your on-premises AD DS domain with Azure AD to provide identity management for your Office 365 tenant. With this integration, you can synchronize the users, security groups, and distribution lists in your AD DS domain with Azure AD with the Azure AD Connect tool. Users will be able to sign in to Office 365 automatically by using their email account and the same password they use to sign in to AD DS. + +**Note**  If your institution does not have an on-premises AD DS domain, you can skip this section. + +### Select synchronization model + +Before you deploy AD DS and Azure AD synchronization, you need to determine where you want to deploy the server that runs Azure AD Connect. + +You can deploy the Azure AD Connect tool by using one of the following methods: + +- **On premises.** As shown in Figure 6, Azure AD Connect runs on premises, which has the advantage of not requiring a virtual private network (VPN) connection to Azure. It does, however, require a virtual machine (VM) or physical server. + + ![fig 6](images/deploy-win-10-school-figure6.png) + + *Figure 6. Azure AD Connect on premises* + +- **In Azure**. As shown in Figure 7, Azure AD Connect runs on a VM in Azure AD, which has the advantages of being faster to provision (than a physical, on-premises server), offers better site availability, and helps reduce the number of on-premises servers. The disadvantage is that you need to deploy a VPN gateway on premises. + + ![fig 7](images/deploy-win-10-school-figure7.png) + + *Figure 7. Azure AD Connect in Azure* + +This guide describes how to run Azure AD Connect on premises. For information about running Azure AD Connect in Azure, see [Deploy Office 365 Directory Synchronization (DirSync) in Microsoft Azure](https://technet.microsoft.com/en-us/library/dn635310.aspx). + +### Deploy Azure AD Connect on premises + +In this synchronization model (illustrated in Figure 6), you run Azure AD Connect on premises on a physical device or VM. Azure AD Connect synchronizes AD DS user and group accounts with Azure AD. Azure AD Connect includes a wizard that helps you configure Azure AD Connect for your AD DS domain and Office 365 subscription. First, you install Azure AD Connect; then, you run the wizard to configure it for your institution. + +#### To deploy AD DS and Azure AD synchronization + +1. Configure your environment to meet the prerequisites for installing Azure AD Connect by performing the steps in [Prerequisites for Azure AD Connect](https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect-prerequisites/). +2. On the VM or physical device that will run Azure AD Connect, sign in with a domain administrator account. +3. Install Azure AD Connect by performing the steps in [Install Azure AD Connect](https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/#install-azure-ad-connect). +4. Configure Azure AD Connect features based on your institution’s requirements by performing the steps in [Configure features](https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/#configure-sync-features). + +Now that you have used on premises Azure AD Connect to deploy AD DS and Azure AD synchronization, you’re ready to verify that Azure AD Connect is synchronizing AD DS user and group accounts with Azure AD. + +### Verify synchronization + +Azure AD Connect should start synchronization immediately. Depending on the number of users in your AD DS domain, the synchronization process can take some time. To monitor the process, view the number of AD DS users and groups the tool has synchronized with Azure AD in the Office 365 admin console. + +#### To verify AD DS and Azure AD synchronization + +1. Open https://portal.office.com in your web browser. +2. Using the administrative account that you created in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) section, sign in to Office 365. +3. In the list view, expand **USERS**, and then click **Active Users**. +4. In the details pane, view the list of users. The list of users should mirror the users in AD DS. +5. In the list view, click **GROUPS**. +6. In the details pane, view the list of security groups. The list of users should mirror the security groups in AD DS. +7. In the details pane, double-click one of the security groups. +8. The list of security group members should mirror the group membership for the corresponding security group in AD DS. +9. Close the browser. + +Now that you have verified Azure AD Connect synchronization, you’re ready to assign user licenses for Azure AD Premium. + +### Summary + +In this section, you selected your synchronization model, deployed Azure AD Connect, and verified that Azure AD is synchronizing properly. + +## Bulk-import user and group accounts into AD DS + +You can bulk-import user and group accounts into your on-premises AD DS domain. Bulk-importing accounts helps reduce the time and effort needed to create users compared to creating the accounts manually in the Office 365 Admin portal. First, you select the appropriate method for bulk-importing user accounts into AD DS. Next, you create the .csv file that contains the user accounts. Finally, you use the selected method to import the .csv file into AD DS. + +**Note**  If your institution doesn’t have an on-premises AD DS domain, you can skip this section. + +### Select the bulk import method + +Several methods are available to bulk-import user accounts into AD DS domains. Table 5 lists the methods that the Windows Server operating system supports natively. In addition, you can use partner solutions to bulk-import user and group accounts into AD DS. + +*Table 5. AD DS bulk-import account methods* + +|Method | Description and reason to select this method | +|-------| ---------------------------------------------| +|Ldifde.exe |This command-line tool allows you to import and export objects (such as user accounts) from AD DS. Select this method if you aren’t comfortable with Microsoft Visual Basic Scripting Edition (VBScript), Windows PowerShell, or other scripting languages. For more information about using Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/en-us/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx).| +|VBScript | This scripting language uses the Active Directory Services Interfaces (ADSI) Component Object Model interface to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with VBScript. For more information about using VBScript and ADSI, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx) and [ADSI Scriptomatic](https://technet.microsoft.com/en-us/scriptcenter/dd939958.aspx).| +|Windows PowerShell| This scripting language natively supports cmdlets to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with Window PowerShell scripting. For more information about using Windows PowerShell, see [Import Bulk Users to Active Directory](https://blogs.technet.microsoft.com/bettertogether/2011/01/09/import-bulk-users-to-active-directory/) and [PowerShell: Bulk create AD Users from CSV file](http://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx).| +

+### Create a source file that contains the user and group accounts + +After you have selected your user and group account bulk import method, you’re ready to create the source file that contains the user and group account. You’ll use the source file as the input to the import process. The source file format depends on the method you selected. Table 6 lists the source file format for the bulk import methods. + +*Table 6. Source file format for each bulk import method* + +| Method | Source file format | +|--------| -------------------| +|Ldifde.exe|Ldifde.exe requires a specific format for the source file. Use Ldifde.exe to export existing user and group accounts so that you can see the format. For examples of the format that Ldifde.exe requires, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/en-us/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx).| +|VBScript | VBScript can use any .csv file format to create a source file for the bulk-import process. To create the .csv file, use software such as Excel. For examples of how to format your source file in comma-separated values (CSV) format, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx).| +| Windows PowerShell| Windows PowerShell can use any .csv file format you want to create as a source file for the bulk-import process. To create the .csv file, use software such as Excel. For examples of how to format your source file in CSV format, see [Import Bulk Users to Active Directory](https://blogs.technet.microsoft.com/bettertogether/2011/01/09/import-bulk-users-to-active-directory/) and [PowerShell: Bulk create AD Users from CSV file](http://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx).| +

+### Import the user accounts into AD DS + +With the bulk-import source file finished, you’re ready to import the user and group accounts into AD DS. The steps for importing the file are slightly different for each method. + +**Note**  Bulk-import your group accounts first, and then import your user accounts. Importing in this order allows you to specify group membership when you import your user accounts. + +For more information about how to import user accounts into AD DS by using: + +- Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/en-us/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx). +- VBScript, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx). +- Windows PowerShell, see [Import Bulk Users to Active Directory](https://blogs.technet.microsoft.com/bettertogether/2011/01/09/import-bulk-users-to-active-directory/) and [PowerShell: Bulk create AD Users from CSV file](http://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx). + +### Summary + +In this section, you selected the bulk-import method, created the source file that contains the user and group accounts, and imported the user and group accounts in to AD DS. If you have Azure AD Connect, it automatically synchronizes the new AD DS user and group accounts to Azure AD. Now, you’re ready to assign user licenses for Azure AD Premium in the [Assign user licenses for Azure AD Premium](#assign-user-licenses-for-azure-ad-premium) section later in this guide. + +## Bulk-import user accounts into Office 365 + +You can bulk-import user and group accounts directly into Office 365, reducing the time and effort required to create users. First, you bulk-import the user accounts into Office 365. Then, you create the security groups for your institution. Finally, you create the email distribution groups your institution requires. + +### Create user accounts in Office 365 + +Now that you have created your new Office 365 Education subscription, you need to create user accounts. You can add user accounts for the teachers, other faculty, and students who will use the classroom. + +You can use the Office 365 admin center to add individual Office 365 accounts manually—a reasonable process when you’re adding only a few users. If you have many users, however, you can automate the process by creating a list of those users, and then use that list to create user accounts (that is, bulk-add users). + +The bulk-add process assigns the same Office 365 Education license plan to all users on the list. Therefore, you must create a separate list for each license plan you recorded in Table 2. Depending on the number of faculty members who need to use the classroom, you may want to add the faculty Office 365 accounts manually; however, use the bulk-add process to add student accounts. + +For more information about how to bulk-add users to Office 365, see [Add several users at the same time to Office 365](https://support.office.com/en-us/article/Add-several-users-at-the-same-time-to-Office-365-Admin-Help-1f5767ed-e717-4f24-969c-6ea9d412ca88?ui=en-US&rs=en-US&ad=US). + +**Note**  If you encountered errors during bulk add, resolve them before you continue the bulk-add process. You can view the log file to see which users caused the errors, and then modify the .csv file to correct the problems. Click **Back** to retry the verification process. + +The email accounts are assigned temporary passwords upon creation. You must communicate these temporary passwords to your users before they can sign in to Office 365. + +### Create Office 365 security groups + +Assign SharePoint Online resource permissions to Office 365 security groups, not individual user accounts. For example, create one security group for faculty members and another for students. Then, you can assign unique SharePoint Online resource permissions to faculty members and a different set of permissions to students. Add or remove users from the security groups to grant or revoke access to SharePoint Online resources. + +**Note**  If your institution has AD DS, don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant. + +For information about creating security groups, see [Create and manage Office 365 groups in Admin Center Preview](https://support.office.com/en-us/article/Create-and-manage-Office-365-groups-in-Admin-Center-Preview-93df5bd4-74c4-45e8-9625-56db92865a6e?ui=en-US&rs=en-US&ad=US). + +You can add and remove users from security groups at any time. + +**Note**  Office 365 evaluates group membership when users sign in. If you change group membership for a user, that user may need to sign out, and then sign in again for the change to take effect. + +### Create email distribution groups + +Microsoft Exchange Online uses an email distribution group as a single email recipient for multiple users. For example, you could create an email distribution group that contains all students. Then, you could send a message to the email distribution group instead of individually addressing the message to each student. + +You can create email distribution groups based on job role (such as teachers, administration, or students) or specific interests (such as robotics, drama club, or soccer team). You can create any number of distribution groups, and users can be members of more than one group. + +**Note**  Office 365 can take some time to complete the Exchange Online creation process. You will have to wait until Office 365 completes the Exchange Online creation process before you can perform the following steps. + +For information about how to create security groups, see [Create and manage Office 365 groups in Admin Center Preview](https://support.office.com/en-us/article/Create-and-manage-Office-365-groups-in-Admin-Center-Preview-93df5bd4-74c4-45e8-9625-56db92865a6e?ui=en-US&rs=en-US&ad=US). + +### Summary + +Now, you have bulk-imported the user accounts into Office 365. First, you selected the bulk-import method. Next, you created the Office 365 security groups in Office 365. Finally, you created the Office 365 email distribution groups. Now, you’re ready to assign user licenses for Azure AD Premium. + +## Assign user licenses for Azure AD Premium + +Azure AD is available in Free, Basic, and Premium editions. Azure AD Free, which is included in Office 365 Education, has fewer features than Azure AD Basic, which in turn has fewer features than Azure AD Premium. Educational institutions can obtain Azure AD Basic licenses at no cost and Azure AD Premium licenses at a reduced cost. + +You can assign Azure AD Premium licenses to the users who need the features this edition offers. For example, you may want the users who have access to confidential student information to use MFA. In this example, you could assign Azure AD Premium only to those users. + +For more information about: + +- Azure AD editions, see [Azure Active Directory editions](https://azure.microsoft.com/en-us/documentation/articles/active-directory-editions/). +- How to assign user licenses for Azure AD Premium, see [How to assign EMS/Azure AD Premium licenses to user accounts](https://channel9.msdn.com/Series/Azure-Active-Directory-Videos-Demos/How-to-assign-Azure-AD-Premium-Licenses-to-user-accounts). + +## Create and configure a Windows Store for Business portal + +Windows Store for Business allows you to create your own private portal to manage Windows Store apps in your institution. With Windows Store for Business, you can do the following: + +- Find and acquire Windows Store apps. +- Manage apps, app licenses, and updates. +- Distribute apps to your users. + +For more information about Windows Store for Business, see [Windows Store for Business overview](https://technet.microsoft.com/itpro/windows/whats-new/windows-store-for-business-overview). + +The following section shows you how to create a Windows Store for Business portal and configure it for your school. + +### Create and configure your Windows Store for Business portal + +To create and configure your Windows Store for Business portal, simply use the administrative account for your Office 365 subscription to sign in to Windows Store for Business. Windows Store for Business automatically creates a portal for your institution and uses your account as its administrator. + +#### To create and configure a Windows Store for Business portal + +1. In Microsoft Edge or Internet Explorer, type `http://microsoft.com/business-store` in the address bar. +2. On the **Windows Store for Business** page, click **Sign in with an organizational account**.

**Note**  If your institution has AD DS, then don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant. +3. On the Windows Store for Business sign-in page, use the administrative account for the Office 365 subscription you created in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) section to sign in. +4. On the **Windows Store for Business Services Agreement** page, review the agreement, select the **I accept this agreement and certify that I have the authority to bind my organization to its terms** check box, and then click **Accept** +5. In the **Welcome to the Windows Store for Business** dialog box, click **OK**. + +After you create the Windows Store for Business portal, configure it by using the commands in the settings menu listed in Table 7. Depending on your institution, you may (or may not) need to change these settings to further customize your portal. + +*Table 7. Menu selections to configure Windows Store for Business settings* + +| Menu selection | What you can do in this menu | +|---------------| -------------------| +|Account information|Displays information about your Windows Store for Business account (no settings can be changed). You make changes to this information in Office 365 or the Azure Portal. For more information, see [Update Windows Store for Business account settings](https://technet.microsoft.com/itpro/windows/manage/update-windows-store-for-business-account-settings).| +|Device Guard signing|Allows you to upload and sign Device Guard catalog and policy files. For more information about Device Guard, see [Device Guard deployment guide](https://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide).| +|LOB publishers| Allows you to add line-of-business (LOB) publishers that can then publish apps to your private store. LOB publishers are usually internal developers or software vendors that are working with your institution. For more information, see [Working with line-of-business apps](https://technet.microsoft.com/itpro/windows/manage/working-with-line-of-business-apps).| +|Management tools| Allows you to add tools that you can use to distribute (deploy) apps in your private store. For more information, see [Distribute apps with a management tool](https://technet.microsoft.com/itpro/windows/manage/distribute-apps-with-management-tool).| +|Offline licensing|Allows you to show (or not show) offline licensed apps to people shopping in your private store. For more information, see [Licensing model: online and offline licenses](https://technet.microsoft.com/itpro/windows/manage/apps-in-windows-store-for-business#licensing-model).| +|Permissions|Allows you to grant other users in your organization the ability to buy, manage, and administer your Windows Store for Business portal. You can also remove permissions you have previously granted. For more information, see [Roles and permissions in Windows Store for Business](https://technet.microsoft.com/itpro/windows/manage/roles-and-permissions-windows-store-for-business).| +|Private store|Allows you to change the organization name used in your Windows Store for Business portal. When you create your portal, the private store uses the organization name that you used to create your Office 365 subscription. For more information, see [Distribute apps using your private store](https://technet.microsoft.com/itpro/windows/manage/distribute-apps-from-your-private-store).| +

+### Find, acquire, and distribute apps in the portal + +Now that you have created your Windows Store for Business portal, you’re ready to find, acquire, and distribute apps that you will add to your portal. You do this by using the Inventory page in Windows Store for Business. + +**Note**  Your educational institution can now use a credit card or purchase order to pay for apps in Windows Store for Business. + +You can deploy apps to individual users or make apps available to users through your private store. Deploying apps to individual users restricts the app to those specified users. Making apps available through your private store allows all your users. + +For more information about how to find, acquire, and distribute apps in the portal, see [App inventory management for Windows Store for Business](https://technet.microsoft.com/itpro/windows/manage/app-inventory-managemement-windows-store-for-business). + +### Summary + +At the end of this section, you should have a properly configured Windows Store for Business portal. You have also found and acquired your apps from Windows Store. Finally, you should have deployed all your Windows Store apps to your users. Now, you’re ready to deploy Windows Store apps to your users. + +## Plan for deployment + +You will use the LTI deployment process in MDT to deploy Windows 10 to devices or to upgrade devices to Windows 10. Prior to preparing for deployment, you must make some deployment planning decisions, including selecting the operating systems you will use, the approach you will use to create your Windows 10 images, and the method you will use to initiate the LTI deployment process. + +### Select the operating systems + +Later in the process, you will import the versions of Windows 10 you want to deploy. You can deploy the operating system to new devices, refresh existing devices, or upgrade existing devices. In the case of: + +- New devices or refreshing existing devices, you will complete replace the existing operating system on a device with Windows 10. +- Upgrading existing devices, you will upgrade the existing operating system (the Windows 8.1 or Windows 7 operating system) to Windows 10. + +Depending on your school’s requirements, you may need any combination of the following Windows 10 editions: + +- **Windows 10 Home**. Use this operating system to upgrade existing eligible institution-owned and personal devices that are running Windows 8.1 Home or Windows 7 Home to Windows 10 Home. +- **Windows 10 Pro**. Use this operating system to: + - Upgrade existing eligible institution-owned and personal devices running Windows 8.1 Pro or Windows 7 Professional to Windows 10 Pro. + - Deploy new instances of Windows 10 Pro to devices so that new devices have a known configuration. +- **Windows 10 Education**. Use this operating system to: + - Upgrade institution-owned devices to Windows 10 Education. + - Deploy new instances of Windows 10 Education so that new devices have a known configuration. + +**Note**  Although you can use Windows 10 Home on institution-owned devices, Microsoft recommends that you use Windows 10 Pro or Windows 10 Education, instead. Windows 10 Pro and Windows 10 Education provide support for MDM, policy-based management, and Windows Store for Business. These features are not available in Windows 10 Home. + +One other consideration is the mix of processor architectures you will support. If you can, support only 64-bit versions of Windows 10. If you have devices that can run only 32 bit versions of Windows 10, you will need to import both 64-bit and 32-bit versions of the Windows 10 editions listed above. + +**Note**  On devices that have minimal system resources (such as devices with only 2 GB of memory or 32 GB of storage), use 32-bit versions of Windows 10 because 64-bit versions of Windows 10 place more stress on device system resources. + +Finally, as a best practice, minimize the number of operating systems that you deploy and manage. If possible, standardize institution-owned devices on one Windows 10 edition (such as a 64-bit version of Windows 10 Education or Windows 10 Pro). Of course, you cannot standardize personal devices on a specific operating system version or processor architecture. + +### Select an image approach + +A key operating system image decision is whether to use a “thin” or “thick” image. *Thin images* contain only the operating system, and MDT installs the necessary device drivers and apps after the operating system has been installed. *Thick images* contain the operating system, “core” apps (such as Office), and device drivers. With thick images, MDT installs any device drivers and apps not included in the thick image after the operating system has been installed. + +The advantage to a thin image is that the final deployment configuration is dynamic, and you can easily change the configuration without having to capture another image. The disadvantage of a thin image is that it takes longer to complete the deployment. + +The advantage of a thick image is that the deployment takes less time than it would for a thin image. The disadvantage of a thick image is that you need to capture a new image each time you want to make a change to the operating system, apps, or other software in the image. + +### Select a method to initiate deployment + +The MDT deployment process is highly automated, requiring minimal information to deploy or upgrade Windows 10, but you must manually initiate the MDT deployment process. To do so, use the method listed in Table 8 that best meets the needs of your institution. + +*Table 8. Methods to initiate MDT deployment* + + ++++ + + + + + + + + + + + + + + + + + + + + + + + +
MethodDescription and reason to select this method
Windows Deployment ServicesThis method:

+
    +
  • Uses diskless booting to initiate MDT deployment.
    • +
  • Works only with devices that support PXE boot.
    • +
  • Deploys Windows 10 over the network, which consumes more network bandwidth than deployment from local media.
    • +
  • Deploys images more slowly than when using local media.
    • +
  • Requires that you deploy a Windows Deployment Services server.
    • +
+ +Select this method when you want to deploy Windows over-the-network and perform diskless booting. The advantage of this method is that the diskless media are generic and typically don’t require updates after you create them (the Deployment Wizard accesses the centrally located deployment share over the network). The disadvantage of this method is that over-the-network deployments are slower than deployments from local media, and you must deploy a Windows Deployment Services server.
Bootable mediaThis method:

+
    +
  • Initiates MDT deployment by booting from local media, including from USB drives, DVD-ROM, or CD-ROM.
    • +
  • Deploys Windows 10 over the network, which consumes more network bandwidth than deployment from local media.
    • +
  • Deploys images more slowly than when using local media.
    • +
  • Requires no additional infrastructure.
    • +
+ +Select this method when you want to deploy Windows over-the-network and are willing to boot the target device from local media. The advantage of this method is that the media are generic and typically don’t require updates after you create them (the Deployment Wizard accesses the centrally located deployment share over the network). The disadvantage of this method is that over-the-network deployments are slower than deployment from local media.
MDT deployment mediaThis method:

+
    +
  • Initiates MDT deployment by booting from a local USB hard disk.
    • +
  • Deploys Windows 10 from local media, which consumes less network bandwidth than over-the-network methods.
    • +
  • Deploys images more quickly than network-based methods do.
    • +
  • Requires a USB hard disk because of the deployment share’s storage requirements (up to 100 GB).
    • +
+ +Select this method when you want to perform local deployments and are willing to boot the target device from a local USB hard disk. The advantage of this method is that local deployments are faster than over-the-network deployments. The disadvantage of this method is that each time you change the deployment share, you must regenerate the MDT deployment media and update the USB hard disk.
+ +### Summary + +At the end of this section, you should know the Windows 10 editions and processor architecture that you want to deploy (and will import later in the process). You also determined whether you want to use thin or thick images. Finally, you selected the method for initiating your LTI deployment. Now, you can prepare for Windows 10 deployment. + +## Prepare for deployment + +To deploy Windows 10 to devices, using the LTI deployment method in MDT. In this section, you prepare your MDT environment and Windows Deployment Services for Windows 10 deployment. + +### Configure the MDT deployment share + +The first step in preparation for Windows 10 deployment is to configure—that is, *populate*—the MDT deployment share. Table 9 lists the MDT deployment share configuration tasks that you must perform. Perform the tasks in the order represented in Table 9. + +*Table 9. Tasks to configure the MDT deployment share* + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
TaskDescription
1. Import operating systemsImport the operating systems that you selected in the [Select operating systems](#select-the-operating-systems) section into the deployment share. For more information about how to import operating systems, see [Import an Operating System into the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#ImportanOperatingSystemintotheDeploymentWorkbench).
2. Import device drivesDevice drivers allow Windows 10 to know a device’s hardware resources and connected hardware accessories. Without the proper device drivers, certain features may be unavailable. For example, without the proper audio driver, a device cannot play sounds; without the proper camera driver, the device cannot take photos or use video chat.

+ +Import device drivers for each device in your institution. For more information about how to import device drivers, see [Import Device Drivers into the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#ImportDeviceDriversintotheDeploymentWorkbench). + +
3. Create MDT applications for Windows Store appsCreate an MDT application for each Windows Store app you want to deploy. You can deploy Windows Store apps by using *sideloading*, which allows you to use the **Add-AppxPackage** Windows PowerShell cmdlet to deploy the .appx files associated with the app (called *provisioned apps*). Use this method to deploy up to 24 apps to Windows 10.

+ +Prior to sideloading the .appx files, obtain the Windows Store .appx files that you will use to deploy (sideload) the apps in your provisioning package. For apps in Windows Store, you will need to obtain the .appx files from the app software vendor directly. If you are unable to obtain the .appx files from the app software vendor, then you or the students will need to install the apps on the student devices directly from Windows Store or Windows Store for Business.

+ +If you have Intune, you can deploy Windows Store apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. This method provides granular deployment of Windows Store apps, and you can use it for ongoing management of Windows Store apps. This is the preferred method of deploying and managing Windows Store apps.

+ +In addition, you must prepare your environment for sideloading (deploying) Windows Store apps. For more information about how to:

+
    +
  • Prepare your environment for sideloading, see [Sideload LOB apps in Windows 10](https://technet.microsoft.com/en-us/itpro/windows/deploy/sideload-apps-in-windows-10).
    • +
  • Create an MDT application, see [Create a New Application in the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#CreateaNewApplicationintheDeploymentWorkbench).
    • +
+ + +
4. Create MDT applications for Windows desktop apps +You need to create an MDT application for each Windows desktop app you want to deploy. You can obtain the Windows desktop apps from any source, but ensure that you have sufficient licenses for them.

+ +To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in [Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool](https://technet.microsoft.com/en-us/library/jj219423.aspx?f=255&MSPPError=-2147217396).

+ +If you have Intune, you can deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. This method provides granular deployment of Windows desktop apps, and you can use it for ongoing management of the apps. This is the preferred method for deploying and managing Windows desktop apps.

+ +**Note**  You can also deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section.

+ +For more information about how to create an MDT application for Window desktop apps, see [Create a New Application in the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#CreateaNewApplicationintheDeploymentWorkbench). + +
5. Create task sequences. +You must create a separate task sequences for each Windows 10 edition, processor architecture, operating system upgrade process, and new operating system deployment process. Minimally, create a task sequence for each Windows 10 operating system you imported in Step 1—for example, (1) if you want to deploy Windows 10 Education to new devices or refresh existing devices with a new deployment of Windows 10 Education; (2) if you want to upgrade existing devices running Windows 8.1 or Windows 7 to Windows 10 Education; or (3) if you want to run deployments and upgrades for both 32 bit and 64 bit versions of Windows 10. To do so, you must create task sequences that will: +

+
  • Deploy Windows 10 Education 64-bit to devices.
    • +
  • Deploy Windows 10 Education 32-bit to devices.
    • +
  • Upgrade existing devices to Windows 10 Education 64-bit.
    • +
  • Upgrade existing devices to Windows 10 Education 32-bit.
    • +
+ +Again, you will create the task sequences based on the operating systems that you imported in Step 1. For more information about how to create a task sequence, see [Create a New Task Sequence in the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#CreateaNewTaskSequenceintheDeploymentWorkbench). + +
6. Update the deployment share. +Updating a deployment share generates the MDT boot images you use to initiate the Windows 10 deployment process. You can configure the process to create 32 bit and 64 bit versions of the .iso and .wim files you can use to create bootable media or in Windows Deployment Services.

+ +For more information about how to update a deployment share, see [Update a Deployment Share in the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#UpdateaDeploymentShareintheDeploymentWorkbench).
+ +### Configure Window Deployment Services for MDT + +You can use Windows Deployment Services in conjunction with MDT to automatically initiate boot images on target computers. These boot images can be Windows PE images (which you generated in Step 6 in Table 9) or custom images that can deploy operating systems directly to the target computers. + +#### To configure Windows Deployment Services for MDT + +1. Set up and configure Windows Deployment Services.

Windows Deployment Services is a server role available in all Windows Server editions. You can enable the Windows Deployment Services server role on a new server or on any server running Windows Server in your institution. For more information about how to perform this step, see the following resources: + + - [Windows Deployment Services overview](https://technet.microsoft.com/library/hh831764.aspx) + - The Windows Deployment Services Help file, included in Windows Deployment Services + - [Windows Deployment Services Getting Started Guide for Windows Server 2012](https://technet.microsoft.com/en-us/library/jj648426.aspx) + +2. Add LTI boot images (Windows PE images) to Windows Deployment Services.

The LTI boot images (.wim files) that you will add to Windows Deployment Services are in the MDT deployment share. Locate the .wim files in the Boot subfolder in the deployment share. For more information about how to perform this step, see [Add LTI Boot Images to Windows Deployment Services](https://technet.microsoft.com/en-us/library/dn759415.aspx#AddLTIBootImagestoWindowsDeploymentServices). + +### Summary + +Now, Windows Deployment Services is ready to initiate the LTI deployment process in MDT. You have set up and configured Windows Deployment Services and added the LTI boot images, which you generated in the previous section, to Windows Deployment Services. Now, you’re ready to prepare to manage the devices in your institution. + +## Prepare for device management + +Before you deploy Windows 10 in your institution, you must prepare for device management. You will deploy Windows 10 in a configuration that complies with your requirements, but you want to help ensure that your deployments remain compliant. + +### Select the management method + +If you have only one device to configure, manually configuring that one device is tedious but possible. When you have multiple classrooms of devices to configure, however, manually configuring each device becomes overwhelming. In addition, manually keeping an identical configuration on each device is virtually impossible as the number of devices in the school increases. + +For a school, there are many ways to manage devices. Table 10 lists the methods that this guide describes and recommends. Use the information in Table 10 to determine which combination of management methods is right for your institution. + +*Table 10. School management methods* + + ++++ + + + + + + + + + + + + + + + + + + + +
MethodDescription
Group Policy +Group Policy is an integral part of AD DS and allows you to specify configuration settings for Windows 10 and previous versions of Windows. Select this method when you: +
    +
  • Want to manage institution-owned devices that are domain joined (personally owned devices are typically not domain joined).
    • +
  • Want more granular control of device and user settings.
    • +
  • Have an existing AD DS infrastructure.
    • +
  • Typically manage on-premises devices.
    • +
  • Can manage a required setting only by using Group Policy.
    • +
+ +The advantages of this method include: +
    +
  • No cost beyond the AD DS infrastructure.
    • +
  • A larger number of settings (compared to Intune).
    • +
+The disadvantages of this method are: +
    +
  • Can only manage domain-joined (institution-owned devices).
    • +
  • Requires an AD DS infrastructure (if the institution does not have AD DS already).
    • +
  • Typically manages on-premises devices (unless devices connect by using a VPN or DirectAccess).
    • +
+
IntuneIntune is a cloud-based management system that allows you to specify configuration settings for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD. +Select this method when you: +
    +
  • Want to manage institution-owned and personal devices (does not require that the device be domain joined).
    • +
  • Don’t require the level of granular control over device and user settings (compared to Group Policy).
    • +
  • Don’t have an existing AD DS infrastructure.
    • +
  • Need to manage devices regardless of where they are (on or off premises).
    • +
  • Can manage a required setting only by using Intune.
    • +
+ +The advantages of this method are: +
    +
  • You can manage institution-owned and personal devices.
    • +
  • It doesn’t require that devices be domain joined.
    • +
  • It doesn’t require any on-premises infrastructure.
    • +
  • It can manage devices regardless of their location (on or off premises).
    • + +
+The disadvantages of this method are: +
    +
  • Carries an additional cost for subscription.
    • +
  • Doesn’t have a granular level control over device and user settings (compared to Group Policy).
    • +
+ +

+ +### Select Microsoft-recommended settings + +Microsoft has several recommended settings for educational institutions. Table 11 lists them, provides a brief description of why you need to configure them, and recommends methods for configuring the settings. Review the settings in Table 11 and evaluate their relevancy to your institution. Use the information to help you determine whether you need to configure the setting and which method you will use to do so. At the end, you will have a list of settings that you want to apply to the Windows 10 devices and know which management method you will use to configure the settings. + +*Table 11. Recommended settings for educational institutions* + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
RecommendationDescription
Use of Microsoft accountsYou want faculty and students to use only Azure AD accounts for institution-owned devices. For these devices, do not use Microsoft accounts or associate a Microsoft account with the Azure AD accounts.

+**Note**  Personal devices typically use Microsoft accounts. Faculty and students can associate their Microsoft account with their Azure AD account on these devices.

+**Group Policy.** Configure the [Accounts: Block Microsoft accounts](https://technet.microsoft.com/en-us/library/jj966262.aspx?f=255&MSPPError=-2147217396) Group Policy setting to use the Users can’t add Microsoft accounts setting option.

+**Intune.** Enable or disable the camera by using the **Allow Microsoft account**, **Allow adding non-Microsoft accounts manually**, and **Allow settings synchronization for Microsoft accounts** policy settings under the **Accounts and Synchronization** section of a **Windows 10 General Configuration** policy. +
Restrict local administrator accounts on the devicesEnsure that only authorized users are local administrators on institution-owned devices. Typically, you don’t want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices.

+**Group Policy**. Create a **Local Group** Group Policy preference to limit the local administrators group membership. Select the **Delete all member users** and **Delete all member groups** check boxes to remove any existing members. For more information about how to configure Local Group preferences, see [Configure a Local Group Item](https://technet.microsoft.com/en-us/library/cc732525.aspx).

+**Intune**. Not available. +
Restrict the local administrator accounts on the devicesEnsure that only authorized users are local administrators on institution-owned devices. Typically, you don’t want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices.

+**Group Policy**. Create a **Local Group** Group Policy preference to limit the local administrators group membership. Select the **Delete all member users** and **Delete all member groups** check boxes to remove any existing members. For more information about how to configure Local Group preferences, see [Configure a Local Group Item](https://technet.microsoft.com/en-us/library/cc732525.aspx).

+**Intune**. Not available. +
Manage the built-in administrator account created during device deploymentWhen you use MDT to deploy Windows 10, the MDT deployment process automatically creates a local Administrator account with the password you specified. As a security best practice, rename the built-in Administrator account and optionally disable it.

+**Group Policy**. Rename the built-in Administrator account by using the **Accounts: Rename administrator account** Group Policy setting. For more information about how to rename the built-in Administrator account, see [To rename the Administrator account using the Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc747484.aspx). You will specify the new name for the Administrator account. You can disable the built-in Administrator account by using the **Accounts: Administrator account status** Group Policy setting. For more information about how to disable the built-in Administrator account, see [Accounts: Administrator account status](https://technet.microsoft.com/en-us/library/jj852165.aspx).

+**Intune**. Not available. +
Control Windows Store accessYou can control access to Windows Store and whether existing Windows Store apps receive updates. You can only disable the Windows Store app in Windows 10 Education and Windows 10 Enterprise.

+**Group Policy**. You can disable the Windows Store app by using the **Turn off the Store Application** Group Policy setting. You can prevent Windows Store apps from receiving updates by using the **Turn off Automatic Download and Install of updates** Group Policy setting. For more information about configuring these settings, see [Can I use Group Policy to control the Windows Store in my enterprise environment?](https://technet.microsoft.com/en-us/library/hh832040.aspx#BKMK_UseGP).

+**Intune**. You can enable or disable the camera by using the **Allow application store** policy setting in the **Apps** section of a **Windows 10 General Configuration** policy. +
Use of Remote Desktop connections to devicesRemote Desktop connections could allow unauthorized access to the device. Depending on your institution’s policies, you may want to disable Remote Desktop connections on your devices.

+**Group Policy**. You can enable or disable Remote Desktop connections to devices by using the **Allow Users to connect remotely using Remote Desktop setting** in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections.

+**Intune**. Not available. +
Use of cameraA device’s camera can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the camera on your devices.

+**Group Policy**. Not available.

+**Intune**. You can enable or disable the camera by using the **Allow camera** policy setting in the **Hardware** section of a **Windows 10 General Configuration** policy. +
Use of audio recordingAudio recording (by using the Sound Recorder app) can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the Sound Recorder app on your devices.

+**Group Policy**. You can disable the Sound Recorder app by using the **Do not allow Sound Recorder to run** Group Policy setting. You can disable other audio recording apps by using AppLocker policies. Create AppLocker policies by using the information in [Editing an AppLocker Policy](https://technet.microsoft.com/en-us/library/ee791894(v=ws.10).aspx) and [Create Your AppLocker Policies](https://technet.microsoft.com/en-us/library/ee791899.aspx).

+**Intune**. You can enable or disable the camera by using the **Allow voice recording** policy setting in the **Features** section of a **Windows 10 General Configuration** policy. +
Use of screen captureScreen captures can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the ability to perform screen captures on your devices.

+**Group Policy**. Not available.

+**Intune**. You can enable or disable the camera by using the **Allow screen capture** policy setting in the **System** section of a **Windows 10 General Configuration** policy. +
Use of location servicesProviding a device’s location can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the location service on your devices.

+**Group Policy**. You can enable or disable location services by using the **Turn off location** Group Policy setting in User Configuration\Windows Components\Location and Sensors.

+**Intune**. You can enable or disable the camera by using the **Allow geolocation** policy setting in the **Hardware** section of a **Windows 10 General Configuration** policy. +
Changing wallpaperDisplaying a custom wallpaper can be a source of disclosure or privacy issues in an education environment (if the wallpaper displays information about the user or the device). Depending on your institution’s policies, you may want to prevent users from changing the wallpaper on your devices.

+**Group Policy**. You can configure the wallpaper by using the **Desktop WallPaper** setting in User Configuration\Administrative Templates\Desktop\Desktop.

+**Intune**. Not available. +

+ +### Configure settings by using Group Policy + +Now, you’re ready to configure settings by using Group Policy. The steps in this section assume that you have an AD DS infrastructure. You will configure the Group Policy settings you select in the [Select Microsoft-recommended settings](#select-microsoft-recommended-settings) section. + +For more information about Group Policy, see [Group Policy Planning and Deployment Guide](https://technet.microsoft.com/en-us/library/cc754948.aspx). + +#### To configure Group Policy settings + +1. Create a Group Policy object (GPO) that will contain the Group Policy settings by completing the steps in [Create a new Group Policy object](https://technet.microsoft.com/en-us/library/cc738830.aspx). +2. Configure the settings in the GPO by completing the steps in [Edit a Group Policy object](https://technet.microsoft.com/en-us/library/cc739902.aspx). +3. Link the GPO to the appropriate AD DS site, domain, or organizational unit by completing the steps in [Link a Group Policy object to a site, domain, or organizational unit](https://technet.microsoft.com/en-us/library/cc738954(v=ws.10).aspx). + +### Configure settings by using Intune + +Now, you’re ready to configure settings by using Intune. The steps in this section assume that you have an Office 365 subscription. You will configure the Intune settings that you selected in the [Select Microsoft-recommended settings](#select-microsoft-recommended-settings) section. + +For more information about Intune, see [Documentation for Microsoft Intune](https://docs.microsoft.com/en-us/intune/). + +#### To configure Intune settings + +1. Add Intune to your Office 365 subscription by completing the steps in [Get started with a paid subscription to Microsoft Intune](https://docs.microsoft.com/en-us/intune/get-started/start-with-a-paid-subscription-to-microsoft-intune). +2. Enroll devices with Intune by completing the steps in [Get ready to enroll devices in Microsoft Intune](https://technet.microsoft.com/en-us/library/dn646962.aspx). +3. Configure the settings in Intune Windows 10 policies by completing the steps in [Manage settings and features on your devices with Microsoft Intune policies](https://technet.microsoft.com/en-us/library/dn646984.aspx). +4. Manage Windows 10 devices by completing the steps in [Manage Windows PCs with Microsoft Intune](https://technet.microsoft.com/en-us/library/dn646959.aspx). + +### Deploy apps by using Intune + +You can use Intune to deploy Windows Store and Windows desktop apps. Intune provides improved control over which users receive specific apps. In addition, Intune allows you deploy apps to companion devices (such as Windows 10 Mobile, iOS, or Android devices) Finally, Intune helps you manage app security and features, such as mobile application management policies that let you manage apps on devices that are not enrolled in Intune or are managed by another solution. + +For more information about how to configure Intune to manage your apps, see [Deploy and configure apps with Microsoft Intune](https://docs.microsoft.com/en-us/intune/). + +### Summary + +In this section, you prepared your institution for device management. You determined whether you want to use Group Policy or Intune to manage your devices. You identified the configuration settings that you want to use to manage your users and devices. Finally, you configured the Group Policy and Intune settings in Group Policy and Intune, respectively. + +## Deploy Windows 10 to devices + +You’re ready to deploy Windows 10 to faculty and student devices. You must complete the steps in this section for each student device in the classrooms as well as for any new student devices you add in the future. You can also perform these actions for any device that’s eligible for a Windows 10 upgrade. This section discusses deploying Windows 10 to new devices, refreshing Windows 10 on existing devices, and upgrading existing devices that are running eligible versions of Windows 8.1 or Windows to Windows 10. + +### Prepare for deployment + +Prior to deployment of Windows 10, ensure that you complete the tasks listed in Table 12. Most of these tasks are already complete, but use this step to make sure. + +*Table 12. Deployment preparation checklist* + +|Task | | +| ---| --- | +| |The target devices have sufficient system resources to run Windows 10. | +| | Identify the necessary devices drivers, and import them to the MDT deployment share.| +| | Create an MDT application for each Windows Store and Windows desktop app.| +| | Notify the students and faculty about the deployment.| +

+### Perform the deployment + +Use the Deployment Wizard to deploy Windows 10. The LTI deployment process is almost fully automated: You provide only minimal information to the Deployment Wizard at the beginning of the process. After the wizard collects the necessary information, the remainder of the process is fully automated. + +**Note**  To fully automate the LTI deployment process, complete the steps in the “Fully Automated LTI Deployment Scenario” section in the [Microsoft Deployment Toolkit Samples Guide](https://technet.microsoft.com/en-us/library/dn781089.aspx). + +In most instances, deployments occur without incident. Only in rare occasions do deployments experience problems. + +#### To deploy Windows 10 + +1. **Initiate the LTI deployment process**. Initiate the LTI deployment process booting over the network (PXE boot) or from local media. You selected the method for initiating the LTI deployment process in the [Select a method to initiate deployment](#select-a-method-to-initiate-deployment) section earlier in this guide. +2. **Complete the Deployment Wizard**. For more information about how to complete the Deployment Wizard, see the “Running the Deployment Wizard” topic in [Using the Microsoft Deployment Toolkit](https://technet.microsoft.com/en-us/library/dn759415.aspx#Running%20the%20Deployment%20Wizard). + +### Set up printers + +After you have deployed Windows 10, the devices are almost ready for use. First, you must set up the printers that each classroom will use. Typically, you connect the printers to the same network as the devices in the same classroom. If you don’t have printers in your classrooms, skip this section and proceed to the [Verify deployment](#verify-deployment) section. + +**Note**  If you’re performing an upgrade instead of a new deployment, the printers remain configured as they were in the previous version of Windows. As a result, you can skip this section and proceed to the [Verify deployment](#verify-deployment) section. + +#### To set up printers + +1. Review the printer manufacturer’s instructions for installing the printer drivers. +2. On the admin device, download the printer drivers. +3. Copy the printer drivers to a USB drive. +4. On a device, use the same account you used to set up Windows 10 in the [Perform the deployment](#perform-the-deployment) section to sign in to the device. +5. Insert the USB drive in the device. +6. Follow the printer manufacturer’s instructions to install the printer drivers from the USB drive. +7. Verify that the printer drivers were installed correctly by printing a test page. +8. Complete steps 1–8 for each printer. + +### Verify deployment + +As a final quality control step, verify the device configuration to ensure that all apps run. Microsoft recommends that you perform all the tasks that the user would perform. Specifically, verify the following: + +- The device can connect to the Internet and view the appropriate web content in Microsoft Edge. +- Windows Update is active and current with software updates. +- Windows Defender is active and current with malware signatures. +- The SmartScreen Filter is active. +- All Windows Store apps are properly installed and updated. +- All Windows desktop apps are properly installed and updated. +- Printers are properly configured. + +When you have verified that the first device is properly configured, you can move to the next device and perform the same steps. + +### Summary + +You prepared the devices for deployment by verifying that they have adequate system resources and that the resources in the devices have corresponding Windows 10 device drivers. You performed device deployment over the network or by using local MDT media. Next, you configured the appropriate printers on the devices. Finally, you verified that the devices are properly configured and ready for use. + +## Maintain Windows devices and Office 365 + +After the initial deployment, you will need to perform certain tasks to maintain the Windows 10 devices and your Office 365 Education subscription. You should perform these tasks on the following schedule: + +- **Monthly.** These tasks help ensure that the devices are current with software updates and properly protected against viruses and malware. +- **New semester or academic year.** Perform these tasks prior to the start of a new curriculum—for example, at the start of a new academic year or semester. These tasks help ensure that the classroom environments are ready for the next group of students. +- **As required (ad hoc).** Perform these tasks as necessary in a classroom. For example, a new version of an app may be available, or a student may inadvertently corrupt a device so that you must restore it to the default configuration. + +Table 13 lists the school and individual classroom maintenance tasks, the resources for performing the tasks, and the schedule (or frequency) on which you should perform the tasks. + +*Table 13. School and individual classroom maintenance tasks, with resources and the schedule for performing them* + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Task and resourcesMonthlyNew semester or academic yearAs required
Verify that Windows Update is active and current with operating system and software updates.

+For more information about completing this task when you have: +
    +
  • Intune, see [Keep Windows PCs up to date with software updates in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/keep-windows-pcs-up-to-date-with-software-updates-in-microsoft-intune).
    • +
  • Group Policy, see [Windows Update for Business](https://technet.microsoft.com/itpro/windows/plan/windows-update-for-business).
    • +
  • Windows Server Update Services (WSUS), see [Windows Server Update Services](https://msdn.microsoft.com/en-us/library/bb332157.aspx?f=255&MSPPError=-2147217396).
    • +
  • Neither Intune, Group Policy, or WSUS, see [Update Windows 10](http://windows.microsoft.com/en-id/windows-10/update-windows-10)
    • +
+		XXX
Verify that Windows Defender is active and current with malware signatures.

+For more information about completing this task, see [Turn Windows Defender on or off](http://windows.microsoft.com/en-us/windows-10/how-to-protect-your-windows-10-pc#v1h=tab01) and [Updating Windows Defender](http://windows.microsoft.com/en-us/windows-10/how-to-protect-your-windows-10-pc#v1h=tab03). 		XXX
Verify that Windows Defender has run a scan in the past week and that no viruses or malware were found.

+For more information about completing this task, see [How do I find and remove a virus?](http://windows.microsoft.com/en-US/windows-8/how-find-remove-virus) +		XXX
Verify that you are using the appropriate Windows 10 servicing options for updates and upgrades (such as selecting whether you want to use Current Branch or Current Branch for Business).

+For more information about Windows 10 servicing options for updates and upgrades, see [Windows 10 servicing options for updates and upgrades](https://technet.microsoft.com/itpro/windows/manage/introduction-to-windows-10-servicing).		XX
Refresh the operating system and apps on devices.

+For more information about completing this task, see the [Deploy Windows 10 to devices](#deploy-windows-10-to-devices) section. + +		XX
Install any new Windows desktop apps or update any Windows desktop apps that are used in the curriculum.

+For more information, see the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. + +		XX
Install new or update existing Windows Store apps that are used in the curriculum.

+Windows Store apps are automatically updated from Windows Store. The menu bar in the Windows Store app shows whether any Windows Store app updates are available for download.

+You can also deploy Windows Store apps directly to devices by using Intune. For more information, see the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. + +		XX
Remove unnecessary user accounts (and corresponding licenses) from Office 365.

+For more information about how to: +
    +
  • Remove unnecessary user accounts, see [Delete or restore users](https://support.office.com/en-us/article/Delete-or-restore-users-d5155593-3bac-4d8d-9d8b-f4513a81479e?ui=en-US&rs=en-US&ad=US).
    • +
  • Unassign licenses, see [Assign or unassign licenses for Office 365 for business](https://support.office.com/en-us/article/Assign-or-unassign-licenses-for-Office-365-for-business-997596b5-4173-4627-b915-36abac6786dc?ui=en-US&rs=en-US&ad=US).
    • +
+ +		XX
Add new accounts (and corresponding licenses) to Office 365.

+For more information about how to: +
    +
  • Add user accounts, see [Add users to Office 365 for business](https://support.office.com/en-us/article/Add-users-to-Office-365-for-business-435ccec3-09dd-4587-9ebd-2f3cad6bc2bc) and [Add users individually or in bulk to Office 365](https://www.youtube.com/watch?v=zDs3VltTJps).
    • +
  • Assign licenses, see [Assign or unassign licenses for Office 365 for business](https://support.office.com/en-us/article/Assign-or-unassign-licenses-for-Office-365-for-business-997596b5-4173-4627-b915-36abac6786dc?ui=en-US&rs=en-US&ad=US).
    • +
+		XX
Create or modify security groups and manage group membership in Office 365.

+For more information about how to: +
    +
  • Create or modify security groups, see [View, create, and delete Groups in the Office 365 admin center](https://support.office.com/en-us/article/View-create-and-delete-groups-in-the-Office-365-admin-center-a6360120-2fc4-46af-b105-6a04dc5461c7).
    • +
  • Manage group membership, see [Manage Group membership in the Office 365 admin center](https://support.office.com/en-us/article/Manage-Group-membership-in-the-Office-365-admin-center-e186d224-a324-4afa-8300-0e4fc0c3000a).
    • +
+ +		XX
Create or modify Exchange Online or Microsoft Exchange Server distribution lists in Office 365.

+For more information about how to create or modify Exchange Online or Exchange Server distribution lists in Office 365, see [Manage Distribution Groups](https://technet.microsoft.com/library/bb124513.aspx) and [Groups in Exchange Online and SharePoint Online](https://support.office.com/en-us/article/Create-edit-or-delete-a-security-group-55C96B32-E086-4C9E-948B-A018B44510CB#__groups_in_exchange). + +		XX
Install new student devices

+Follow the same steps described in the [Deploy Windows 10 to devices](#deploy-windows-10-to-devices) section. + +		X
+

+### Summary + +Now, you have identified the tasks you need to perform monthly, at the end of an academic year or semester, and as required. Your school configuration should match the typical school configuration that you saw in the [Plan a typical school configuration](#plan-a-typical-school-configuration) section. By performing these maintenance tasks you help ensure that your school stays secure and is configured as you specified. + +##Related resources +

+ diff --git a/education/windows/images/TakeATestURL.png b/education/windows/images/TakeATestURL.png new file mode 100644 index 0000000000..b057763e8b Binary files /dev/null and b/education/windows/images/TakeATestURL.png differ diff --git a/education/windows/images/app-distribution-options.PNG b/education/windows/images/app-distribution-options.PNG new file mode 100644 index 0000000000..75b3374720 Binary files /dev/null and b/education/windows/images/app-distribution-options.PNG differ diff --git a/education/windows/images/app1.jpg b/education/windows/images/app1.jpg new file mode 100644 index 0000000000..aef6c5c22e Binary files /dev/null and b/education/windows/images/app1.jpg differ diff --git a/education/windows/images/choose-package.png b/education/windows/images/choose-package.png new file mode 100644 index 0000000000..868407df56 Binary files /dev/null and b/education/windows/images/choose-package.png differ diff --git a/education/windows/images/chromebook-fig1-googleadmin.png b/education/windows/images/chromebook-fig1-googleadmin.png new file mode 100644 index 0000000000..b3d42e5ff2 Binary files /dev/null and b/education/windows/images/chromebook-fig1-googleadmin.png differ diff --git a/education/windows/images/connect-aad.png b/education/windows/images/connect-aad.png new file mode 100644 index 0000000000..8583866165 Binary files /dev/null and b/education/windows/images/connect-aad.png differ diff --git a/education/windows/images/deploy-win-10-school-figure1.png b/education/windows/images/deploy-win-10-school-figure1.png new file mode 100644 index 0000000000..66113dcce1 Binary files /dev/null and b/education/windows/images/deploy-win-10-school-figure1.png differ diff --git a/education/windows/images/deploy-win-10-school-figure2.png b/education/windows/images/deploy-win-10-school-figure2.png new file mode 100644 index 0000000000..0227f8dbaa Binary files /dev/null and b/education/windows/images/deploy-win-10-school-figure2.png differ diff --git a/education/windows/images/deploy-win-10-school-figure3.png b/education/windows/images/deploy-win-10-school-figure3.png new file mode 100644 index 0000000000..1b39b5cc14 Binary files /dev/null and b/education/windows/images/deploy-win-10-school-figure3.png differ diff --git a/education/windows/images/deploy-win-10-school-figure4.png b/education/windows/images/deploy-win-10-school-figure4.png new file mode 100644 index 0000000000..09552a448a Binary files /dev/null and b/education/windows/images/deploy-win-10-school-figure4.png differ diff --git a/education/windows/images/deploy-win-10-school-figure5.png b/education/windows/images/deploy-win-10-school-figure5.png new file mode 100644 index 0000000000..550386f1ce Binary files /dev/null and b/education/windows/images/deploy-win-10-school-figure5.png differ diff --git a/education/windows/images/deploy-win-10-school-figure6.png b/education/windows/images/deploy-win-10-school-figure6.png new file mode 100644 index 0000000000..09552a448a Binary files /dev/null and b/education/windows/images/deploy-win-10-school-figure6.png differ diff --git a/education/windows/images/deploy-win-10-school-figure7.png b/education/windows/images/deploy-win-10-school-figure7.png new file mode 100644 index 0000000000..8e7581007a Binary files /dev/null and b/education/windows/images/deploy-win-10-school-figure7.png differ diff --git a/education/windows/images/enter-email.PNG b/education/windows/images/enter-email.PNG new file mode 100644 index 0000000000..644d893f06 Binary files /dev/null and b/education/windows/images/enter-email.PNG differ diff --git a/education/windows/images/express-settings.png b/education/windows/images/express-settings.png new file mode 100644 index 0000000000..99e9c4825a Binary files /dev/null and b/education/windows/images/express-settings.png differ diff --git a/education/windows/images/fig2-locallyconfig.png b/education/windows/images/fig2-locallyconfig.png new file mode 100644 index 0000000000..d2fe9820da Binary files /dev/null and b/education/windows/images/fig2-locallyconfig.png differ diff --git a/education/windows/images/get-app-store.png b/education/windows/images/get-app-store.png new file mode 100644 index 0000000000..14ae888425 Binary files /dev/null and b/education/windows/images/get-app-store.png differ diff --git a/education/windows/images/get-the-app.PNG b/education/windows/images/get-the-app.PNG new file mode 100644 index 0000000000..0692ae6f7f Binary files /dev/null and b/education/windows/images/get-the-app.PNG differ diff --git a/education/windows/images/it-get-app.PNG b/education/windows/images/it-get-app.PNG new file mode 100644 index 0000000000..9740081ef4 Binary files /dev/null and b/education/windows/images/it-get-app.PNG differ diff --git a/education/windows/images/license-terms.png b/education/windows/images/license-terms.png new file mode 100644 index 0000000000..8dd34b0a18 Binary files /dev/null and b/education/windows/images/license-terms.png differ diff --git a/education/windows/images/minecraft-perms.PNG b/education/windows/images/minecraft-perms.PNG new file mode 100644 index 0000000000..1788d6b593 Binary files /dev/null and b/education/windows/images/minecraft-perms.PNG differ diff --git a/education/windows/images/minecraft.PNG b/education/windows/images/minecraft.PNG new file mode 100644 index 0000000000..c758c28ad5 Binary files /dev/null and b/education/windows/images/minecraft.PNG differ diff --git a/education/windows/images/oobe.jpg b/education/windows/images/oobe.jpg new file mode 100644 index 0000000000..53a5dab6bf Binary files /dev/null and b/education/windows/images/oobe.jpg differ diff --git a/education/windows/images/package.png b/education/windows/images/package.png new file mode 100644 index 0000000000..f5e975e3e9 Binary files /dev/null and b/education/windows/images/package.png differ diff --git a/education/windows/images/prov.jpg b/education/windows/images/prov.jpg new file mode 100644 index 0000000000..1593ccb36b Binary files /dev/null and b/education/windows/images/prov.jpg differ diff --git a/education/windows/images/school.PNG b/education/windows/images/school.PNG new file mode 100644 index 0000000000..f8be255a05 Binary files /dev/null and b/education/windows/images/school.PNG differ diff --git a/education/windows/images/setup-app-1-access.png b/education/windows/images/setup-app-1-access.png new file mode 100644 index 0000000000..1de1081d1d Binary files /dev/null and b/education/windows/images/setup-app-1-access.png differ diff --git a/education/windows/images/setup-app-1-usb.png b/education/windows/images/setup-app-1-usb.png new file mode 100644 index 0000000000..b2d170244f Binary files /dev/null and b/education/windows/images/setup-app-1-usb.png differ diff --git a/education/windows/images/setup-app-1-wifi-manual.png b/education/windows/images/setup-app-1-wifi-manual.png new file mode 100644 index 0000000000..92de4f784c Binary files /dev/null and b/education/windows/images/setup-app-1-wifi-manual.png differ diff --git a/education/windows/images/setup-app-1-wifi.png b/education/windows/images/setup-app-1-wifi.png new file mode 100644 index 0000000000..9f305e081c Binary files /dev/null and b/education/windows/images/setup-app-1-wifi.png differ diff --git a/education/windows/images/setup-app-1.PNG b/education/windows/images/setup-app-1.PNG new file mode 100644 index 0000000000..1b88c5ac31 Binary files /dev/null and b/education/windows/images/setup-app-1.PNG differ diff --git a/education/windows/images/setup-app-2-directions.png b/education/windows/images/setup-app-2-directions.png new file mode 100644 index 0000000000..f245aafb2b Binary files /dev/null and b/education/windows/images/setup-app-2-directions.png differ diff --git a/education/windows/images/setup-app-3-directions.png b/education/windows/images/setup-app-3-directions.png new file mode 100644 index 0000000000..f593ea7371 Binary files /dev/null and b/education/windows/images/setup-app-3-directions.png differ diff --git a/education/windows/images/setup-app-all-done.png b/education/windows/images/setup-app-all-done.png new file mode 100644 index 0000000000..af7343f0e5 Binary files /dev/null and b/education/windows/images/setup-app-all-done.png differ diff --git a/education/windows/images/setupmsg.jpg b/education/windows/images/setupmsg.jpg new file mode 100644 index 0000000000..12935483c5 Binary files /dev/null and b/education/windows/images/setupmsg.jpg differ diff --git a/education/windows/images/sign-in-prov.png b/education/windows/images/sign-in-prov.png new file mode 100644 index 0000000000..55c9276203 Binary files /dev/null and b/education/windows/images/sign-in-prov.png differ diff --git a/education/windows/images/signin.jpg b/education/windows/images/signin.jpg new file mode 100644 index 0000000000..ad31bb31c4 Binary files /dev/null and b/education/windows/images/signin.jpg differ diff --git a/education/windows/images/take-a-test-flow.png b/education/windows/images/take-a-test-flow.png new file mode 100644 index 0000000000..a5135c1822 Binary files /dev/null and b/education/windows/images/take-a-test-flow.png differ diff --git a/education/windows/images/teacher-get-app.PNG b/education/windows/images/teacher-get-app.PNG new file mode 100644 index 0000000000..329607edb9 Binary files /dev/null and b/education/windows/images/teacher-get-app.PNG differ diff --git a/education/windows/images/teacher.PNG b/education/windows/images/teacher.PNG new file mode 100644 index 0000000000..286d515624 Binary files /dev/null and b/education/windows/images/teacher.PNG differ diff --git a/education/windows/images/test-account-icd.PNG b/education/windows/images/test-account-icd.PNG new file mode 100644 index 0000000000..4fd9bf3f28 Binary files /dev/null and b/education/windows/images/test-account-icd.PNG differ diff --git a/education/windows/images/trust-package.png b/education/windows/images/trust-package.png new file mode 100644 index 0000000000..8a293ea4da Binary files /dev/null and b/education/windows/images/trust-package.png differ diff --git a/education/windows/images/who-owns-pc.png b/education/windows/images/who-owns-pc.png new file mode 100644 index 0000000000..d3ce1def8d Binary files /dev/null and b/education/windows/images/who-owns-pc.png differ diff --git a/education/windows/index.md b/education/windows/index.md new file mode 100644 index 0000000000..55697f65f9 --- /dev/null +++ b/education/windows/index.md @@ -0,0 +1,28 @@ +--- +title: Windows 10 for Education (Windows 10) +description: Learn about using Windows 10 in schools. +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +--- + +# Windows 10 for Education +[Windows 10 Education](https://www.microsoft.com/en-us/education/products/windows/default.aspx) empowers staff, administrators, teachers and students to do great things. + +[Find out how to get Windows 10 Education for your school.](https://www.microsoft.com/en-us/education/buy-license/overview-of-how-to-buy/default.aspx?tabshow=schools) + +## In this section + +|Topic |Description | +|------|------------| +| [Use the Set up School PCs app (Preview)](use-set-up-school-pcs-app.md) | Learn how the Set up School PCs app works and how to use it. | +| [Technical reference for the Set up School PCs app (Preview)](set-up-school-pcs-technical.md) | See the changes that the Set up School PCs app makes to a PC. | +| [Take tests in Windows 10](take-tests-in-windows-10.md) | Learn how to configure and use the **Take a Test** app in Windows 10 | +| [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) | Learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. | +| [Chromebook migration guide](chromebook-migration-guide.md) | Learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. | + +## Related topics + +- [Windows 10 and Windows 10 Mobile](https://technet.microsoft.com/itpro/windows/index) +- [Try it out: virtual labs and how-to videos for Windows 10 Education](https://technet.microsoft.com/en-us/windows/dn610356) diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md new file mode 100644 index 0000000000..515f82d2d3 --- /dev/null +++ b/education/windows/set-up-school-pcs-technical.md @@ -0,0 +1,262 @@ +--- +title: Set up School PCs app technical reference +description: Describes the changes that the Set up School PCs app makes to a PC. +keywords: ["shared cart", "shared PC", "school"] +ms.prod: W10 +ms.mktglfcycl: plan +ms.sitesec: library +author: jdeckerMS +--- + +# Technical reference for the Set up School PCs app (Preview) +**Applies to:** + +- Windows 10 Insider Preview + + +> [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] + +The **Set up School PCs** app helps you set up new Windows 10 PCs that work great in your school by configuring shared PC mode, available in Windows 10, version 1607. **Set up School PCs** also configures school-specific settings and policies, described in this topic. + +If your school uses Azure Active Directory (Azure AD) or Office 365, the **Set up School PCs** app will create a setup file that connects the computer to your subscription. You can also use the app to set up school PCs that anyone can use, with or without Internet connectivity. + +The following table tells you what you get using the **Set up School PCs** app in your school. + +| Feature | No Internet | Azure AD | Office 365 | Azure AD Premium | +| --- | :---: | :---: | :---: | :---: | +| **Fast sign-in**
Each student can sign in and start using the computer in less than a minute, even on their first sign-in. | X | X | X | X | +| **Custom Start experience**\*
The apps students need are pinned to Start, and unnecessary apps are removed. | X | X | X | X | +| **Temporary access, no sign-in required**
This option sets up computers for common use. Anyone can use the computer without an account. | X | X | X | X | +| **School policies**\*
Settings specific to education create a useful learning environment and the best computer performance. | X | X | X | X | +| **Azure AD Join**
The computers are joined to your Azure AD or Office 365 subscription for centralized management. | | X | X | X | +| **Single sign-on to Office 365**
By signing on with student IDs, students have fast access to Office 365 web apps. | | | X | X | +| **[Settings roaming](https://azure.microsoft.com/en-us/documentation/articles/active-directory-windows-enterprise-state-roaming-overview/) via Azure AD**
Student user and application settings data can be synchronized across devices for a personalized experience. | | | | X | +| | | | | | +\* Feature applies to Windows 10 Pro, Windows 10 Pro for Education, Windows 10 Enterprise, and Windows 10 Enterprise for EDU + +> **Note**: If your school uses Active Directory, use Windows Imaging and Configuration Designer to configure your PCs to join the domain. You can only use the **Set up School PCs** app to set up PCs that are not connected to your traditional domain. + +## Prerequisites for IT + +* If your school uses Azure AD, [configure your directory to allow devices to join](https://azure.microsoft.com/en-us/documentation/articles/active-directory-azureadjoin-setup/). If the teacher is going to set up a lot of devices, give the teacher appropriate privileges for joining devices or make a special account. +* Office 365, which includes online versions of Office apps plus 1 TB online storage and [Microsoft Classroom](https://classroom.microsoft.com/), is free for teachers and students. [Sign up your school for Office 365 Education.](https://products.office.com/en-us/academic/office-365-education-plan) +* If your school has an Office 365 Education subscription, it includes a free Azure AD subscription. [Register your free Azure AD subscription.](https://msdn.microsoft.com/en-us/library/windows/hardware/mt703369%28v=vs.85%29.aspx) +* After you set up your Office 365 Education tenant, use [Microsoft School Data Sync Preview](https://sis.microsoft.com/) to sync user profiles and class rosters from your Student Information System (SIS). + + +## Information about Windows Update + +Shared PC mode helps ensure that computers are always up-to-date. If a PC is configured using the **Set up School PCs** app, shared PC mode sets the power states and Windows Update to: +* Wake nightly +* Check and install updates +* Forcibly reboot if necessary to finish applying updates + +The PC is also configured to not interrupt the user during normal daytime hours with updates or reboots. + +## Guidance for accounts on shared PCs + +* We recommend no local admin accounts on the PC to improve the reliability and security of the PC. +* When a PC is set up in shared PC mode, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account managment happens automatically. Both Azure AD and Active Directory domain accounts are managed in this way. Any accounts created through **Start without an account** will also be deleted automatically at sign out. +* On a Windows PC joined to Azure Active Directory: + * By default, the account that joined the PC to Azure AD will have an admin account on that PC. Global administrators for the Azure AD domain will also have admin accounts on the PC. + * With Azure AD Premium, you can specify which accounts have admin accounts on a PC using the **Additional administrators on Azure AD Joined devices** setting on the Azure portal. +* Local accounts that already exist on a PC won’t be deleted when turning on shared PC mode. However, any new local accounts created by the **Start without an account** selection on the sign-in screen (if enabled) will automatically be deleted at sign-out. +* If admin accounts are necessary on the PC + * Ensure the PC is joined to a domain that enables accounts to be signed on as admin, or + * Create admin accounts before setting up shared PC mode, or + * Create exempt accounts before signing out. +* The account management service supports accounts that are exempt from deletion. + * An account can be marked exempt from deletion by adding the account SID to the `HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\` registry key. + * To add the account SID to the registry key using PowerShell: + ``` + $adminName = "LocalAdmin" + $adminPass = 'Pa$$word123' + iex "net user /add $adminName $adminPass" + $user = New-Object System.Security.Principal.NTAccount($adminName) + $sid = $user.Translate([System.Security.Principal.SecurityIdentifier]) + $sid = $sid.Value; + New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\$sid" -Force + ``` + + +## Custom images +Shared PC mode is fully compatible with custom images that may be created by IT departments. Create a custom image and then use sysprep with the `/oobe` flag to create an image that teachers can then apply the **Set up School PCs** provisioning package to. [Learn more about sysprep](https://technet.microsoft.com/en-us/library/cc721940(v=ws.10).aspx). + +## Provisioning package details + +The **Set up School PCs** app produces a specialized provisioning package that makes use of the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723294%28v=vs.85%29.aspx). + +### Education customizations + +- Saving content locally to the PC is disabled. This prevents data loss by forcing students to save to the cloud. +- A custom Start layout and sign in background image are set. +- Prohibits Microsoft Accounts (MSAs) from being created. +- Prohibits unlocking the PC to developer mode. +- Prohibits untrusted Windows Store apps from being installed. +- Prohibits students from removing MDM. +- Prohibits students from adding new provisioning packages. +- Prohibits student from removing existing provisioning packages (including the one set by **Set up School PCs**). +- Sets active hours from 6 AM to 6 PM. +- Sets Windows Update to update nightly. + + +### Uninstalled apps + +- 3D Builder (Microsoft.3DBuilder_8wekyb3d8bbwe) +- Weather (Microsoft.BingWeather_8wekyb3d8bbwe) +- Get Started (Microsoft.Getstarted_8wekyb3d8bbwe) +- Get Office (Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) +- Microsoft Solitaire Collection (Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe) +- Paid Wi-Fi & Cellular (Microsoft.OneConnect_8wekyb3d8bbwe) +- Feedback Hub (Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe) +- Xbox (Microsoft.XboxApp_8wekyb3d8bbwe) +- Groove Music (Microsoft.ZuneMusic_8wekyb3d8bbwe) +- Movies & TV (Microsoft.ZuneVideo_8wekyb3d8bbwe) +- Mail/Calendar (microsoft.windowscommunicationsapps_8wekyb3d8bbwe) + +### Local Group Policies + +> **Important**: It is not recommended to set additional policies on PCs configured with the **Set up School PCs** app. The shared PC mode has been optimized to be fast and reliable over time with minimal to no manual maintenance required. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Policy path

Policy name

Value

Admin Templates > Control Panel > Personalization

Prevent enabling lock screen slide show

Enabled

Prevent changing lock screen and logon image

Enabled

Admin Templates > System > Power Management > Button Settings

Select the Power button action (plugged in)

Sleep

Select the Power button action (on battery)

Sleep

Select the Sleep button action (plugged in)

Sleep

Select the lid switch action (plugged in)

Sleep

Select the lid switch action (on battery)

Sleep

Admin Templates > System > Power Management > Sleep Settings

Require a password when a computer wakes (plugged in)

Enabled

Require a password when a computer wakes (on battery)

Enabled

Specify the system sleep timeout (plugged in)

1 hour

Specify the system sleep timeout (on battery)

1 hour

Turn off hybrid sleep (plugged in)

Enabled

Turn off hybrid sleep (on battery)

Enabled

Specify the unattended sleep timeout (plugged in)

1 hour

Specify the unattended sleep timeout (on battery)

1 hour

Allow standby states (S1-S3) when sleeping (plugged in)

Enabled

Allow standby states (S1-S3) when sleeping (on battery)

Enabled

Specify the system hibernate timeout (plugged in)

Enabled, 0

Specify the system hibernate timeout (on battery)

Enabled, 0

Admin Templates > System > Power Management > Video and Display Settings

Turn off the display (plugged in)

1 hour

Turn off the display (on battery

1 hour

Admin Templates > System > Logon

Show first sign-in animation

Disabled

Hide entry points for Fast User Switching

Enabled

Turn on convenience PIN sign-in

Disabled

Turn off picture password sign-in

Enabled

Turn off app notification on the lock screen

Enabled

Allow users to select when a password is required when resuming from connected standby

Disabled

Block user from showing account details on sign-in

Enabled

Admin Templates > System > User Profiles

Turn off the advertising ID

Enabled

Admin Templates > Windows Components

Do not show Windows Tips

Enabled

Turn off Microsoft consumer experiences

Enabled

Microsoft Passport for Work

Disabled

Prevent the usage of OneDrive for file storage

Enabled

Admin Templates > Windows Components > Biometrics

Allow the use of biometrics

Disabled

Allow users to log on using biometrics

Disabled

Allow domain users to log on using biometrics

Disabled

Admin Templates > Windows Components > Data Collection and Preview Builds

Toggle user control over Insider builds

Disabled

Disable pre-release features or settings

Disabled

Do not show feedback notifications

Enabled

Admin Templates > Windows Components > File Explorer

Show lock in the user tile menu

Disabled

Admin Templates > Windows Components > Maintenance Scheduler

Automatic Maintenance Activation Boundary

12am

Automatic Maintenance Random Delay

Enabled, 2 hours

Automatic Maintenance WakeUp Policy

Enabled

Admin Templates > Windows Components > Microsoft Edge

Open a new tab with an empty tab

Disabled

Configure corporate home pages

Enabled, about:blank

Admin Templates > Windows Components > Search

Allow Cortana

Disabled

Windows Settings > Security Settings > Local Policies > Security Options

Interactive logon: Do not display last user name

Enabled

Interactive logon: Sign-in last interactive user automatically after a system-initiated restart

Disabled

Shutdown: Allow system to be shut down without having to log on

Disabled

User Account Control: Behavior of the elevation prompt for standard users

Auto deny



+ +## Related topics + +[Use Set up School PCs app](use-set-up-school-pcs-app.md) + + + + diff --git a/education/windows/take-a-test-app-technical.md b/education/windows/take-a-test-app-technical.md new file mode 100644 index 0000000000..149c29d066 --- /dev/null +++ b/education/windows/take-a-test-app-technical.md @@ -0,0 +1,82 @@ +--- +title: Take a Test app technical reference +description: The policies and settings applied by the Take a Test app. +keywords: ["shared cart", "shared PC", "school"] +ms.prod: W10 +ms.mktglfcycl: plan +ms.sitesec: library +author: jdeckerMS +--- + +# Take a Test app technical reference (Preview) +**Applies to:** + +- Windows 10 Insider Preview + + +> [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] + +Take a Test is an app that locks down the PC and displays an online assessment web page. + +Whether you are a teacher or IT administrator, you can easily configure Take a Test to meet your testing needs. For high-stakes tests, the app creates a browser-based, locked-down environment for more secure online assessments. This means that students taking the tests that don’t have copy/paste privileges, can’t access to files and applications, and are free from distractions. For simple tests and quizzes, Take a Test can be configured to use the teacher’s preferred assessment website to deliver digital assessments + +Assessment vendors can use Take a Test as a platform to lock down the operating system. Take a Test supports the [SBAC browser API standard](http://www.smarterapp.org/documents/SecureBrowserRequirementsSpecifications_0-3.pdf) for high stakes common core testing. (Link to Javascript API when available) + +## PC lockdown for assessment + + When the assessment page initiates lock down, the student’s desktop will be locked and the app will be launched above the Windows lock screen to provide a sandbox that ensures the student can only interact with the Take a Test app . After transitioning to the lock screen, Take a Test will apply local MDM policies to further lock down the device. The whole process of going above the lock screen and applying policies is what defines lockdown. The lockdown process is atomic, which means that if any part of the lockdown operation fails, the app will not be above lock and won't have any of the policies applied. + +When running above the lock screen: +- The app runs full screen with no chrome + +- The hardware print screen button is disabled + +- Content within the app will show up as black in screen capturing/sharing software Copy/paste is disabled + +- Web apps can query the processes currently running in the user’s device + +- Extended display shows up as black + +- Auto-fill is disabled + +## Mobile device management (MDM) policies + +When Take a Test is running, the following MDM policies are applied to lock down the PC. + +| Policy | Description | Value | +|---|---|---| +| AllowToasts | Disables toast notifications from being shown | 0 | +| AllowAppStoreAutoUpdate | Disables automatic updates for Windows Store apps that are installed on the PC | 0 | +| AllowDeviceDiscovery | Disables UI for screen sharing | 0 | +| AllowInput Panel | Disables the onscreen keyboard which will disable auto-fill | 0 | +| AllowCortana | Disables Cortana functionality | 0 | +| AllowAutoupdate | Disables Windows Update from starting OS updates | 5 | + +## Allowed functionality + +When Take a Test is running, the following functionality is available to students: + +- Assistive technology that is configured to run above the lock screen should run as expected + +- Narrator is available through Windows key + Enter + +- Magnifier is available through Windows key + "+" key + + - Full screen mode is compatible + +- The student can press Alt+Tab when locked down. This results in the student being able to switch between the following: + + - Take a Test + - Assistive technology that may be running + - Lock Screen (not available if student is using a dedicated test account) + > **Note** The app will exit if the student signs in to an account from the lock screen. Progress made in the test may be lost or invalidated. + +- The student can exit the test by pressing one of the following key combinations: + + - Ctrl+Alt+Del + + - Alt+F4 (**Take a Test** will restart if the student is using a dedicated test account) + + + + diff --git a/education/windows/take-a-test-multiple-pcs.md b/education/windows/take-a-test-multiple-pcs.md new file mode 100644 index 0000000000..64dde75a76 --- /dev/null +++ b/education/windows/take-a-test-multiple-pcs.md @@ -0,0 +1,215 @@ +--- +title: Set up Take a Test on multiple PCs +description: Learn how to set up and use the Take a Test app on multiple PCs. +keywords: ["shared cart", "shared PC", "school"] +ms.prod: W10 +ms.mktglfcycl: plan +ms.sitesec: library +author: jdeckerMS +--- + +# Set up Take a Test on multiple PCs (Preview) +**Applies to:** + +- Windows 10 Insider Preview + + +> [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] + +Many schools use online testing for formative and summative assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. The **Take a Test** app in Windows 10, Version 1607, creates the right environment for taking a test: + +- A Microsoft Edge browser window opens, showing just the test and nothing else. +- Students aren’t able to go to other websites. +- Students can’t open or access other apps. +- Students can't share, print, or record their screens. +- Students can’t copy or paste. +- Students can’t change settings, extend their display, see notifications, get updates, or use autofill features. +- Cortana is turned off. + + +**Take a Test** is included in Windows 10 Education. To add **Take a Test** to other editions of Windows 10, see [Add the Take a Test app to Windows 10](take-tests-in-windows-10.md#add-the-take-a-test-app-to-windows-10) + +## How you use Take a Test + +![Use test account or test url in Take a Test](images/take-a-test-flow.png) + +- **Use a test URL and a [dedicated testing account](#set-up-a-dedicated-test-account)** - A user signs in to the account and the **Take a Test** app automatically launches the pre-configured assessment URL in Microsoft Edge in a single-app, kiosk mode. A student will never have access to the desktop in this configuration. We recommend this configuration for high stakes testing. +- **[Put a test URL with an included prefix](#provide-link-to-test) on a web page or OneNote for students to click** - This allows teachers and test administrators an easier way to deploy assessments. We recommend this method for lower stakes assessments. + +## Set up a dedicated test account + +To configure a dedicated test account on multiple PCs, you can use: +- [Mobile device management (MDM) or Microsoft System Center Configuration Manager](#set-up-test-account-in-mdm-or-configuration-manager) +- [A provisioning package](#set-up-test-account-in-a-provisioning-package) created in Windows Imaging and Configuration Designer (ICD) +- [Group Policy](#set-up-test-account-in-group-policy) to deploy a scheduled task that runs a Powershell script + + +### Set up test account in MDM or Configuration Manager + +1. Launch your management console. +2. Create a policy to set up single app kiosk mode, using the following values: + + - **Custom OMA-DM URI** = ./Vendor/MSFT/AssignedAccess/KioskModeApp + - **String value** = {"Account":"*redmond\\kioskuser*","AUMID":” Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App "} + + > Account can be in one of the following formats: + > - username + > - domain\username + > - computer name\\username + > - username@tenant.com + +3. Create a policy to configure the assessment URL, using the following values: + + - **Custom OMA-DM URI** = ./Vendor/MSFT/SecureAssessment/LaunchURI + - **String value** = *assessment URL* + > See [Assessment URLs](#assessment-urls) + +4. Create a policy that associates the assessment URL to the account, using the following values: + + - **Custom OMA-DM URI** = ./Vendor/MSFT/SecureAssessment/TesterAccount + - **String value** = Enter the account that you created in step 2, using the same account format. + +5. To take the test, the student signs in to the test account. + +### Set up test account in a provisioning package + +Prerequisite: You must first [download the Windows ADK](https://msdn.microsoft.com/en-us/windows/hardware/dn913721.aspx) for Windows 10, Version 1607, and install Windows Imaging and Configuration Designer (ICD). + +**Create a provisioning package to set up a test account + +1. Open Windows ICD (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe). +2. Select **Advanced provisioning**. +3. Name your project, and click **Next**. +4. Select **All Windows desktop editions**, and click **Next**. +5. Click **Finish**. +6. Go to **Runtime settings** > **AssignedAccess** > **AssignedAccessSettings**. +7. Enter **{"Account":"*redmond\\kioskuser*","AUMID":” Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App "}**, using the account that you want to set up, as shown in the following image. + + ![Enter account and app for Assigned Access Settings](images/test-account-icd.png) + > Account can be in one of the following formats: + > - username + > - domain\username + > - computer name\\username + > - username@tenant.com + +8. Go to **Runtime settings** > **TakeATest**. +9. Enter the test URL in **LaunchURI**. +10. Enter the test account from step 7 in **TesterAccount**. +On the **File** menu, select **Save.** + +9. On the **Export** menu, select **Provisioning package**. + +10. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** + +11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. + + - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. + + - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select** and choosing the certificate you want to use to sign the package. + +12. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows ICD uses the project folder as the output location. + + Optionally, you can click **Browse** to change the default output location. + +13. Click **Next**. + +14. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status. + + If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. + +15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. + + If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. + + - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. + - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. + + **Apply the provisioning package** + + 1. Select the provisioning package that you want to apply, double-click the file, and then allow admin privileges. + +2. Consent to allow the package to be installed. + + After you allow the package to be installed, the settings will be applied to the device + +[Learn how to apply a provisioning package in audit mode or OOBE.](http://go.microsoft.com/fwlink/p/?LinkID=692012) + +### Set up test account in Group Policy + +To set up a test account using Group Policy, first create a Powershell script that configures the test account and test URL, and then create a scheduled task to run the script. + +#### Create a Powershell script + +This sample Powershell script configures the test account and the test URL. Edit the sample to: +- Use your test account for **$obj.LaunchURI** +- Use your test URL for **$obj.TesterAccount** +- Use your test account for **-UserName** + +``` +$obj = get-wmiobject -namespace root/cimv2/mdm/dmmap -class MDM_SecureAssessment -filter "InstanceID='SecureAssessment' AND ParentID='./Vendor/MSFT'"; +$obj.LaunchURI='http://www.foo.com'; +$obj.TesterAccount='TestAccount'; +$obj.put() +Set-AssignedAccess -AppUserModelId Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App -UserName TestAccount +``` + + +#### Create a scheduled task in Group Policy + +1. Open the Group Policy Management Console. +2. Right-click the Group Policy object (GPO) that should contain the new preference item, and then click **Edit**. +3. In the console tree under **Computer Configuration** or **User Configuration**, go to **Preferences** > **Control Panel Settings**. +4. Right-click **Scheduled Tasks**, point to **New**, and select **Scheduled Task**. +5. In the **New Scheduled Task Properties** dialog box, click **Change User or Group**. +6. In the **Select User or Group** dialog box, click **Advanced**. +7. In the **Advanced** dialog box, click **Find Now**. +8. Select **System** in the search results +9. Go back to the **Properties** dialog box and select **Run with highest privileges** under **Security options**. +9. Specify the operating system in the **Configure for** field. +9. Navigate to the **Actions** tab. +9. Create a new **Action**. +9. Configure the action to **Start a program**. +9. In the **Program/script** field, enter **powershell**. +9. In the **Add arguments** field, enter **-file “”**. +9. Click **OK**. +9. Navigate to the **Triggers** tab and create a new trigger. +9. Specify the trigger to be **On a schedule**. +9. Specify the trigger to be **One time**. +9. Specify the time the trigger should start. +9. Click **OK**. +9. In the **Settings** tab, select **Run task as soon as possible after a scheduled start is missed**. +9. Click **OK**. + + + +## Provide link to test + +Anything hosted on the web can be presented in a locked down manner, not just assessments. To lock down online content, just embed a URL with a specific prefix and devices will be locked down when users follow the link. We recommend using this method for lower stakes assessments. + +1. Create a link to the test URL. Use **ms-edu-secureassessment:** before the URL and **!enforceLockdown** after the URL. +``` +ms-edu-secureassessment:!enforceLockdown + ``` + > **Note**: You may want to remove !enforceLockdown for tests that utilizes our lockdown API that checks for running processes before locking down. Removing !enforceLockdown will result in the app not locking down immediately which allows you to close apps that are not allowed to run during lockdown. The test web application may lock down the device once you have closed the apps. + +2. Distribute the link. You can use the web, email, OneNote, or any other method of your choosing. +3. To take the test, the student clicks on the link and provides user consent. + + + +## Assessment URLs + +This assessment URL uses our lockdown API: + +- SBAC/AIR: [http://mobile.tds.airast.org/launchpad/](http://mobile.tds.airast.org/launchpad/). + + +## Related topics + +[Take tests in Windows 10](take-tests-in-windows-10.md) + +[Set up Take a Test on a single PC](take-a-test-single-pc.md) + +[Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md) + +[Take a Test app technical reference](take-a-test-app-technical.md) diff --git a/education/windows/take-a-test-single-pc.md b/education/windows/take-a-test-single-pc.md new file mode 100644 index 0000000000..e1c6bb189c --- /dev/null +++ b/education/windows/take-a-test-single-pc.md @@ -0,0 +1,85 @@ +--- +title: Set up Take a Test on a single PC +description: Learn how to set up and use the Take a Test app on a single PC. +keywords: ["shared cart", "shared PC", "school"] +ms.prod: W10 +ms.mktglfcycl: plan +ms.sitesec: library +author: jdeckerMS +--- + +# Set up Take a Test on a single PC (Preview) +**Applies to:** + +- Windows 10 Insider Preview + + +> [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] + +The **Take a Test** app in Windows 10, Version 1607, creates the right environment for taking a test: + +- A Microsoft Edge browser window opens, showing just the test and nothing else. +- Students aren’t able to go to other websites. +- Students can’t open or access other apps. +- Students can't share, print, or record their screens. +- Students can’t copy or paste. +- Students can’t change settings, extend their display, see notifications, get updates, or use autofill features. +- Cortana is turned off. + +> **Tip!** +> To exit **Take a Test**, press Ctrl+Alt+Delete. + +**Take a Test** is included in Windows 10 Education. To add **Take a Test** to other editions of Windows 10, see [Add the Take a Test app to Windows 10](take-tests-in-windows-10.md#add-the-take-a-test-app-to-windows-10) + +## How you use Take a Test + +![Use test account or test url in Take a Test](images/take-a-test-flow.png) + +- **Use a test URL and a [dedicated testing account](#set-up-a-dedicated-test-account)** - A user signs in to the account and the **Take a Test** app automatically launches the pre-configured assessment URL in Microsoft Edge in a single-app, kiosk mode. A student will never have access to the desktop in this configuration. We recommend this configuration for high stakes testing. +- **[Put a test URL with an included prefix](#provide-link-to-test) on a web page or OneNote for students to click** - This allows teachers and test administrators an easier way to deploy assessments. We recommend this method for lower stakes assessments. + +## Set up a dedicated test account + + + + + + +1. Sign into the device with an administrator account. +2. Go to **Settings** > **Accounts** > **Work or school access** (final name needs to be updated, still TBD) > **Set up an account for taking tests**. +3. Select an account to use as the dedicated testing account. + >**Note**: If you don't have an account on the device, you can create a new account. To do this, go to **Settings** > **Accounts** > **Other Users** > **Add someone else to this PC** > **I don’t have this person’s sign-in information** > **Add a user without a Microsoft account**. +4. Specify an assessment URL. + +5. Click **Save**. + +6. To take the test, the student signs in to the selected account. + + + + +## Provide link to test + +Anything hosted on the web can be presented in a locked down manner, not just assessments. To lock down online content, just embed a URL with a specific prefix and devices will be locked down when users follow the link. We recommend using this method for lower stakes assessments. + +1. Create a link to the test URL. Use **ms-edu-secureassessment:** before the URL and **!enforceLockdown** after the URL. +``` +ms-edu-secureassessment:!enforceLockdown + ``` + +2. Distribute the link. You can use the web, email, OneNote, or any other method of your choosing. +3. To take the test, the student clicks on the link and provides user consent. + + +## Related topics +[Take tests in Windows 10](take-tests-in-windows-10.md) + +[Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md) + +[Take a Test app technical reference](take-a-test-app-technical.md) + + + + + + diff --git a/education/windows/take-tests-in-windows-10.md b/education/windows/take-tests-in-windows-10.md new file mode 100644 index 0000000000..7d15a79d72 --- /dev/null +++ b/education/windows/take-tests-in-windows-10.md @@ -0,0 +1,68 @@ +--- +title: Take tests in Windows 10 +description: Learn how to set up and use the Take a Test app. +keywords: ["shared cart", "shared PC", "school"] +ms.prod: W10 +ms.mktglfcycl: plan +ms.sitesec: library +author: jdeckerMS +--- + +# Take tests in Windows 10 (Preview) +**Applies to:** + +- Windows 10 Insider Preview + + +> [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] + +Many schools use online testing for formative and summative assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. The **Take a Test** app in Windows 10, Version 1607, creates the right environment for taking a test: + +- **Take a Test** shows just the test and nothing else. +- Students aren’t able to go to other websites. +- Students can’t open or access other apps. +- Students can't share, print, or record their screens. +- Students can’t copy or paste. +- Students can’t change settings, extend their display, see notifications, get updates, or use autofill features. +- Cortana is turned off. + + +**Take a Test** is included in Windows 10 Education. To add **Take a Test** to other editions of Windows 10, see [Add the Take a Test app to Windows 10](#add-the-take-a-test-app-to-windows-10) + +## How you use Take a Test + +![Use test account or test url in Take a Test](images/take-a-test-flow.png) + +- **Use a test URL and a dedicated testing account** - A user signs in to the account and the **Take a Test** app automatically launches the pre-configured assessment URL in a single-app, kiosk mode. A student will never have access to the desktop in this configuration. We recommend this configuration for high stakes testing. +- **Put a test URL with an included prefix on a web page or OneNote for students to click** - This allows teachers and test administrators an easier way to deploy assessments. We recommend this method for lower stakes assessments. + +[Learn how to set up Take a Test on a single PC](take-a-test-single-pc.md) + +[Learn how to set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md) + +## Add the Take a Test app to Windows 10 + +You can add the Take a Test app to Windows 10 Pro and Enterprise. + +### Add Take a Test on a single PC + +Use **Settings** to get **Take a Test** from Windows Update. + +1. Open **Settings**. +2. Go to **System** > **Apps & features** > **Manage optional features** > **Add a feature**. +3. Select **Take a Test**. + +### Deploy Take a Test to multiple PCs using DISM + +You can deploy the Take a Test package through Deployment Image Servicing and Management (DISM.exe). + +1. Get the Take a Test package from the [Microsoft update catalog](http://catalog.update.microsoft.com/). +2. Upload the package to a network share or to your Windows Server Update Services (WSUS) server. +3. Create and deploy a DISM script to add the package to offline or online images. For more information on how to add or enable features through DISM, see [DISM Operating System Package (.cab or .msu) Servicing Command-Line Options](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/dism-operating-system-package-servicing-command-line-options). + +## Related topics + +[Take a Test app technical reference](take-a-test-app-technical.md) + + + diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md new file mode 100644 index 0000000000..1e5af39910 --- /dev/null +++ b/education/windows/use-set-up-school-pcs-app.md @@ -0,0 +1,142 @@ +--- +title: Use Set up School PCs app +description: Learn how the Set up School PCs app works and how to use it. +keywords: ["shared cart", "shared PC", "school"] +ms.prod: W10 +ms.mktglfcycl: plan +ms.sitesec: library +author: jdeckerMS +--- + +# Use the Set up School PCs app (Preview) +**Applies to:** + +- Windows 10 Insider Preview + + +> [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] + +Teachers and IT administrators can use the **Set up School PCs** app to quickly set up computers for students. A computer set up using the app is tailored to provide students with the tools they need for learning while removing apps and features that they don't need. + +![Run app, turn on PC, insert USB key](images/app1.jpg) + +## What does this app do? + +The Set up School PCs app helps you set up new computers running Windows 10, version 1607. Some benefits of using this app to set up your students' PCs: +* A computer set up this way is tailored to provide students with the tools they need for learning while removing apps and features that they don't need. + * Places tiles for OneNote, Office 365 web apps, Sway, and Microsoft Classroom on the Start menu + * Installs OneDrive for cloud-based documents and places it on the Start menu and taskbar + * Sets Microsoft Edge as the default browser + * Uninstalls apps not specific to education, such as Solitaire and Sports + * Turns off Offers and tips + * Prevents students from adding personal Microsoft accounts to the computer +* Significantly improves how fast students sign-in. +* The app connects the PCs to your school’s cloud so IT can manage them (optional). +* Windows 10 automatically manages accounts no matter how many students use the PC. +* Keeps computers up-to-date without interfering with class time using Windows Update and maintenance hours (by default, 12 AM). +* Customizes the sign-in screen to support students with IDs and temporary users. +* Locks down the computer to prevent mischievous activity: + * Prevents students from installing apps + * Prevents students from removing the computer from the school's device management system + * Prevents students from removing the Set up School PCs settings + + +## Tips for success + +* **Run the app at work**: For the best results, run the **Set up School PCs** app on your work device connected to your school's network. That way the app can gather accurate information about your wireless networks and cloud subscriptions. + > **Note**: Don't use **Set up Schools PCs** app for PCs that must connect to enterprise networks or to open wi-fi networks that require the user to accept Terms of Use. +* **Apply to new computers**: The setup file that the **Set up School PCs** app creates should be used on new computers that haven't been set up for accounts yet. If you apply the setup file to a computer that has already been set up, existing accounts and data might be lost. +> **Warning**: Only use the setup file on computers that you want to configure and lock down for students. After you apply the setup file to a computer, the computer must be reset to remove the settings. +* **Turn on student PCs and stay on first screen**: The computer must be on this screen when you insert the USB key. + +![The first screen to set up a new PC](images/oobe.jpg) + +If you have gone past this screen, you may have to reset your PC to start over. To reset your PC after you have completed the first run experience, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**. +* **Use more than one USB key**: If you are setting up multiple PCs, you can set them up at the same time. Just run the **Set up School PCs** app again and save the same settings to another key. That way you can run set up on more than one PC at once. Create three keys and you can run it on three PCs at once, etc. +* **Start fresh**: If the PC has already been set up and you want to return to the first-run-experience to apply a new package, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**. +* **Keep it clean**: We strongly recommend that IT avoid changes to policies unless absolutely necessary, as any changes can impair performance and sign-in time. Get more information at [Set up School PCs app technical reference](set-up-school-pcs-technical.md). + +## Set up School PCs app step-by-step + +What you need: + +- The **Set up School PCs** app, installed on your work computer, connected to your school's network +- A USB drive, 1 GB or larger + +### Create the setup file in the app + +The **Set up School PCs** app guides you through the configuration choices for the student PCs. + +1. Open the **Set up School PCs** app and select **Start**. + + ![select start](images/app1.jpg) + +2. Choose **No** to require students to sign in only with an account, or choose **Yes** to allow students to use the PC without an account too, and then select **Next**. + + ![account required?](images/setup-app-1-access.png) + +3. Choose a Wi-Fi network from the list and then select **Next**, or choose **Manually connect to a wireless network** to enter the network information yourself. + + ![choose network](images/setup-app-1-wifi.png) + + - For a manual network connection, enter the network name, security type, and password (if required), and then select **Next**. + + ![enter network information](images/setup-app-1-wifi-manual.png) + +4. Insert a USB drive, select it in the app, and then select **Save**. + + ![select usb drive](images/setup-app-1-usb.png) + + + +### Apply the setup file to PCs + +The setup file on your USB drive is named `SetupSchoolPCs.ppkg`, which is a provisioning package. A provisioning package is a method for applying settings to Windows 10. When Windows 10 refers to *package*, it means your setup file, and when it refers to *provisioning*, it means applying the setup file to the computer. + +1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**. + + ![The first screen to set up a new PC](images/oobe.jpg) + +2. Insert the USB drive. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**. + + ![Set up device?](images/setupmsg.jpg) + +3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**. + + ![Provision this device](images/prov.jpg) + +4. Select `SetupSchoolPCs.ppkg` and tap **Next**. + + ![Choose a package](images/choose-package.png) + +5. Select **Yes, add it**. + + ![Do you trust this package?](images/trust-package.png) + +6. Read and accept the Microsoft Software License Terms. + + ![Sign in](images/license-terms.png) + +7. Select **Use Express settings**. + + ![Get going fast](images/express-settings.png) + +8. If the PC doesn't use a volume license, you'll see the **Who owns this PC?** screen. Select **My work or school owns it** and tap **Next**. + + ![Who owns this PC?](images/who-owns-pc.png) + +9. On the **Choose how you'll connect** screen, select **Join Azure AD** and tap **Next**. + + ![Connect to Azure AD](images/connect-aad.png) + +10. Your last step is to sign in. Use your Azure AD or Office 365 account and password. When you see the progress ring, you can remove the USB drive. + + ![Sign in](images/sign-in-prov.png) + + +That's it! Sign out and the computer is now ready for students. + +## Learn more + +See [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md) for prerequisites and provisioning details. + diff --git a/windows/deploy/TOC.md b/windows/deploy/TOC.md index 86ea7532e1..cc0388e935 100644 --- a/windows/deploy/TOC.md +++ b/windows/deploy/TOC.md @@ -1,5 +1,4 @@ # [Deploy Windows 10](index.md) -## [Change history for Deploy Windows 10](change-history-for-deploy-windows-10.md) ## [Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) ## [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md) ### [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md) @@ -35,9 +34,11 @@ ### [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) ## [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) ## [Upgrade to Windows 10 with System Center Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md) +## [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) ## [Windows 10 edition upgrade](windows-10-edition-upgrades.md) ## [Deploy Windows To Go in your organization](deploy-windows-to-go.md) ## [Update Windows 10 images with provisioning packages](update-windows-10-images-with-provisioning-packages.md) +## [Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade-windows-phone-8-1-to-10.md) ## [Sideload apps in Windows 10](sideload-apps-in-windows-10.md) ## [Volume Activation [client]](volume-activation-windows-10.md) ### [Plan for volume activation [client]](plan-for-volume-activation-client.md) @@ -133,4 +134,4 @@ ###### [Recognized Environment Variables](usmt-recognized-environment-variables.md) ###### [XML Elements Library](usmt-xml-elements-library.md) ##### [Offline Migration Reference](offline-migration-reference.md) - +## [Change history for Deploy Windows 10](change-history-for-deploy-windows-10.md) diff --git a/windows/deploy/activate-forest-by-proxy-vamt.md b/windows/deploy/activate-forest-by-proxy-vamt.md index f178e14406..1e852d5221 100644 --- a/windows/deploy/activate-forest-by-proxy-vamt.md +++ b/windows/deploy/activate-forest-by-proxy-vamt.md @@ -2,7 +2,7 @@ title: Activate by Proxy an Active Directory Forest (Windows 10) description: Activate by Proxy an Active Directory Forest ms.assetid: 6475fc87-a6f7-4fa8-b0aa-de19f2dea7e5 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/activate-forest-vamt.md b/windows/deploy/activate-forest-vamt.md index 267e03be9c..082bac639c 100644 --- a/windows/deploy/activate-forest-vamt.md +++ b/windows/deploy/activate-forest-vamt.md @@ -2,7 +2,7 @@ title: Activate an Active Directory Forest Online (Windows 10) description: Activate an Active Directory Forest Online ms.assetid: 9b5bc193-799b-4aa5-9d3e-0e495f7195d3 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/activate-using-active-directory-based-activation-client.md b/windows/deploy/activate-using-active-directory-based-activation-client.md index 15ae96825a..dbf9a5a617 100644 --- a/windows/deploy/activate-using-active-directory-based-activation-client.md +++ b/windows/deploy/activate-using-active-directory-based-activation-client.md @@ -3,11 +3,11 @@ title: Activate using Active Directory-based activation (Windows 10) description: Active Directory-based activation is implemented as a role service that relies on AD DS to store activation objects. ms.assetid: 08cce6b7-7b5b-42cf-b100-66c363a846af keywords: vamt, volume activation, activation, windows activation -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation -author: CFaw +author: greg-lindsay --- # Activate using Active Directory-based activation diff --git a/windows/deploy/activate-using-key-management-service-vamt.md b/windows/deploy/activate-using-key-management-service-vamt.md index 4c5d735436..9681860156 100644 --- a/windows/deploy/activate-using-key-management-service-vamt.md +++ b/windows/deploy/activate-using-key-management-service-vamt.md @@ -3,7 +3,7 @@ title: Activate using Key Management Service (Windows 10) ms.assetid: f2417bfe-7d25-4e82-bc07-de316caa8dac description: keywords: vamt, volume activation, activation, windows activation -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/activate-windows-10-clients-vamt.md b/windows/deploy/activate-windows-10-clients-vamt.md index 91b743947e..2d77f355dc 100644 --- a/windows/deploy/activate-windows-10-clients-vamt.md +++ b/windows/deploy/activate-windows-10-clients-vamt.md @@ -3,7 +3,7 @@ title: Activate clients running Windows 10 (Windows 10) description: After you have configured Key Management Service (KMS) or Active Directory-based activation on your network, activating a client running Windows 10 is easy. ms.assetid: 39446e49-ad7c-48dc-9f18-f85a11ded643 keywords: vamt, volume activation, activation, windows activation -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/active-directory-based-activation-overview.md b/windows/deploy/active-directory-based-activation-overview.md index 7f47592aa7..9a64d7572a 100644 --- a/windows/deploy/active-directory-based-activation-overview.md +++ b/windows/deploy/active-directory-based-activation-overview.md @@ -2,11 +2,11 @@ title: Active Directory-Based Activation Overview (Windows 10) description: Active Directory-Based Activation Overview ms.assetid: c1dac3bd-6a86-4c45-83dd-421e63a398c0 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation -author: CFaw +author: greg-lindsay --- # Active Directory-Based Activation Overview diff --git a/windows/deploy/add-a-windows-10-operating-system-image-using-configuration-manager.md b/windows/deploy/add-a-windows-10-operating-system-image-using-configuration-manager.md index 13a328ea77..5a3eadbc33 100644 --- a/windows/deploy/add-a-windows-10-operating-system-image-using-configuration-manager.md +++ b/windows/deploy/add-a-windows-10-operating-system-image-using-configuration-manager.md @@ -2,8 +2,8 @@ title: Add a Windows 10 operating system image using Configuration Manager (Windows 10) description: Operating system images are typically the production image used for deployment throughout the organization. ms.assetid: 77f769cc-1a47-4f36-8082-201cd77b8d3b -keywords: ["image, deploy, distribute"] -ms.prod: W10 +keywords: image, deploy, distribute +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus diff --git a/windows/deploy/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md b/windows/deploy/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md index 8e72718b82..de701986b4 100644 --- a/windows/deploy/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md +++ b/windows/deploy/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md @@ -2,8 +2,8 @@ title: Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager (Windows 10) description: In this topic, you will learn how to configure the Windows Preinstallation Environment (Windows PE) to include the network drivers required to connect to the deployment share and the storage drivers required to see the local storage on machines. ms.assetid: 97b3ea46-28d9-407e-8c42-ded2e45e8d5c -keywords: ["deploy, task sequence"] -ms.prod: W10 +keywords: deploy, task sequence +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus diff --git a/windows/deploy/add-manage-products-vamt.md b/windows/deploy/add-manage-products-vamt.md index 6bbbfaf218..88d5145472 100644 --- a/windows/deploy/add-manage-products-vamt.md +++ b/windows/deploy/add-manage-products-vamt.md @@ -2,7 +2,7 @@ title: Add and Manage Products (Windows 10) description: Add and Manage Products ms.assetid: a48fbc23-917d-40f7-985c-e49702c05e51 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/add-remove-computers-vamt.md b/windows/deploy/add-remove-computers-vamt.md index eae34332f2..2ad22c3d7f 100644 --- a/windows/deploy/add-remove-computers-vamt.md +++ b/windows/deploy/add-remove-computers-vamt.md @@ -2,7 +2,7 @@ title: Add and Remove Computers (Windows 10) description: Add and Remove Computers ms.assetid: cb6f3a78-ece0-4dc7-b086-cb003d82cd52 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS diff --git a/windows/deploy/add-remove-product-key-vamt.md b/windows/deploy/add-remove-product-key-vamt.md index 5776806c20..d659ae2507 100644 --- a/windows/deploy/add-remove-product-key-vamt.md +++ b/windows/deploy/add-remove-product-key-vamt.md @@ -2,7 +2,7 @@ title: Add and Remove a Product Key (Windows 10) description: Add and Remove a Product Key ms.assetid: feac32bb-fb96-4802-81b8-c69220dcfcce -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/appendix-information-sent-to-microsoft-during-activation-client.md b/windows/deploy/appendix-information-sent-to-microsoft-during-activation-client.md index 8a21466ddb..39133a9d8c 100644 --- a/windows/deploy/appendix-information-sent-to-microsoft-during-activation-client.md +++ b/windows/deploy/appendix-information-sent-to-microsoft-during-activation-client.md @@ -3,7 +3,7 @@ title: Appendix Information sent to Microsoft during activation (Windows 10) ms.assetid: 4bfff495-07d0-4385-86e3-7a077cbd64b8 description: keywords: vamt, volume activation, activation, windows activation -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/assign-applications-using-roles-in-mdt-2013.md b/windows/deploy/assign-applications-using-roles-in-mdt-2013.md index dab995bb1e..1319888616 100644 --- a/windows/deploy/assign-applications-using-roles-in-mdt-2013.md +++ b/windows/deploy/assign-applications-using-roles-in-mdt-2013.md @@ -3,7 +3,7 @@ title: Assign applications using roles in MDT (Windows 10) description: This topic will show you how to add applications to a role in the MDT database and then assign that role to a computer. ms.assetid: d82902e4-de9c-4bc4-afe0-41d649b83ce7 keywords: settings, database, deploy -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/build-a-distributed-environment-for-windows-10-deployment.md b/windows/deploy/build-a-distributed-environment-for-windows-10-deployment.md index 32a354ad0e..f015c71c1f 100644 --- a/windows/deploy/build-a-distributed-environment-for-windows-10-deployment.md +++ b/windows/deploy/build-a-distributed-environment-for-windows-10-deployment.md @@ -3,7 +3,7 @@ title: Build a distributed environment for Windows 10 deployment (Windows 10) description: In this topic, you will learn how to replicate your Windows 10 deployment shares to facilitate the deployment of Windows 10 in remote or branch locations. ms.assetid: a6cd5657-6a16-4fff-bfb4-44760902d00c keywords: replication, replicate, deploy, configure, remote -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/change-history-for-deploy-windows-10.md b/windows/deploy/change-history-for-deploy-windows-10.md index 3ca65edd17..ef6b329f37 100644 --- a/windows/deploy/change-history-for-deploy-windows-10.md +++ b/windows/deploy/change-history-for-deploy-windows-10.md @@ -2,15 +2,25 @@ title: Change history for Deploy Windows 10 (Windows 10) description: This topic lists new and updated topics in the Deploy Windows 10 documentation for Windows 10 and Windows 10 Mobile. ms.assetid: 19C50373-6B25-4F5C-A6EF-643D36904349 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Change history for Deploy Windows 10 This topic lists new and updated topics in the [Deploy Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md). +## June 2016 +| New or changed topic | Description | +|----------------------|-------------| +| [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) | New | + +## May 2016 +| New or changed topic | Description | +|----------------------|-------------| +| [Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade-windows-phone-8-1-to-10.md) | New | + ## December 2015 | New or changed topic | Description | |----------------------|-------------| diff --git a/windows/deploy/configure-a-pxe-server-to-load-windows-pe.md b/windows/deploy/configure-a-pxe-server-to-load-windows-pe.md new file mode 100644 index 0000000000..a304a10c23 --- /dev/null +++ b/windows/deploy/configure-a-pxe-server-to-load-windows-pe.md @@ -0,0 +1,168 @@ +--- +title: Configure a PXE server to load Windows PE (Windows 10) +description: This topic describes how to configure a PXE server to load Windows PE so that it can be used with an image file to install Windows 10 from the network. +keywords: upgrade, update, windows, windows 10, pxe, WinPE, image, wim +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +author: greg-lindsay +--- + +# Configure a PXE server to load Windows PE + +**Applies to** + +- Windows 10 + +## Summary + +This walkthrough describes how to configure a PXE server to load Windows PE by booting a client computer from the network. Using the Windows PE tools and a Windows 10 image file, you can install Windows 10 from the network. + +## Prerequisites + +- A deployment computer: A computer with the [Windows Assessment and Deployment Kit](https://www.microsoft.com/en-us/download/details.aspx?id=39982) (Windows ADK) installed. +- A DHCP server: A DHCP server or DHCP proxy configured to respond to PXE client requests is required. +- A PXE server: A server running the TFTP service that can host Windows PE boot files that the client will download. +- A file server: A server hosting a network file share. + +All four of the roles specified above can be hosted on the same computer or each can be on a separate computer. + +## Step 1: Copy Windows PE source files + +1. On the deployment computer, click **Start**, and type **deployment**. + +2. Right-click **Deployment and Imaging Tools Environment** and then click **Run as administrator**. The Deployment and Imaging Tools Environment shortcut opens a Command Prompt window and automatically sets environment variables to point to all the necessary tools. + +3. Run the following command to copy the base Windows PE files into a new folder. The script requires two arguments: hardware architecture and destination location. The value of **<architecture>** can be **x86**, **amd64**, or **arm** and **<destination>** is a path to a local directory. If the directory does not already exist, it will be created. + + ``` + copype.cmd + ``` + + For example, the following command copies **amd64** architecture files to the **C:\winpe_amd64** directory: + + ``` + copype.cmd amd64 C:\winpe_amd64 + ``` + + The script creates the destination directory structure and copies all the necessary files for that architecture. In the previous example, the following directories are created: + + ``` + C:\winpe\_amd64 + C:\winpe\_amd64\fwfiles + C:\winpe\_amd64\media + C:\winpe\_amd64\mount + ``` +4. Mount the base Windows PE image (winpe.wim) to the \mount directory using the DISM tool. Mounting an image file unpacks the file contents into a folder so that you can make changes directly or by using tools such as DISM. See the following example. + + ``` + Dism /mount-image /imagefile:c:\winpe_amd64\media\sources\boot.wim /index:1 /mountdir:C:\winpe_amd64\mount + ``` +5. Map a network share to the root TFTP directory on the PXE/TFTP server and create a \Boot folder. Consult your TFTP server documentation to determine the root TFTP server directory, then enable sharing for this directory, and verify it can be accessed on the network. In the following example, the PXE server name is PXE-1 and the TFTP root directory is shared using a network path of \\PXE-1\TFTPRoot: + + ``` + net use y: \\PXE-1\TFTPRoot + y: + md boot + ``` +6. Copy the PXE boot files from the mounted directory to the \Boot folder. For example: + + ``` + copy c:\winpe_amd64\mount\windows\boot\pxe\*.* y:\boot + ``` +7. Copy the boot.sdi file to the PXE/TFTP server. + + ``` + copy C:\winpe_amd64\media\boot\boot.sdi y:\boot + ``` +8. Copy the bootable Windows PE image (boot.wim) to the \Boot folder. + + ``` + copy C:\winpe_amd64\media\sources\boot.wim y:\boot + ``` + +## Step 2: Configure boot settings and copy the BCD file + +1. Create a BCD store using bcdedit.exe: + + ``` + bcdedit /createstore c:\BCD + ``` +2. Configure RAMDISK settings: + + ``` + bcdedit /store c:\BCD /create {ramdiskoptions} /d "Ramdisk options" + bcdedit /store c:\BCD /set {ramdiskoptions} ramdisksdidevice partition=C: + bcdedit /store c:\BCD /set {ramdiskoptions} ramdisksdipath \winpe_amd64\media\boot\boot.sdi + ``` +3. Create a new boot application entry for the Windows PE image: + + ``` + bcdedit /store c:\BCD /set {GUID1} device ramdisk=[c:]\winpe_amd64\media\sources\boot.wim,{ramdiskoptions} + bcdedit /store c:\BCD /set {GUID1} path \windows\system32\winload.exe + bcdedit /store c:\BCD /set {GUID1} osdevice ramdisk=[c:]\winpe_amd64\media\sources\boot.wim,{ramdiskoptions} + bcdedit /store c:\BCD /set {GUID1} systemroot \windows + bcdedit /store c:\BCD /set {GUID1} detecthal Yes + bcdedit /store c:\BCD /set {GUID1} winpe Yes + ``` +4. Configure BOOTMGR settings: + + ``` + bcdedit /store c:\BCD /set {bootmgr} timeout 30 + bcdedit /store c:\BCD -displayorder {GUID1} -addlast + ``` +5. Copy the BCD file to your TFTP server: + + ``` + copy c:\BCD \\PXE-1\TFTPRoot\Boot + ``` + +Your PXE/TFTP server is now configured. You can view the BCD settings that have been configured using the command bcdedit /store <BCD file location> /enum all. See the following example. Note: Your GUID will be different than the one shown below. + +``` +C:\>bcdedit /store C:\BCD /enum all +Windows Boot Manager +-------------------- +identifier {bootmgr} +description boot manager +displayorder {a4f89c62-2142-11e6-80b6-00155da04110} +timeout 30 + +Windows Boot Loader +------------------- +identifier {a4f89c62-2142-11e6-80b6-00155da04110} +device ramdisk=[boot]\boot\boot.wim,{ramdiskoptions} +description winpe boot image +osdevice ramdisk=[boot]\boot\boot.wim,{ramdiskoptions} +systemroot \Windows +detecthal Yes +winpe Yes + +Setup Ramdisk Options +--------------------- +identifier {ramdiskoptions} +description ramdisk options +ramdisksdidevice boot +ramdisksdipath \boot\boot.sdi +``` + +## PXE boot process summary + +The following summarizes the PXE client boot process. + +1. A client is directed by DHCP options 066 and 067 to download boot\\wdsnbp.com from the TFTP server. +2. Wdsnbp.com validates the DHCP/PXE response packet and then the client downloads boot\\pxeboot.com. +3. Pxeboot.com requires the client to press the F12 key to initiate a PXE boot. +4. The client downloads boot\\bootmgr.exe and the boot\\BCD file from the TFTP server. Note: The BCD store must reside in the \\boot directory on the TFTP server and must be named BCD. +5. Bootmgr.exe reads the BCD operating system entries and downloads boot\\boot.sdi and the Windows PE image (boot\\boot.wim). Optional files that can also be downloaded include true type fonts (boot\\Fonts\\wgl4\_boot.ttf) and the hibernation state file (\\hiberfil.sys) if these files are present. +6. Bootmgr.exe starts Windows PE by calling winload.exe within the Windows PE image. +7. Windows PE loads, a command prompt opens and wpeinit.exe is run to initialize Windows PE. +8. The Windows PE client provides access to tools like imagex, diskpart, and bcdboot using the Windows PE command prompt. Using these tools together with a Windows 10 image file, the destination computer can be formatted properly to load a full Windows 10 operating system. + +See Also +--------- + +#### Concepts + +[Windows PE Walkthroughs](https://technet.microsoft.com/en-us/library/cc748899.aspx) \ No newline at end of file diff --git a/windows/deploy/configure-client-computers-vamt.md b/windows/deploy/configure-client-computers-vamt.md index b3618bac74..704c8d01f9 100644 --- a/windows/deploy/configure-client-computers-vamt.md +++ b/windows/deploy/configure-client-computers-vamt.md @@ -2,7 +2,7 @@ title: Configure Client Computers (Windows 10) description: Configure Client Computers ms.assetid: a48176c9-b05c-4dd5-a9ef-83073e2370fc -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/configure-mdt-2013-for-userexit-scripts.md b/windows/deploy/configure-mdt-2013-for-userexit-scripts.md index 590f112414..a94bee6b7b 100644 --- a/windows/deploy/configure-mdt-2013-for-userexit-scripts.md +++ b/windows/deploy/configure-mdt-2013-for-userexit-scripts.md @@ -3,7 +3,7 @@ title: Configure MDT for UserExit scripts (Windows 10) description: In this topic, you will learn how to configure the MDT rules engine to use a UserExit script to generate computer names based on a prefix and the computer MAC Address. ms.assetid: 29a421d1-12d2-414e-86dc-25b62f5238a7 keywords: rules, script -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/configure-mdt-2013-settings.md b/windows/deploy/configure-mdt-2013-settings.md index af41a8a1bb..ba84efd5c1 100644 --- a/windows/deploy/configure-mdt-2013-settings.md +++ b/windows/deploy/configure-mdt-2013-settings.md @@ -3,7 +3,7 @@ title: Configure MDT settings (Windows 10) description: One of the most powerful features in Microsoft Deployment Toolkit (MDT) 2013 is its extension capabilities; there is virtually no limitation to what you can do in terms of customization. ms.assetid: d3e1280c-3d1b-4fad-8ac4-b65dc711f122 keywords: customize, customization, deploy, features, tools -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/configure-mdt-deployment-share-rules.md b/windows/deploy/configure-mdt-deployment-share-rules.md index 908f92144b..5eeadbbfd6 100644 --- a/windows/deploy/configure-mdt-deployment-share-rules.md +++ b/windows/deploy/configure-mdt-deployment-share-rules.md @@ -3,7 +3,7 @@ title: Configure MDT deployment share rules (Windows 10) description: In this topic, you will learn how to configure the MDT rules engine to reach out to other resources, including external scripts, databases, and web services, for additional information instead of storing settings directly in the rules engine. ms.assetid: b5ce2360-33cc-4b14-b291-16f75797391b keywords: rules, configuration, automate, deploy -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/create-a-custom-windows-pe-boot-image-with-configuration-manager.md b/windows/deploy/create-a-custom-windows-pe-boot-image-with-configuration-manager.md index 049c3e93c2..a5cbfb7886 100644 --- a/windows/deploy/create-a-custom-windows-pe-boot-image-with-configuration-manager.md +++ b/windows/deploy/create-a-custom-windows-pe-boot-image-with-configuration-manager.md @@ -2,8 +2,8 @@ title: Create a custom Windows PE boot image with Configuration Manager (Windows 10) description: In Microsoft System Center 2012 R2 Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features. ms.assetid: b9e96974-324d-4fa4-b0ce-33cfc49c4809 -keywords: ["tool, customize, deploy, boot image"] -ms.prod: W10 +keywords: tool, customize, deploy, boot image +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus diff --git a/windows/deploy/create-a-task-sequence-with-configuration-manager-and-mdt.md b/windows/deploy/create-a-task-sequence-with-configuration-manager-and-mdt.md index 03c856a7dc..0838ebde59 100644 --- a/windows/deploy/create-a-task-sequence-with-configuration-manager-and-mdt.md +++ b/windows/deploy/create-a-task-sequence-with-configuration-manager-and-mdt.md @@ -2,9 +2,10 @@ title: Create a task sequence with Configuration Manager and MDT (Windows 10) description: In this topic, you will learn how to create a Microsoft System Center 2012 R2 Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard. ms.assetid: 0b069bec-5be8-47c6-bf64-7a630f41ac98 -keywords: ["deploy, upgrade, task sequence, install"] -ms.prod: W10 +keywords: deploy, upgrade, task sequence, install +ms.prod: w10 ms.mktglfcycl: deploy +ms.pagetype: mdt ms.sitesec: library author: mtniehaus --- diff --git a/windows/deploy/create-a-windows-10-reference-image.md b/windows/deploy/create-a-windows-10-reference-image.md index f81f4eac9a..50ec7f2fcf 100644 --- a/windows/deploy/create-a-windows-10-reference-image.md +++ b/windows/deploy/create-a-windows-10-reference-image.md @@ -3,7 +3,7 @@ title: Create a Windows 10 reference image (Windows 10) description: Creating a reference image is important because that image serves as the foundation for the devices in your organization. ms.assetid: 9da2fb57-f2ff-4fce-a858-4ae4c237b5aa keywords: deploy, deployment, configure, customize, install, installation -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md b/windows/deploy/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md index c47ac7bc38..5dbd28f0c8 100644 --- a/windows/deploy/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md +++ b/windows/deploy/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md @@ -2,8 +2,8 @@ title: Create an application to deploy with Windows 10 using Configuration Manager (Windows 10) description: Microsoft System Center 2012 R2 Configuration Manager supports deploying applications as part of the Windows 10 deployment process. ms.assetid: 2dfb2f39-1597-4999-b4ec-b063e8a8c90c -keywords: ["deployment, task sequence, custom, customize"] -ms.prod: W10 +keywords: deployment, task sequence, custom, customize +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus diff --git a/windows/deploy/deploy-a-windows-10-image-using-mdt.md b/windows/deploy/deploy-a-windows-10-image-using-mdt.md index 23176dbd84..7f92cbc0d8 100644 --- a/windows/deploy/deploy-a-windows-10-image-using-mdt.md +++ b/windows/deploy/deploy-a-windows-10-image-using-mdt.md @@ -2,8 +2,8 @@ title: Deploy a Windows 10 image using MDT 2013 Update 2 (Windows 10) description: This topic will show you how to take your reference image for Windows 10, and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 2 specifically. ms.assetid: 1d70a3d8-1b1d-4051-b656-c0393a93f83c -keywords: [eployment, automate, tools, configure -ms.prod: W10 +keywords: deployment, automate, tools, configure +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/deploy-windows-10-using-pxe-and-configuration-manager.md b/windows/deploy/deploy-windows-10-using-pxe-and-configuration-manager.md index 0cdf8e0509..2bc874cf8b 100644 --- a/windows/deploy/deploy-windows-10-using-pxe-and-configuration-manager.md +++ b/windows/deploy/deploy-windows-10-using-pxe-and-configuration-manager.md @@ -2,8 +2,8 @@ title: Deploy Windows 10 using PXE and Configuration Manager (Windows 10) description: In this topic, you will learn how to deploy Windows 10 using Microsoft System Center 2012 R2 Configuration Manager deployment packages and task sequences. ms.assetid: fb93f514-5b30-4f4b-99dc-58e6860009fa -keywords: ["deployment, image, UEFI, task sequence"] -ms.prod: W10 +keywords: deployment, image, UEFI, task sequence +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus diff --git a/windows/deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md b/windows/deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md index 32ee03ca6c..e3e558c24b 100644 --- a/windows/deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md +++ b/windows/deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md @@ -2,8 +2,8 @@ title: Deploy Windows 10 with System Center 2012 R2 Configuration Manager (Windows 10) description: If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. ms.assetid: eacd7b7b-dde0-423d-97cd-29bde9e8b363 -keywords: ["deployment, custom, boot"] -ms.prod: W10 +keywords: deployment, custom, boot +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus diff --git a/windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit.md index 765f29c16d..93028930c5 100644 --- a/windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit.md +++ b/windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit.md @@ -3,7 +3,7 @@ title: Deploy Windows 10 with the Microsoft Deployment Toolkit (Windows 10) description: This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 2 specifically. ms.assetid: 837f009c-617e-4b3f-9028-2246067ee0fb keywords: deploy, tools, configure, script -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus diff --git a/windows/deploy/deploy-windows-to-go.md b/windows/deploy/deploy-windows-to-go.md index 609ae81687..b4e13c5b8c 100644 --- a/windows/deploy/deploy-windows-to-go.md +++ b/windows/deploy/deploy-windows-to-go.md @@ -2,10 +2,11 @@ title: Deploy Windows To Go in your organization (Windows 10) description: This topic helps you to deploy Windows To Go in your organization. ms.assetid: cfe550be-ffbd-42d1-ab4d-80efae49b07f -keywords: ["deployment, USB, device, BitLocker, workspace, security, data"] -ms.prod: W10 +keywords: deployment, USB, device, BitLocker, workspace, security, data +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: mobility author: mtniehaus --- diff --git a/windows/deploy/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md b/windows/deploy/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md index 67136031be..2ed9de7378 100644 --- a/windows/deploy/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md +++ b/windows/deploy/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md @@ -2,8 +2,8 @@ title: Finalize the operating system configuration for Windows 10 deployment with Configuration Manager (Windows 10) description: This topic walks you through the steps to finalize the configuration of your Windows 10 operating deployment, which includes enablement of the optional Microsoft Deployment Toolkit (MDT) monitoring for Microsoft System Center 2012 R2 Configuration Manager, logs folder creation, rules configuration, content distribution, and deployment of the previously created task sequence. ms.assetid: 38b55fa8-e717-4689-bd43-8348751d493e -keywords: ["configure, deploy, upgrade"] -ms.prod: W10 +keywords: configure, deploy, upgrade +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus diff --git a/windows/deploy/get-started-with-the-microsoft-deployment-toolkit.md b/windows/deploy/get-started-with-the-microsoft-deployment-toolkit.md index 57d9153cb2..85ad95c548 100644 --- a/windows/deploy/get-started-with-the-microsoft-deployment-toolkit.md +++ b/windows/deploy/get-started-with-the-microsoft-deployment-toolkit.md @@ -3,7 +3,7 @@ title: Get started with the Microsoft Deployment Toolkit (MDT) (Windows 10) description: This topic will help you gain a better understanding of how to use the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 2 in particular, as part of a Windows operating system deployment. ms.assetid: a256442c-be47-4bb9-a105-c831f58ce3ee keywords: deploy, image, feature, install, tools -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/getting-started-with-the-user-state-migration-tool.md b/windows/deploy/getting-started-with-the-user-state-migration-tool.md index d83c01ec2d..8dae688326 100644 --- a/windows/deploy/getting-started-with-the-user-state-migration-tool.md +++ b/windows/deploy/getting-started-with-the-user-state-migration-tool.md @@ -2,10 +2,10 @@ title: Getting Started with the User State Migration Tool (USMT) (Windows 10) description: Getting Started with the User State Migration Tool (USMT) ms.assetid: 506ff1d2-94b8-4460-8672-56aad963504b -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Getting Started with the User State Migration Tool (USMT) diff --git a/windows/deploy/import-export-vamt-data.md b/windows/deploy/import-export-vamt-data.md index aff3d6376f..d33f27e139 100644 --- a/windows/deploy/import-export-vamt-data.md +++ b/windows/deploy/import-export-vamt-data.md @@ -2,7 +2,7 @@ title: Import and Export VAMT Data (Windows 10) description: Import and Export VAMT Data ms.assetid: 09a2c595-1a61-4da6-bd46-4ba8763cfd4f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/index.md b/windows/deploy/index.md index a3b28ded45..4e09532aaf 100644 --- a/windows/deploy/index.md +++ b/windows/deploy/index.md @@ -2,10 +2,10 @@ title: Deploy Windows 10 (Windows 10) description: Learn about deploying Windows 10 for IT professionals. ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Deploy Windows 10 @@ -15,19 +15,20 @@ Learn about deploying Windows 10 for IT professionals. |Topic |Description | |------|------------| -|[Change history for Deploy Windows 10](change-history-for-deploy-windows-10.md) |This topic lists new and updated topics in the Deploy Windows 10 documentation for [Windows 10 and Windows 10 Mobile](../index.md). | |[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) |To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the key capabilities and limitations of each, is a key task. | |[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 2 specifically. | |[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) |If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or, more specifically, MDT 2013 Update 2. | |[Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) |The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a Microsoft Deployment Toolkit (MDT) 2013 Update 2 task sequence to completely automate the process. | |[Upgrade to Windows 10 with System Center Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md) |The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a System Center Configuration Manager task sequence to completely automate the process. | +|[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. | |[Windows 10 edition upgrade](windows-10-edition-upgrades.md) |With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. | |[Deploy Windows To Go in your organization](deploy-windows-to-go.md) |This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](../plan/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](../plan/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment. | |[Update Windows 10 images with provisioning packages](update-windows-10-images-with-provisioning-packages.md) |Use a provisioning package to apply settings, profiles, and file assets to a Windows 10 image. | +|[Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade-windows-phone-8-1-to-10.md) |This topic describes how to upgrade eligible Windows Phone 8.1 devices to Windows 10 Mobile. | |[Sideload apps in Windows 10](sideload-apps-in-windows-10.md) |Sideload line-of-business apps in Windows 10. | |[Volume Activation [client]](volume-activation-windows-10.md) |This guide is designed to help organizations that are planning to use volume activation to deploy and activate Windows 10, including organizations that have used volume activation for earlier versions of Windows. | |[Windows 10 deployment tools reference](windows-10-deployment-tools-reference.md) |Learn about the tools available to deploy Windows 10. | - +|[Change history for Deploy Windows 10](change-history-for-deploy-windows-10.md) |This topic lists new and updated topics in the Deploy Windows 10 documentation for [Windows 10 and Windows 10 Mobile](../index.md). | ## Related topics - [Windows 10 and Windows 10 Mobile](../index.md) diff --git a/windows/deploy/install-configure-vamt.md b/windows/deploy/install-configure-vamt.md index a660854f6f..49b3f8ec44 100644 --- a/windows/deploy/install-configure-vamt.md +++ b/windows/deploy/install-configure-vamt.md @@ -2,7 +2,7 @@ title: Install and Configure VAMT (Windows 10) description: Install and Configure VAMT ms.assetid: 5c7ae9b9-0dbc-4277-bc4f-8b3e4ab0bf50 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/install-kms-client-key-vamt.md b/windows/deploy/install-kms-client-key-vamt.md index f1e5cd2769..9605053d6a 100644 --- a/windows/deploy/install-kms-client-key-vamt.md +++ b/windows/deploy/install-kms-client-key-vamt.md @@ -2,7 +2,7 @@ title: Install a KMS Client Key (Windows 10) description: Install a KMS Client Key ms.assetid: d234468e-7917-4cf5-b0a8-4968454f7759 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/install-product-key-vamt.md b/windows/deploy/install-product-key-vamt.md index a3f4a3760e..71817b7b80 100644 --- a/windows/deploy/install-product-key-vamt.md +++ b/windows/deploy/install-product-key-vamt.md @@ -2,7 +2,7 @@ title: Install a Product Key (Windows 10) description: Install a Product Key ms.assetid: 78812c87-2208-4f8b-9c2c-5a8a18b2d648 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/install-vamt.md b/windows/deploy/install-vamt.md index 02275fb993..07a9a72b5b 100644 --- a/windows/deploy/install-vamt.md +++ b/windows/deploy/install-vamt.md @@ -2,7 +2,7 @@ title: Install VAMT (Windows 10) description: Install VAMT ms.assetid: 2eabd3e2-0a68-43a5-8189-2947e46482fc -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/integrate-configuration-manager-with-mdt-2013.md b/windows/deploy/integrate-configuration-manager-with-mdt-2013.md index 1ad2dbc2bd..4a30f0f74c 100644 --- a/windows/deploy/integrate-configuration-manager-with-mdt-2013.md +++ b/windows/deploy/integrate-configuration-manager-with-mdt-2013.md @@ -4,7 +4,7 @@ description: This topic will help you understand the benefits of integrating the ms.assetid: 3bd1cf92-81e5-48dc-b874-0f5d9472e5a5 ms.pagetype: mdt keywords: deploy, image, customize, task sequence -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus diff --git a/windows/deploy/introduction-vamt.md b/windows/deploy/introduction-vamt.md index ee0060ad4e..3d51c0dd02 100644 --- a/windows/deploy/introduction-vamt.md +++ b/windows/deploy/introduction-vamt.md @@ -2,7 +2,7 @@ title: Introduction to VAMT (Windows 10) description: Introduction to VAMT ms.assetid: 0439685e-0bae-4967-b0d4-dd84ca6d7fa7 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/key-features-in-mdt-2013.md b/windows/deploy/key-features-in-mdt-2013.md index 7982bb6d03..03f562ac8e 100644 --- a/windows/deploy/key-features-in-mdt-2013.md +++ b/windows/deploy/key-features-in-mdt-2013.md @@ -3,7 +3,7 @@ title: Key features in MDT 2013 Update 2 (Windows 10) description: The Microsoft Deployment Toolkit (MDT) has been in existence since 2003, when it was first introduced as Business Desktop Deployment (BDD) 1.0. ms.assetid: 858e384f-e9db-4a93-9a8b-101a503e4868 keywords: deploy, feature, tools, upgrade, migrate, provisioning -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/kms-activation-vamt.md b/windows/deploy/kms-activation-vamt.md index 4cd554a80b..beed3fb86f 100644 --- a/windows/deploy/kms-activation-vamt.md +++ b/windows/deploy/kms-activation-vamt.md @@ -2,7 +2,7 @@ title: Perform KMS Activation (Windows 10) description: Perform KMS Activation ms.assetid: 5a3ae8e6-083e-4153-837e-ab0a225c1d10 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/local-reactivation-vamt.md b/windows/deploy/local-reactivation-vamt.md index 2cd36eb80b..72b132e799 100644 --- a/windows/deploy/local-reactivation-vamt.md +++ b/windows/deploy/local-reactivation-vamt.md @@ -2,7 +2,7 @@ title: Perform Local Reactivation (Windows 10) description: Perform Local Reactivation ms.assetid: aacd5ded-da11-4d27-a866-3f57332f5dec -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/manage-activations-vamt.md b/windows/deploy/manage-activations-vamt.md index 1f15048dea..effac81fd1 100644 --- a/windows/deploy/manage-activations-vamt.md +++ b/windows/deploy/manage-activations-vamt.md @@ -2,7 +2,7 @@ title: Manage Activations (Windows 10) description: Manage Activations ms.assetid: 53bad9ed-9430-4f64-a8de-80613870862c -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/manage-product-keys-vamt.md b/windows/deploy/manage-product-keys-vamt.md index fffe5de77e..a495718fe7 100644 --- a/windows/deploy/manage-product-keys-vamt.md +++ b/windows/deploy/manage-product-keys-vamt.md @@ -2,7 +2,7 @@ title: Manage Product Keys (Windows 10) description: Manage Product Keys ms.assetid: 4c6c4216-b4b7-437c-904e-4cb257f913cd -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/manage-vamt-data.md b/windows/deploy/manage-vamt-data.md index adbd4c4ec6..00bbd3982f 100644 --- a/windows/deploy/manage-vamt-data.md +++ b/windows/deploy/manage-vamt-data.md @@ -2,7 +2,7 @@ title: Manage VAMT Data (Windows 10) description: Manage VAMT Data ms.assetid: 233eefa4-3125-4965-a12d-297a67079dc4 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/mdt-2013-lite-touch-components.md b/windows/deploy/mdt-2013-lite-touch-components.md index 6766bdc104..48f1a250ad 100644 --- a/windows/deploy/mdt-2013-lite-touch-components.md +++ b/windows/deploy/mdt-2013-lite-touch-components.md @@ -3,7 +3,7 @@ title: MDT 2013 Update 2 Lite Touch components (Windows 10) description: This topic provides an overview of the features in the Microsoft Deployment Toolkit (MDT) 2013 Update 2 that support Lite Touch Installation (LTI) for Windows 10. ms.assetid: 7d6fc159-e338-439e-a2e6-1778d0da9089 keywords: deploy, install, deployment, boot, log, monitor -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/migrate-application-settings.md b/windows/deploy/migrate-application-settings.md index af79e440f7..6a8ffdc612 100644 --- a/windows/deploy/migrate-application-settings.md +++ b/windows/deploy/migrate-application-settings.md @@ -2,10 +2,10 @@ title: Migrate Application Settings (Windows 10) description: Migrate Application Settings ms.assetid: 28f70a83-0a3e-4a6b-968a-2b78ccd3cc07 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Migrate Application Settings diff --git a/windows/deploy/migration-store-types-overview.md b/windows/deploy/migration-store-types-overview.md index cf0c52812e..9ee233402b 100644 --- a/windows/deploy/migration-store-types-overview.md +++ b/windows/deploy/migration-store-types-overview.md @@ -2,10 +2,10 @@ title: Migration Store Types Overview (Windows 10) description: Migration Store Types Overview ms.assetid: 3b6ce746-76c6-43ff-8cd5-02ed0ae0cf70 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Migration Store Types Overview diff --git a/windows/deploy/monitor-activation-client.md b/windows/deploy/monitor-activation-client.md index 5a3050cb0b..26c8257cc3 100644 --- a/windows/deploy/monitor-activation-client.md +++ b/windows/deploy/monitor-activation-client.md @@ -3,11 +3,11 @@ title: Monitor activation (Windows 10) ms.assetid: 264a3e86-c880-4be4-8828-bf4c839dfa26 description: keywords: vamt, volume activation, activation, windows activation -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation -author: CFaw +author: greg-lindsay --- # Monitor activation diff --git a/windows/deploy/monitor-windows-10-deployment-with-configuration-manager.md b/windows/deploy/monitor-windows-10-deployment-with-configuration-manager.md index 7802d20b05..12aae5a28c 100644 --- a/windows/deploy/monitor-windows-10-deployment-with-configuration-manager.md +++ b/windows/deploy/monitor-windows-10-deployment-with-configuration-manager.md @@ -2,8 +2,8 @@ title: Monitor the Windows 10 deployment with Configuration Manager (Windows 10) description: In this topic, you will learn how to monitor a Windows 10 deployment that was started previously using Microsoft System Center 2012 R2 Configuration Manager and the Microsoft Deployment Toolkit (MDT) Deployment Workbench. ms.assetid: 4863c6aa-6369-4171-8e1a-b052ca195fce -keywords: ["deploy, upgrade"] -ms.prod: W10 +keywords: deploy, upgrade +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus diff --git a/windows/deploy/offline-migration-reference.md b/windows/deploy/offline-migration-reference.md index 6ad60f1704..f54d3b4c7b 100644 --- a/windows/deploy/offline-migration-reference.md +++ b/windows/deploy/offline-migration-reference.md @@ -2,10 +2,10 @@ title: Offline Migration Reference (Windows 10) description: Offline Migration Reference ms.assetid: f347547c-d601-4c3e-8f2d-0138edeacfda -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Offline Migration Reference diff --git a/windows/deploy/online-activation-vamt.md b/windows/deploy/online-activation-vamt.md index 5f537d3e20..65311aa3e8 100644 --- a/windows/deploy/online-activation-vamt.md +++ b/windows/deploy/online-activation-vamt.md @@ -2,7 +2,7 @@ title: Perform Online Activation (Windows 10) description: Perform Online Activation ms.assetid: 8381792b-a454-4e66-9b4c-e6e4c9303823 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/plan-for-volume-activation-client.md b/windows/deploy/plan-for-volume-activation-client.md index 3247677c72..d5ed360f3e 100644 --- a/windows/deploy/plan-for-volume-activation-client.md +++ b/windows/deploy/plan-for-volume-activation-client.md @@ -3,7 +3,7 @@ title: Plan for volume activation (Windows 10) description: Product activation is the process of validating software with the manufacturer after it has been installed on a specific computer. ms.assetid: f84b005b-c362-4a70-a84e-4287c0d2e4ca keywords: vamt, volume activation, activation, windows activation -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/prepare-for-windows-deployment-with-mdt-2013.md b/windows/deploy/prepare-for-windows-deployment-with-mdt-2013.md index a7b98b2ab3..8f2bbad1b9 100644 --- a/windows/deploy/prepare-for-windows-deployment-with-mdt-2013.md +++ b/windows/deploy/prepare-for-windows-deployment-with-mdt-2013.md @@ -3,7 +3,7 @@ title: Prepare for deployment with MDT 2013 Update 2 (Windows 10) description: This topic will walk you through the steps necessary to create the server structure required to deploy the Windows 10 operating system using the Microsoft Deployment Toolkit (MDT) 2013 Update 2. ms.assetid: 5103c418-0c61-414b-b93c-a8e8207d1226 keywords: deploy, system requirements -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md b/windows/deploy/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md index d9735f4ee1..88a8cac968 100644 --- a/windows/deploy/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md +++ b/windows/deploy/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md @@ -2,8 +2,8 @@ title: Prepare for Zero Touch Installation of Windows 10 with Configuration Manager (Windows 10) description: This topic will walk you through the process of integrating Microsoft System Center 2012 R2 Configuration Manager SP1 with Microsoft Deployment Toolkit (MDT) 2013 Update 2, as well as the other preparations needed to deploying Windows 10 via Zero Touch Installation. Additional preparations include the installation of hotfixes as well as activities that speed up the Pre-Boot Execution Environment (PXE). ms.assetid: 06e3a221-31ef-47a5-b4da-3b927cb50d08 -keywords: ["install, configure, deploy, deployment"] -ms.prod: W10 +keywords: install, configure, deploy, deployment +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus diff --git a/windows/deploy/proxy-activation-vamt.md b/windows/deploy/proxy-activation-vamt.md index c848bcd8ab..ab273007b8 100644 --- a/windows/deploy/proxy-activation-vamt.md +++ b/windows/deploy/proxy-activation-vamt.md @@ -2,7 +2,7 @@ title: Perform Proxy Activation (Windows 10) description: Perform Proxy Activation ms.assetid: 35a919ed-f1cc-4d10-9c88-9bd634549dc3 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deploy/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md index 7d5143cf31..68b0a74563 100644 --- a/windows/deploy/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md +++ b/windows/deploy/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md @@ -2,8 +2,8 @@ title: Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager (Windows 10) description: This topic will show you how to use a previously created task sequence to refresh a Windows 7 SP1 client with Windows 10 using Microsoft System Center 2012 R2 Configuration Manager and Microsoft Deployment Toolkit (MDT) 2013 Update 2. ms.assetid: 57c81667-1019-4711-b3de-15ae9c5387c7 -keywords: ["upgrade, install, installation, computer refresh"] -ms.prod: W10 +keywords: upgrade, install, installation, computer refresh +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus diff --git a/windows/deploy/refresh-a-windows-7-computer-with-windows-10.md b/windows/deploy/refresh-a-windows-7-computer-with-windows-10.md index 70dadf1711..f6ea4a2125 100644 --- a/windows/deploy/refresh-a-windows-7-computer-with-windows-10.md +++ b/windows/deploy/refresh-a-windows-7-computer-with-windows-10.md @@ -3,7 +3,7 @@ title: Refresh a Windows 7 computer with Windows 10 (Windows 10) description: This topic will show you how to use MDT 2013 Update 2 Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the computer refresh process. ms.assetid: 2866fb3c-4909-4c25-b083-6fc1f7869f6f keywords: reinstallation, customize, template, script, restore -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/remove-products-vamt.md b/windows/deploy/remove-products-vamt.md index 8dca272b68..da875ea27e 100644 --- a/windows/deploy/remove-products-vamt.md +++ b/windows/deploy/remove-products-vamt.md @@ -2,7 +2,7 @@ title: Remove Products (Windows 10) description: Remove Products ms.assetid: 4d44379e-dda1-4a8f-8ebf-395b6c0dad8e -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deploy/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md index 44bc003fca..b9f521531f 100644 --- a/windows/deploy/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md +++ b/windows/deploy/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md @@ -2,8 +2,8 @@ title: Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager (Windows 10) description: In this topic, you will learn how to replacing a Windows 7 SP1 computer using Microsoft System Center 2012 R2 Configuration Manager. ms.assetid: 3c8a2d53-8f08-475f-923a-bca79ca8ac36 -keywords: ["upgrade, install, installation, replace computer, setup"] -ms.prod: W10 +keywords: upgrade, install, installation, replace computer, setup +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus diff --git a/windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md b/windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md index bc78de5970..a862edf501 100644 --- a/windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md +++ b/windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md @@ -3,7 +3,7 @@ title: Replace a Windows 7 computer with a Windows 10 computer (Windows 10) description: A computer replace scenario for Windows 10 is quite similar to a computer refresh for Windows 10; however, because you are replacing a machine, you cannot store the backup on the old computer. ms.assetid: acf091c9-f8f4-4131-9845-625691c09a2a keywords: deploy, deployment, replace -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/scenario-kms-activation-vamt.md b/windows/deploy/scenario-kms-activation-vamt.md index a43796b90b..385af084f9 100644 --- a/windows/deploy/scenario-kms-activation-vamt.md +++ b/windows/deploy/scenario-kms-activation-vamt.md @@ -2,7 +2,7 @@ title: Scenario 3 KMS Client Activation (Windows 10) description: Scenario 3 KMS Client Activation ms.assetid: 72b04e8f-cd35-490c-91ab-27ea799b05d0 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/scenario-online-activation-vamt.md b/windows/deploy/scenario-online-activation-vamt.md index 69d308ee9c..41dda833ac 100644 --- a/windows/deploy/scenario-online-activation-vamt.md +++ b/windows/deploy/scenario-online-activation-vamt.md @@ -2,7 +2,7 @@ title: Scenario 1 Online Activation (Windows 10) description: Scenario 1 Online Activation ms.assetid: 94dba40e-383a-41e4-b74b-9e884facdfd3 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/scenario-proxy-activation-vamt.md b/windows/deploy/scenario-proxy-activation-vamt.md index 8666ae35c6..2e475d02b4 100644 --- a/windows/deploy/scenario-proxy-activation-vamt.md +++ b/windows/deploy/scenario-proxy-activation-vamt.md @@ -2,7 +2,7 @@ title: Scenario 2 Proxy Activation (Windows 10) description: Scenario 2 Proxy Activation ms.assetid: ed5a8a56-d9aa-4895-918f-dd1898cb2c1a -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/set-up-mdt-2013-for-bitlocker.md b/windows/deploy/set-up-mdt-2013-for-bitlocker.md index 5af8715c60..7a76f8cdf7 100644 --- a/windows/deploy/set-up-mdt-2013-for-bitlocker.md +++ b/windows/deploy/set-up-mdt-2013-for-bitlocker.md @@ -3,7 +3,7 @@ title: Set up MDT for BitLocker (Windows 10) ms.assetid: 386e6713-5c20-4d2a-a220-a38d94671a38 description: keywords: disk, encryption, TPM, configure, secure, script -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/sideload-apps-in-windows-10.md b/windows/deploy/sideload-apps-in-windows-10.md index 63f3fe6fef..9af7d4e4bc 100644 --- a/windows/deploy/sideload-apps-in-windows-10.md +++ b/windows/deploy/sideload-apps-in-windows-10.md @@ -2,10 +2,10 @@ title: Sideload LOB apps in Windows 10 (Windows 10) description: Sideload line-of-business apps in Windows 10. ms.assetid: C46B27D0-375B-4F7A-800E-21595CF1D53D -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Sideload LOB apps in Windows 10 diff --git a/windows/deploy/simulate-a-windows-10-deployment-in-a-test-environment.md b/windows/deploy/simulate-a-windows-10-deployment-in-a-test-environment.md index a8391582fa..a6c8789efb 100644 --- a/windows/deploy/simulate-a-windows-10-deployment-in-a-test-environment.md +++ b/windows/deploy/simulate-a-windows-10-deployment-in-a-test-environment.md @@ -3,7 +3,7 @@ title: Simulate a Windows 10 deployment in a test environment (Windows 10) description: This topic will walk you through the process of creating a simulated environment on which to test your Windows 10 deployment using MDT. ms.assetid: 2de86c55-ced9-4078-b280-35e0329aea9c keywords: deploy, script -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/understanding-migration-xml-files.md b/windows/deploy/understanding-migration-xml-files.md index 528c77f8d3..c03bc14e24 100644 --- a/windows/deploy/understanding-migration-xml-files.md +++ b/windows/deploy/understanding-migration-xml-files.md @@ -2,10 +2,10 @@ title: Understanding Migration XML Files (Windows 10) description: Understanding Migration XML Files ms.assetid: d3d1fe89-085c-4da8-9657-fd54b8bfc4b7 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Understanding Migration XML Files diff --git a/windows/deploy/update-product-status-vamt.md b/windows/deploy/update-product-status-vamt.md index deca904c0c..0e7af45fec 100644 --- a/windows/deploy/update-product-status-vamt.md +++ b/windows/deploy/update-product-status-vamt.md @@ -2,7 +2,7 @@ title: Update Product Status (Windows 10) description: Update Product Status ms.assetid: 39d4abd4-801a-4e8f-9b8c-425a24a96764 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/update-windows-10-images-with-provisioning-packages.md b/windows/deploy/update-windows-10-images-with-provisioning-packages.md index 4a553d8b90..e9415d414b 100644 --- a/windows/deploy/update-windows-10-images-with-provisioning-packages.md +++ b/windows/deploy/update-windows-10-images-with-provisioning-packages.md @@ -2,8 +2,8 @@ title: Update Windows 10 images with provisioning packages (Windows 10) description: Use a provisioning package to apply settings, profiles, and file assets to a Windows 10 image. ms.assetid: 3CA345D2-B60A-4860-A3BF-174713C3D3A6 -keywords: ["provisioning", "bulk deployment", "image"] -ms.prod: W10 +keywords: provisioning, bulk deployment, image +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS diff --git a/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager.md b/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager.md index 030ab711f2..0f66363610 100644 --- a/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager.md +++ b/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager.md @@ -2,8 +2,8 @@ title: Upgrade to Windows 10 with System Center Configuration Manager (Windows 10) description: The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a System Center Configuration Manager task sequence to completely automate the process. ms.assetid: F8DF6191-0DB0-4EF5-A9B1-6A11D5DE4878 -keywords: ["upgrade, update, task sequence, deploy"] -ms.prod: W10 +keywords: upgrade, update, task sequence, deploy +ms.prod: w10 ms.mktglfcycl: deploy author: mtniehaus --- diff --git a/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md index 35b90474ab..18dfaf7fdf 100644 --- a/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md +++ b/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md @@ -3,7 +3,7 @@ title: Upgrade to Windows 10 with the Microsoft Deployment Toolkit (Windows 10) description: The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. ms.assetid: B8993151-3C1E-4F22-93F4-2C5F2771A460 keywords: upgrade, update, task sequence, deploy -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/upgrade-windows-phone-8-1-to-10.md b/windows/deploy/upgrade-windows-phone-8-1-to-10.md new file mode 100644 index 0000000000..f79c20d4ba --- /dev/null +++ b/windows/deploy/upgrade-windows-phone-8-1-to-10.md @@ -0,0 +1,102 @@ +--- +title: Upgrade Windows Phone 8.1 to Windows 10 Mobile in an MDM environment (Windows 10) +description: This article describes how to upgrade eligible Windows Phone 8.1 devices to Windows 10 Mobile using MDM. +keywords: upgrade, update, windows, phone, windows 10, mdm, mobile +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: mdt +author: Jamiejdt +--- + +# Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management (MDM) + +**Applies to** + +- Windows 10 Mobile + +## Summary +This article describes how to upgrade eligible Windows Phone 8.1 devices to Windows 10 Mobile using Mobile Device Management (MDM). To determine if the device is eligible for an upgrade, see the [How to determine whether an upgrade is available for a device](#howto-upgrade-available) topic in this article. + +The Windows Phone 8.1 to Windows 10 Mobile upgrade uses an "opt-in" or "seeker" model. An eligible device must opt-in to be offered the upgrade. For consumers, the Windows 10 Mobile Upgrade Advisor app is available from the Windows Store to perform the opt-in. For Enterprises, Microsoft is offering a centralized management solution through MDM that can push a management policy to each eligible device to perform the opt-in. + +If you use a list of allowed applications (app whitelisting) with MDM, verify that system applications are whitelisted before you upgrade to Windows 10 Mobile. Also, be aware that there are [known issues](https://msdn.microsoft.com/en-us/library/windows/hardware/mt299056.aspx#whitelist) with app whitelisting that could adversely affect the device after you upgrade. + +Some enterprises might want to control the availability of the Windows 10 Mobile upgrade to their users. With the opt-in model, the enterprise can blacklist the Upgrade Advisor app to prevent their users from upgrading prematurely. For more information about how to blacklist the Upgrade Advisor app, see the [How to blacklist the Upgrade Advisor app](#howto-blacklist) section in this article. Enterprises that have blacklisted the Upgrade Advisor app can use the solution described in this article to select the upgrade timing on a per-device basis. + +## More information + +To provide enterprises with a solution that's independent of the Upgrade Advisor, a new registry key in the registry configuration service provider (CSP) is available. A special GUID key value is defined. When Microsoft Update (MU) detects the presence of the registry key value on a device, any available upgrade will be made available to the device. + +### Prerequisites + +- Windows Phone 8.1 device with an available upgrade to Windows 10 Mobile. +- Device connected to Wi-Fi or cellular network to perform scan for upgrade. +- Device is already enrolled with an MDM session. +- Device is able to receive the management policy. +- MDM is capable of pushing the management policy to devices. Minimum version numbers for some popular MDM providers that support this solution are: InTune: 5.0.5565, AirWatch: 8.2, Mobile Iron: 9.0. + +### Instructions for the MDM server + +The registry CSP is used to push the GUID value to the following registry key for which the Open Mobile Alliance (OMA) Device Management (DM) client has Read/Write access and for which the Device Update service has Read access. + +``` +[HKLM\Software\Microsoft\Provisioning\OMADM] +"EnterpriseUpgrade"="d369c9b6-2379-466d-9162-afc53361e3c2” +``` + + +The complete SyncML command for the solution is as follows. Note: The SyncML may vary, depending on your MDM solution. + +``` +SyncML xmlns="SYNCML:SYNCML1.1"> + + + 250 + + + ./Vendor/MSFT/Registry/HKLM/SOFTWARE/Microsoft/Provisioning/OMADM/EnterpriseUpgrade + + + chr + + d369c9b6-2379-466d-9162-afc53361e3c2 + + + + + +``` + +The OMA DM server policy description is provided in the following table: + +|Item |Setting | +|------|------------| +| OMA-URI |./Vendor/MSFT/Registry/HKLM/SOFTWARE/Microsoft/Provisioning/OMADM/EnterpriseUpgrade | +| Data Type |String | +| Value |d369c9b6-2379-466d-9162-afc53361e3c2 | + + +After the device consumes the policy, it will be able to receive an available upgrade. + +To disable the policy, delete the **OMADM** registry key or set the **EnterpriseUpgrade** string value to anything other than the GUID. + +### How to determine whether an upgrade is available for a device + +The Windows 10 Mobile Upgrade Advisor app is not designed or intended for Enterprise customers who want to automate the upgrade process. However, the Windows 10 Mobile Upgrade Advisor app is the best mechanism to determine when an upgrade is available. The app dynamically queries whether the upgrade is released for this device model and associated mobile operator (MO). + +We recommend that enterprises use a pilot device with the Windows 10 Mobile Upgrade Advisor app installed. The pilot device provides the device model and MO used by the enterprise. When you run the app on the pilot device, it will tell you that either an upgrade is available, that the device is eligible for upgrade, or that an upgrade is not available for this device. + +Note: The availability of Windows 10 Mobile as an update for existing Windows Phone 8.1 devices varies by device manufacturer, device model, country or region, mobile operator or service provider, hardware limitations, and other factors. To check for compatibility and other important installation information, see the [Windows 10 mobile](https://www.microsoft.com/en/mobile/windows10) page. + +### How to blacklist the Upgrade Advisor app + +Some enterprises may want to block their users from installing the Windows 10 Mobile Upgrade Advisor app. With Windows Phone 8.1, you can allow or deny individual apps by adding specific app publishers or the app globally unique identifier (GUID) from the Window Phone Store to an allow or deny XML list. The GUID for a particular application can be found in the URL for the app in the phone store. For example, the GUID to the Windows 10 Mobile Upgrade Adviser (fbe47e4f-7769-4103-910e-dca8c43e0b07) is displayed in the following URL: + +http://windowsphone.com/s?appid=fbe47e4f-7769-4103-910e-dca8c43e0b07 + +For more information about how to do this, see [Try it out: restrict Windows Phone 8.1 apps](https://technet.microsoft.com/en-us/windows/dn771706.aspx). + +## Related topics + +[Windows 10 Mobile and mobile device management](..\manage\windows-10-mobile-and-mdm.md) diff --git a/windows/deploy/use-orchestrator-runbooks-with-mdt-2013.md b/windows/deploy/use-orchestrator-runbooks-with-mdt-2013.md index 229fb16df0..64e70ced04 100644 --- a/windows/deploy/use-orchestrator-runbooks-with-mdt-2013.md +++ b/windows/deploy/use-orchestrator-runbooks-with-mdt-2013.md @@ -3,7 +3,7 @@ title: Use Orchestrator runbooks with MDT (Windows 10) description: This topic will show you how to integrate Microsoft System Center 2012 R2 Orchestrator with MDT to replace the existing web services that are used in deployment solutions. ms.assetid: 68302780-1f6f-4a9c-9407-b14371fdce3f keywords: web services, database -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/use-the-mdt-database-to-stage-windows-10-deployment-information.md b/windows/deploy/use-the-mdt-database-to-stage-windows-10-deployment-information.md index 14749270e7..32208d3e25 100644 --- a/windows/deploy/use-the-mdt-database-to-stage-windows-10-deployment-information.md +++ b/windows/deploy/use-the-mdt-database-to-stage-windows-10-deployment-information.md @@ -4,7 +4,7 @@ description: This topic is designed to teach you how to use the MDT database to ms.assetid: 8956ab54-90ba-45d3-a384-4fdec72c4d46 ms.pagetype: mdt keywords: database, permissions, settings, configure, deploy -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus diff --git a/windows/deploy/use-the-volume-activation-management-tool-client.md b/windows/deploy/use-the-volume-activation-management-tool-client.md index 4303bd18a1..1e4f5c32b2 100644 --- a/windows/deploy/use-the-volume-activation-management-tool-client.md +++ b/windows/deploy/use-the-volume-activation-management-tool-client.md @@ -3,7 +3,7 @@ title: Use the Volume Activation Management Tool (Windows 10) description: The Volume Activation Management Tool (VAMT) provides several useful features, including the ability to perform VAMT proxy activation and to track and monitor several types of product keys. ms.assetid: b11f0aee-7b60-44d1-be40-c960fc6c4c47 keywords: vamt, volume activation, activation, windows activation -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/use-vamt-in-windows-powershell.md b/windows/deploy/use-vamt-in-windows-powershell.md index 1247d95759..01de72d0a6 100644 --- a/windows/deploy/use-vamt-in-windows-powershell.md +++ b/windows/deploy/use-vamt-in-windows-powershell.md @@ -2,7 +2,7 @@ title: Use VAMT in Windows PowerShell (Windows 10) description: Use VAMT in Windows PowerShell ms.assetid: 13e0ceec-d827-4681-a5c3-8704349e3ba9 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/use-web-services-in-mdt-2013.md b/windows/deploy/use-web-services-in-mdt-2013.md index 6fbe628335..1d8755df14 100644 --- a/windows/deploy/use-web-services-in-mdt-2013.md +++ b/windows/deploy/use-web-services-in-mdt-2013.md @@ -3,7 +3,7 @@ title: Use web services in MDT (Windows 10) description: In this topic, you will learn how to create a simple web service that generates computer names and then configure MDT to use that service during your Windows 10 deployment. ms.assetid: 8f47535e-0551-4ccb-8f02-bb97539c6522 keywords: deploy, web apps -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.pagetype: mdt ms.sitesec: library diff --git a/windows/deploy/usmt-best-practices.md b/windows/deploy/usmt-best-practices.md index b8772fe9f4..8da6b08353 100644 --- a/windows/deploy/usmt-best-practices.md +++ b/windows/deploy/usmt-best-practices.md @@ -2,10 +2,10 @@ title: USMT Best Practices (Windows 10) description: USMT Best Practices ms.assetid: e3cb1e78-4230-4eae-b179-e6e9160542d2 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # USMT Best Practices diff --git a/windows/deploy/usmt-choose-migration-store-type.md b/windows/deploy/usmt-choose-migration-store-type.md index 3e3f520ceb..5938b48748 100644 --- a/windows/deploy/usmt-choose-migration-store-type.md +++ b/windows/deploy/usmt-choose-migration-store-type.md @@ -2,10 +2,10 @@ title: Choose a Migration Store Type (Windows 10) description: Choose a Migration Store Type ms.assetid: 4e163e90-9c57-490b-b849-2ed52ab6765f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Choose a Migration Store Type diff --git a/windows/deploy/usmt-command-line-syntax.md b/windows/deploy/usmt-command-line-syntax.md index 8e62c88e30..22cf9c33aa 100644 --- a/windows/deploy/usmt-command-line-syntax.md +++ b/windows/deploy/usmt-command-line-syntax.md @@ -2,10 +2,10 @@ title: User State Migration Tool (USMT) Command-line Syntax (Windows 10) description: User State Migration Tool (USMT) Command-line Syntax ms.assetid: f9d205c9-e824-46c7-8d8b-d7e4b52fd514 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # User State Migration Tool (USMT) Command-line Syntax diff --git a/windows/deploy/usmt-common-issues.md b/windows/deploy/usmt-common-issues.md index d1865b8873..88980d6d7b 100644 --- a/windows/deploy/usmt-common-issues.md +++ b/windows/deploy/usmt-common-issues.md @@ -2,10 +2,10 @@ title: Common Issues (Windows 10) description: Common Issues ms.assetid: 5a37e390-8617-4768-9eee-50397fbbb2e1 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Common Issues diff --git a/windows/deploy/usmt-common-migration-scenarios.md b/windows/deploy/usmt-common-migration-scenarios.md index dd61667933..9262ef9b0f 100644 --- a/windows/deploy/usmt-common-migration-scenarios.md +++ b/windows/deploy/usmt-common-migration-scenarios.md @@ -2,10 +2,10 @@ title: Common Migration Scenarios (Windows 10) description: Common Migration Scenarios ms.assetid: 1d8170d5-e775-4963-b7a5-b55e8987c1e4 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Common Migration Scenarios diff --git a/windows/deploy/usmt-configxml-file.md b/windows/deploy/usmt-configxml-file.md index dea99cd9e0..4484c03e2d 100644 --- a/windows/deploy/usmt-configxml-file.md +++ b/windows/deploy/usmt-configxml-file.md @@ -2,10 +2,10 @@ title: Config.xml File (Windows 10) description: Config.xml File ms.assetid: 9dc98e76-5155-4641-bcb3-81915db538e8 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Config.xml File diff --git a/windows/deploy/usmt-conflicts-and-precedence.md b/windows/deploy/usmt-conflicts-and-precedence.md index 9de02f7dca..3b570d51e5 100644 --- a/windows/deploy/usmt-conflicts-and-precedence.md +++ b/windows/deploy/usmt-conflicts-and-precedence.md @@ -2,10 +2,10 @@ title: Conflicts and Precedence (Windows 10) description: Conflicts and Precedence ms.assetid: 0e2691a8-ff1e-4424-879b-4d5a2f8a113a -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Conflicts and Precedence diff --git a/windows/deploy/usmt-custom-xml-examples.md b/windows/deploy/usmt-custom-xml-examples.md index c1fa2bd582..4d60c4903c 100644 --- a/windows/deploy/usmt-custom-xml-examples.md +++ b/windows/deploy/usmt-custom-xml-examples.md @@ -2,10 +2,10 @@ title: Custom XML Examples (Windows 10) description: Custom XML Examples ms.assetid: 48f441d9-6c66-43ef-91e9-7c78cde6fcc0 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Custom XML Examples diff --git a/windows/deploy/usmt-customize-xml-files.md b/windows/deploy/usmt-customize-xml-files.md index 94619ce485..30930f05ad 100644 --- a/windows/deploy/usmt-customize-xml-files.md +++ b/windows/deploy/usmt-customize-xml-files.md @@ -2,10 +2,10 @@ title: Customize USMT XML Files (Windows 10) description: Customize USMT XML Files ms.assetid: d58363c1-fd13-4f65-8b91-9986659dc93e -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Customize USMT XML Files diff --git a/windows/deploy/usmt-determine-what-to-migrate.md b/windows/deploy/usmt-determine-what-to-migrate.md index 24c81b0742..27ad2ea86d 100644 --- a/windows/deploy/usmt-determine-what-to-migrate.md +++ b/windows/deploy/usmt-determine-what-to-migrate.md @@ -2,10 +2,10 @@ title: Determine What to Migrate (Windows 10) description: Determine What to Migrate ms.assetid: 01ae1d13-c3eb-4618-b39d-ee5d18d55761 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Determine What to Migrate diff --git a/windows/deploy/usmt-estimate-migration-store-size.md b/windows/deploy/usmt-estimate-migration-store-size.md index 1dbd440416..a331a99c09 100644 --- a/windows/deploy/usmt-estimate-migration-store-size.md +++ b/windows/deploy/usmt-estimate-migration-store-size.md @@ -2,10 +2,10 @@ title: Estimate Migration Store Size (Windows 10) description: Estimate Migration Store Size ms.assetid: cfb9062b-7a2a-467a-a24e-0b31ce830093 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Estimate Migration Store Size diff --git a/windows/deploy/usmt-exclude-files-and-settings.md b/windows/deploy/usmt-exclude-files-and-settings.md index 99918b8c5c..e856679334 100644 --- a/windows/deploy/usmt-exclude-files-and-settings.md +++ b/windows/deploy/usmt-exclude-files-and-settings.md @@ -2,10 +2,10 @@ title: Exclude Files and Settings (Windows 10) description: Exclude Files and Settings ms.assetid: df85baf1-6e29-4995-a4bb-ba3f8f7fed0b -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Exclude Files and Settings diff --git a/windows/deploy/usmt-extract-files-from-a-compressed-migration-store.md b/windows/deploy/usmt-extract-files-from-a-compressed-migration-store.md index 8bd8e87680..c679d58b27 100644 --- a/windows/deploy/usmt-extract-files-from-a-compressed-migration-store.md +++ b/windows/deploy/usmt-extract-files-from-a-compressed-migration-store.md @@ -2,10 +2,10 @@ title: Extract Files from a Compressed USMT Migration Store (Windows 10) description: Extract Files from a Compressed USMT Migration Store ms.assetid: ad9fbd6e-f89e-4444-8538-9b11566b1f33 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Extract Files from a Compressed USMT Migration Store diff --git a/windows/deploy/usmt-faq.md b/windows/deploy/usmt-faq.md index e69272bc26..715340a82d 100644 --- a/windows/deploy/usmt-faq.md +++ b/windows/deploy/usmt-faq.md @@ -2,10 +2,10 @@ title: Frequently Asked Questions (Windows 10) description: Frequently Asked Questions ms.assetid: 813c13a7-6818-4e6e-9284-7ee49493241b -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Frequently Asked Questions diff --git a/windows/deploy/usmt-general-conventions.md b/windows/deploy/usmt-general-conventions.md index ab6c9ad6b3..020557c402 100644 --- a/windows/deploy/usmt-general-conventions.md +++ b/windows/deploy/usmt-general-conventions.md @@ -2,10 +2,10 @@ title: General Conventions (Windows 10) description: General Conventions ms.assetid: 5761986e-a847-41bd-bf8e-7c1bd01acbc6 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # General Conventions diff --git a/windows/deploy/usmt-hard-link-migration-store.md b/windows/deploy/usmt-hard-link-migration-store.md index afddeaf45d..e65487a0bd 100644 --- a/windows/deploy/usmt-hard-link-migration-store.md +++ b/windows/deploy/usmt-hard-link-migration-store.md @@ -2,10 +2,10 @@ title: Hard-Link Migration Store (Windows 10) description: Hard-Link Migration Store ms.assetid: b0598418-4607-4952-bfa3-b6e4aaa2c574 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Hard-Link Migration Store diff --git a/windows/deploy/usmt-how-it-works.md b/windows/deploy/usmt-how-it-works.md index 8e6b12231e..0c274924a6 100644 --- a/windows/deploy/usmt-how-it-works.md +++ b/windows/deploy/usmt-how-it-works.md @@ -2,10 +2,10 @@ title: How USMT Works (Windows 10) description: How USMT Works ms.assetid: 5c8bd669-9e1e-473d-81e6-652f40b24171 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # How USMT Works diff --git a/windows/deploy/usmt-how-to.md b/windows/deploy/usmt-how-to.md index 4baa318509..1a22d71262 100644 --- a/windows/deploy/usmt-how-to.md +++ b/windows/deploy/usmt-how-to.md @@ -2,10 +2,10 @@ title: User State Migration Tool (USMT) How-to topics (Windows 10) description: User State Migration Tool (USMT) How-to topics ms.assetid: 7b9a2f2a-a43a-4984-9746-a767f9f1c7e3 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # User State Migration Tool (USMT) How-to topics diff --git a/windows/deploy/usmt-identify-application-settings.md b/windows/deploy/usmt-identify-application-settings.md index ca14712f31..5fa216f2b3 100644 --- a/windows/deploy/usmt-identify-application-settings.md +++ b/windows/deploy/usmt-identify-application-settings.md @@ -2,10 +2,10 @@ title: Identify Applications Settings (Windows 10) description: Identify Applications Settings ms.assetid: eda68031-9b02-4a5b-a893-3786a6505381 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Identify Applications Settings diff --git a/windows/deploy/usmt-identify-file-types-files-and-folders.md b/windows/deploy/usmt-identify-file-types-files-and-folders.md index 3ab8ded02b..49766ca745 100644 --- a/windows/deploy/usmt-identify-file-types-files-and-folders.md +++ b/windows/deploy/usmt-identify-file-types-files-and-folders.md @@ -2,10 +2,10 @@ title: Identify File Types, Files, and Folders (Windows 10) description: Identify File Types, Files, and Folders ms.assetid: 93bb2a33-c126-4f7a-a961-6c89686d54e0 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Identify File Types, Files, and Folders diff --git a/windows/deploy/usmt-identify-operating-system-settings.md b/windows/deploy/usmt-identify-operating-system-settings.md index 232fabdc33..27fd8c0c25 100644 --- a/windows/deploy/usmt-identify-operating-system-settings.md +++ b/windows/deploy/usmt-identify-operating-system-settings.md @@ -2,10 +2,10 @@ title: Identify Operating System Settings (Windows 10) description: Identify Operating System Settings ms.assetid: 1704ab18-1765-41fb-a27c-3aa3128fa242 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Identify Operating System Settings diff --git a/windows/deploy/usmt-identify-users.md b/windows/deploy/usmt-identify-users.md index 1f23cb942d..6d081727c3 100644 --- a/windows/deploy/usmt-identify-users.md +++ b/windows/deploy/usmt-identify-users.md @@ -2,10 +2,10 @@ title: Identify Users (Windows 10) description: Identify Users ms.assetid: 957a4fe9-79fd-44a2-8c26-33e50f71f9de -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Identify Users diff --git a/windows/deploy/usmt-include-files-and-settings.md b/windows/deploy/usmt-include-files-and-settings.md index 6142749d13..411525684e 100644 --- a/windows/deploy/usmt-include-files-and-settings.md +++ b/windows/deploy/usmt-include-files-and-settings.md @@ -2,10 +2,10 @@ title: Include Files and Settings (Windows 10) description: Include Files and Settings ms.assetid: 9009c6a5-0612-4478-8742-abe5eb6cbac8 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Include Files and Settings diff --git a/windows/deploy/usmt-loadstate-syntax.md b/windows/deploy/usmt-loadstate-syntax.md index a82a0b4357..36c3dfb311 100644 --- a/windows/deploy/usmt-loadstate-syntax.md +++ b/windows/deploy/usmt-loadstate-syntax.md @@ -2,10 +2,10 @@ title: LoadState Syntax (Windows 10) description: LoadState Syntax ms.assetid: 53d2143b-cbe9-4cfc-8506-36e9d429f6d4 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # LoadState Syntax diff --git a/windows/deploy/usmt-log-files.md b/windows/deploy/usmt-log-files.md index 89fc388cf9..9796591745 100644 --- a/windows/deploy/usmt-log-files.md +++ b/windows/deploy/usmt-log-files.md @@ -2,10 +2,10 @@ title: Log Files (Windows 10) description: Log Files ms.assetid: 28185ebd-630a-4bbd-94f4-8c48aad05649 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Log Files diff --git a/windows/deploy/usmt-migrate-efs-files-and-certificates.md b/windows/deploy/usmt-migrate-efs-files-and-certificates.md index 43a57ddc5d..d4e2db536f 100644 --- a/windows/deploy/usmt-migrate-efs-files-and-certificates.md +++ b/windows/deploy/usmt-migrate-efs-files-and-certificates.md @@ -2,10 +2,10 @@ title: Migrate EFS Files and Certificates (Windows 10) description: Migrate EFS Files and Certificates ms.assetid: 7f19a753-ec45-4433-b297-cc30f16fdee1 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Migrate EFS Files and Certificates diff --git a/windows/deploy/usmt-migrate-user-accounts.md b/windows/deploy/usmt-migrate-user-accounts.md index 25c9490cbc..6c87c9b043 100644 --- a/windows/deploy/usmt-migrate-user-accounts.md +++ b/windows/deploy/usmt-migrate-user-accounts.md @@ -2,10 +2,10 @@ title: Migrate User Accounts (Windows 10) description: Migrate User Accounts ms.assetid: a3668361-43c8-4fd2-b26e-9a2deaeaeb09 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Migrate User Accounts diff --git a/windows/deploy/usmt-migration-store-encryption.md b/windows/deploy/usmt-migration-store-encryption.md index bb6343401f..1e8ea1a8e0 100644 --- a/windows/deploy/usmt-migration-store-encryption.md +++ b/windows/deploy/usmt-migration-store-encryption.md @@ -2,10 +2,10 @@ title: Migration Store Encryption (Windows 10) description: Migration Store Encryption ms.assetid: b28c2657-b986-4487-bd38-cb81500b831d -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Migration Store Encryption diff --git a/windows/deploy/usmt-overview.md b/windows/deploy/usmt-overview.md index f3d7f0b860..928044a3cf 100644 --- a/windows/deploy/usmt-overview.md +++ b/windows/deploy/usmt-overview.md @@ -2,10 +2,10 @@ title: User State Migration Tool (USMT) Overview (Windows 10) description: User State Migration Tool (USMT) Overview ms.assetid: 3b649431-ad09-4b17-895a-3fec7ac0a81f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # User State Migration Tool (USMT) Overview diff --git a/windows/deploy/usmt-plan-your-migration.md b/windows/deploy/usmt-plan-your-migration.md index eaed479359..2b6ce76d7f 100644 --- a/windows/deploy/usmt-plan-your-migration.md +++ b/windows/deploy/usmt-plan-your-migration.md @@ -2,10 +2,10 @@ title: Plan Your Migration (Windows 10) description: Plan Your Migration ms.assetid: c951f7df-850e-47ad-b31b-87f902955e3e -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Plan Your Migration diff --git a/windows/deploy/usmt-recognized-environment-variables.md b/windows/deploy/usmt-recognized-environment-variables.md index 8246122fd9..edebf602f1 100644 --- a/windows/deploy/usmt-recognized-environment-variables.md +++ b/windows/deploy/usmt-recognized-environment-variables.md @@ -2,10 +2,10 @@ title: Recognized Environment Variables (Windows 10) description: Recognized Environment Variables ms.assetid: 2b0ac412-e131-456e-8f0c-c26249b5f3df -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Recognized Environment Variables diff --git a/windows/deploy/usmt-reference.md b/windows/deploy/usmt-reference.md index ffe3b71ef8..753146d6b9 100644 --- a/windows/deploy/usmt-reference.md +++ b/windows/deploy/usmt-reference.md @@ -2,10 +2,10 @@ title: User State Migration Toolkit (USMT) Reference (Windows 10) description: User State Migration Toolkit (USMT) Reference ms.assetid: 2135dbcf-de49-4cea-b2fb-97dd016e1a1a -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # User State Migration Toolkit (USMT) Reference diff --git a/windows/deploy/usmt-requirements.md b/windows/deploy/usmt-requirements.md index ace2abc84a..c8632b0b4a 100644 --- a/windows/deploy/usmt-requirements.md +++ b/windows/deploy/usmt-requirements.md @@ -2,10 +2,10 @@ title: USMT Requirements (Windows 10) description: USMT Requirements ms.assetid: 2b0cf3a3-9032-433f-9622-1f9df59d6806 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # USMT Requirements diff --git a/windows/deploy/usmt-reroute-files-and-settings.md b/windows/deploy/usmt-reroute-files-and-settings.md index a948ee7c8c..99dd2eb09c 100644 --- a/windows/deploy/usmt-reroute-files-and-settings.md +++ b/windows/deploy/usmt-reroute-files-and-settings.md @@ -2,10 +2,10 @@ title: Reroute Files and Settings (Windows 10) description: Reroute Files and Settings ms.assetid: 905e6a24-922c-4549-9732-60fa11862a6c -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Reroute Files and Settings diff --git a/windows/deploy/usmt-resources.md b/windows/deploy/usmt-resources.md index 0cb115c915..cc268ff816 100644 --- a/windows/deploy/usmt-resources.md +++ b/windows/deploy/usmt-resources.md @@ -2,10 +2,10 @@ title: USMT Resources (Windows 10) description: USMT Resources ms.assetid: a0b266c7-4bcb-49f1-b63c-48c6ace86b43 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # USMT Resources diff --git a/windows/deploy/usmt-return-codes.md b/windows/deploy/usmt-return-codes.md index 4354a11ca8..365b49b5c7 100644 --- a/windows/deploy/usmt-return-codes.md +++ b/windows/deploy/usmt-return-codes.md @@ -2,10 +2,10 @@ title: Return Codes (Windows 10) description: Return Codes ms.assetid: e71bbc6b-d5a6-4e48-ad01-af0012b35f22 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Return Codes diff --git a/windows/deploy/usmt-scanstate-syntax.md b/windows/deploy/usmt-scanstate-syntax.md index ff2636ee8c..5083385534 100644 --- a/windows/deploy/usmt-scanstate-syntax.md +++ b/windows/deploy/usmt-scanstate-syntax.md @@ -2,10 +2,10 @@ title: ScanState Syntax (Windows 10) description: ScanState Syntax ms.assetid: 004c755f-33db-49e4-8a3b-37beec1480ea -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # ScanState Syntax diff --git a/windows/deploy/usmt-technical-reference.md b/windows/deploy/usmt-technical-reference.md index 232f27f2fa..5bdf666976 100644 --- a/windows/deploy/usmt-technical-reference.md +++ b/windows/deploy/usmt-technical-reference.md @@ -2,10 +2,10 @@ title: User State Migration Tool (USMT) Technical Reference (Windows 10) description: The User State Migration Tool (USMT) 10.0 is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals. ms.assetid: f90bf58b-5529-4520-a9f8-b6cb4e4d3add -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # User State Migration Tool (USMT) Technical Reference diff --git a/windows/deploy/usmt-test-your-migration.md b/windows/deploy/usmt-test-your-migration.md index 05e999a34d..e460f17de8 100644 --- a/windows/deploy/usmt-test-your-migration.md +++ b/windows/deploy/usmt-test-your-migration.md @@ -2,10 +2,10 @@ title: Test Your Migration (Windows 10) description: Test Your Migration ms.assetid: 754af276-8386-4eac-8079-3d1e45964a0d -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Test Your Migration diff --git a/windows/deploy/usmt-topics.md b/windows/deploy/usmt-topics.md index a58a88b007..4fe5cace86 100644 --- a/windows/deploy/usmt-topics.md +++ b/windows/deploy/usmt-topics.md @@ -2,10 +2,10 @@ title: User State Migration Tool (USMT) Overview Topics (Windows 10) description: User State Migration Tool (USMT) Overview Topics ms.assetid: 23170271-130b-416f-a7a7-c2f6adc32eee -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # User State Migration Tool (USMT) Overview Topics diff --git a/windows/deploy/usmt-troubleshooting.md b/windows/deploy/usmt-troubleshooting.md index 576f9801c9..33296077f4 100644 --- a/windows/deploy/usmt-troubleshooting.md +++ b/windows/deploy/usmt-troubleshooting.md @@ -2,10 +2,10 @@ title: User State Migration Tool (USMT) Troubleshooting (Windows 10) description: User State Migration Tool (USMT) Troubleshooting ms.assetid: 770f45bb-2284-463f-a29c-69c04f437533 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # User State Migration Tool (USMT) Troubleshooting diff --git a/windows/deploy/usmt-utilities.md b/windows/deploy/usmt-utilities.md index eb9081b082..08df5661f2 100644 --- a/windows/deploy/usmt-utilities.md +++ b/windows/deploy/usmt-utilities.md @@ -2,10 +2,10 @@ title: UsmtUtils Syntax (Windows 10) description: UsmtUtils Syntax ms.assetid: cdab7f2d-dd68-4016-b9ed-41ffa743b65c -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # UsmtUtils Syntax diff --git a/windows/deploy/usmt-what-does-usmt-migrate.md b/windows/deploy/usmt-what-does-usmt-migrate.md index 83b3851c29..89ba8aa60b 100644 --- a/windows/deploy/usmt-what-does-usmt-migrate.md +++ b/windows/deploy/usmt-what-does-usmt-migrate.md @@ -2,10 +2,10 @@ title: What Does USMT Migrate (Windows 10) description: What Does USMT Migrate ms.assetid: f613987d-0f17-43fe-9717-6465865ceda7 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # What Does USMT Migrate? diff --git a/windows/deploy/usmt-xml-elements-library.md b/windows/deploy/usmt-xml-elements-library.md index 87ffc8c9c3..f4f412fc2a 100644 --- a/windows/deploy/usmt-xml-elements-library.md +++ b/windows/deploy/usmt-xml-elements-library.md @@ -2,10 +2,10 @@ title: XML Elements Library (Windows 10) description: XML Elements Library ms.assetid: f5af0f6d-c3bf-4a4c-a0ca-9db7985f954f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # XML Elements Library diff --git a/windows/deploy/usmt-xml-reference.md b/windows/deploy/usmt-xml-reference.md index 49d7403f8f..4023b52759 100644 --- a/windows/deploy/usmt-xml-reference.md +++ b/windows/deploy/usmt-xml-reference.md @@ -2,10 +2,10 @@ title: USMT XML Reference (Windows 10) description: USMT XML Reference ms.assetid: fb946975-0fee-4ec0-b3ef-7c34945ee96f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # USMT XML Reference diff --git a/windows/deploy/vamt-known-issues.md b/windows/deploy/vamt-known-issues.md index 1e014a3e46..4aa2185e8f 100644 --- a/windows/deploy/vamt-known-issues.md +++ b/windows/deploy/vamt-known-issues.md @@ -2,7 +2,7 @@ title: VAMT Known Issues (Windows 10) description: VAMT Known Issues ms.assetid: 8992f1f3-830a-4ce7-a248-f3a6377ab77f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/vamt-requirements.md b/windows/deploy/vamt-requirements.md index 9da49547b0..06a8615669 100644 --- a/windows/deploy/vamt-requirements.md +++ b/windows/deploy/vamt-requirements.md @@ -2,7 +2,7 @@ title: VAMT Requirements (Windows 10) description: VAMT Requirements ms.assetid: d14d152b-ab8a-43cb-a8fd-2279364007b9 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/vamt-step-by-step.md b/windows/deploy/vamt-step-by-step.md index e886684243..5582bd3417 100644 --- a/windows/deploy/vamt-step-by-step.md +++ b/windows/deploy/vamt-step-by-step.md @@ -2,7 +2,7 @@ title: VAMT Step-by-Step Scenarios (Windows 10) description: VAMT Step-by-Step Scenarios ms.assetid: 455c542c-4860-4b57-a1f0-7e2d28e11a10 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/verify-the-condition-of-a-compressed-migration-store.md b/windows/deploy/verify-the-condition-of-a-compressed-migration-store.md index 233beb97f0..ee16be2715 100644 --- a/windows/deploy/verify-the-condition-of-a-compressed-migration-store.md +++ b/windows/deploy/verify-the-condition-of-a-compressed-migration-store.md @@ -2,10 +2,10 @@ title: Verify the Condition of a Compressed Migration Store (Windows 10) description: Verify the Condition of a Compressed Migration Store ms.assetid: 4a3fda96-5f7d-494a-955f-6b865ec9fcae -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Verify the Condition of a Compressed Migration Store diff --git a/windows/deploy/volume-activation-management-tool.md b/windows/deploy/volume-activation-management-tool.md index 04af72f880..887c116352 100644 --- a/windows/deploy/volume-activation-management-tool.md +++ b/windows/deploy/volume-activation-management-tool.md @@ -2,7 +2,7 @@ title: Volume Activation Management Tool (VAMT) Technical Reference (Windows 10) description: The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process. ms.assetid: 1df0f795-f41c-473b-850c-e98af1ad2f2a -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/volume-activation-windows-10.md b/windows/deploy/volume-activation-windows-10.md index e57043d4ca..eda56e2651 100644 --- a/windows/deploy/volume-activation-windows-10.md +++ b/windows/deploy/volume-activation-windows-10.md @@ -3,7 +3,7 @@ title: Volume Activation for Windows 10 (Windows 10) description: This guide is designed to help organizations that are planning to use volume activation to deploy and activate Windows 10, including organizations that have used volume activation for earlier versions of Windows. ms.assetid: 6e8cffae-7322-4fd3-882a-cde68187aef2 keywords: vamt, volume activation, activation, windows activation -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/windows-10-deployment-scenarios.md b/windows/deploy/windows-10-deployment-scenarios.md index 54221f9de3..e76d648bb0 100644 --- a/windows/deploy/windows-10-deployment-scenarios.md +++ b/windows/deploy/windows-10-deployment-scenarios.md @@ -2,8 +2,8 @@ title: Windows 10 deployment scenarios (Windows 10) description: To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. ms.assetid: 7A29D546-52CC-482C-8870-8123C7DC04B5 -keywords: ["upgrade, in-place, configuration, deploy"] -ms.prod: W10 +keywords: upgrade, in-place, configuration, deploy +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus diff --git a/windows/deploy/windows-10-deployment-tools-reference.md b/windows/deploy/windows-10-deployment-tools-reference.md index e71eedae97..597900fb82 100644 --- a/windows/deploy/windows-10-deployment-tools-reference.md +++ b/windows/deploy/windows-10-deployment-tools-reference.md @@ -2,10 +2,10 @@ title: Windows 10 deployment tools reference (Windows 10) description: Learn about the tools available to deploy Windows 10. ms.assetid: 5C4B0AE3-B2D0-4628-9E73-606F3FAA17BB -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Windows 10 deployment tools reference diff --git a/windows/deploy/windows-10-edition-upgrades.md b/windows/deploy/windows-10-edition-upgrades.md index 72baf3a243..21981254a9 100644 --- a/windows/deploy/windows-10-edition-upgrades.md +++ b/windows/deploy/windows-10-edition-upgrades.md @@ -2,10 +2,10 @@ title: Windows 10 edition upgrade (Windows 10) description: With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. ms.assetid: A7642E90-A3E7-4A25-8044-C4E402DC462A -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Windows 10 edition upgrade diff --git a/windows/deploy/windows-adk-scenarios-for-it-pros.md b/windows/deploy/windows-adk-scenarios-for-it-pros.md index 3fb2944f22..8821ada189 100644 --- a/windows/deploy/windows-adk-scenarios-for-it-pros.md +++ b/windows/deploy/windows-adk-scenarios-for-it-pros.md @@ -2,10 +2,10 @@ title: Windows ADK for Windows 10 scenarios for IT Pros (Windows 10) description: The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. ms.assetid: FC4EB39B-29BA-4920-87C2-A00D711AE48B -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Windows ADK for Windows 10 scenarios for IT Pros diff --git a/windows/deploy/windows-deployment-scenarios-and-tools.md b/windows/deploy/windows-deployment-scenarios-and-tools.md index a66deb1389..ba4f22b7c5 100644 --- a/windows/deploy/windows-deployment-scenarios-and-tools.md +++ b/windows/deploy/windows-deployment-scenarios-and-tools.md @@ -2,8 +2,8 @@ title: Windows 10 deployment tools (Windows 10) description: To successfully deploy the Windows 10 operating system and applications for your organization, it is essential that you know about the available tools to help with the process. ms.assetid: 0d6cee1f-14c4-4b69-b29a-43b0b327b877 -keywords: ["deploy, volume activation, BitLocker, recovery, install, installation, VAMT, MDT, USMT, WDS"] -ms.prod: W10 +keywords: deploy, volume activation, BitLocker, recovery, install, installation, VAMT, MDT, USMT, WDS +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus diff --git a/windows/deploy/windows-upgrade-and-migration-considerations.md b/windows/deploy/windows-upgrade-and-migration-considerations.md index 2b5ee05766..7763b0502d 100644 --- a/windows/deploy/windows-upgrade-and-migration-considerations.md +++ b/windows/deploy/windows-upgrade-and-migration-considerations.md @@ -2,10 +2,10 @@ title: Windows Upgrade and Migration Considerations (Windows 10) description: Windows Upgrade and Migration Considerations ms.assetid: 7f85095c-5922-45e9-b28e-91b1263c7281 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Windows Upgrade and Migration Considerations diff --git a/windows/deploy/xml-file-requirements.md b/windows/deploy/xml-file-requirements.md index 50c5e1b161..100306e84d 100644 --- a/windows/deploy/xml-file-requirements.md +++ b/windows/deploy/xml-file-requirements.md @@ -2,10 +2,10 @@ title: XML File Requirements (Windows 10) description: XML File Requirements ms.assetid: 4b567b50-c50a-4a4f-8684-151fe3f8275f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # XML File Requirements diff --git a/windows/keep-secure/access-credential-manager-as-a-trusted-caller.md b/windows/keep-secure/access-credential-manager-as-a-trusted-caller.md index f6f7140989..ff24a84d8c 100644 --- a/windows/keep-secure/access-credential-manager-as-a-trusted-caller.md +++ b/windows/keep-secure/access-credential-manager-as-a-trusted-caller.md @@ -2,7 +2,7 @@ title: Access Credential Manager as a trusted caller (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Access Credential Manager as a trusted caller security policy setting. ms.assetid: a51820d2-ca5b-47dd-8e9b-d7008603db88 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/access-this-computer-from-the-network.md b/windows/keep-secure/access-this-computer-from-the-network.md index 00a88b6ba8..1cb598fcfd 100644 --- a/windows/keep-secure/access-this-computer-from-the-network.md +++ b/windows/keep-secure/access-this-computer-from-the-network.md @@ -2,7 +2,7 @@ title: Access this computer from the network (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Access this computer from the network security policy setting. ms.assetid: f6767bc2-83d1-45f1-847c-54f5362db022 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/account-lockout-duration.md b/windows/keep-secure/account-lockout-duration.md index 9b8fd5a9f4..1d438057a4 100644 --- a/windows/keep-secure/account-lockout-duration.md +++ b/windows/keep-secure/account-lockout-duration.md @@ -2,7 +2,7 @@ title: Account lockout duration (Windows 10) description: Describes the best practices, location, values, and security considerations for the Account lockout duration security policy setting. ms.assetid: a4167bf4-27c3-4a9b-8ef0-04e3c6ec3aa4 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/account-lockout-policy.md b/windows/keep-secure/account-lockout-policy.md index edf3c1a723..6a13c989d3 100644 --- a/windows/keep-secure/account-lockout-policy.md +++ b/windows/keep-secure/account-lockout-policy.md @@ -2,7 +2,7 @@ title: Account Lockout Policy (Windows 10) description: Describes the Account Lockout Policy settings and links to information about each policy setting. ms.assetid: eb968c28-17c5-405f-b413-50728cb7b724 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/account-lockout-threshold.md b/windows/keep-secure/account-lockout-threshold.md index 56fedf53b7..828a524fe0 100644 --- a/windows/keep-secure/account-lockout-threshold.md +++ b/windows/keep-secure/account-lockout-threshold.md @@ -2,7 +2,7 @@ title: Account lockout threshold (Windows 10) description: Describes the best practices, location, values, and security considerations for the Account lockout threshold security policy setting. ms.assetid: 4904bb40-a2bd-4fef-a102-260ba8d74e30 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/account-policies.md b/windows/keep-secure/account-policies.md index 487d575c7f..ca8fb5a3b4 100644 --- a/windows/keep-secure/account-policies.md +++ b/windows/keep-secure/account-policies.md @@ -2,7 +2,7 @@ title: Account Policies (Windows 10) description: An overview of account policies in Windows and provides links to policy descriptions. ms.assetid: 711b3797-b87a-4cd9-a2e3-1f8ef18688fb -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/accounts-administrator-account-status.md b/windows/keep-secure/accounts-administrator-account-status.md index 6c992c3bcb..5a3cde966e 100644 --- a/windows/keep-secure/accounts-administrator-account-status.md +++ b/windows/keep-secure/accounts-administrator-account-status.md @@ -2,7 +2,7 @@ title: Accounts Administrator account status (Windows 10) description: Describes the best practices, location, values, and security considerations for the Accounts Administrator account status security policy setting. ms.assetid: 71a3bd48-1014-49e0-a936-bfe9433af23e -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/accounts-block-microsoft-accounts.md b/windows/keep-secure/accounts-block-microsoft-accounts.md index a482a7a88c..cc479c5bc2 100644 --- a/windows/keep-secure/accounts-block-microsoft-accounts.md +++ b/windows/keep-secure/accounts-block-microsoft-accounts.md @@ -2,7 +2,7 @@ title: Accounts Block Microsoft accounts (Windows 10) description: Describes the best practices, location, values, management, and security considerations for the Accounts Block Microsoft accounts security policy setting. ms.assetid: 94c76f45-057c-4d80-8d01-033cf28ef2f7 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/accounts-guest-account-status.md b/windows/keep-secure/accounts-guest-account-status.md index 2e66ee3ae1..f9054008ac 100644 --- a/windows/keep-secure/accounts-guest-account-status.md +++ b/windows/keep-secure/accounts-guest-account-status.md @@ -2,7 +2,7 @@ title: Accounts Guest account status (Windows 10) description: Describes the best practices, location, values, and security considerations for the Accounts Guest account status security policy setting. ms.assetid: 07e53fc5-b495-4d02-ab42-5b245d10d0ce -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md b/windows/keep-secure/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md index 9d8ddd27c9..eb700fe6ec 100644 --- a/windows/keep-secure/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md +++ b/windows/keep-secure/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md @@ -2,7 +2,7 @@ title: Accounts Limit local account use of blank passwords to console logon only (Windows 10) description: Describes the best practices, location, values, and security considerations for the Accounts Limit local account use of blank passwords to console logon only security policy setting. ms.assetid: a1bfb58b-1ae8-4de9-832b-aa889a6e64bd -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/accounts-rename-administrator-account.md b/windows/keep-secure/accounts-rename-administrator-account.md index 8873990424..5c79c1d38b 100644 --- a/windows/keep-secure/accounts-rename-administrator-account.md +++ b/windows/keep-secure/accounts-rename-administrator-account.md @@ -2,7 +2,7 @@ title: Accounts Rename administrator account (Windows 10) description: This security policy reference topic for the IT professional describes the best practices, location, values, and security considerations for this policy setting. ms.assetid: d21308eb-7c60-4e48-8747-62b8109844f9 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/accounts-rename-guest-account.md b/windows/keep-secure/accounts-rename-guest-account.md index f82b907968..aa06c480c3 100644 --- a/windows/keep-secure/accounts-rename-guest-account.md +++ b/windows/keep-secure/accounts-rename-guest-account.md @@ -2,7 +2,7 @@ title: Accounts Rename guest account (Windows 10) description: Describes the best practices, location, values, and security considerations for the Accounts Rename guest account security policy setting. ms.assetid: 9b8052b4-bbb9-4cc1-bfee-ce25390db707 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/act-as-part-of-the-operating-system.md b/windows/keep-secure/act-as-part-of-the-operating-system.md index 5d4a39d466..a35393e223 100644 --- a/windows/keep-secure/act-as-part-of-the-operating-system.md +++ b/windows/keep-secure/act-as-part-of-the-operating-system.md @@ -2,7 +2,7 @@ title: Act as part of the operating system (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Act as part of the operating system security policy setting. ms.assetid: c1b7e084-a9f7-4377-b678-07cc913c8b0c -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/ad-ds-schema-extensions-to-support-tpm-backup.md b/windows/keep-secure/ad-ds-schema-extensions-to-support-tpm-backup.md index 214bc1763d..8e62ff36b5 100644 --- a/windows/keep-secure/ad-ds-schema-extensions-to-support-tpm-backup.md +++ b/windows/keep-secure/ad-ds-schema-extensions-to-support-tpm-backup.md @@ -2,7 +2,7 @@ title: AD DS schema extensions to support TPM backup (Windows 10) description: This topic provides more details about this change and provides template schema extensions that you can incorporate into your organization. ms.assetid: beb7097c-e674-4eab-b8e2-6f67c85d1f3f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md b/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md index 3f9700cfb4..eb028e5f03 100644 --- a/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md +++ b/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md @@ -2,9 +2,10 @@ title: Add multiple apps to your enterprise data protection (EDP) Protected Apps list (Windows 10) description: Add multiple apps to your enterprise data protection (EDP) Protected Apps list at the same time, by using the Microsoft Intune Custom URI functionality and the AppLocker. ms.assetid: b50db35d-a2a9-4b78-a95d-a1b066e66880 -keywords: ["EDP", "Enterprise Data Protection", "protected apps", "protected app list"] -ms.prod: W10 +keywords: EDP, Enterprise Data Protection, protected apps, protected app list +ms.prod: w10 ms.mktglfcycl: explore +ms.pagetype: security ms.sitesec: library author: eross-msft --- diff --git a/windows/keep-secure/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md b/windows/keep-secure/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md index c05eb4ebd2..d99dda899b 100644 --- a/windows/keep-secure/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md +++ b/windows/keep-secure/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md @@ -2,7 +2,7 @@ title: Add rules for packaged apps to existing AppLocker rule-set (Windows 10) description: This topic for IT professionals describes how to update your existing AppLocker policies for packaged apps using the Remote Server Administration Toolkit (RSAT). ms.assetid: 758c2a9f-c2a3-418c-83bc-fd335a94097f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/add-workstations-to-domain.md b/windows/keep-secure/add-workstations-to-domain.md index 7cdeb90a8b..fac531b419 100644 --- a/windows/keep-secure/add-workstations-to-domain.md +++ b/windows/keep-secure/add-workstations-to-domain.md @@ -2,7 +2,7 @@ title: Add workstations to domain (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Add workstations to domain security policy setting. ms.assetid: b0c21af4-c928-4344-b1f1-58ef162ad0b3 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/additional-configuration-windows-defender-advanced-threat-protection.md b/windows/keep-secure/additional-configuration-windows-defender-advanced-threat-protection.md index 604d4ba268..93d466aa32 100644 --- a/windows/keep-secure/additional-configuration-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/additional-configuration-windows-defender-advanced-threat-protection.md @@ -3,8 +3,9 @@ title: Additional Windows Defender ATP configuration settings description: Use the Group Policy Console to configure settings that enable sample sharing from your endpoints. These settings are used in the deep analysis feature. keywords: configuration settings, Windows Defender ATP configuration settings, Windows Defender Advanced Threat Protection configuration settings, group policy Management Editor, computer configuration, policies, administrative templates, search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy +ms.pagetype: security ms.sitesec: library author: mjcaparas --- diff --git a/windows/keep-secure/adjust-memory-quotas-for-a-process.md b/windows/keep-secure/adjust-memory-quotas-for-a-process.md index 4568ef9fe0..44fe866134 100644 --- a/windows/keep-secure/adjust-memory-quotas-for-a-process.md +++ b/windows/keep-secure/adjust-memory-quotas-for-a-process.md @@ -2,7 +2,7 @@ title: Adjust memory quotas for a process (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Adjust memory quotas for a process security policy setting. ms.assetid: 6754a2c8-6d07-4567-9af3-335fd8dd7626 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/administer-applocker.md b/windows/keep-secure/administer-applocker.md index 232b69b1ef..0940acac92 100644 --- a/windows/keep-secure/administer-applocker.md +++ b/windows/keep-secure/administer-applocker.md @@ -2,7 +2,7 @@ title: Administer AppLocker (Windows 10) description: This topic for IT professionals provides links to specific procedures to use when administering AppLocker policies. ms.assetid: 511a3b6a-175f-4d6d-a6e0-c1780c02e818 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/administer-security-policy-settings.md b/windows/keep-secure/administer-security-policy-settings.md index 59bc1ce37f..de0baa4b22 100644 --- a/windows/keep-secure/administer-security-policy-settings.md +++ b/windows/keep-secure/administer-security-policy-settings.md @@ -2,7 +2,7 @@ title: Administer security policy settings (Windows 10) description: This article discusses different methods to administer security policy settings on a local device or throughout a small- or medium-sized organization. ms.assetid: 7617d885-9d28-437a-9371-171197407599 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/advanced-security-audit-policy-settings.md b/windows/keep-secure/advanced-security-audit-policy-settings.md index 5b5faf0b14..14ecaca52f 100644 --- a/windows/keep-secure/advanced-security-audit-policy-settings.md +++ b/windows/keep-secure/advanced-security-audit-policy-settings.md @@ -2,7 +2,7 @@ title: Advanced security audit policy settings (Windows 10) description: This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate. ms.assetid: 93b28b92-796f-4036-a53b-8b9e80f9f171 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/advanced-security-auditing-faq.md b/windows/keep-secure/advanced-security-auditing-faq.md index eef52f8d63..3bfa640035 100644 --- a/windows/keep-secure/advanced-security-auditing-faq.md +++ b/windows/keep-secure/advanced-security-auditing-faq.md @@ -2,7 +2,7 @@ title: Advanced security auditing FAQ (Windows 10) description: This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies. ms.assetid: 80f8f187-0916-43c2-a7e8-ea712b115a06 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/advanced-security-auditing.md b/windows/keep-secure/advanced-security-auditing.md index 5ed85a625d..bdec74db1c 100644 --- a/windows/keep-secure/advanced-security-auditing.md +++ b/windows/keep-secure/advanced-security-auditing.md @@ -2,7 +2,7 @@ title: Advanced security audit policies (Windows 10) description: Advanced security audit policy settings are found in Security Settings\\Advanced Audit Policy Configuration\\System Audit Policies and appear to overlap with basic security audit policies, but they are recorded and applied differently. ms.assetid: 6FE8AC10-F48E-4BBF-979B-43A5DFDC5DFC -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/alerts-queue-windows-defender-advanced-threat-protection.md b/windows/keep-secure/alerts-queue-windows-defender-advanced-threat-protection.md index ee4ce0a4a9..46dddb36a1 100644 --- a/windows/keep-secure/alerts-queue-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/alerts-queue-windows-defender-advanced-threat-protection.md @@ -3,9 +3,10 @@ title: View and organize the Windows Defender ATP Alerts queue description: Learn about how the Windows Defender ATP alerts queue work, and how to sort and filter lists of alerts. keywords: alerts, queues, alerts queue, sort, order, filter, manage alerts, new, in progress, resolved, newest, time in queue, severity, time period search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: mjcaparas --- diff --git a/windows/keep-secure/allow-log-on-locally.md b/windows/keep-secure/allow-log-on-locally.md index fdfa7ab402..3cbeacb088 100644 --- a/windows/keep-secure/allow-log-on-locally.md +++ b/windows/keep-secure/allow-log-on-locally.md @@ -2,7 +2,7 @@ title: Allow log on locally (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Allow log on locally security policy setting. ms.assetid: d9e5e1f3-3bff-4da7-a9a2-4bb3e0c79055 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/allow-log-on-through-remote-desktop-services.md b/windows/keep-secure/allow-log-on-through-remote-desktop-services.md index cc51c9cbea..d409837c30 100644 --- a/windows/keep-secure/allow-log-on-through-remote-desktop-services.md +++ b/windows/keep-secure/allow-log-on-through-remote-desktop-services.md @@ -2,7 +2,7 @@ title: Allow log on through Remote Desktop Services (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Allow log on through Remote Desktop Services security policy setting. ms.assetid: 6267c376-8199-4f2b-ae56-9c5424e76798 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/applocker-architecture-and-components.md b/windows/keep-secure/applocker-architecture-and-components.md index 39e8bbf34c..98760516ec 100644 --- a/windows/keep-secure/applocker-architecture-and-components.md +++ b/windows/keep-secure/applocker-architecture-and-components.md @@ -2,7 +2,7 @@ title: AppLocker architecture and components (Windows 10) description: This topic for IT professional describes AppLocker’s basic architecture and its major components. ms.assetid: efdd8494-553c-443f-bd5f-c8976535135a -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/applocker-functions.md b/windows/keep-secure/applocker-functions.md index d3ab5362dd..eaad056c7a 100644 --- a/windows/keep-secure/applocker-functions.md +++ b/windows/keep-secure/applocker-functions.md @@ -2,7 +2,7 @@ title: AppLocker functions (Windows 10) description: This topic for the IT professional lists the functions and security levels for the Software Restriction Policies (SRP) and AppLocker features. ms.assetid: bf704198-9e74-4731-8c5a-ee0512df34d2 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/applocker-overview.md b/windows/keep-secure/applocker-overview.md index 6918af6f1e..954c093d80 100644 --- a/windows/keep-secure/applocker-overview.md +++ b/windows/keep-secure/applocker-overview.md @@ -2,7 +2,7 @@ title: AppLocker (Windows 10) description: This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. ms.assetid: 94b57864-2112-43b6-96fb-2863c985dc9a -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/applocker-policies-deployment-guide.md b/windows/keep-secure/applocker-policies-deployment-guide.md index f0bce74c2a..2adc3ff79b 100644 --- a/windows/keep-secure/applocker-policies-deployment-guide.md +++ b/windows/keep-secure/applocker-policies-deployment-guide.md @@ -2,7 +2,7 @@ title: AppLocker deployment guide (Windows 10) description: This topic for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies. ms.assetid: 38632795-be13-46b0-a7af-487a4340bea1 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/applocker-policies-design-guide.md b/windows/keep-secure/applocker-policies-design-guide.md index 7954db3edb..2e331c4fb8 100644 --- a/windows/keep-secure/applocker-policies-design-guide.md +++ b/windows/keep-secure/applocker-policies-design-guide.md @@ -2,7 +2,7 @@ title: AppLocker design guide (Windows 10) description: This topic for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker. ms.assetid: 1c8e4a7b-3164-4eb4-9277-11b1d5a09c7b -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/applocker-policy-use-scenarios.md b/windows/keep-secure/applocker-policy-use-scenarios.md index ce30809f52..64a8fd4db0 100644 --- a/windows/keep-secure/applocker-policy-use-scenarios.md +++ b/windows/keep-secure/applocker-policy-use-scenarios.md @@ -2,7 +2,7 @@ title: AppLocker policy use scenarios (Windows 10) description: This topic for the IT professional lists the various application control scenarios in which AppLocker policies can be effectively implemented. ms.assetid: 33f71578-89f0-4063-ac04-cf4f4ca5c31f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/applocker-processes-and-interactions.md b/windows/keep-secure/applocker-processes-and-interactions.md index 0243055da8..5f07c7d07f 100644 --- a/windows/keep-secure/applocker-processes-and-interactions.md +++ b/windows/keep-secure/applocker-processes-and-interactions.md @@ -2,7 +2,7 @@ title: AppLocker processes and interactions (Windows 10) description: This topic for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules. ms.assetid: 0beec616-6040-4be7-8703-b6c919755d8e -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/applocker-settings.md b/windows/keep-secure/applocker-settings.md index 77509f8e43..7af2350b9d 100644 --- a/windows/keep-secure/applocker-settings.md +++ b/windows/keep-secure/applocker-settings.md @@ -2,7 +2,7 @@ title: AppLocker settings (Windows 10) description: This topic for the IT professional lists the settings used by AppLocker. ms.assetid: 9cb4aa19-77c0-4415-9968-bd07dab86839 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/applocker-technical-reference.md b/windows/keep-secure/applocker-technical-reference.md index 164a159782..1c797a1679 100644 --- a/windows/keep-secure/applocker-technical-reference.md +++ b/windows/keep-secure/applocker-technical-reference.md @@ -2,7 +2,7 @@ title: AppLocker technical reference (Windows 10) description: This overview topic for IT professionals provides links to the topics in the technical reference. ms.assetid: 2b2678f8-c46b-4e1d-b8c5-037c0be255ab -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/keep-secure/apply-a-basic-audit-policy-on-a-file-or-folder.md index 5828778660..fd5dcf7155 100644 --- a/windows/keep-secure/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/keep-secure/apply-a-basic-audit-policy-on-a-file-or-folder.md @@ -2,7 +2,7 @@ title: Apply a basic audit policy on a file or folder (Windows 10) description: You can apply audit policies to individual files and folders on your computer by setting the permission type to record successful access attempts or failed access attempts in the security log. ms.assetid: 565E7249-5CD0-4B2E-B2C0-B3A0793A51E2 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-account-lockout.md b/windows/keep-secure/audit-account-lockout.md index 6c7ebbb0e2..be3326efee 100644 --- a/windows/keep-secure/audit-account-lockout.md +++ b/windows/keep-secure/audit-account-lockout.md @@ -2,7 +2,7 @@ title: Audit Account Lockout (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Account Lockout, which enables you to audit security events that are generated by a failed attempt to log on to an account that is locked out. ms.assetid: da68624b-a174-482c-9bc5-ddddab38e589 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-application-generated.md b/windows/keep-secure/audit-application-generated.md index f7c31ca13a..3aa2716aa8 100644 --- a/windows/keep-secure/audit-application-generated.md +++ b/windows/keep-secure/audit-application-generated.md @@ -2,7 +2,7 @@ title: Audit Application Generated (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Application Generated, which determines whether the operating system generates audit events when applications attempt to use the Windows Auditing application programming interfaces (APIs). ms.assetid: 6c58a365-b25b-42b8-98ab-819002e31871 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-application-group-management.md b/windows/keep-secure/audit-application-group-management.md index 3055b72f6d..76cdabda54 100644 --- a/windows/keep-secure/audit-application-group-management.md +++ b/windows/keep-secure/audit-application-group-management.md @@ -2,7 +2,7 @@ title: Audit Application Group Management (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Application Group Management, which determines whether the operating system generates audit events when application group management tasks are performed. ms.assetid: 1bcaa41e-5027-4a86-96b7-f04eaf1c0606 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-audit-policy-change.md b/windows/keep-secure/audit-audit-policy-change.md index 65b7d6261e..de2aca1b0a 100644 --- a/windows/keep-secure/audit-audit-policy-change.md +++ b/windows/keep-secure/audit-audit-policy-change.md @@ -2,7 +2,7 @@ title: Audit Audit Policy Change (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Audit Policy Change, which determines whether the operating system generates audit events when changes are made to audit policy. ms.assetid: 7153bf75-6978-4d7e-a821-59a699efb8a9 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-audit-the-access-of-global-system-objects.md b/windows/keep-secure/audit-audit-the-access-of-global-system-objects.md index 767ec7c30a..9fcecc87b1 100644 --- a/windows/keep-secure/audit-audit-the-access-of-global-system-objects.md +++ b/windows/keep-secure/audit-audit-the-access-of-global-system-objects.md @@ -2,7 +2,7 @@ title: Audit Audit the access of global system objects (Windows 10) description: Describes the best practices, location, values, and security considerations for the Audit Audit the access of global system objects security policy setting. ms.assetid: 20d40a79-ce89-45e6-9bb4-148f83958460 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-audit-the-use-of-backup-and-restore-privilege.md b/windows/keep-secure/audit-audit-the-use-of-backup-and-restore-privilege.md index 49b518da5a..3bd9ddd1b8 100644 --- a/windows/keep-secure/audit-audit-the-use-of-backup-and-restore-privilege.md +++ b/windows/keep-secure/audit-audit-the-use-of-backup-and-restore-privilege.md @@ -2,7 +2,7 @@ title: Audit Audit the use of Backup and Restore privilege (Windows 10) description: Describes the best practices, location, values, and security considerations for the Audit Audit the use of Backup and Restore privilege security policy setting. ms.assetid: f656a2bb-e8d6-447b-8902-53df3a7756c5 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-authentication-policy-change.md b/windows/keep-secure/audit-authentication-policy-change.md index e26a96a284..712e480800 100644 --- a/windows/keep-secure/audit-authentication-policy-change.md +++ b/windows/keep-secure/audit-authentication-policy-change.md @@ -2,7 +2,7 @@ title: Audit Authentication Policy Change (Windows 10) description: This topic for the IT professional describes this Advanced Security Audit policy setting, Audit Authentication Policy Change, which determines whether the operating system generates audit events when changes are made to authentication policy. ms.assetid: aa9cea7a-aadf-47b7-b704-ac253b8e79be -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-authorization-policy-change.md b/windows/keep-secure/audit-authorization-policy-change.md index 3bff0a5dd9..7e426a2044 100644 --- a/windows/keep-secure/audit-authorization-policy-change.md +++ b/windows/keep-secure/audit-authorization-policy-change.md @@ -2,7 +2,7 @@ title: Audit Authorization Policy Change (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Authorization Policy Change, which determines whether the operating system generates audit events when specific changes are made to the authorization policy. ms.assetid: ca0587a2-a2b3-4300-aa5d-48b4553c3b36 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-central-access-policy-staging.md b/windows/keep-secure/audit-central-access-policy-staging.md index e53abd2a09..28539eb491 100644 --- a/windows/keep-secure/audit-central-access-policy-staging.md +++ b/windows/keep-secure/audit-central-access-policy-staging.md @@ -2,7 +2,7 @@ title: Audit Central Access Policy Staging (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Central Access Policy Staging, which determines permissions on a Central Access Policy. ms.assetid: D9BB11CE-949A-4B48-82BF-30DC5E6FC67D -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-certification-services.md b/windows/keep-secure/audit-certification-services.md index f23bdde027..f5aa0959d7 100644 --- a/windows/keep-secure/audit-certification-services.md +++ b/windows/keep-secure/audit-certification-services.md @@ -2,7 +2,7 @@ title: Audit Certification Services (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Certification Services, which determines whether the operating system generates events when Active Directory Certificate Services (AD CS) operations are performed. ms.assetid: cdefc34e-fb1f-4eff-b766-17713c5a1b03 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-computer-account-management.md b/windows/keep-secure/audit-computer-account-management.md index 5211936625..f336c85c74 100644 --- a/windows/keep-secure/audit-computer-account-management.md +++ b/windows/keep-secure/audit-computer-account-management.md @@ -2,7 +2,7 @@ title: Audit Computer Account Management (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Computer Account Management, which determines whether the operating system generates audit events when a computer account is created, changed, or deleted. ms.assetid: 6c406693-57bf-4411-bb6c-ff83ce548991 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-credential-validation.md b/windows/keep-secure/audit-credential-validation.md index 7f4232806f..fdacd0aa43 100644 --- a/windows/keep-secure/audit-credential-validation.md +++ b/windows/keep-secure/audit-credential-validation.md @@ -2,7 +2,7 @@ title: Audit Credential Validation (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Credential Validation, which determines whether the operating system generates audit events on credentials that are submitted for a user account logon request. ms.assetid: 6654b33a-922e-4a43-8223-ec5086dfc926 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-detailed-directory-service-replication.md b/windows/keep-secure/audit-detailed-directory-service-replication.md index ae2e46a570..295527e35e 100644 --- a/windows/keep-secure/audit-detailed-directory-service-replication.md +++ b/windows/keep-secure/audit-detailed-directory-service-replication.md @@ -3,7 +3,7 @@ title: Audit Detailed Directory Service Replication (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Detailed Directory Service Replication, which determines whether the operating system generates audit events that contain detailed tracking information about data that is replicated between domain controllers. ms.assetid: 1b89c8f5-bce7-4b20-8701-42585c7ab993 ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: brianlic-msft diff --git a/windows/keep-secure/audit-detailed-file-share.md b/windows/keep-secure/audit-detailed-file-share.md index f60e4dd5f2..4d0294c79c 100644 --- a/windows/keep-secure/audit-detailed-file-share.md +++ b/windows/keep-secure/audit-detailed-file-share.md @@ -2,7 +2,7 @@ title: Audit Detailed File Share (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Detailed File Share, which allows you to audit attempts to access files and folders on a shared folder. ms.assetid: 60310104-b820-4033-a1cb-022a34f064ae -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-directory-service-access.md b/windows/keep-secure/audit-directory-service-access.md index 230dce9a69..2c88e66d93 100644 --- a/windows/keep-secure/audit-directory-service-access.md +++ b/windows/keep-secure/audit-directory-service-access.md @@ -2,7 +2,7 @@ title: Audit Directory Service Access (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Directory Service Access, which determines whether the operating system generates audit events when an Active Directory Domain Services (AD DS) object is accessed. ms.assetid: ba2562ba-4282-4588-b87c-a3fcb771c7d0 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-directory-service-changes.md b/windows/keep-secure/audit-directory-service-changes.md index 361827a614..18b22defe5 100644 --- a/windows/keep-secure/audit-directory-service-changes.md +++ b/windows/keep-secure/audit-directory-service-changes.md @@ -2,7 +2,7 @@ title: Audit Directory Service Changes (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Directory Service Changes, which determines whether the operating system generates audit events when changes are made to objects in Active Directory Domain Services (AD DS). ms.assetid: 9f7c0dd4-3977-47dd-a0fb-ec2f17cad05e -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-directory-service-replication.md b/windows/keep-secure/audit-directory-service-replication.md index 9f09abada9..8dde61d22d 100644 --- a/windows/keep-secure/audit-directory-service-replication.md +++ b/windows/keep-secure/audit-directory-service-replication.md @@ -2,7 +2,7 @@ title: Audit Directory Service Replication (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Directory Service Replication, which determines whether the operating system generates audit events when replication between two domain controllers begins and ends. ms.assetid: b95d296c-7993-4e8d-8064-a8bbe284bd56 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-distribution-group-management.md b/windows/keep-secure/audit-distribution-group-management.md index 1e259424ed..80cfcea450 100644 --- a/windows/keep-secure/audit-distribution-group-management.md +++ b/windows/keep-secure/audit-distribution-group-management.md @@ -2,7 +2,7 @@ title: Audit Distribution Group Management (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Distribution Group Management, which determines whether the operating system generates audit events for specific distribution-group management tasks. ms.assetid: d46693a4-5887-4a58-85db-2f6cba224a66 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-dpapi-activity.md b/windows/keep-secure/audit-dpapi-activity.md index 1e7c77ac71..30db4c39a8 100644 --- a/windows/keep-secure/audit-dpapi-activity.md +++ b/windows/keep-secure/audit-dpapi-activity.md @@ -2,7 +2,7 @@ title: Audit DPAPI Activity (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit DPAPI Activity, which determines whether the operating system generates audit events when encryption or decryption calls are made into the data protection application interface (DPAPI). ms.assetid: be4d4c83-c857-4e3d-a84e-8bcc3f2c99cd -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-file-share.md b/windows/keep-secure/audit-file-share.md index 8040bc118a..af74a0b2a8 100644 --- a/windows/keep-secure/audit-file-share.md +++ b/windows/keep-secure/audit-file-share.md @@ -2,7 +2,7 @@ title: Audit File Share (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit File Share, which determines whether the operating system generates audit events when a file share is accessed. ms.assetid: 9ea985f8-8936-4b79-abdb-35cbb7138f78 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-file-system.md b/windows/keep-secure/audit-file-system.md index 53faccfac6..1ddb1c3d49 100644 --- a/windows/keep-secure/audit-file-system.md +++ b/windows/keep-secure/audit-file-system.md @@ -2,7 +2,7 @@ title: Audit File System (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit File System, which determines whether the operating system generates audit events when users attempt to access file system objects. ms.assetid: 6a71f283-b8e5-41ac-b348-0b7ec6ea0b1f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.pagetype: security ms.sitesec: library diff --git a/windows/keep-secure/audit-filtering-platform-connection.md b/windows/keep-secure/audit-filtering-platform-connection.md index a23961c6d9..4b8c95c652 100644 --- a/windows/keep-secure/audit-filtering-platform-connection.md +++ b/windows/keep-secure/audit-filtering-platform-connection.md @@ -2,7 +2,7 @@ title: Audit Filtering Platform Connection (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Filtering Platform Connection, which determines whether the operating system generates audit events when connections are allowed or blocked by the Windows Filtering Platform. ms.assetid: d72936e9-ff01-4d18-b864-a4958815df59 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-filtering-platform-packet-drop.md b/windows/keep-secure/audit-filtering-platform-packet-drop.md index fda5bc89e7..96935fa8b7 100644 --- a/windows/keep-secure/audit-filtering-platform-packet-drop.md +++ b/windows/keep-secure/audit-filtering-platform-packet-drop.md @@ -2,7 +2,7 @@ title: Audit Filtering Platform Packet Drop (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Filtering Platform Packet Drop, which determines whether the operating system generates audit events when packets are dropped by the Windows Filtering Platform. ms.assetid: 95457601-68d1-4385-af20-87916ddab906 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-filtering-platform-policy-change.md b/windows/keep-secure/audit-filtering-platform-policy-change.md index 97f04007ea..10c8a9459b 100644 --- a/windows/keep-secure/audit-filtering-platform-policy-change.md +++ b/windows/keep-secure/audit-filtering-platform-policy-change.md @@ -2,7 +2,7 @@ title: Audit Filtering Platform Policy Change (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Filtering Platform Policy Change, which determines whether the operating system generates audit events for certain IPsec and Windows Filtering Platform actions. ms.assetid: 0eaf1c56-672b-4ea9-825a-22dc03eb4041 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-force-audit-policy-subcategory-settings-to-override.md b/windows/keep-secure/audit-force-audit-policy-subcategory-settings-to-override.md index 2ceff2fa34..50880766f6 100644 --- a/windows/keep-secure/audit-force-audit-policy-subcategory-settings-to-override.md +++ b/windows/keep-secure/audit-force-audit-policy-subcategory-settings-to-override.md @@ -2,7 +2,7 @@ title: Audit Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings (Windows 10) description: Describes the best practices, location, values, and security considerations for the Audit Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings security policy setting. ms.assetid: 8ddc06bc-b6d6-4bac-9051-e0d77035bd4e -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-group-membership.md b/windows/keep-secure/audit-group-membership.md index bfbd5e7887..d738bb1582 100644 --- a/windows/keep-secure/audit-group-membership.md +++ b/windows/keep-secure/audit-group-membership.md @@ -2,7 +2,7 @@ title: Audit Group Membership (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Group Membership, which enables you to audit group memberships when they are enumerated on the client PC. ms.assetid: 1CD7B014-FBD9-44B9-9274-CC5715DE58B9 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-handle-manipulation.md b/windows/keep-secure/audit-handle-manipulation.md index da8a48ee26..6b9fb9ab21 100644 --- a/windows/keep-secure/audit-handle-manipulation.md +++ b/windows/keep-secure/audit-handle-manipulation.md @@ -2,7 +2,7 @@ title: Audit Handle Manipulation (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Handle Manipulation, which determines whether the operating system generates audit events when a handle to an object is opened or closed. ms.assetid: 1fbb004a-ccdc-4c80-b3da-a4aa7a9f4091 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-ipsec-driver.md b/windows/keep-secure/audit-ipsec-driver.md index 7394906faa..dbe0ede32c 100644 --- a/windows/keep-secure/audit-ipsec-driver.md +++ b/windows/keep-secure/audit-ipsec-driver.md @@ -2,7 +2,7 @@ title: Audit IPsec Driver (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit IPsec Driver, which determines whether the operating system generates audit events for the activities of the IPsec driver. ms.assetid: c8b8c02f-5ad0-4ee5-9123-ea8cdae356a5 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-ipsec-extended-mode.md b/windows/keep-secure/audit-ipsec-extended-mode.md index 89f0857940..5030fc74a2 100644 --- a/windows/keep-secure/audit-ipsec-extended-mode.md +++ b/windows/keep-secure/audit-ipsec-extended-mode.md @@ -2,7 +2,7 @@ title: Audit IPsec Extended Mode (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit IPsec Extended Mode, which determines whether the operating system generates audit events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations. ms.assetid: 2b4fee9e-482a-4181-88a8-6a79d8fc8049 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-ipsec-main-mode.md b/windows/keep-secure/audit-ipsec-main-mode.md index 203307a841..872af92c04 100644 --- a/windows/keep-secure/audit-ipsec-main-mode.md +++ b/windows/keep-secure/audit-ipsec-main-mode.md @@ -2,7 +2,7 @@ title: Audit IPsec Main Mode (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit IPsec Main Mode, which determines whether the operating system generates events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations. ms.assetid: 06ed26ec-3620-4ef4-a47a-c70df9c8827b -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-ipsec-quick-mode.md b/windows/keep-secure/audit-ipsec-quick-mode.md index 79de06ad17..8a3446cb65 100644 --- a/windows/keep-secure/audit-ipsec-quick-mode.md +++ b/windows/keep-secure/audit-ipsec-quick-mode.md @@ -2,7 +2,7 @@ title: Audit IPsec Quick Mode (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit IPsec Quick Mode, which determines whether the operating system generates audit events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations. ms.assetid: 7be67a15-c2ce-496a-9719-e25ac7699114 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-kerberos-authentication-service.md b/windows/keep-secure/audit-kerberos-authentication-service.md index 85498b7404..f8665de37e 100644 --- a/windows/keep-secure/audit-kerberos-authentication-service.md +++ b/windows/keep-secure/audit-kerberos-authentication-service.md @@ -2,7 +2,7 @@ title: Audit Kerberos Authentication Service (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Kerberos Authentication Service, which determines whether to generate audit events for Kerberos authentication ticket-granting ticket (TGT) requests. ms.assetid: 990dd6d9-1a1f-4cce-97ba-5d7e0a7db859 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-kerberos-service-ticket-operations.md b/windows/keep-secure/audit-kerberos-service-ticket-operations.md index 5f00cf260a..4e3a1976d6 100644 --- a/windows/keep-secure/audit-kerberos-service-ticket-operations.md +++ b/windows/keep-secure/audit-kerberos-service-ticket-operations.md @@ -2,7 +2,7 @@ title: Audit Kerberos Service Ticket Operations (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Kerberos Service Ticket Operations, which determines whether the operating system generates security audit events for Kerberos service ticket requests. ms.assetid: ddc0abef-ac7f-4849-b90d-66700470ccd6 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-kernel-object.md b/windows/keep-secure/audit-kernel-object.md index 783f4c3e18..6600a97c21 100644 --- a/windows/keep-secure/audit-kernel-object.md +++ b/windows/keep-secure/audit-kernel-object.md @@ -2,7 +2,7 @@ title: Audit Kernel Object (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Kernel Object, which determines whether the operating system generates audit events when users attempt to access the system kernel, which includes mutexes and semaphores. ms.assetid: 75619d8b-b1eb-445b-afc9-0f9053be97fb -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-logoff.md b/windows/keep-secure/audit-logoff.md index 05aee8928a..56970b2562 100644 --- a/windows/keep-secure/audit-logoff.md +++ b/windows/keep-secure/audit-logoff.md @@ -2,7 +2,7 @@ title: Audit Logoff (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Logoff, which determines whether the operating system generates audit events when logon sessions are terminated. ms.assetid: 681e51f2-ba06-46f5-af8c-d9c48d515432 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-logon.md b/windows/keep-secure/audit-logon.md index fb98f6691c..bd363a9eb0 100644 --- a/windows/keep-secure/audit-logon.md +++ b/windows/keep-secure/audit-logon.md @@ -2,7 +2,7 @@ title: Audit Logon (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Logon, which determines whether the operating system generates audit events when a user attempts to log on to a computer. ms.assetid: ca968d03-7d52-48c4-ba0e-2bcd2937231b -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-mpssvc-rule-level-policy-change.md b/windows/keep-secure/audit-mpssvc-rule-level-policy-change.md index 67760b944f..ab8412a168 100644 --- a/windows/keep-secure/audit-mpssvc-rule-level-policy-change.md +++ b/windows/keep-secure/audit-mpssvc-rule-level-policy-change.md @@ -2,7 +2,7 @@ title: Audit MPSSVC Rule-Level Policy Change (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit MPSSVC Rule-Level Policy Change, which determines whether the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe). ms.assetid: 263461b3-c61c-4ec3-9dee-851164845019 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-network-policy-server.md b/windows/keep-secure/audit-network-policy-server.md index 5f060ff57e..f98d7f0579 100644 --- a/windows/keep-secure/audit-network-policy-server.md +++ b/windows/keep-secure/audit-network-policy-server.md @@ -2,7 +2,7 @@ title: Audit Network Policy Server (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Network Policy Server, which determines whether the operating system generates audit events for RADIUS (IAS) and Network Access Protection (NAP) activity on user access requests (Grant, Deny, Discard, Quarantine, Lock, and Unlock). ms.assetid: 43b2aea4-26df-46da-b761-2b30f51a80f7 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-non-sensitive-privilege-use.md b/windows/keep-secure/audit-non-sensitive-privilege-use.md index e1321ebc6a..45dd5b1a2c 100644 --- a/windows/keep-secure/audit-non-sensitive-privilege-use.md +++ b/windows/keep-secure/audit-non-sensitive-privilege-use.md @@ -2,7 +2,7 @@ title: Audit Non-Sensitive Privilege Use (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Non-Sensitive Privilege Use, which determines whether the operating system generates audit events when non-sensitive privileges (user rights) are used. ms.assetid: 8fd74783-1059-443e-aa86-566d78606627 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-other-account-logon-events.md b/windows/keep-secure/audit-other-account-logon-events.md index 57eaa771fa..4511233562 100644 --- a/windows/keep-secure/audit-other-account-logon-events.md +++ b/windows/keep-secure/audit-other-account-logon-events.md @@ -2,7 +2,7 @@ title: Audit Other Account Logon Events (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Other Account Logon Events, which allows you to audit events generated by responses to credential requests submitted for a user account logon that are not credential validation or Kerberos tickets. ms.assetid: c8c6bfe0-33d2-4600-bb1a-6afa840d75b3 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-other-account-management-events.md b/windows/keep-secure/audit-other-account-management-events.md index 737c91e478..48fecc4788 100644 --- a/windows/keep-secure/audit-other-account-management-events.md +++ b/windows/keep-secure/audit-other-account-management-events.md @@ -2,7 +2,7 @@ title: Audit Other Account Management Events (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Account Management Events, which determines whether the operating system generates user account management audit events. ms.assetid: 4ce22eeb-a96f-4cf9-a46d-6642961a31d5 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-other-logonlogoff-events.md b/windows/keep-secure/audit-other-logonlogoff-events.md index 14b371601d..5b9c517af5 100644 --- a/windows/keep-secure/audit-other-logonlogoff-events.md +++ b/windows/keep-secure/audit-other-logonlogoff-events.md @@ -2,7 +2,7 @@ title: Audit Other Logon/Logoff Events (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Logon/Logoff Events, which determines whether Windows generates audit events for other logon or logoff events. ms.assetid: 76d987cd-1917-4907-a739-dd642609a458 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-other-object-access-events.md b/windows/keep-secure/audit-other-object-access-events.md index 71b1ee1965..3d453c1927 100644 --- a/windows/keep-secure/audit-other-object-access-events.md +++ b/windows/keep-secure/audit-other-object-access-events.md @@ -2,7 +2,7 @@ title: Audit Other Object Access Events (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Object Access Events, which determines whether the operating system generates audit events for the management of Task Scheduler jobs or COM+ objects. ms.assetid: b9774595-595d-4199-b0c5-8dbc12b6c8b2 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-other-policy-change-events.md b/windows/keep-secure/audit-other-policy-change-events.md index 7e2c53404a..5ef649bca4 100644 --- a/windows/keep-secure/audit-other-policy-change-events.md +++ b/windows/keep-secure/audit-other-policy-change-events.md @@ -2,7 +2,7 @@ title: Audit Other Policy Change Events (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Policy Change Events, which determines whether the operating system generates audit events for security policy changes that are not otherwise audited in the Policy Change category. ms.assetid: 8618502e-c21c-41cc-8a49-3dc1eb359e60 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-other-privilege-use-events.md b/windows/keep-secure/audit-other-privilege-use-events.md index 839251f763..5babb23a8a 100644 --- a/windows/keep-secure/audit-other-privilege-use-events.md +++ b/windows/keep-secure/audit-other-privilege-use-events.md @@ -2,7 +2,7 @@ title: Audit Other Privilege Use Events (Windows 10) description: This security policy setting is not used. ms.assetid: 5f7f5b25-42a6-499f-8aa2-01ac79a2a63c -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-other-system-events.md b/windows/keep-secure/audit-other-system-events.md index 2b28658209..3bb668bd64 100644 --- a/windows/keep-secure/audit-other-system-events.md +++ b/windows/keep-secure/audit-other-system-events.md @@ -2,7 +2,7 @@ title: Audit Other System Events (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other System Events, which determines whether the operating system audits various system events. ms.assetid: 2401e4cc-d94e-41ec-82a7-e10914295f8b -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-pnp-activity.md b/windows/keep-secure/audit-pnp-activity.md index aef1c0ae47..c80884e78c 100644 --- a/windows/keep-secure/audit-pnp-activity.md +++ b/windows/keep-secure/audit-pnp-activity.md @@ -2,7 +2,7 @@ title: Audit PNP Activity (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit PNP Activity, which determines when plug and play detects an external device. ms.assetid: A3D87B3B-EBBE-442A-953B-9EB75A5F600E -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-policy.md b/windows/keep-secure/audit-policy.md index 87cf555f43..2cd2c8cd95 100644 --- a/windows/keep-secure/audit-policy.md +++ b/windows/keep-secure/audit-policy.md @@ -2,7 +2,7 @@ title: Audit Policy (Windows 10) description: Provides information about basic audit policies that are available in Windows and links to information about each setting. ms.assetid: 2e8ea400-e555-43e5-89d6-0898cb89da90 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-process-creation.md b/windows/keep-secure/audit-process-creation.md index dbe4b6bc69..c9c6d41c57 100644 --- a/windows/keep-secure/audit-process-creation.md +++ b/windows/keep-secure/audit-process-creation.md @@ -2,7 +2,7 @@ title: Audit Process Creation (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Process Creation, which determines whether the operating system generates audit events when a process is created (starts). ms.assetid: 67e39fcd-ded6-45e8-b1b6-d411e4e93019 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-process-termination.md b/windows/keep-secure/audit-process-termination.md index 4208a938c3..9f4fde6d86 100644 --- a/windows/keep-secure/audit-process-termination.md +++ b/windows/keep-secure/audit-process-termination.md @@ -2,7 +2,7 @@ title: Audit Process Termination (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Process Termination, which determines whether the operating system generates audit events when an attempt is made to end a process. ms.assetid: 65d88e53-14aa-48a4-812b-557cebbf9e50 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-registry.md b/windows/keep-secure/audit-registry.md index 40ea22bf27..2f58eb5560 100644 --- a/windows/keep-secure/audit-registry.md +++ b/windows/keep-secure/audit-registry.md @@ -2,7 +2,7 @@ title: Audit Registry (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Registry, which determines whether the operating system generates audit events when users attempt to access registry objects. ms.assetid: 02bcc23b-4823-46ac-b822-67beedf56b32 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-removable-storage.md b/windows/keep-secure/audit-removable-storage.md index 1892857f3e..cdfc2b415e 100644 --- a/windows/keep-secure/audit-removable-storage.md +++ b/windows/keep-secure/audit-removable-storage.md @@ -2,7 +2,7 @@ title: Audit Removable Storage (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Removable Storage, which determines when there is a read or a write to a removable drive. ms.assetid: 1746F7B3-8B41-4661-87D8-12F734AFFB26 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-rpc-events.md b/windows/keep-secure/audit-rpc-events.md index dfb512694b..8bd9607c04 100644 --- a/windows/keep-secure/audit-rpc-events.md +++ b/windows/keep-secure/audit-rpc-events.md @@ -2,7 +2,7 @@ title: Audit RPC Events (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit RPC Events, which determines whether the operating system generates audit events when inbound remote procedure call (RPC) connections are made. ms.assetid: 868aec2d-93b4-4bc8-a150-941f88838ba6 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-sam.md b/windows/keep-secure/audit-sam.md index c682e87a89..734ac0681a 100644 --- a/windows/keep-secure/audit-sam.md +++ b/windows/keep-secure/audit-sam.md @@ -2,7 +2,7 @@ title: Audit SAM (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit SAM, which enables you to audit events that are generated by attempts to access Security Account Manager (SAM) objects. ms.assetid: 1d00f955-383d-4c95-bbd1-fab4a991a46e -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-security-group-management.md b/windows/keep-secure/audit-security-group-management.md index 65d91ba967..7ff17d66f3 100644 --- a/windows/keep-secure/audit-security-group-management.md +++ b/windows/keep-secure/audit-security-group-management.md @@ -2,7 +2,7 @@ title: Audit Security Group Management (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Security Group Management, which determines whether the operating system generates audit events when specific security group management tasks are performed. ms.assetid: ac2ee101-557b-4c84-b9fa-4fb23331f1aa -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-security-state-change.md b/windows/keep-secure/audit-security-state-change.md index efda133f49..e8c184b3e0 100644 --- a/windows/keep-secure/audit-security-state-change.md +++ b/windows/keep-secure/audit-security-state-change.md @@ -2,7 +2,7 @@ title: Audit Security State Change (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Security State Change, which determines whether Windows generates audit events for changes in the security state of a system. ms.assetid: decb3218-a67d-4efa-afc0-337c79a89a2d -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-security-system-extension.md b/windows/keep-secure/audit-security-system-extension.md index e605195736..428a0d685c 100644 --- a/windows/keep-secure/audit-security-system-extension.md +++ b/windows/keep-secure/audit-security-system-extension.md @@ -2,7 +2,7 @@ title: Audit Security System Extension (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Security System Extension, which determines whether the operating system generates audit events related to security system extensions. ms.assetid: 9f3c6bde-42b2-4a0a-b353-ed3106ebc005 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-sensitive-privilege-use.md b/windows/keep-secure/audit-sensitive-privilege-use.md index 2c7cd5a902..718aa00bd9 100644 --- a/windows/keep-secure/audit-sensitive-privilege-use.md +++ b/windows/keep-secure/audit-sensitive-privilege-use.md @@ -2,7 +2,7 @@ title: Audit Sensitive Privilege Use (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Sensitive Privilege Use, which determines whether the operating system generates audit events when sensitive privileges (user rights) are used. ms.assetid: 915abf50-42d2-45f6-9fd1-e7bd201b193d -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md b/windows/keep-secure/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md index 5ce9aeecf7..0cd45cc597 100644 --- a/windows/keep-secure/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md +++ b/windows/keep-secure/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md @@ -2,7 +2,7 @@ title: Audit Shut down system immediately if unable to log security audits (Windows 10) description: Describes the best practices, location, values, management practices, and security considerations for the Audit Shut down system immediately if unable to log security audits security policy setting. ms.assetid: 2cd23cd9-0e44-4d0b-a1f1-39fc29303826 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-special-logon.md b/windows/keep-secure/audit-special-logon.md index 439cf91d3d..f4bad313c7 100644 --- a/windows/keep-secure/audit-special-logon.md +++ b/windows/keep-secure/audit-special-logon.md @@ -2,7 +2,7 @@ title: Audit Special Logon (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Special Logon, which determines whether the operating system generates audit events under special sign on (or log on) circumstances. ms.assetid: e1501bac-1d09-4593-8ebb-f311231567d3 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-system-integrity.md b/windows/keep-secure/audit-system-integrity.md index dfc2666ebf..38fd5a5ce5 100644 --- a/windows/keep-secure/audit-system-integrity.md +++ b/windows/keep-secure/audit-system-integrity.md @@ -2,7 +2,7 @@ title: Audit System Integrity (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit System Integrity, which determines whether the operating system audits events that violate the integrity of the security subsystem. ms.assetid: 942a9a7f-fa31-4067-88c7-f73978bf2034 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-user-account-management.md b/windows/keep-secure/audit-user-account-management.md index 1f05f3085b..a763d8ea76 100644 --- a/windows/keep-secure/audit-user-account-management.md +++ b/windows/keep-secure/audit-user-account-management.md @@ -2,7 +2,7 @@ title: Audit User Account Management (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit User Account Management, which determines whether the operating system generates audit events when specific user account management tasks are performed. ms.assetid: f7e72998-3858-4197-a443-19586ecc4bfb -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-user-device-claims.md b/windows/keep-secure/audit-user-device-claims.md index 254bfb2c7d..e5576c4bdf 100644 --- a/windows/keep-secure/audit-user-device-claims.md +++ b/windows/keep-secure/audit-user-device-claims.md @@ -2,7 +2,7 @@ title: Audit User/Device Claims (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit User/Device Claims, which enables you to audit security events that are generated by user and device claims. ms.assetid: D3D2BFAF-F2C0-462A-9377-673DB49D5486 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/back-up-files-and-directories.md b/windows/keep-secure/back-up-files-and-directories.md index 2cddb14842..6f6a7b8805 100644 --- a/windows/keep-secure/back-up-files-and-directories.md +++ b/windows/keep-secure/back-up-files-and-directories.md @@ -2,7 +2,7 @@ title: Back up files and directories (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Back up files and directories security policy setting. ms.assetid: 1cd6bdd5-1501-41f4-98b9-acf29ac173ae -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/backup-tpm-recovery-information-to-ad-ds.md b/windows/keep-secure/backup-tpm-recovery-information-to-ad-ds.md index 5f46d91a0d..aee1050952 100644 --- a/windows/keep-secure/backup-tpm-recovery-information-to-ad-ds.md +++ b/windows/keep-secure/backup-tpm-recovery-information-to-ad-ds.md @@ -2,7 +2,7 @@ title: Backup the TPM recovery Information to AD DS (Windows 10) description: This topic for the IT professional describes how to back up a computer’s Trusted Platform Module (TPM) information to Active Directory Domain Services (AD DS) so that you can use AD DS to administer the TPM from a remote computer. ms.assetid: 62bcec80-96a1-464e-8b3f-d177a7565ac5 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/basic-audit-account-logon-events.md b/windows/keep-secure/basic-audit-account-logon-events.md index 4bfa89fd5b..392a87e381 100644 --- a/windows/keep-secure/basic-audit-account-logon-events.md +++ b/windows/keep-secure/basic-audit-account-logon-events.md @@ -2,7 +2,7 @@ title: Audit account logon events (Windows 10) description: Determines whether to audit each instance of a user logging on to or logging off from another device in which this device is used to validate the account. ms.assetid: 84B44181-E325-49A1-8398-AECC3CE0A516 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/basic-audit-account-management.md b/windows/keep-secure/basic-audit-account-management.md index ee0cf33722..364a455ec2 100644 --- a/windows/keep-secure/basic-audit-account-management.md +++ b/windows/keep-secure/basic-audit-account-management.md @@ -2,7 +2,7 @@ title: Audit account management (Windows 10) description: Determines whether to audit each event of account management on a device. ms.assetid: 369197E1-7E0E-45A4-89EA-16D91EF01689 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/basic-audit-directory-service-access.md b/windows/keep-secure/basic-audit-directory-service-access.md index 0d48b78b27..b377adcecc 100644 --- a/windows/keep-secure/basic-audit-directory-service-access.md +++ b/windows/keep-secure/basic-audit-directory-service-access.md @@ -2,7 +2,7 @@ title: Audit directory service access (Windows 10) description: Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified. ms.assetid: 52F02EED-3CFE-4307-8D06-CF1E27693D09 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/basic-audit-logon-events.md b/windows/keep-secure/basic-audit-logon-events.md index d83d80357e..143c150317 100644 --- a/windows/keep-secure/basic-audit-logon-events.md +++ b/windows/keep-secure/basic-audit-logon-events.md @@ -2,7 +2,7 @@ title: Audit logon events (Windows 10) description: Determines whether to audit each instance of a user logging on to or logging off from a device. ms.assetid: 78B5AFCB-0BBD-4C38-9FE9-6B4571B94A35 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/basic-audit-object-access.md b/windows/keep-secure/basic-audit-object-access.md index 6ae03e3c93..05d9500660 100644 --- a/windows/keep-secure/basic-audit-object-access.md +++ b/windows/keep-secure/basic-audit-object-access.md @@ -2,7 +2,7 @@ title: Audit object access (Windows 10) description: Determines whether to audit the event of a user accessing an object--for example, a file, folder, registry key, printer, and so forth--that has its own system access control list (SACL) specified. ms.assetid: D15B6D67-7886-44C2-9972-3F192D5407EA -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/basic-audit-policy-change.md b/windows/keep-secure/basic-audit-policy-change.md index 0590d832ee..9aee64c9c8 100644 --- a/windows/keep-secure/basic-audit-policy-change.md +++ b/windows/keep-secure/basic-audit-policy-change.md @@ -2,7 +2,7 @@ title: Audit policy change (Windows 10) description: Determines whether to audit every incident of a change to user rights assignment policies, audit policies, or trust policies. ms.assetid: 1025A648-6B22-4C85-9F47-FE0897F1FA31 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/basic-audit-privilege-use.md b/windows/keep-secure/basic-audit-privilege-use.md index 38a2117169..62d38eec12 100644 --- a/windows/keep-secure/basic-audit-privilege-use.md +++ b/windows/keep-secure/basic-audit-privilege-use.md @@ -2,7 +2,7 @@ title: Audit privilege use (Windows 10) description: Determines whether to audit each instance of a user exercising a user right. ms.assetid: C5C6DAAF-8B58-4DFB-B1CE-F0675AE0E9F8 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/basic-audit-process-tracking.md b/windows/keep-secure/basic-audit-process-tracking.md index 9fd272a03c..acfe7b0fb1 100644 --- a/windows/keep-secure/basic-audit-process-tracking.md +++ b/windows/keep-secure/basic-audit-process-tracking.md @@ -2,7 +2,7 @@ title: Audit process tracking (Windows 10) description: Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access. ms.assetid: 91AC5C1E-F4DA-4B16-BEE2-C92D66E4CEEA -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/basic-audit-system-events.md b/windows/keep-secure/basic-audit-system-events.md index 7724e17654..70674dbb21 100644 --- a/windows/keep-secure/basic-audit-system-events.md +++ b/windows/keep-secure/basic-audit-system-events.md @@ -2,7 +2,7 @@ title: Audit system events (Windows 10) description: Determines whether to audit when a user restarts or shuts down the computer or when an event occurs that affects either the system security or the security log. ms.assetid: BF27588C-2AA7-4365-A4BF-3BB377916447 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/basic-security-audit-policies.md b/windows/keep-secure/basic-security-audit-policies.md index 0ad34f0790..1de3ff5747 100644 --- a/windows/keep-secure/basic-security-audit-policies.md +++ b/windows/keep-secure/basic-security-audit-policies.md @@ -2,7 +2,7 @@ title: Basic security audit policies (Windows 10) description: Before you implement auditing, you must decide on an auditing policy. ms.assetid: 3B678568-7AD7-4734-9BB4-53CF5E04E1D3 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/basic-security-audit-policy-settings.md b/windows/keep-secure/basic-security-audit-policy-settings.md index eeade033ce..82989b0eee 100644 --- a/windows/keep-secure/basic-security-audit-policy-settings.md +++ b/windows/keep-secure/basic-security-audit-policy-settings.md @@ -2,7 +2,7 @@ title: Basic security audit policy settings (Windows 10) description: Basic security audit policy settings are found under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy. ms.assetid: 31C2C453-2CFC-4D9E-BC88-8CE1C1A8F900 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/bcd-settings-and-bitlocker.md b/windows/keep-secure/bcd-settings-and-bitlocker.md index bee0c9e8f3..ccd9afd831 100644 --- a/windows/keep-secure/bcd-settings-and-bitlocker.md +++ b/windows/keep-secure/bcd-settings-and-bitlocker.md @@ -2,7 +2,7 @@ title: BCD settings and BitLocker (Windows 10) description: This topic for IT professionals describes the BCD settings that are used by BitLocker. ms.assetid: c4ab7ac9-16dc-4c7e-b061-c0b0deb2c4fa -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/bitlocker-basic-deployment.md b/windows/keep-secure/bitlocker-basic-deployment.md index e63322f296..b83692c713 100644 --- a/windows/keep-secure/bitlocker-basic-deployment.md +++ b/windows/keep-secure/bitlocker-basic-deployment.md @@ -2,7 +2,7 @@ title: BitLocker basic deployment (Windows 10) description: This topic for the IT professional explains how BitLocker features can be used to protect your data through drive encryption. ms.assetid: 97c646cb-9e53-4236-9678-354af41151c4 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/bitlocker-countermeasures.md b/windows/keep-secure/bitlocker-countermeasures.md index 687bf6047b..7e1f6c7414 100644 --- a/windows/keep-secure/bitlocker-countermeasures.md +++ b/windows/keep-secure/bitlocker-countermeasures.md @@ -2,7 +2,7 @@ title: BitLocker Countermeasures (Windows 10) description: Windows uses technologies including TPM, Secure Boot, Trusted Boot, and Early Launch Antimalware (ELAM) to protect against attacks on the BitLocker encryption key. ms.assetid: ebdb0637-2597-4da1-bb18-8127964686ea -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/bitlocker-frequently-asked-questions.md b/windows/keep-secure/bitlocker-frequently-asked-questions.md index 4d179869fb..23dc64932f 100644 --- a/windows/keep-secure/bitlocker-frequently-asked-questions.md +++ b/windows/keep-secure/bitlocker-frequently-asked-questions.md @@ -2,7 +2,7 @@ title: BitLocker frequently asked questions (FAQ) (Windows 10) description: This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker. ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/bitlocker-group-policy-settings.md b/windows/keep-secure/bitlocker-group-policy-settings.md index 77412bda71..8d3864a681 100644 --- a/windows/keep-secure/bitlocker-group-policy-settings.md +++ b/windows/keep-secure/bitlocker-group-policy-settings.md @@ -2,7 +2,7 @@ title: BitLocker Group Policy settings (Windows 10) description: This topic for IT professionals describes the function, location, and effect of each Group Policy setting that is used to manage BitLocker Drive Encryption. ms.assetid: 4904e336-29fe-4cef-bb6c-3950541864af -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/bitlocker-how-to-deploy-on-windows-server.md b/windows/keep-secure/bitlocker-how-to-deploy-on-windows-server.md index e7035aa4e8..e57e269aff 100644 --- a/windows/keep-secure/bitlocker-how-to-deploy-on-windows-server.md +++ b/windows/keep-secure/bitlocker-how-to-deploy-on-windows-server.md @@ -2,7 +2,7 @@ title: BitLocker How to deploy on Windows Server 2012 and later (Windows 10) description: This topic for the IT professional explains how to deploy BitLocker and Windows Server 2012 and later. ms.assetid: 91c18e9e-6ab4-4607-8c75-d983bbe2542f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md b/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md index 37e9e8b02d..16e0aa12b2 100644 --- a/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md +++ b/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md @@ -2,7 +2,7 @@ title: BitLocker How to enable Network Unlock (Windows 10) description: This topic for the IT professional describes how BitLocker Network Unlock works and how to configure it. ms.assetid: be45bc28-47db-4931-bfec-3c348151d2e9 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/bitlocker-overview.md b/windows/keep-secure/bitlocker-overview.md index 897f3dd747..58f3047141 100644 --- a/windows/keep-secure/bitlocker-overview.md +++ b/windows/keep-secure/bitlocker-overview.md @@ -2,7 +2,7 @@ title: BitLocker (Windows 10) description: This topic provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features. ms.assetid: 40526fcc-3e0d-4d75-90e0-c7d0615f33b2 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/bitlocker-recovery-guide-plan.md b/windows/keep-secure/bitlocker-recovery-guide-plan.md index 80df5a2c52..61d362d1a3 100644 --- a/windows/keep-secure/bitlocker-recovery-guide-plan.md +++ b/windows/keep-secure/bitlocker-recovery-guide-plan.md @@ -2,7 +2,7 @@ title: BitLocker recovery guide (Windows 10) description: This topic for IT professionals describes how to recover BitLocker keys from AD DS. ms.assetid: d0f722e9-1773-40bf-8456-63ee7a95ea14 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md b/windows/keep-secure/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md index ab1c7f7bb2..8d48b8aff4 100644 --- a/windows/keep-secure/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md +++ b/windows/keep-secure/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md @@ -2,79 +2,113 @@ title: BitLocker Use BitLocker Drive Encryption Tools to manage BitLocker (Windows 10) description: This topic for the IT professional describes how to use tools to manage BitLocker. ms.assetid: e869db9c-e906-437b-8c70-741dd61b5ea6 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker + **Applies to** - Windows 10 + This topic for the IT professional describes how to use tools to manage BitLocker. + BitLocker Drive Encryption Tools include the command line tools manage-bde and repair-bde and the BitLocker cmdlets for Windows PowerShell. + Both manage-bde and the BitLocker cmdlets can be used to perform any task that can be accomplished through the BitLocker control panel and are appropriate to use for automated deployments and other scripting scenarios. + Repair-bde is a special circumstance tool that is provided for disaster recovery scenarios in which a BitLocker protected drive cannot be unlocked normally or using the recovery console. + 1. [Manage-bde](#bkmk-managebde) 2. [Repair-bde](#bkmk-repairbde) 3. [BitLocker cmdlets for Windows PowerShell](#bkmk-blcmdlets) + ## Manage-bde + Manage-bde is a command-line tool that can be used for scripting BitLocker operations. Manage-bde offers additional options not displayed in the BitLocker control panel. For a complete list of the manage-bde options, see the [Manage-bde](https://technet.microsoft.com/library/ff829849.aspx) command-line reference. + Manage-bde includes less default settings and requires greater customization for configuring BitLocker. For example, using just the `manage-bde -on` command on a data volume will fully encrypt the volume without any authenticating protectors. A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed because an authentication method needs to be added to the volume for it to be fully protected. The following sections provide examples of common usage scenarios for manage-bde. + ### Using manage-bde with operating system volumes + Listed below are examples of basic valid commands for operating system volumes. In general, using only the `manage-bde -on ` command will encrypt the operating system volume with a TPM-only protector and no recovery key. However, many environments require more secure protectors such as passwords or PIN and expect to be able to recover information with a recovery key. It is recommended that at least one primary protector and a recovery protector be added to an operating system volume. + A good practice when using manage-bde is to determine the volume status on the target system. Use the following command to determine volume status: + ``` syntax manage-bde -status ``` This command returns the volumes on the target, current encryption status and volume type (operating system or data) for each volume. + The following example illustrates enabling BitLocker on a computer without a TPM chip. Before beginning the encryption process you must create the startup key needed for BitLocker and save it to the USB drive. When BitLocker is enabled for the operating system volume, the BitLocker will need to access the USB flash drive to obtain the encryption key (in this example, the drive letter E represents the USB drive). You will be prompted to reboot to complete the encryption process. + ``` syntax manage-bde –protectors -add C: -startupkey E: manage-bde -on C: ``` -**Note**   -After the encryption is completed, the USB startup key must be inserted before the operating system can be started. + +>**Note:**  After the encryption is completed, the USB startup key must be inserted before the operating system can be started.   An alternative to the startup key protector on non-TPM hardware is to use a password and an **ADaccountorgroup** protector to protect the operating system volume. In this scenario, you would add the protectors first. This is done with the command: + ``` syntax manage-bde -protectors -add C: -pw -sid ``` + This command will require you to enter and then confirm the password protector before adding them to the volume. With the protectors enabled on the volume, you can then turn BitLocker on. + On computers with a TPM it is possible to encrypt the operating system volume without any defined protectors using manage-bde. The command to do this is: + ``` syntax manage-bde -on C: ``` + This will encrypt the drive using the TPM as the default protector. If you are not sure if a TPM protector is available, to list the protectors available for a volume, run the following command: + ``` syntax manage-bde -protectors -get ``` ### Using manage-bde with data volumes + Data volumes use the same syntax for encryption as operating system volumes but they do not require protectors for the operation to complete. Encrypting data volumes can be done using the base command: `manage-bde -on ` or you can choose to add additional protectors to the volume first. It is recommended that at least one primary protector and a recovery protector be added to a data volume. + A common protector for a data volume is the password protector. In the example below, we add a password protector to the volume and turn BitLocker on. + ``` syntax manage-bde -protectors -add -pw C: manage-bde -on C: ``` + ## Repair-bde + You may experience a problem that damages an area of a hard disk on which BitLocker stores critical information. This kind of problem may be caused by a hard disk failure or if Windows exits unexpectedly. + The BitLocker Repair Tool (Repair-bde) can be used to access encrypted data on a severely damaged hard disk if the drive was encrypted by using BitLocker. Repair-bde can reconstruct critical parts of the drive and salvage recoverable data as long as a valid recovery password or recovery key is used to decrypt the data. If the BitLocker metadata data on the drive has become corrupt, you must be able to supply a backup key package in addition to the recovery password or recovery key. This key package is backed up in Active Directory Domain Services (AD DS) if you used the default setting for AD DS backup. With this key package and either the recovery password or recovery key, you can decrypt portions of a BitLocker-protected drive if the disk is corrupted. Each key package will work only for a drive that has the corresponding drive identifier. You can use the BitLocker Recovery Password Viewer to obtain this key package from AD DS. -**Tip**   -If you are not backing up recovery information to AD DS or if you want to save key packages alternatively, you can use the command `manage-bde -KeyPackage` to generate a key package for a volume. + +>**Tip:**  If you are not backing up recovery information to AD DS or if you want to save key packages alternatively, you can use the command `manage-bde -KeyPackage` to generate a key package for a volume.   The Repair-bde command-line tool is intended for use when the operating system does not start or when you cannot start the BitLocker Recovery Console. You should use Repair-bde if the following conditions are true: + 1. You have encrypted the drive by using BitLocker Drive Encryption. 2. Windows does not start, or you cannot start the BitLocker recovery console. 3. You do not have a copy of the data that is contained on the encrypted drive. -**Note**   -Damage to the drive may not be related to BitLocker. Therefore, we recommend that you try other tools to help diagnose and resolve the problem with the drive before you use the BitLocker Repair Tool. The Windows Recovery Environment (Windows RE) provides additional options to repair computers. + +>**Note:**  Damage to the drive may not be related to BitLocker. Therefore, we recommend that you try other tools to help diagnose and resolve the problem with the drive before you use the BitLocker Repair Tool. The Windows Recovery Environment (Windows RE) provides additional options to repair computers.   The following limitations exist for Repair-bde: + - The Repair-bde command-line tool cannot repair a drive that failed during the encryption or decryption process. - The Repair-bde command-line tool assumes that if the drive has any encryption, then the drive has been fully encrypted. -For more information about using repair-bde see [Repair-bde](http://technet.microsoft.com/library/ff829851.aspx) + +For more information about using repair-bde, see [Repair-bde](http://technet.microsoft.com/library/ff829851.aspx). + ## BitLocker cmdlets for Windows PowerShell + Windows PowerShell cmdlets provide a new way for administrators to use when working with BitLocker. Using Windows PowerShell's scripting capabilities, administrators can integrate BitLocker options into existing scripts with ease. The list below displays the available BitLocker cmdlets. + @@ -205,72 +239,89 @@ Windows PowerShell cmdlets provide a new way for administrators to use when work Similar to manage-bde, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with manage-bde, users need to consider the specific needs of the volume they are encrypting prior to running Windows PowerShell cmdlets. A good initial step is to determine the current state of the volume(s) on the computer. You can do this using the `Get-BitLockerVolume` cmdlet. The `Get-BitLockerVolume` cmdlet output gives information on the volume type, protectors, protection status and other details. -**Tip**   -Occasionally, all protectors may not be shown when using `Get-BitLockerVolume` due to lack of space in the output display. If you do not see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a full listing of the protectors. + +>**Tip:**  Occasionally, all protectors may not be shown when using `Get-BitLockerVolume` due to lack of space in the output display. If you do not see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a full listing of the protectors. `Get-BitLockerVolume C: | fl`   If you want to remove the existing protectors prior to provisioning BitLocker on the volume, you could use the `Remove-BitLockerKeyProtector` cmdlet. Accomplishing this requires the GUID associated with the protector to be removed. + A simple script can pipe the values of each Get-BitLockerVolume return out to another variable as seen below: + ``` syntax $vol = Get-BitLockerVolume $keyprotectors = $vol.KeyProtector ``` + Using this, you can display the information in the $keyprotectors variable to determine the GUID for each protector. + Using this information, you can then remove the key protector for a specific volume using the command: + ``` syntax Remove-BitLockerKeyProtector : -KeyProtectorID "{GUID}" ``` -**Note**   -The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command. + +>**Note:**  The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command.   ### Using the BitLocker Windows PowerShell cmdlets with operating system volumes + Using the BitLocker Windows PowerShell cmdlets is similar to working with the manage-bde tool for encrypting operating system volumes. Windows PowerShell offers users a lot of flexibility. For example, users can add the desired protector as part command for encrypting the volume. Below are examples of common user scenarios and steps to accomplish them in BitLocker Windows PowerShell. + The following example shows how to enable BitLocker on an operating system drive using only the TPM protector: + ``` syntax Enable-BitLocker C: + ``` In the example below, adds one additional protector, the StartupKey protector and chooses to skip the BitLocker hardware test. In this example, encryption starts immediately without the need for a reboot. + ``` syntax Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath -SkipHardwareTest ``` + ### Using the BitLocker Windows PowerShell cmdlets with data volumes -Data volume encryption using Windows PowerShell is the same as for operating system volumes. You should add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a SecureString value to store the user defined password. + +Data volume encryption using Windows PowerShell is the same as for operating system volumes. You should add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a +SecureString value to store the user defined password. + ``` syntax $pw = Read-Host -AsSecureString Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw ``` ### Using an AD Account or Group protector in Windows PowerShell + The **ADAccountOrGroup** protector, introduced in Windows 8 and Windows Server 2012, is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it does not unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding a SID-based protector for the Cluster Name Object (CNO) that lets the disk properly failover to and be unlocked by any member computer of the cluster. -**Warning**   -The **ADAccountOrGroup** protector requires the use of an additional protector for use (such as TPM, PIN, or recovery key) when used on operating system volumes + +>**Warning:**  The **ADAccountOrGroup** protector requires the use of an additional protector for use (such as TPM, PIN, or recovery key) when used on operating system volumes   To add an **ADAccountOrGroup** protector to a volume requires either the actual domain SID or the group name preceded by the domain and a backslash. In the example below, the CONTOSO\\Administrator account is added as a protector to the data volume G. + ``` syntax Enable-BitLocker G: -AdAccountOrGroupProtector -AdAccountOrGroup CONTOSO\Administrator ``` + For users who wish to use the SID for the account or group, the first step is to determine the SID associated with the account. To get the specific SID for a user account in Windows PowerShell, use the following command: -**Note**   -Use of this command requires the RSAT-AD-PowerShell feature. + +>**Note:**  Use of this command requires the RSAT-AD-PowerShell feature.   ``` syntax get-aduser -filter {samaccountname -eq "administrator"} ``` -**Tip**   -In addition to the PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This does not require the use of additional features. + +>**Tip:**  In addition to the PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This does not require the use of additional features.   The following example adds an **ADAccountOrGroup** protector to the previously encrypted operating system volume using the SID of the account: + ``` syntax Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup S-1-5-21-3651336348-8937238915-291003330-500 ``` -**Note**   -Active Directory-based protectors are normally used to unlock Failover Cluster enabled volumes. + +>**Note:**  Active Directory-based protectors are normally used to unlock Failover Cluster enabled volumes.   ## More information -[BitLocker overview](bitlocker-overview.md) -[BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md) -[Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) -[BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) -[BitLocker: How to deploy on Windows Server 2012](bitlocker-how-to-deploy-on-windows-server.md) -  -  + +- [BitLocker overview](bitlocker-overview.md) +- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md) +- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) +- [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) +- [BitLocker: How to deploy on Windows Server 2012](bitlocker-how-to-deploy-on-windows-server.md) diff --git a/windows/keep-secure/bitlocker-use-bitlocker-recovery-password-viewer.md b/windows/keep-secure/bitlocker-use-bitlocker-recovery-password-viewer.md index de1b0e8a2c..850c7507b0 100644 --- a/windows/keep-secure/bitlocker-use-bitlocker-recovery-password-viewer.md +++ b/windows/keep-secure/bitlocker-use-bitlocker-recovery-password-viewer.md @@ -2,40 +2,56 @@ title: BitLocker Use BitLocker Recovery Password Viewer (Windows 10) description: This topic for the IT professional describes how to use the BitLocker Recovery Password Viewer. ms.assetid: 04c93ac5-5dac-415e-b636-de81435753a2 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # BitLocker: Use BitLocker Recovery Password Viewer + **Applies to** - Windows 10 + This topic for the IT professional describes how to use the BitLocker Recovery Password Viewer. + The BitLocker Recovery Password Viewer tool is an optional tool included with the Remote Server Administration Tools (RSAT). It lets you locate and view BitLocker recovery passwords that are stored in Active Directory Domain Services (AD DS). You can use this tool to help recover data that is stored on a drive that has been encrypted by using BitLocker. The BitLocker Active Directory Recovery Password Viewer tool is an extension for the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in. Using this tool, you can examine a computer object's **Properties** dialog box to view the corresponding BitLocker recovery passwords. Additionally, you can right-click a domain container and then search for a BitLocker recovery password across all the domains in the Active Directory forest. You can also search for a password by password identifier (ID). + ## Before you start + To complete the procedures in this scenario: + - You must have domain administrator credentials. - Your test computers must be joined to the domain. - On the test computers, BitLocker must have been turned on after joining the domain. + The following procedures describe the most common tasks performed by using the BitLocker Recovery Password Viewer. + **To view the recovery passwords for a computer** + 1. In **Active Directory Users and Computers**, locate and then click the container in which the computer is located. 2. Right-click the computer object, and then click **Properties**. 3. In the **Properties** dialog box, click the **BitLocker Recovery** tab to view the BitLocker recovery passwords that are associated with the computer. + **To copy the recovery passwords for a computer** + 1. Follow the steps in the previous procedure to view the BitLocker recovery passwords. 2. On the **BitLocker Recovery** tab of the **Properties** dialog box, right-click the BitLocker recovery password that you want to copy, and then click **Copy Details**. 3. Press CTRL+V to paste the copied text to a destination location, such as a text file or spreadsheet. + **To locate a recovery password by using a password ID** + 1. In Active Directory Users and Computers, right-click the domain container, and then click **Find BitLocker Recovery Password**. 2. In the **Find BitLocker Recovery Password** dialog box, type the first eight characters of the recovery password in the **Password ID (first 8 characters)** box, and then click **Search**. By completing the procedures in this scenario, you have viewed and copied the recovery passwords for a computer and used a password ID to locate a recovery password. + ## More information -[BitLocker Overview](bitlocker-overview.md) -[BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md) -[Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) -[BitLocker: How to deploy on Windows Server 2012](bitlocker-how-to-deploy-on-windows-server.md) -[BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md) + +- [BitLocker Overview](bitlocker-overview.md) +- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md) +- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) +- [BitLocker: How to deploy on Windows Server 2012](bitlocker-how-to-deploy-on-windows-server.md) +- [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md)     diff --git a/windows/keep-secure/block-untrusted-fonts-in-enterprise.md b/windows/keep-secure/block-untrusted-fonts-in-enterprise.md index 032ef98517..83a3f113a9 100644 --- a/windows/keep-secure/block-untrusted-fonts-in-enterprise.md +++ b/windows/keep-secure/block-untrusted-fonts-in-enterprise.md @@ -2,9 +2,10 @@ title: Block untrusted fonts in an enterprise (Windows 10) description: To help protect your company from attacks which may originate from untrusted or attacker controlled font files, we’ve created the Blocking Untrusted Fonts feature. ms.assetid: a3354c8e-4208-4be6-bc19-56a572c361b4 -keywords: ["font blocking", "untrusted font blocking", "block fonts", "untrusted fonts"] -ms.prod: W10 +keywords: font blocking, untrusted font blocking, block fonts, untrusted fonts +ms.prod: w10 ms.mktglfcycl: deploy +ms.pagetype: security ms.sitesec: library author: eross-msft --- diff --git a/windows/keep-secure/bypass-traverse-checking.md b/windows/keep-secure/bypass-traverse-checking.md index 17fb337e5a..60df8885da 100644 --- a/windows/keep-secure/bypass-traverse-checking.md +++ b/windows/keep-secure/bypass-traverse-checking.md @@ -2,113 +2,90 @@ title: Bypass traverse checking (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Bypass traverse checking security policy setting. ms.assetid: 1c828655-68d3-4140-aa0f-caa903a7087e -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Bypass traverse checking + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Bypass traverse checking** security policy setting. + ## Reference + This policy setting determines which users (or a process that acts on behalf of the user’s account) have permission to navigate an object path in the NTFS file system or in the registry without being checked for the Traverse Folder special access permission. This user right does not allow the user to list the contents of a folder. It only allows the user to traverse folders to access permitted files or subfolders. + Constant: SeChangeNotifyPrivilege + ### Possible values + - User-defined list of accounts - Not Defined + ### Best practices + 1. Use access–based enumeration when you want to prevent users from seeing any folder or file to which they do not have access. 2. Use the default settings of this policy in most cases. If you change the settings, verify your intent through testing. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. -
---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not Defined

Default Domain Controller Policy

Administrators

-

Authenticated Users

-

Everyone

-

Local Service

-

Network Service

-

Pre-Windows 2000 Compatible Access

Stand-Alone Server Default Settings

Administrators

-

Backup Operators

-

Users

-

Everyone

-

Local Service

-

Network Service

Domain Controller Effective Default Settings

Administrators

-

Authenticated Users

-

Everyone

-

Local Service

-

Network Service

-

Pre-Windows 2000 Compatible Access

Member Server Effective Default Settings

Administrators

-

Backup Operators

-

Users

-

Everyone

-

Local Service

-

Network Service

Client Computer Effective Default Settings

Administrators

-

Backup Operators

-

Users

-

Everyone

-

Local Service

-

Network Service

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not Defined | +| Default Domain Controller Policy | Administrators
Authenticated Users
Everyone
Local Service
Network Service
Pre-Windows 2000 Compatible Access| +| Stand-Alone Server Default Settings | Administrators
Backup Operators
Users
Everyone
Local Service
Network Service| +| Domain Controller Effective Default Settings | Administrators
Authenticated Users
Everyone
Local Service
Network Service
Pre-Windows 2000 Compatible Access| +| Member Server Effective Default Settings | Administrators
Backup Operators
Users
Everyone
Local Service
Network Service| +| Client Computer Effective Default Settings | Administrators
Backup Operators
Users
Everyone
Local Service
Network Service|   ## Policy management + Permissions to files and folders are controlled though the appropriate configuration of file system access control lists (ACLs).The ability to traverse the folder does not provide any Read or Write permissions to the user. + A restart of the computer is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + The default configuration for the **Bypass traverse checking** setting is to allow all users to bypass traverse checking. Permissions to files and folders are controlled though the appropriate configuration of file system access control lists (ACLs) because the ability to traverse the folder does not provide any Read or Write permissions to the user. The only scenario in which the default configuration could lead to a mishap would be if the administrator who configures permissions does not understand how this policy setting works. For example, the administrator might expect that users who are unable to access a folder are unable to access the contents of any child folders. Such a situation is unlikely, and, therefore, this vulnerability presents little risk. + ### Countermeasure + Organizations that are extremely concerned about security may want to remove the Everyone group, and perhaps the Users group, from the list of groups that have the **Bypass traverse checking** user right. Taking explicit control over traversal assignments can be an effective way to limit access to sensitive information. Access–based enumeration can also be used. If you use access–based enumeration, users cannot see any folder or file to which they do not have access. For more info about this feature, see [Access-based Enumeration](http://go.microsoft.com/fwlink/p/?LinkId=100745). + ### Potential impact + The Windows operating systems and many applications were designed with the expectation that anyone who can legitimately access the computer will have this user right. Therefore, we recommend that you thoroughly test any changes to assignments of the **Bypass traverse checking** user right before you make such changes to production systems. In particular, IIS requires this user right to be assigned to the Network Service, Local Service, IIS\_WPG, IUSR\_*<ComputerName>*, and IWAM\_*<ComputerName>* accounts. (It must also be assigned to the ASPNET account through its membership in the Users group.) We recommend that you leave this policy setting at its default configuration. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) + +- [User Rights Assignment](user-rights-assignment.md)     diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index 5f96e1fcb1..53fc6a0ef7 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md @@ -2,9 +2,10 @@ title: Change history for Keep Windows 10 secure (Windows 10) description: This topic lists new and updated topics in the Keep Windows 10 secure documentation for Windows 10 and Windows 10 Mobile. ms.assetid: E50EC5E6-71AA-4FF1-8356-574CFDB8079B -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- @@ -15,10 +16,11 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md |New or changed topic | Description | |----------------------|-------------| +| [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md) | Changed Internet Explorer to Microsoft Edge | | [Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) | Added errors 0x80090029 and 0x80070057, and merged entries for error 0x801c03ed. | | [Microsoft Passport guide](microsoft-passport-guide.md) | Updated Roadmap section content | -| [User Account Control Group Policy and registry key settings](user-account-control-group-policy-and-registry-key-settings.md) | Updated for Windows 10 and Windows Server 2016 Technical Preview | |[Protect your enterprise data using enterprise data protection (EDP)](protect-enterprise-data-using-edp.md) |Updated info based on changes to the features and functionality.| +| [User Account Control Group Policy and registry key settings](user-account-control-group-policy-and-registry-key-settings.md) | Updated for Windows 10 and Windows Server 2016 Technical Preview | ## April 2016 diff --git a/windows/keep-secure/change-the-system-time.md b/windows/keep-secure/change-the-system-time.md index f34f347c76..e6f43e3f88 100644 --- a/windows/keep-secure/change-the-system-time.md +++ b/windows/keep-secure/change-the-system-time.md @@ -2,106 +2,105 @@ title: Change the system time (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Change the system time security policy setting. ms.assetid: f2f6637d-acbc-4352-8ca3-ec563f918e65 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Change the system time + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Change the system time** security policy setting. + ## Reference + This policy setting determines which users can adjust the time on the device's internal clock. This right allows the computer user to change the date and time associated with records in the event logs, database transactions, and the file system. This right is also required by the process that performs time synchronization. This setting does not impact the user’s ability to change the time zone or other display characteristics of the system time. For info about assigning the right to change the time zone, see [Change the time zone](change-the-time-zone.md). + Constant: SeSystemtimePrivilege + ### Possible values + - User-defined list of accounts - Not Defined + ### Best practices + - Restrict the **Change the system time** user right to users with a legitimate need to change the system time. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default, members of the Administrators and Local Service groups have this right on workstations and servers. Members of the Administrators, Server Operators, and Local Service groups have this right on domain controllers. + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not Defined

Default Domain Controller Policy

Administrators

-

Server Operators

-

Local Service

Stand-Alone Server Default Settings

Administrators

-

Local Service

DC Effective Default Settings

Administrators

-

Server Operators

-

Local Service

Member Server Effective Default Settings

Administrators

-

Local Service

Client Computer Effective Default Settings

Administrators

-

Local Service

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not Defined | +| Default Domain Controller Policy | Administrators
Server Operators
Local Service| +| Stand-Alone Server Default Settings | Administrators
Local Service| +| DC Effective Default Settings | Administrators
Server Operators
Local Service| +| Member Server Effective Default Settings | Administrators
Local Service| +| Client Computer Effective Default Settings | Administrators
Local Service|   ## Policy management + This section describes features, tools and guidance to help you manage this policy. + A restart of the device is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Users who can change the time on a computer could cause several problems. For example: + - Time stamps on event log entries could be made inaccurate - Time stamps on files and folders that are created or modified could be incorrect - Computers that belong to a domain might not be able to authenticate themselves - Users who try to log on to the domain from devices with inaccurate time might not be able to authenticate. + Also, because the Kerberos authentication protocol requires that the requester and authenticator have their clocks synchronized within an administrator-defined skew period, an attacker who changes a device's time may cause that computer to be unable to obtain or grant Kerberos protocol tickets. + The risk from these types of events is mitigated on most domain controllers, member servers, and end-user computers because the Windows Time Service automatically synchronizes time with domain controllers in the following ways: + - All desktop client devices and member servers use the authenticating domain controller as their inbound time partner. - All domain controllers in a domain nominate the primary domain controller (PDC) emulator operations master as their inbound time partner. - All PDC emulator operations masters follow the hierarchy of domains in the selection of their inbound time partner. - The PDC emulator operations master at the root of the domain is authoritative for the organization. Therefore, we recommend that you configure this computer to synchronize with a reliable external time server. + This vulnerability becomes much more serious if an attacker is able to change the system time and then stop the Windows Time Service or reconfigure it to synchronize with a time server that is not accurate. + ### Countermeasure + Restrict the **Change the system time** user right to users with a legitimate need to change the system time, such as members of the IT team. + ### Potential impact + There should be no impact because time synchronization for most organizations should be fully automated for all computers that belong to the domain. Computers that do not belong to the domain should be configured to synchronize with an external source, such as a web service. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/change-the-time-zone.md b/windows/keep-secure/change-the-time-zone.md index fafb6d6293..3eb72473a5 100644 --- a/windows/keep-secure/change-the-time-zone.md +++ b/windows/keep-secure/change-the-time-zone.md @@ -2,91 +2,85 @@ title: Change the time zone (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Change the time zone security policy setting. ms.assetid: 3b1afae4-68bb-472f-a43e-49e300d73e50 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Change the time zone + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Change the time zone** security policy setting. + ## Reference + This policy setting determines which users can adjust the time zone that is used by the device for displaying the local time, which includes the device's system time plus the time zone offset. + Constant: SeTimeZonePrivilege + ### Possible values + - User-defined list of accounts - Not Defined + ### Best practices + None. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not Defined

Default Domain Controller Policy

Administrators

-

Users

Stand-Alone Server Default Settings

Administrators

-

Users

Domain Controller Effective Default Settings

Administrators

-

Users

Member Server Effective Default Settings

Administrators

-

Users

Client Computer Effective Default Settings

Administrators

-

Users

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not Defined| +| Default Domain Controller Policy | Administrators
Users| +| Stand-Alone Server Default Settings | Administrators
Users| +| Domain Controller Effective Default Settings | Administrators
Users| +| Member Server Effective Default Settings | Administrators
Users| +| Client Computer Effective Default Settings | Administrators
Users|   ## Policy management + A restart of the device is not required for this policy setting to be effective. + Any change to the account for this user right assignment becomes effective the next time the account logs on. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Changing the time zone represents little vulnerability because the system time is not affected. This setting merely enables users to display their preferred time zone while being synchronized with domain controllers in different time zones. + ### Countermeasure + Countermeasures are not required because system time is not affected by this setting. + ### Potential impact + None. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/change-the-tpm-owner-password.md b/windows/keep-secure/change-the-tpm-owner-password.md index e76c48aac1..ba11bc7a8c 100644 --- a/windows/keep-secure/change-the-tpm-owner-password.md +++ b/windows/keep-secure/change-the-tpm-owner-password.md @@ -2,49 +2,66 @@ title: Change the TPM owner password (Windows 10) description: This topic for the IT professional describes how to change the password or PIN for the owner of the Trusted Platform Module (TPM) that is installed on your system. ms.assetid: e43dcff3-acb4-4a92-8816-d6b64b7f2f45 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Change the TPM owner password + **Applies to** - Windows 10 + This topic for the IT professional describes how to change the password or PIN for the owner of the Trusted Platform Module (TPM) that is installed on your system. -## About the TPM owner password + +## About the TPM owner password The owner of the TPM is the user who possesses the owner password and is able to set it and change it. Only one owner password exists per TPM. The owner of the TPM can make full use of TPM capabilities. When an owner is set, no other user or software can claim ownership of the TPM. Only the TPM owner can enable, disable, or clear the TPM without having physical access to the computer, for example, by using the command-line tools remotely. Taking ownership of the TPM can be performed as part of the initialization process. Ownership can change when you share the password or clear your ownership of the TPM so someone else can initialize it. + Applications, including BitLocker Drive Encryption, can automatically start the initialization process. If you enable BitLocker without manually initializing the TPM, the TPM owner password is automatically created and saved in the same location as the BitLocker recovery password. The TPM owner password can be saved as a file on a removable storage device, or on another computer. The password can also be printed. The TPM MMC gives the TPM owner the sole ability to choose the appropriate option to type the password or to use the saved password. As with any password, you should change your TPM owner password if you suspect that it has become compromised and is no longer a secret. + **Other TPM management options** + Instead of changing your owner password, you can also use the following options to manage your TPM: + - **Clear the TPM**   If you want to invalidate all of the existing keys that have been created since you took ownership of the TPM, you can clear it. For more info, see [Initialize and Configure Ownership of the TPM](initialize-and-configure-ownership-of-the-tpm.md#bkmk-clear1). - **Important**   - Clearing the TPM can result in the loss of data. To avoid data loss, make sure you have a backup or recovery method for any data protected or encrypted by the TPM. + + >**Important:**  Clearing the TPM can result in the loss of data. To avoid data loss, make sure you have a backup or recovery method for any data protected or encrypted by the TPM.   - **Turn off the TPM**   If you want to keep all existing keys and data intact, and you want to disable the services that are provided by the TPM, you can turn it off. For more info, see [Initialize and Configure Ownership of the TPM](initialize-and-configure-ownership-of-the-tpm.md#bkmk-onoff). + ## Change the TPM owner password + The following procedure provides the steps that are necessary to change the TPM owner password. + **To change the TPM owner password** + 1. Open the TPM MMC (tpm.msc). If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. 2. In the **Actions** pane, click **Change Owner Password**. 3. In the **Manage the TPM security hardware** dialog box, select a method to enter your current TPM owner password. + - If you saved your TPM owner password on a removable storage device, insert it, and then click **I have the owner password file**. In the **Select backup file with the TPM owner password** dialog box, use **Browse** to navigate to the .tpm file that is saved on your removable storage device. Click **Open**, and then click **Create New Password**. - If you do not have the removable storage device with your saved password, click **I want to enter the owner password**. In the **Type your TPM owner password** dialog box, enter your password (including hyphens), and click **Create New Password**. 4. On the **Create the TPM owner password** page, select a method for creating a new TPM owner password. + 1. Click **Automatically create the password** to have a new owner password generated for you. 2. Click **Manually create the password** if you want to specify a password. - **Note**   - The TPM owner password must have a minimum of eight characters. + >**Note:**  The TPM owner password must have a minimum of eight characters.   5. After the new password is created, you can choose **Save the password** to save the password in a password backup file on a removable storage device or **Print the password** to print a copy of the password for later reference. + 6. Click **Change password** to apply the new owner password to the TPM. -## Use the TPM cmdlets + +## Use the TPM cmdlets + If you are using Windows PowerShell to manage your computers, you can also manage the TPM by using Windows PowerShell. To install the TPM cmdlets, type the following command: **dism /online /enable-feature /FeatureName:tpm-psh-cmdlets** + For details about the individual cmdlets, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx). + ## Additional resources + For more info about TPM, see [Trusted Platform Module technology overview](trusted-platform-module-overview.md#bkmk-additionalresources). -  -  diff --git a/windows/keep-secure/choose-the-right-bitlocker-countermeasure.md b/windows/keep-secure/choose-the-right-bitlocker-countermeasure.md index 374b255db6..0293f672ae 100644 --- a/windows/keep-secure/choose-the-right-bitlocker-countermeasure.md +++ b/windows/keep-secure/choose-the-right-bitlocker-countermeasure.md @@ -2,28 +2,46 @@ title: Choose the right BitLocker countermeasure (Windows 10) description: This section outlines the best countermeasures you can use to protect your organization from bootkits and rootkits, brute force sign-in, Direct Memory Access (DMA) attacks, Hyberfil.sys attacks, and memory remanence attacks. ms.assetid: b0b09508-7885-4030-8c61-d91458afdb14 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Choose the right BitLocker countermeasure + **Applies to** - Windows 10 + This section outlines the best countermeasures you can use to protect your organization from bootkits and rootkits, brute force sign-in, Direct Memory Access (DMA) attacks, Hyberfil.sys attacks, and memory remanence attacks. You can use BitLocker to protect your Windows 10 PCs. Whichever operating system you’re using, Microsoft and Windows-certified devices provide countermeasures to address attacks and improve your data security. In most cases, this protection can be implemented without the need for pre-boot authentication. -Figures 2, 3, and 4 summarize the recommended mitigations for different types of attacks against PCs running recent versions of Windows. The orange blocks indicate that the system requires additional configuration from the default settings. + +Figures 2, 3, and 4 summarize the recommended mitigations for different types of attacks against PCs running recent versions of Windows. The orange blocks indicate that the system requires additional configuration from the default +settings. + ![how to choose best countermeasures for windows 7](images/bitlockerprebootprotection-counterwin7.jpg) + **Figure 2.** How to choose the best countermeasures for Windows 7 + ![how to choose countermeasures for windows 8](images/bitlockerprebootprotection-counterwin8.jpg) + **Figure 3.** How to choose the best countermeasures for Windows 8 + ![how to choose countermeasures for windows 8.1](images/bitlockerprebootprotection-counterwin81.jpg) + **Figure 4.** How to choose the best countermeasures for Windows 8.1 -The latest InstantGo devices, primarily tablets, are designed to be secure by default against all attacks that might compromise the BitLocker encryption key. Other Windows devices can be, too. DMA port–based attacks, which represent the attack vector of choice, are not possible on InstantGo devices, because these port types are prohibited. The inclusion of DMA ports on even non-InstantGo devices is extremely rare on recent devices, particularly on mobile ones. This could change if Thunderbolt is broadly adopted, so IT should consider this when purchasing new devices. In any case DMA ports can be disabled entirely, which is an increasingly popular option because the use of DMA ports is infrequent in the non-developer space. + +The latest InstantGo devices, primarily tablets, are designed to be secure by default against all attacks that might compromise the BitLocker encryption key. Other Windows devices can be, too. DMA port–based attacks, which represent the attack vector of choice, are not possible on InstantGo devices, because these port types are prohibited. The inclusion of DMA ports on even non-InstantGo devices is extremely rare on recent devices, particularly on mobile ones. This could change if Thunderbolt is broadly adopted, so IT should consider this when purchasing new devices. In any case DMA ports can be disabled entirely, which is an increasingly popular option because the use of +DMA ports is infrequent in the non-developer space. + Memory remanence attacks can be mitigated with proper configuration; in cases where the system memory is fixed and non-removable, they are not possible using published techniques. Even in cases where system memory can be removed and loaded into another device, attackers will find the attack vector extremely unreliable, as has been shown in the DRDC Valcartier group’s analysis (see [An In-depth Analysis of the Cold Boot Attack](http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA545078)). + Windows 7 PCs share the same security risks as newer devices but are far more vulnerable to DMA and memory remanence attacks, because Windows 7 devices are more likely to include DMA ports, lack support for UEFI-based Secure Boot, and rarely have fixed memory. To eliminate the need for pre-boot authentication on Windows 7 devices, disable the ability to boot to external media, password-protect the BIOS configuration, and disable the DMA ports. If you believe that your devices may be a target of a memory remanence attack, where the system memory may be removed and put into another computer to gain access to its contents, consider testing your devices to determine whether they are susceptible to this type of attack. -In the end, many customers will find that pre-boot authentication improves security only for a shrinking subset of devices within their organization. Microsoft recommends a careful examination of the attack vectors and mitigations outlined in this document along with an evaluation of your devices before choosing to implement pre-boot authentication, which may not enhance the security of your devices and instead will only compromise the user experience and add to support costs. + +In the end, many customers will find that pre-boot authentication improves security only for a shrinking subset of devices within their organization. Microsoft recommends a careful examination of the attack vectors and mitigations +outlined in this document along with an evaluation of your devices before choosing to implement pre-boot authentication, which may not enhance the security of your devices and instead will only compromise the user experience and add to support costs. + ## See also - [Types of attacks for volume encryption keys](types-of-attacks-for-volume-encryption-keys.md) - [BitLocker Countermeasures](bitlocker-countermeasures.md) diff --git a/windows/keep-secure/configure-an-applocker-policy-for-audit-only.md b/windows/keep-secure/configure-an-applocker-policy-for-audit-only.md index 5de6e0fbde..206c0415fe 100644 --- a/windows/keep-secure/configure-an-applocker-policy-for-audit-only.md +++ b/windows/keep-secure/configure-an-applocker-policy-for-audit-only.md @@ -2,26 +2,31 @@ title: Configure an AppLocker policy for audit only (Windows 10) description: This topic for IT professionals describes how to set AppLocker policies to Audit only within your IT environment by using AppLocker. ms.assetid: 10bc87d5-cc7f-4500-b7b3-9006e50afa50 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Configure an AppLocker policy for audit only + **Applies to** - Windows 10 + This topic for IT professionals describes how to set AppLocker policies to **Audit only** within your IT environment by using AppLocker. + After AppLocker rules are created within the rule collection, you can configure the enforcement setting to **Enforce rules** or **Audit only**. + When AppLocker policy enforcement is set to **Enforce rules**, rules are enforced for the rule collection and all events are audited. When AppLocker policy enforcement is set to **Audit only**, rules are only evaluated but all events generated from that evaluation are written to the AppLocker log. -**Note**   -There is no audit mode for the DLL rule collection. DLL rules affect specific apps. Therefore, test the impact of these rules first before deploying them to production. To enable the DLL rule collection, see [Enable the DLL rule collection](enable-the-dll-rule-collection.md). + +>**Note:**  There is no audit mode for the DLL rule collection. DLL rules affect specific apps. Therefore, test the impact of these rules first before deploying them to production. To enable the DLL rule collection, see [Enable the DLL rule collection](enable-the-dll-rule-collection.md).   You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). + **To audit rule collections** + 1. From the AppLocker console, right-click **AppLocker**, and then click **Properties**. 2. On the **Enforcement** tab, select the **Configured** check box for the rule collection that you want to enforce, and then verify that **Audit only** is selected in the list for that rule collection. 3. Repeat the above step to configure the enforcement setting to **Audit only** for additional rule collections. 4. Click **OK**. -  -  diff --git a/windows/keep-secure/configure-an-applocker-policy-for-enforce-rules.md b/windows/keep-secure/configure-an-applocker-policy-for-enforce-rules.md index cd7c80e04b..55e87ba39a 100644 --- a/windows/keep-secure/configure-an-applocker-policy-for-enforce-rules.md +++ b/windows/keep-secure/configure-an-applocker-policy-for-enforce-rules.md @@ -2,25 +2,30 @@ title: Configure an AppLocker policy for enforce rules (Windows 10) description: This topic for IT professionals describes the steps to enable the AppLocker policy enforcement setting. ms.assetid: 5dbbb290-a5ae-4f88-82b3-21e95972e66c -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Configure an AppLocker policy for enforce rules + **Applies to** - Windows 10 + This topic for IT professionals describes the steps to enable the AppLocker policy enforcement setting. -**Note**   -When AppLocker policy enforcement is set to **Enforce rules**, rules are enforced for the rule collection and all events are audited. + +>**Note:**  When AppLocker policy enforcement is set to **Enforce rules**, rules are enforced for the rule collection and all events are audited.   For info about how AppLocker policies are applied within a GPO structure, see [Understand AppLocker rules and enforcement setting inheritance in Group Policy](understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md). + You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). + **To enable the Enforce rules enforcement setting** + 1. From the AppLocker console, right-click **AppLocker**, and then click **Properties**. 2. On the **Enforcement** tab of the **AppLocker Properties** dialog box, select the **Configured** check box for the rule collection that you are editing, and then verify that **Enforce rules** is selected. 3. Click **OK**. + For info about viewing the events generated from rules enforcement, see [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md). -  -  diff --git a/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md index 8ac1ba2c6b..aede6f38ed 100644 --- a/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md @@ -3,9 +3,10 @@ title: Configure Windows Defender ATP endpoints description: Use Group Policy or SCCM to deploy the configuration package or do manual registry changes on endpoints so that they are onboarded to the service. keywords: configure endpoints, client onboarding, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints, sccm, system center configuration manager search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: iaanw --- @@ -25,7 +26,7 @@ Using the GP configuration package ensures your endpoints will be correctly conf > **Note**  To use GP updates to deploy the package, you must be on Windows Server 2008 R2 or later. The endpoints must be running Windows 10 Insider Preview Build 14332 or later. -1. Open the GP configuration package .zip file (*WindowsATPOnboardingPackage_GroupPolicy.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): +1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): a. Click **Client onboarding** on the **Navigation pane**. @@ -52,13 +53,13 @@ For additional settings, see the [Additional configuration settings section](add ## Configure with System Center Configuration Manager -1. Open the SCCM configuration package .zip file (*WindowsATPOnboardingPackage_ConfigurationManager.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): +1. Open the SCCM configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): a. Click **Client onboarding** on the **Navigation pane**. b. Select **System Center Configuration Manager**, click **Download package**, and save the .zip file. -2. Copy the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. +2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file called *WindowsDefenderATPOnboardingScript.cmd*. 3. Import the configuration package by following the steps in the [How to Create Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682112.aspx#BKMK_Import) topic. @@ -76,12 +77,12 @@ You can also manually onboard individual endpoints to Windows Defender ATP. You a. Click **Client onboarding** on the **Navigation pane**. - b. Select **Manually on-board local machine**, click **Download package** and save the .zip file. + b. Select **Local Script**, click **Download package** and save the .zip file. 2. Extract the contents of the configuration package to a location on the endpoint you want to onboard (for example, the Desktop). You should have a file called *WindowsDefenderATPOnboardingScript.cmd*. -2. Open an elevated command-line prompt on the endpoint and run the script: +3. Open an elevated command-line prompt on the endpoint and run the script: a. Click **Start** and type **cmd**. @@ -89,9 +90,9 @@ You can also manually onboard individual endpoints to Windows Defender ATP. You ![Window Start menu pointing to Run as administrator](images/run-as-admin.png) -3. Type the location of the script file. If you copied the file to the desktop, type: *`%userprofile%\Desktop\WindowsDefenderATPOnboardingScript.cmd`* +4. Type the location of the script file. If you copied the file to the desktop, type: *`%userprofile%\Desktop\WindowsDefenderATPOnboardingScript.cmd`* -4. Press the **Enter** key or click **OK**. +5. Press the **Enter** key or click **OK**. See the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) topic for details on how you can manually validate that the endpoint is compliant and correctly reports telemetry. diff --git a/windows/keep-secure/configure-exceptions-for-an-applocker-rule.md b/windows/keep-secure/configure-exceptions-for-an-applocker-rule.md index 34f5707623..be96e323ed 100644 --- a/windows/keep-secure/configure-exceptions-for-an-applocker-rule.md +++ b/windows/keep-secure/configure-exceptions-for-an-applocker-rule.md @@ -2,23 +2,31 @@ title: Add exceptions for an AppLocker rule (Windows 10) description: This topic for IT professionals describes the steps to specify which apps can or cannot run as exceptions to an AppLocker rule. ms.assetid: d15c9d84-c14b-488d-9f48-bf31ff7ff0c5 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Add exceptions for an AppLocker rule + **Applies to** - Windows 10 + This topic for IT professionals describes the steps to specify which apps can or cannot run as exceptions to an AppLocker rule. + Rule exceptions allow you to specify files or folders to exclude from the rule. For more information about exceptions, see [Understanding AppLocker rule exceptions](understanding-applocker-rule-exceptions.md). + You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). + **To configure exceptions for a rule** + 1. Open the AppLocker console. 2. Expand the rule collection, right-click the rule that you want to configure exceptions for, and then click **Properties**. 3. Click the **Exceptions** tab. 4. In the **Add exception** box, select the rule type that you want to create, and then click **Add**. + - For a publisher exception, click **Browse**, select the file that contains the publisher to exclude, and then click **OK**. - For a path exception, choose the file or folder path to exclude, and then click **OK**. - For a file hash exception, edit the file hash rule, and click **Remove**. diff --git a/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md index aef3743b8f..e0564e8606 100644 --- a/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md @@ -3,9 +3,10 @@ title: Configure Windows Defender ATP endpoint proxy and Internet connection set description: Configure the Windows Defender ATP proxy and internet settings to enable communication with the cloud service. keywords: configure, proxy, internet, internet connectivity, settings, proxy settings, web proxy auto detect, wpad, netsh, winhttp, proxy server search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: mjcaparas --- diff --git a/windows/keep-secure/configure-s-mime.md b/windows/keep-secure/configure-s-mime.md index 0f76c34cac..7b9906f26d 100644 --- a/windows/keep-secure/configure-s-mime.md +++ b/windows/keep-secure/configure-s-mime.md @@ -2,55 +2,84 @@ title: Configure S/MIME for Windows 10 and Windows 10 Mobile (Windows 10) description: In Windows 10, S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. ms.assetid: 7F9C2A99-42EB-4BCC-BB53-41C04FBBBF05 -ms.pagetype: security -keywords: ["encrypt", "digital signature"] -ms.prod: W10 +keywords: encrypt, digital signature +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: jdeckerMS --- + + # Configure S/MIME for Windows 10 and Windows 10 Mobile + **Applies to** - Windows 10 - Windows 10 Mobile + S/MIME stands for Secure/Multipurpose Internet Mail Extensions, and provides an added layer of security for email sent to and from an Exchange ActiveSync (EAS) account. In Windows 10, S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with. + ## About message encryption + Users can send encrypted message to people in their organization and people outside their organization if they have their encryption certificates. However, users using Windows 10 Mail app can only read encrypted messages if the message is received on their Exchange account and they have corresponding decryption keys. + Encrypted messages can be read only by recipients who have a certificate. If you try to send an encrypted message to recipient(s) whose encryption certificate are not available, the app will prompt you to remove these recipients before sending the email. + ## About digital signatures + A digitally signed message reassures the recipient that the message hasn't been tampered with and verifies the identity of the sender. Recipients can only verify the digital signature if they’re using an email client that supports S/MIME. + ## Prerequisites + - [S/MIME is enabled for Exchange accounts](http://go.microsoft.com/fwlink/p/?LinkId=718217) (on-premises and Office 365). Users can’t use S/MIME signing and encryption with a personal account such as Outlook.com. - Valid Personal Information Exchange (PFX) certificates are installed on the device. + - [How to Create PFX Certificate Profiles in Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkID=718215) - [Enable access to company resources using certificate profiles with Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkId=718216) - [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md) + ## Choose S/MIME settings + On the device, perform the following steps: (add select certificate) 1. Open the Mail app. (In Windows 10 Mobile, the app is Outlook Mail.) 2. Open **Settings** by tapping the gear icon on a PC, or the ellipsis (...) and then the gear icon on a phone. + ![settings icon in mail app](images/mailsettings.png) + 3. Tap **Email security**. + ![email security settings](images/emailsecurity.png) + 4. In **Select an account**, select the account for which you want to configure S/MIME options. 5. Make a certificate selection for digital signature and encryption. + - Select **Automatically** to let the app choose the certificate. - Select **Manually** to specify the certificate yourself from the list of valid certificates on the device. 6. (Optional) Select **Always sign with S/MIME**, **Always encrypt with S/MIME**, or both, to automatically digitally sign or encrypt all outgoing messages. - **Note**  The option to sign or encrypt can be changed for individual messages, unless EAS policies prevent it. + + >**Note:**  The option to sign or encrypt can be changed for individual messages, unless EAS policies prevent it.   7. Tap the back arrow. + ## Encrypt or sign individual messages 1. While composing a message, choose **Options** from the ribbon. On phone, **Options** can be accessed by tapping the the ellipsis (...). + 2. Use **Sign** and **Encrypt** icons to turn on digital signature and encryption for this message. + ![sign or encrypt message](images/signencrypt.png) + ## Read signed or encrypted messages + When you receive an encrypted message, the mail app will check whether there is a certificate available on your computer. If there is a certificate available, the message will be decrypted when you open it. If your certificate is stored on a smartcard, you will be prompted to insert the smartcard to read the message. Your smartcard may also require a PIN to access the certificate. + ## Install certificates from a received message + When you receive a signed email, the app provide feature to install corresponding encryption certificate on your device if the certificate is available. This certificate can then be used to send encrypted email to this person. + 1. Open a signed email. 2. Tap or click the digital signature icon in the reading pane. 3. Tap **Install.** + ![message security information](images/installcert.png)     diff --git a/windows/keep-secure/configure-the-appLocker-reference-device.md b/windows/keep-secure/configure-the-appLocker-reference-device.md index d3dd0de7e5..97d6fd1361 100644 --- a/windows/keep-secure/configure-the-appLocker-reference-device.md +++ b/windows/keep-secure/configure-the-appLocker-reference-device.md @@ -2,35 +2,47 @@ title: Configure the AppLocker reference device (Windows 10) description: This topic for the IT professional describes the steps to create an AppLocker policy platform structure on a reference computer. ms.assetid: 034bd367-146d-4956-873c-e1e09e6fefee -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Configure the AppLocker reference device + **Applies to** - Windows 10 + This topic for the IT professional describes the steps to create an AppLocker policy platform structure on a reference computer. + An AppLocker reference device that is used for the development and deployment of AppLocker policies should mimic the directory structure and corresponding applications in the organizational unit (OU) or business group for the production environment. On a reference device, you can: + - Maintain an application list for each business group. - Develop AppLocker policies by creating individual rules or by creating a policy by automatically generating rules. - Create the default rules to allow the Windows system files to run properly. - Run tests and analyze the event logs to determine the affect of the policies that you intend to deploy. + The reference device does not need to be joined to a domain, but it must be able to import and export AppLocker policies in XML format. The reference computer must be running one of the supported editions of Windows as listed in [Requirements to use AppLocker](requirements-to-use-applocker.md). -**Warning**   -Do not use operating system snapshots when creating AppLocker rules. If you take a snapshot of the operating system, install an app, create AppLocker rules, and then revert to a clean snapshot and repeat the process for another app, there is a chance that duplicate rule GUIDs can be created. If duplicate GUIDs are present, AppLocker policies will not work as expected. + +>**Warning:**  Do not use operating system snapshots when creating AppLocker rules. If you take a snapshot of the operating system, install an app, create AppLocker rules, and then revert to a clean snapshot and repeat the process for another app, there is a chance that duplicate rule GUIDs can be created. If duplicate GUIDs are present, AppLocker policies will not work as expected.   **To configure a reference device** + 1. If the operating system is not already installed, install one of the supported editions of Windows on the device. - **Note**   - If you have the Group Policy Management Console (GPMC) installed on another device to test your implementation of AppLocker policies, you can export the policies to that device + + >**Note:**  If you have the Group Policy Management Console (GPMC) installed on another device to test your implementation of AppLocker policies, you can export the policies to that device   2. Configure the administrator account. + To update local policies, you must be a member of the local Administrators group. To update domain policies, you must be a member of the Domain Admins group or have been delegated privileges to use Group Policy to update a Group Policy Object (GPO). + 3. Install all apps that run in the targeted business group or OU by using the same directory structure. + The reference device should be configured to mimic the structure of your production environment. It depends on having the same apps in the same directories to accurately create the rules. + ### See also + - After you configure the reference computer, you can create the AppLocker rule collections. You can build, import, or automatically generate the rules. For procedures to do this, see [Working with AppLocker rules](working-with-applocker-rules.md). - [Use a reference device to create and maintain AppLocker policies](use-a-reference-computer-to-create-and-maintain-applocker-policies.md)   diff --git a/windows/keep-secure/configure-the-application-identity-service.md b/windows/keep-secure/configure-the-application-identity-service.md index 2f0505366e..84a1d64b98 100644 --- a/windows/keep-secure/configure-the-application-identity-service.md +++ b/windows/keep-secure/configure-the-application-identity-service.md @@ -3,7 +3,7 @@ title: Configure the Application Identity service (Windows 10) description: This topic for IT professionals shows how to configure the Application Identity service to start automatically or manually. ms.assetid: dc469599-37fd-448b-b23e-5b8e4f17e561 ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: brianlic-msft @@ -15,12 +15,13 @@ author: brianlic-msft - Windows 10 This topic for IT professionals shows how to configure the Application Identity service to start automatically or manually. + The Application Identity service determines and verifies the identity of an app. Stopping this service will prevent AppLocker policies from being enforced. -**Important**   -When using Group Policy, you must configure it to start automatically in at least one Group Policy Object (GPO) that applies AppLocker rules. This is because AppLocker uses this service to verify the attributes of a file. +>**Important:**  When using Group Policy, you must configure it to start automatically in at least one Group Policy Object (GPO) that applies AppLocker rules. This is because AppLocker uses this service to verify the attributes of a file.   **To start the Application Identity service automatically using Group Policy** + 1. On the **Start** screen, type **gpmc.msc** to open the Group Policy Management Console (GPMC). 2. Locate the GPO to edit, right-click the GPO, and then click **Edit**. 3. In the console tree under **Computer Configuration\\Windows Settings\\Security Settings**, click **System Services**. @@ -30,6 +31,7 @@ When using Group Policy, you must configure it to start automatically in at leas Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure. **To start the Application Identity service manually** + 1. Right-click the taskbar, and click **Task Manager**. 2. Click the **Services** tab, right-click **AppIDSvc**, and then click **Start Service**. 3. Verify that the status for the Application Identity service is **Running**. diff --git a/windows/keep-secure/configure-windows-defender-in-windows-10.md b/windows/keep-secure/configure-windows-defender-in-windows-10.md index b4f9e3572b..b52b5f6c57 100644 --- a/windows/keep-secure/configure-windows-defender-in-windows-10.md +++ b/windows/keep-secure/configure-windows-defender-in-windows-10.md @@ -2,33 +2,48 @@ title: Configure Windows Defender in Windows 10 (Windows 10) description: IT professionals can configure definition updates and cloud-based protection in Windows Defender in Windows 10 through Microsoft Active Directory and Windows Server Update Services (WSUS). ms.assetid: 22649663-AC7A-40D8-B1F7-5CAD9E49653D -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +ms.pagetype: security author: jasesso --- + # Configure Windows Defender in Windows 10 + **Applies to** - Windows 10 + IT professionals can configure definition updates and cloud-based protection in Windows Defender in Windows 10 through Microsoft Active Directory and Windows Server Update Services (WSUS). + ## Configure definition updates + It is important to update definitions regularly to ensure that your endpoints are protected. Definition updates can be configured to suit the requirements of your organization. + Windows Defender supports the same updating options (such as using multiple definition sources) as other Microsoft endpoint protection products; for more information, see [Configuring Definition Updates](https://technet.microsoft.com/library/gg412502.aspx). + When you configure multiple definition sources in Windows Defender, you can configure the fallback order using the following values through *Group Policy* settings: + - InternalDefinitionUpdateServer - WSUS - MicrosoftUpdateServer - Microsoft Update - MMPC - [Microsoft Malware Protection Center definitions page](http://www.microsoft.com/security/portal/definitions/adl.aspx) - FileShares - file share + Read about deploying administrative template files for Windows Defender in the article [Description of the Windows Defender Group Policy administrative template settings](https://support.microsoft.com/kb/927367). + You can also manage your Windows Defender update configuration settings through System Center Configuration Manager. See [How to Configure Definition Updates for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/jj822983.aspx) for details. + ## Definition update logic + You can update Windows Defender definitions in four ways depending on your business requirements: + - WSUS, the managed server. You can manage the distribution of updates that are released through Microsoft Update to computers in your enterprise environment; read more on the [Windows Server Update Services](https://technet.microsoft.com/windowsserver/bb332157.aspx) website. - Microsoft Update, the unmanaged server. You can use this method to get regular updates from Microsoft Update. - The [Microsoft Malware Protection Center definitions page](http://www.microsoft.com/security/portal/definitions/adl.aspx), as an alternate download location. You can use this method if you want to download the latest definitions. - File share, where the definition package is downloaded. You can retrieve definition updates from a file share. The file share must be provisioned on a regular basis with the update files. + ## Update Windows Defender definitions through Active Directory and WSUS + This section details how to update Windows Defender definitions for Windows 10 endpoints through Active Directory and WSUS. @@ -109,50 +124,78 @@ This section details how to update Windows Defender definitions for Windows 10
  ## Manage cloud-based protection + Windows Defender offers improved cloud-based protection and threat intelligence for endpoint protection clients using the Microsoft Active Protection Service. Read more about the Microsoft Active Protection Service community in [Join the Microsoft Active Protection Service community](http://windows.microsoft.com/windows-8/join-maps-community). + You can enable or disable the Microsoft Active Protection Service using *Group Policy* settings and administrative template files. + More information on deploying administrative template files for Windows Defender is available in the article [Description of the Windows Defender Group Policy administrative template settings](https://support.microsoft.com/kb/927367). + The Microsoft Active Protection Service can be configured with the following *Group Policy* settings: + 1. Open the **Group Policy Editor**. 2. In the **Local Computer Policy** tree, expand **Computer Configuration**, then **Administrative Templates**, then **Windows Components**, then **Windows Defender**. 3. Click on **MAPS**. 4. Double-click on **Join Microsoft MAPS**. 5. Select your configuration option from the **Join Microsoft MAPS** list. - **Note**  Any settings modified on an endpoint will be overridden by the administrator's policy setting. + + >**Note:**  Any settings modified on an endpoint will be overridden by the administrator's policy setting.   Use the Windowsdefender.adm *Group Policy* template file to control the policy settings for Windows Defender in Windows 10: + Policy setting: **Configure Microsoft SpyNet Reporting** + Registry key name: **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\SpyNet\\SpyNetReporting** + Policy description: **Adjusts membership in Microsoft Active Protection Service** + You can also configure preferences using the following PowerShell parameters: + - Turn Microsoft Active Protection Service off: *Set-MpPreference -MAPSReporting 0* - Turn Microsoft Active Protection Service on: *Set-MpPreference -MAPSReporting 2* + Read more about this in: + - [Scripting with Windows PowerShell](https://technet.microsoft.com/library/bb978526.aspx) - [Defender Cmdlets](https://technet.microsoft.com/library/dn433280.aspx) -**Note**  Any information that Windows Defender collects is encrypted in transit to our servers, and then stored in secure facilities. Microsoft takes several steps to avoid collecting any information that directly identifies you, such as your name, email address, or account ID. + +>**Note:**  Any information that Windows Defender collects is encrypted in transit to our servers, and then stored in secure facilities. Microsoft takes several steps to avoid collecting any information that directly identifies you, such as your name, email address, or account ID.   Read more about how to manage your privacy settings in [Setting your preferences for Windows 10 services](http://windows.microsoft.com/windows-10/services-setting-preferences). + ## Opt-in to Microsoft Update + You can use Microsoft Update to keep definitions on mobile computers running Windows Defender in Windows 10 up to date when they are not connected to the corporate network. If the mobile computer doesn't have a [Windows Server Update Service](https://technet.microsoft.com/windowsserver/bb332157.aspx) (WSUS) connection, the signatures will still come from Microsoft Update. This means that signatures can be pushed down (via Microsoft Update) even if WSUS overrides Windows Update. + You need to opt-in to Microsoft Update on the mobile computer before it can retrieve the definition updates from Microsoft Update. + There are two ways you can opt-in to Microsoft Update in Windows Defender for Windows 10: + 1. Use a VBScript to create a script, then run it on each computer in your network. 2. Manually opt-in every computer on your network through the **Settings** menu. + You can create a VBScript and run it on each computer on your network; this is an efficient way to opt-in to Microsoft Update. + **Use a VBScript to opt in to Microsoft Update** + 1. Use the instructions in the MSDN article [Opt-In to Microsoft Update](https://msdn.microsoft.com/library/windows/desktop/aa826676.aspx) to create the VBScript. 2. Run the VBScript you created on each computer in your network. + You can manually opt-in each individual computer on your network to receive Microsoft Update. + **Manually opt-in to Microsoft Update** + 1. Open **Windows Update** in **Update & security** settings on the computer you want to opt-in. 2. Click **Advanced** options. 3. Select the checkbox for **Give me updates for other Microsoft products when I update Windows**. + ## Schedule updates for Microsoft Update + Opting-in to Microsoft Update means that your system administrator can schedule updates to your mobile computer, so that it keeps up-to-date with the latest software versions and security definitions, even when you’re on the road. + For more information on scheduling updates, see [Configure definition updates](https://technet.microsoft.com/library/mt622088.aspx#configure-definition-updates). + ## Related topics -[Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md) -[Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md) -  -  + +- [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md) +- [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md) diff --git a/windows/keep-secure/create-a-basic-audit-policy-settings-for-an-event-category.md b/windows/keep-secure/create-a-basic-audit-policy-settings-for-an-event-category.md index 08b1dfb88d..69742a74b0 100644 --- a/windows/keep-secure/create-a-basic-audit-policy-settings-for-an-event-category.md +++ b/windows/keep-secure/create-a-basic-audit-policy-settings-for-an-event-category.md @@ -2,26 +2,36 @@ title: Create a basic audit policy for an event category (Windows 10) description: By defining auditing settings for specific event categories, you can create an auditing policy that suits the security needs of your organization. ms.assetid: C9F52751-B40D-482E-BE9D-2C61098249D3 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Create a basic audit policy for an event category + **Applies to** - Windows 10 + By defining auditing settings for specific event categories, you can create an auditing policy that suits the security needs of your organization. On devices that are joined to a domain, auditing settings for the event categories are undefined by default. On domain controllers, auditing is turned on by default. + To complete this procedure, you must be logged on as a member of the built-in Administrators group. + **To define or modify auditing policy settings for an event category for your local computer** + 1. Open the Local Security Policy snap-in (secpol.msc), and then click **Local Policies**. 2. Click **Audit Policy**. 3. In the results pane, double-click an event category that you want to change the auditing policy settings for. 4. Do one or both of the following, and then click **OK.** + - To audit successful attempts, select the **Success** check box. - To audit unsuccessful attempts, select the **Failure** check box. + To complete this procedure, you must be logged on as a member of the Domain Admins group. + **To define or modify auditing policy settings for an event category for a domain or organizational unit, when you are on a member server or on a workstation that is joined to a domain** + 1. Open the Group Policy Management Console (GPMC). 2. In the console tree, double-click **Group Policy objects** in the forest and domain containing the **Default Domain Policy** Group Policy object (GPO) that you want to edit. 3. Right-click the **Default Domain Policy** GPO, and then click **Edit**. @@ -29,11 +39,12 @@ To complete this procedure, you must be logged on as a member of the Domain Admi 5. In the results pane, double-click an event category that you want to change the auditing policy settings for. 6. If you are defining auditing policy settings for this event category for the first time, select the **Define these policy settings** check box. 7. Do one or both of the following, and then click **OK.** + - To audit successful attempts, select the **Success** check box. - To audit unsuccessful attempts, select the **Failure** check box. + ## Additional considerations + - To audit object access, enable auditing of the object access event category by following the steps above. Then, enable auditing on the specific object. - After your audit policy is configured, events will be recorded in the Security log. Open the Security log to view these events. - The default auditing policy setting for domain controllers is **No Auditing**. This means that even if auditing is enabled in the domain, the domain controllers do not inherit auditing policy locally. If you want domain auditing policy to apply to domain controllers, you must modify this policy setting. -  -  diff --git a/windows/keep-secure/create-a-pagefile.md b/windows/keep-secure/create-a-pagefile.md index 31839c324f..a8c65abbab 100644 --- a/windows/keep-secure/create-a-pagefile.md +++ b/windows/keep-secure/create-a-pagefile.md @@ -2,88 +2,89 @@ title: Create a pagefile (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Create a pagefile security policy setting. ms.assetid: dc087897-459d-414b-abe0-cd86c8dccdea -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Create a pagefile + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Create a pagefile** security policy setting. + ## Reference + Windows designates a section of the hard drive as virtual memory known as the page file, or more specifically, as pagefile.sys. It is used to supplement the computer’s Random Access Memory (RAM) to improve performance for programs and data that are used frequently. Although the file is hidden from browsing, you can manage it using the system settings. + This policy setting determines which users can create and change the size of a page file. It determines whether users can specify a page file size for a particular drive in the **Performance Options** box located on the **Advanced** tab of the **System Properties** dialog box or through using internal application interfaces (APIs). + Constant: SeCreatePagefilePrivilege + ### Possible values + - User-defined list of accounts - Administrators + ### Best practices + - Restrict the **Create a pagefile** user right to Administrators, which is the default. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default, members of the Administrators group have this right. + The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Administrators

Default Domain Controller Policy

Administrators

Stand-Alone Server Default Settings

Administrators

Domain Controller Effective Default Settings

Administrators

Member Server Effective Default Settings

Administrators

Client Computer Effective Default Settings

Administrators

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Administrators | +| Default Domain Controller Policy | Administrators | +| Stand-Alone Server Default Settings | Administrators | +| Domain Controller Effective Default Settings | Administrators | +| Member Server Effective Default Settings | Administrators | +| Client Computer Effective Default Settings | Administrators |   ## Policy management + A restart of the device is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Users who can change the page file size could make it extremely small or move the file to a highly fragmented storage volume, which could cause reduced device performance. + ### Countermeasure + Restrict the **Create a pagefile** user right to members of the Administrators group. + ### Potential impact + None. Restricting this right to members of the Administrators group is the default configuration. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/create-a-rule-for-packaged-apps.md b/windows/keep-secure/create-a-rule-for-packaged-apps.md index 2474296f59..f0ed699e79 100644 --- a/windows/keep-secure/create-a-rule-for-packaged-apps.md +++ b/windows/keep-secure/create-a-rule-for-packaged-apps.md @@ -2,24 +2,34 @@ title: Create a rule for packaged apps (Windows 10) description: This topic for IT professionals shows how to create an AppLocker rule for packaged apps with a publisher condition. ms.assetid: e4ffd400-7860-47b3-9118-0e6853c3dfa0 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Create a rule for packaged apps + **Applies to** - Windows 10 + This topic for IT professionals shows how to create an AppLocker rule for packaged apps with a publisher condition. + Packaged apps, also known as Universal Windows apps, are based on an app model that ensures that all the files within an app package share the same identity. Therefore, it is possible to control the entire app using a single AppLocker rule as opposed to the non-packaged apps where each file within the app could have a unique identity. Windows does not support unsigned packaged apps which implies all packaged apps must be signed. AppLocker supports only publisher rules for packaged apps. A publisher rule for a packaged app is based on the following information: + - Publisher of the package - Package name - Package version + All the files within a package as well as the package installer share these attributes. Therefore, an AppLocker rule for a packaged app controls both the installation as well as the running of the app. Otherwise, the publisher rules for packaged apps are no different than the rest of the rule collections; they support exceptions, can be increased or decreased in scope, and can be assigned to users and groups. + For info about the publisher condition, see [Understanding the publisher rule condition in AppLocker](understanding-the-publisher-rule-condition-in-applocker.md). + You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). + **To create a packaged app rule** + 1. Open the AppLocker console. 2. On the **Action** menu, or by right-clicking on **Packaged app Rules**, click **Create New Rule**. 3. On the **Before You Begin** page, click **Next**. @@ -99,5 +109,3 @@ You can perform this task by using the Group Policy Management Console for an Ap 6. Click **Next**. 7. (Optional) On the **Exceptions** page, specify conditions by which to exclude files from being affected by the rule. This allows you to add exceptions based on the same rule reference and rule scope as you set before. Click **Next**. 8. On the **Name** page, either accept the automatically generated rule name or type a new rule name, and then click **Create**. -  -  diff --git a/windows/keep-secure/create-a-rule-that-uses-a-file-hash-condition.md b/windows/keep-secure/create-a-rule-that-uses-a-file-hash-condition.md index f5a2a1ed28..4a1038f165 100644 --- a/windows/keep-secure/create-a-rule-that-uses-a-file-hash-condition.md +++ b/windows/keep-secure/create-a-rule-that-uses-a-file-hash-condition.md @@ -2,30 +2,37 @@ title: Create a rule that uses a file hash condition (Windows 10) description: This topic for IT professionals shows how to create an AppLocker rule with a file hash condition. ms.assetid: eb3b3524-1b3b-4979-ba5a-0a0b1280c5c7 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Create a rule that uses a file hash condition + **Applies to** - Windows 10 + This topic for IT professionals shows how to create an AppLocker rule with a file hash condition. + File hash rules use a system-computed cryptographic hash of the identified file. + For info about the file hash condition, see [Understanding the File Hash Rule Condition in AppLocker](understanding-the-file-hash-rule-condition-in-applocker.md). -You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). + +You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer +AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). + **To create a new rule with a file hash condition** + 1. Open the AppLocker console, and then click the rule collection that you want to create the rule for. 2. On the **Action** menu, click **Create New Rule**. 3. On the **Before You Begin** page, click **Next**. 4. On the **Permissions** page, select the action (allow or deny) and the user or group that the rule should apply to, and then click **Next**. 5. On the **Conditions** page, select the **File hash** rule condition, and then click **Next**. 6. **Browse Files** to locate the targeted application file. - **Note**   - You can also click **Browse Folders** which calculates the hash for all the appropriate files relative to the rule collection. To remove hashes individually, click the **Remove** button. + + >**Note:**  You can also click **Browse Folders** which calculates the hash for all the appropriate files relative to the rule collection. To remove hashes individually, click the **Remove** button.   7. Click **Next**. 8. On the **Name** page, either accept the automatically generated rule name or type a new rule name, and then click **Create**. -  -  diff --git a/windows/keep-secure/create-a-rule-that-uses-a-path-condition.md b/windows/keep-secure/create-a-rule-that-uses-a-path-condition.md index 3130eeb9a7..89a34500cd 100644 --- a/windows/keep-secure/create-a-rule-that-uses-a-path-condition.md +++ b/windows/keep-secure/create-a-rule-that-uses-a-path-condition.md @@ -2,34 +2,39 @@ title: Create a rule that uses a path condition (Windows 10) description: This topic for IT professionals shows how to create an AppLocker rule with a path condition. ms.assetid: 9b2093f5-5976-45fa-90c3-da1e0e845d95 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Create a rule that uses a path condition + **Applies to** - Windows 10 + This topic for IT professionals shows how to create an AppLocker rule with a path condition. + The path condition identifies an app by its location in the file system of the computer or on the network. -**Important**   -When creating a rule that uses a deny action, path conditions are less secure for preventing access to a file because a user could easily copy the file to a different location than what is specified in the rule. Because path rules correspond to locations within the file system, you should ensure that there are no subdirectories that are writable by non-administrators. For example, if you create a path rule for C:\\ with the allow action, any file within C:\\ will be allowed to run, including users' profiles. + +>**Important:**  When creating a rule that uses a deny action, path conditions are less secure for preventing access to a file because a user could easily copy the file to a different location than what is specified in the rule. Because path rules correspond to locations within the file system, you should ensure that there are no subdirectories that are writable by non-administrators. For example, if you create a path rule for C:\\ with the allow action, any file within C:\\ will be allowed to run, including users' profiles.   For info about the path condition, see [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md). + You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For information how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). + **To create a new rule with a path condition** + 1. Open the AppLocker console, and then click the rule collection that you want to create the rule for. 2. On the **Action** menu, click **Create New Rule**. 3. On the **Before You Begin** page, click **Next**. 4. On the **Permissions** page, select the action (allow or deny) and the user or group that the rule should apply to, and then click **Next**. 5. On the **Conditions** page, select the **Path** rule condition, and then click **Next**. 6. Click **Browse Files** to locate the targeted folder for the app. - **Note**   - When you browse to a file or folder location, the wizard automatically converts absolute file paths to use AppLocker path variables. You may edit the path after browsing to specify an absolute path, or you may type the path directly into the **Path** box. To learn more about AppLocker path variables, see [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md). + + >**Note:**  When you browse to a file or folder location, the wizard automatically converts absolute file paths to use AppLocker path variables. You may edit the path after browsing to specify an absolute path, or you may type the path directly into the **Path** box. To learn more about AppLocker path variables, see [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md).   7. Click **Next**. 8. (Optional) On the **Exceptions** page, specify conditions by which to exclude files from being affected by the rule. Click **Next**. 9. On the **Name** page, either accept the automatically generated rule name or type a new rule name, and then click **Create**. -  -  diff --git a/windows/keep-secure/create-a-rule-that-uses-a-publisher-condition.md b/windows/keep-secure/create-a-rule-that-uses-a-publisher-condition.md index 11baddf574..214dca0f70 100644 --- a/windows/keep-secure/create-a-rule-that-uses-a-publisher-condition.md +++ b/windows/keep-secure/create-a-rule-that-uses-a-publisher-condition.md @@ -2,21 +2,30 @@ title: Create a rule that uses a publisher condition (Windows 10) description: This topic for IT professionals shows how to create an AppLocker rule with a publisher condition. ms.assetid: 345ad45f-2bc1-4c4c-946f-17804e29f55b -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Create a rule that uses a publisher condition + **Applies to** - Windows 10 + This topic for IT professionals shows how to create an AppLocker rule with a publisher condition. + You can use publisher conditions only for files that are digitally signed; the publisher condition identifies an app based on its digital signature and extended attributes. The digital signature contains information about the company that created the app (the publisher). The extended attributes, which are obtained from the binary resource, contain the name of the product that the file is part of and the version number of the application. The publisher may be a software development company, such as Microsoft, or the information technology department of your organization. Packaged app rules are by definition rules that use publisher conditions. For info about creating a packaged app rule, see [Create a rule for packaged apps](create-a-rule-for-packaged-apps.md). + For info about the publisher condition, see [Understanding the publisher rule condition in AppLocker](understanding-the-publisher-rule-condition-in-applocker.md). -You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). + +You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer +AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). + **To create a new rule with a publisher condition** + 1. Open the AppLocker console, and then click the rule collection that you want to create the rule for. 2. On the **Action** menu, click **Create New Rule**. 3. On the **Before You Begin** page, click **Next**. @@ -26,5 +35,3 @@ You can perform this task by using the Group Policy Management Console for an Ap 7. Click **Next**. 8. (Optional) On the **Exceptions** page, specify conditions by which to exclude files from being affected by the rule. Click **Next**. 9. On the **Name** page, either accept the automatically generated rule name or type a new rule name, and then click **Create**. -  -  diff --git a/windows/keep-secure/create-a-token-object.md b/windows/keep-secure/create-a-token-object.md index 1c972b491b..8decf358bf 100644 --- a/windows/keep-secure/create-a-token-object.md +++ b/windows/keep-secure/create-a-token-object.md @@ -2,91 +2,91 @@ title: Create a token object (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Create a token object security policy setting. ms.assetid: bfbf52fc-6ba4-442a-9df7-bd277e55729c -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Create a token object + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Create a token object** security policy setting. + ## Reference + This policy setting determines which accounts a process can use to create a token, and which accounts it can then use to gain access to local resources when the process uses NtCreateToken() or other token-creation APIs. + When a user logs on to the local device or connects to a remote device through a network, Windows builds the user’s access token. Then the system examines the token to determine the level of the user's privileges. When you revoke a privilege, the change is immediately recorded, but the change is not reflected in the user's access token until the next time the user logs on or connects. + Constant: SeCreateTokenPrivilege + ### Possible values + - User-defined list of accounts - Not Defined + ### Best practices + - This user right is used internally by the operating system. Unless it is necessary, do not assign this user right to a user, group, or process other than Local System. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + This user right is used internally by the operating system. By default, it is not assigned to any user groups. + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not Defined

Default Domain Controller Policy

Not Defined

Stand-Alone Server Default Settings

Not Defined

Domain Controller Effective Default Settings

Local System

Member Server Effective Default Settings

Local System

Client Computer Effective Default Settings

Local System

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not Defined | +| Default Domain Controller Policy | Not Defined | +| Stand-Alone Server Default Settings | Not Defined | +| Domain Controller Effective Default Settings | Local System | +| Member Server Effective Default Settings | Local System | +| Client Computer Effective Default Settings | Local System |   ## Policy management + A restart of the device is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability -**Caution**   -A user account that is given this user right has complete control over the system, and it can lead to the system being compromised. We highly recommend that you do not assign this right to any user accounts. + +>**Caution:**  A user account that is given this user right has complete control over the system, and it can lead to the system being compromised. We highly recommend that you do not assign this right to any user accounts.   Windows examines a user's access token to determine the level of the user's privileges. Access tokens are built when users log on to the local device or connect to a remote device over a network. When you revoke a privilege, the change is immediately recorded, but the change is not reflected in the user's access token until the next time the user logs on or connects. Users with the ability to create or modify tokens can change the level of access for any account on a computer if they are currently logged on. They could escalate their privileges or create a DoS condition. + ### Countermeasure + Do not assign the **Create a token object** user right to any users. Processes that require this user right should use the Local System account, which already includes it, instead of a separate user account that has this user right assigned. + ### Potential impact + None. Not Defined is the default configuration. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/create-applocker-default-rules.md b/windows/keep-secure/create-applocker-default-rules.md index 15c82719f5..930d2bc4d7 100644 --- a/windows/keep-secure/create-applocker-default-rules.md +++ b/windows/keep-secure/create-applocker-default-rules.md @@ -2,24 +2,28 @@ title: Create AppLocker default rules (Windows 10) description: This topic for IT professionals describes the steps to create a standard set of AppLocker rules that will allow Windows system files to run. ms.assetid: 21e9dc68-a6f4-4ebe-ac28-4c66a7ab6e18 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Create AppLocker default rules + **Applies to** - Windows 10 + This topic for IT professionals describes the steps to create a standard set of AppLocker rules that will allow Windows system files to run. + AppLocker includes default rules for each rule collection. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed to run. -**Important**   -You can use the default rules as a template when creating your own rules to allow files within the Windows folders to run. However, these rules are only meant to function as a starter policy when you are first testing AppLocker rules. The default rules can be modified in the same way as other AppLocker rule types. + +>**Important:**  You can use the default rules as a template when creating your own rules to allow files within the Windows folders to run. However, these rules are only meant to function as a starter policy when you are first testing AppLocker rules. The default rules can be modified in the same way as other AppLocker rule types.   You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For information how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). + **To create default rules** + 1. Open the AppLocker console. 2. Right-click the appropriate rule type for which you want to automatically generate default rules. You can automatically generate rules for executable, Windows Installer, script rules and Packaged app rules. 3. Click **Create Default Rules**. -  -  diff --git a/windows/keep-secure/create-edp-policy-using-intune.md b/windows/keep-secure/create-edp-policy-using-intune.md index e2dab16028..c5d390ea1c 100644 --- a/windows/keep-secure/create-edp-policy-using-intune.md +++ b/windows/keep-secure/create-edp-policy-using-intune.md @@ -2,9 +2,10 @@ title: Create an enterprise data protection (EDP) policy using Microsoft Intune (Windows 10) description: Microsoft Intune helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. ms.assetid: 4b307c99-3016-4d6a-9ae7-3bbebd26e721 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library +ms.pagetype: security author: eross-msft --- diff --git a/windows/keep-secure/create-edp-policy-using-sccm.md b/windows/keep-secure/create-edp-policy-using-sccm.md index 9e4288873e..fa412028a7 100644 --- a/windows/keep-secure/create-edp-policy-using-sccm.md +++ b/windows/keep-secure/create-edp-policy-using-sccm.md @@ -2,10 +2,11 @@ title: Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager (Windows 10) description: Configuration Manager (version 1511 or later) helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. ms.assetid: 85b99c20-1319-4aa3-8635-c1a87b244529 -keywords: ["EDP", "Enterprise Data Protection", "SCCM", "System Center Configuration Manager", Configuration Manager"] -ms.prod: W10 +keywords: EDP, Enterprise Data Protection, SCCM, System Center Configuration Manager, Configuration Manager +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library +ms.pagetype: security author: eross-msft --- diff --git a/windows/keep-secure/create-global-objects.md b/windows/keep-secure/create-global-objects.md index 7e51c7a813..c131685bec 100644 --- a/windows/keep-secure/create-global-objects.md +++ b/windows/keep-secure/create-global-objects.md @@ -2,106 +2,91 @@ title: Create global objects (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Create global objects security policy setting. ms.assetid: 9cb6247b-44fc-4815-86f2-cb59b6f0221e -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Create global objects + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Create global objects** security policy setting. + ## Reference + This policy setting determines which users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right. + A global object is an object that is created to be used by any number of processes or threads, even those not started within the user’s session. Remote Desktop Services uses global objects in its processes to facilitate connections and access. + Constant: SeCreateGlobalPrivilege + ### Possible values + - User-defined list of accounts - Default accounts listed below + ### Best practices + - Do not assign any user accounts this right. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default, members of the Administrators group have this right, as do Local Service and Network Service accounts on the supported versions of Windows. Service is included for backwards compatibility with earlier versions of Windows. + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not Defined

Default Domain Controller Policy

Administrators

-

Local Service

-

Network Service

-

Service

Stand-Alone Server Default Settings

Administrators

-

Local Service

-

Network Service

-

Service

Domain Controller Effective Default Settings

Administrators

-

Local Service

-

Network Service

-

Service

Member Server Effective Default Settings

Administrators

-

Local Service

-

Network Service

-

Service

Client Computer Effective Default Settings

Administrators

-

Local Service

-

Network Service

-

Service

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not Defined | +| Default Domain Controller Policy | Administrators
Local Service
Network Service
Service| +| Stand-Alone Server Default Settings | Administrators
Local Service
Network Service
Service| +| Domain Controller Effective Default Settings | Administrators
Local Service
Network Service
Service| +| Member Server Effective Default Settings | Administrators
Local Service
Network Service
Service| +| Client Computer Effective Default Settings | Administrators
Local Service
Network Service
Service|   ## Policy management + A restart of the device is not required for this policy setting to take effect. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability -**Caution**   -A user account that is given this user right has complete control over the system, and it can lead to the system being compromised. We highly recommend that you do not assign this right to any user accounts. + +>**Caution:**  A user account that is given this user right has complete control over the system, and it can lead to the system being compromised. We highly recommend that you do not assign this right to any user accounts.   Windows examines a user's access token to determine the level of the user's privileges. Access tokens are built when users log on to the local device or connect to a remote device over a network. When you revoke a privilege, the change is immediately recorded, but the change is not reflected in the user's access token until the next time the user logs on or connects. Users with the ability to create or modify tokens can change the level of access for any currently logged on account. They could escalate their privileges or create a denial-of-service (DoS) condition. + ### Countermeasure + Do not assign the **Create a token object** user right to any users. Processes that require this user right should use the Local System account, which already includes it, instead of a separate user account with this user right assigned. + ### Potential impact + None. Not Defined is the default domain policy configuration. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/create-list-of-applications-deployed-to-each-business-group.md b/windows/keep-secure/create-list-of-applications-deployed-to-each-business-group.md index 6afbbb8eb8..c623dd725f 100644 --- a/windows/keep-secure/create-list-of-applications-deployed-to-each-business-group.md +++ b/windows/keep-secure/create-list-of-applications-deployed-to-each-business-group.md @@ -2,46 +2,69 @@ title: Create a list of apps deployed to each business group (Windows 10) description: This topic describes the process of gathering app usage requirements from each business group in order to implement application control policies by using AppLocker. ms.assetid: d713aa07-d732-4bdc-8656-ba616d779321 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Create a list of apps deployed to each business group + **Applies to** - Windows 10 + This topic describes the process of gathering app usage requirements from each business group in order to implement application control policies by using AppLocker. + ## Determining app usage + For each business group, determine the following: + - The complete list of apps used, including different versions of an app - The full installation path of the app - The publisher and signed status of each app - The type of requirement the business groups set for each app, such as business critical, business productivity, optional, or personal. It might also be helpful during this effort to identify which apps are supported or unsupported by your IT department, or supported by others outside your control. - A list of files or apps that require administrative credentials to install or run. If the file requires administrative credentials to install or run, users who cannot provide administrative credentials will be prevented from running the file even if the file is explicitly allowed by an AppLocker policy. Even with AppLocker policies enforced, only members of the Administrators group can install or run files that require administrative credentials. + ### How to perform the app usage assessment -Although you might already have a method in place to understand app usage for each business group, you will need to use this information to help create your AppLocker rule collection. AppLocker includes the Automatically Generate Rules wizard and the **Audit only** enforcement configuration to assist you with planning and creating your rule collection. + +Although you might already have a method in place to understand app usage for each business group, you will need to use this information to help create your AppLocker rule collection. AppLocker includes the Automatically Generate +Rules wizard and the **Audit only** enforcement configuration to assist you with planning and creating your rule collection. + **Application inventory methods** + Using the Automatically Generate Rules wizard quickly creates rules for the applications you specify. The wizard is designed specifically to build a rule collection. You can use the Local Security Policy snap-in to view and edit the rules. This method is very useful when creating rules from a reference computer, and when creating and evaluating AppLocker policies in a testing environment. However, it does require that the files be accessible on the reference computer or through a network drive. This might mean additional work in setting up the reference computer and determining a maintenance policy for that computer. -Using the **Audit only** enforcement method permits you to view the logs because it collects information about every process on the computers receiving the Group Policy Object (GPO). Therefore, you can see what the enforcement will be on the computers in a business group. AppLocker includes Windows PowerShell cmdlets that you can use to analyze the events from the event log and cmdlets to create rules. However, when you use Group Policy to deploy to several computers, a means to collect events in a central location is very important for manageability. Because AppLocker logs information about files that users or other processes start on a computer, you could miss creating some rules initially. Therefore, you should continue your evaluation until you can verify that all required applications that are allowed to run are accessed successfully. -**Tip**   -If you run Application Verifier against a custom application with any AppLocker policies enabled, it might prevent the application from running. You should either disable Application Verifier or AppLocker. + +Using the **Audit only** enforcement method permits you to view the logs because it collects information about every process on the computers receiving the Group Policy Object (GPO). Therefore, you can see what the enforcement will be on the computers in a business group. AppLocker includes Windows PowerShell cmdlets that you can use to analyze the events from the event log and cmdlets to create rules. However, when you use Group Policy to deploy to several computers, a means to collect events in a central location is very important for manageability. Because AppLocker logs information about files that users or other processes start on a computer, you could miss creating some rules +initially. Therefore, you should continue your evaluation until you can verify that all required applications that are allowed to run are accessed successfully. + +>**Tip:**  If you run Application Verifier against a custom application with any AppLocker policies enabled, it might prevent the application from running. You should either disable Application Verifier or AppLocker. You can create an inventory of Universal Windows apps on a device by using two methods: the **Get-AppxPackage** Windows PowerShell cmdlet or the AppLocker console.   The following topics in the [AppLocker Step-by-Step Guide](http://go.microsoft.com/fwlink/p/?LinkId=160261) describe how to perform each method: + - [Automatically generating executable rules from a reference computer](http://go.microsoft.com/fwlink/p/?LinkId=160264) - [Using auditing to track which apps are used](http://go.microsoft.com/fwlink/p/?LinkId=160281) + ### Prerequisites to completing the inventory + Identify the business group and each organizational unit (OU) within that group to which you will apply application control policies. In addition, you should have identified whether or not AppLocker is the most appropriate solution for these policies. For info about these steps, see the following topics: + - [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md) - [Determine your application control objectives](determine-your-application-control-objectives.md) + ## Next steps + Identify and develop the list of apps. Record the name of the app, whether it is signed or not as indicated by the publisher's name, and whether or not it is a mission critical, business productivity, optional, or personal application. Record the installation path of the apps. For info about how to do this, see [Document your app list](document-your-application-list.md). + After you have created the list of apps, the next step is to identify the rule collections, which will become the policies. This information can be added to the table under columns labeled: + - Use default rule or define new rule condition - Allow or deny - GPO name + To do this, see the following topics: + - [Select the types of rules to create](select-types-of-rules-to-create.md) - [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)   diff --git a/windows/keep-secure/create-permanent-shared-objects.md b/windows/keep-secure/create-permanent-shared-objects.md index ee6979dbe5..bcc0896951 100644 --- a/windows/keep-secure/create-permanent-shared-objects.md +++ b/windows/keep-secure/create-permanent-shared-objects.md @@ -2,88 +2,89 @@ title: Create permanent shared objects (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Create permanent shared objects security policy setting. ms.assetid: 6a58438d-65ca-4c4a-a584-450eed976649 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Create permanent shared objects + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Create permanent shared objects** security policy setting. + ## Reference + This user right determines which accounts can be used by processes to create a directory object by using the object manager. Directory objects include Active Directory objects, files and folders, printers, registry keys, processes, and threads. Users who have this capability can create permanent shared objects, including devices, semaphores, and mutexes. This user right is useful to kernel-mode components that extend the object namespace. Because components that are running in kernel-mode inherently have this user right assigned to them, it is not necessary to specifically assign it. + Constant: SeCreatePermanentPrivilege + ### Possible values + - User-defined list of accounts - Not Defined + ### Best practices + - Users who have the **Create permanent shared objects** user right could create new shared objects and expose sensitive data to the network. Therefore, do not assign this right to any users. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default, **LocalSystem** is the only account that has this right. + The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not Defined

Default Domain Controller Policy

Not Defined

Stand-Alone Server Default Settings

Not Defined

Domain Controller Effective Default Settings

LocalSystem

Member Server Effective Default Settings

LocalSystem

Client Computer Effective Default Settings

LocalSystem

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not Defined| +| Default Domain Controller Policy | Not Defined | +| Stand-Alone Server Default Settings | Not Defined| +| Domain Controller Effective Default Settings | **LocalSystem**| +| Member Server Effective Default Settings | **LocalSystem**| +| Client Computer Effective Default Settings | **LocalSystem**|   ## Policy management + This section describes different features and tools available to help you manage this policy. + A restart of the device is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Users who have the **Create permanent shared objects** user right could create new shared objects and expose sensitive data to the network. + ### Countermeasure + Do not assign the **Create permanent shared objects** user right to any users. Processes that require this user right should use the System account, which already includes this user right, instead of a separate user account. + ### Potential impact + None. Not Defined is the default configuration. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/create-symbolic-links.md b/windows/keep-secure/create-symbolic-links.md index 618cd6c90a..994d8de789 100644 --- a/windows/keep-secure/create-symbolic-links.md +++ b/windows/keep-secure/create-symbolic-links.md @@ -2,92 +2,96 @@ title: Create symbolic links (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Create symbolic links security policy setting. ms.assetid: 882922b9-0ff8-4ee9-8afc-4475515ee3fd -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Create symbolic links + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Create symbolic links** security policy setting. + ## Reference + This user right determines if users can create a symbolic link from the device they are logged on to. + A symbolic link is a file-system object that points to another file-system object. The object that is pointed to is called the target. Symbolic links are transparent to users. The links appear as normal files or directories, and they can be acted upon by the user or application in exactly the same manner. Symbolic links are designed to aid in migration and application compatibility with UNIX operating systems. Microsoft has implemented symbolic links to function just like UNIX links. -**Warning**   This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them. + +>**Warning:**   This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them. Constant: SeCreateSymbolicLinkPrivilege + ### Possible values + - User-defined list of accounts - Not Defined + ### Best practices + - This user right should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that are not designed to handle them. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default, members of the Administrators group have this right. + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not Defined

Default Domain Controller Policy

Not Defined

Stand-Alone Server Default Settings

Not Defined

Domain Controller Effective Default Settings

Administrators

Member Server Effective Default Settings

Administrators

Client Computer Effective Default Settings

Administrators

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not Defined| +| Default Domain Controller Policy | Not Defined| +| Stand-Alone Server Default Settings | Not Defined| +| Domain Controller Effective Default Settings | Administrators| +| Member Server Effective Default Settings | Administrators| +| Client Computer Effective Default Settings | Administrators|   ## Policy management + This section describes different features and tools available to help you manage this policy. + A restart of the device is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ### Command-line tools + This setting can be used in conjunction with a symbolic link file system setting that can be manipulated with the command-line tool to control the kinds of symlinks that are allowed on the device. For more info, type **fsutil behavior set symlinkevalution /?** at the command prompt. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Users who have the **Create symbolic links** user right could inadvertently or maliciously expose your system to symbolic link attacks. Symbolic link attacks can be used to change the permissions on a file, to corrupt data, to destroy data, or as a DoS attack. + ### Countermeasure + Do not assign the **Create symbolic links** user right to standard users. Restrict this right to trusted administrators. You can use the **fsutil** command to establish a symbolic link file system setting that controls the kind of symbolic links that can be created on a computer. + ### Potential impact + None. Not defined is the default configuration. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/create-vpn-and-edp-policy-using-intune.md b/windows/keep-secure/create-vpn-and-edp-policy-using-intune.md index 16034ac23d..760968b092 100644 --- a/windows/keep-secure/create-vpn-and-edp-policy-using-intune.md +++ b/windows/keep-secure/create-vpn-and-edp-policy-using-intune.md @@ -2,10 +2,11 @@ title: Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune (Windows 10) description: After you've created and deployed your enterprise data protection (EDP) policy, you can use Microsoft Intune to create and deploy your Virtual Private Network (VPN) policy, linking it to your EDP policy. ms.assetid: d0eaba4f-6d7d-4ae4-8044-64680a40cf6b -keywords: ["EDP", "Enterprise Data Protection"] -ms.prod: W10 +keywords: EDP, Enterprise Data Protection +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library +ms.pagetype: security author: eross-msft --- diff --git a/windows/keep-secure/create-your-applocker-planning-document.md b/windows/keep-secure/create-your-applocker-planning-document.md index 990887b439..f2b23f5937 100644 --- a/windows/keep-secure/create-your-applocker-planning-document.md +++ b/windows/keep-secure/create-your-applocker-planning-document.md @@ -2,26 +2,37 @@ title: Create your AppLocker planning document (Windows 10) description: This planning topic for the IT professional summarizes the information you need to research and include in your AppLocker planning document. ms.assetid: 41e49644-baf4-4514-b089-88adae2d624e -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Create your AppLocker planning document + **Applies to** + - Windows 10 + This planning topic for the IT professional summarizes the information you need to research and include in your AppLocker planning document. + ## The AppLocker deployment design + The design process and the planning document help you investigate application usage in your organization and record your findings so you can effectively deploy and maintain application control policies by using AppLocker. + You should have completed these steps in the design and planning process: + 1. [Determine your application control objectives](determine-your-application-control-objectives.md) 2. [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md) 3. [Select types of rules to create](select-types-of-rules-to-create.md) 4. [Determine Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md) 5. [Plan for AppLocker policy management](plan-for-applocker-policy-management.md) + ### AppLocker planning document contents + Your planning document should contain: + - A list of business groups that will participate in the application control policy project, their requirements, a description of their business processes, and contact information. - Application control policy project target dates, both for planning and deployment. - A complete list of apps used by each business group (or organizational unit), including version information and installation paths. @@ -29,10 +40,15 @@ Your planning document should contain: - A strategy for using Group Policy to deploy the AppLocker policies. - A strategy in processing the application usage events generated by AppLocker. - A strategy to maintain and manage AppLocker polices after deployment. + ### Sample template for an AppLocker planning document + You can use the following form to construct your own AppLocker planning document. + **Business group**: + **Operating system environment**: (Windows and non-Windows) + @@ -69,6 +85,7 @@ You can use the following form to construct your own AppLocker planning document
  **Rules** + @@ -110,6 +127,7 @@ You can use the following form to construct your own AppLocker planning document
  **Event processing** + @@ -139,6 +157,7 @@ You can use the following form to construct your own AppLocker planning document
  **Policy maintenance** + @@ -169,7 +188,9 @@ You can use the following form to construct your own AppLocker planning document
  ### Example of an AppLocker planning document + **Rules** + @@ -268,6 +289,7 @@ You can use the following form to construct your own AppLocker planning document
  **Event processing** + @@ -304,6 +326,7 @@ You can use the following form to construct your own AppLocker planning document
  **Policy maintenance** + @@ -348,6 +371,7 @@ You can use the following form to construct your own AppLocker planning document
  ### Additional resources + - The AppLocker Policies Design Guide is the predecessor to the AppLocker Policies Deployment Guide. When planning is complete, see the [AppLocker policies deployment guide](applocker-policies-deployment-guide.md). - For more general info, see [AppLocker](applocker-overview.md).   diff --git a/windows/keep-secure/create-your-applocker-policies.md b/windows/keep-secure/create-your-applocker-policies.md index cc275dc563..e4ecc44cee 100644 --- a/windows/keep-secure/create-your-applocker-policies.md +++ b/windows/keep-secure/create-your-applocker-policies.md @@ -2,19 +2,26 @@ title: Create Your AppLocker policies (Windows 10) description: This overview topic for the IT professional describes the steps to create an AppLocker policy and prepare it for deployment. ms.assetid: d339dee2-4da2-4d4a-b46e-f1dfb7cb4bf0 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Create Your AppLocker policies + **Applies to** - Windows 10 + This overview topic for the IT professional describes the steps to create an AppLocker policy and prepare it for deployment. + Creating effective application control policies with AppLocker starts by creating the rules for each app. Rules are grouped into one of five rule collections. The rule collection can be configured to be enforced or to run in **Audit only** mode. An AppLocker policy includes the rules in the five rule collections and the enforcement settings for each rule collection. + ## Step 1: Use your plan + You can develop an application control policy plan to guide you in making successful deployment decisions. For more info about how to do this and what you should consider, see the [AppLocker Design Guide](applocker-policies-design-guide.md). This guide is intended for security architects, security administrators, and system administrators. It contains the following topics to help you create an AppLocker policy deployment plan for your organization that will address your specific application control requirements by department, organizational unit, or business group: + 1. [Understand the AppLocker policy deployment process](understand-the-applocker-policy-deployment-process.md) 2. [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md) 3. [Determine your application control objectives](determine-your-application-control-objectives.md) @@ -23,24 +30,40 @@ You can develop an application control policy plan to guide you in making succes 6. [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md) 7. [Plan for AppLocker policy management](plan-for-applocker-policy-management.md) 8. [Create your AppLocker planning document](create-your-applocker-planning-document.md) + ## Step 2: Create your rules and rule collections + Each rule applies to one or more apps, and it imposes a specific rule condition on them. Rules can be created individually or they can be generated by the Automatically Generate Rules Wizard. For the steps to create the rules, see [Create Your AppLocker rules](create-your-applocker-rules.md). + ## Step 3: Configure the enforcement setting -An AppLocker policy is a set of rule collections that are configured with a rule enforcement setting. The enforcement setting can be **Enforce rules**, **Audit only**, or **Not configured**. If an AppLocker policy has at least one rule, and it is set to **Not configured**, all the rules in that policy will be enforced. For info about configuring the rule enforcement setting, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md) and [Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md). + +An AppLocker policy is a set of rule collections that are configured with a rule enforcement setting. The enforcement setting can be **Enforce rules**, **Audit only**, or **Not configured**. If an AppLocker policy has at least one rule, and it is set to **Not configured**, all the rules in that +policy will be enforced. For info about configuring the rule enforcement setting, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md) and [Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md). + ## Step 4: Update the GPO + AppLocker policies can be defined locally on a device or applied through Group Policy. To use Group Policy to apply AppLocker policies, you must create a new Group Policy Object (GPO) or you must update an existing GPO. You can create or modify AppLocker policies by using the Group Policy Management Console (GPMC), or you can import an AppLocker policy into a GPO. For the procedure to do this, see [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md). + ## Step 5: Test the effect of the policy + In a test environment or with the enforcement setting set at **Audit only**, verify that the results of the policy are what you intended. For info about testing a policy, see [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md). + ## Step 6: Implement the policy + Depending on your deployment method, import the AppLocker policy to the GPO in your production environment, or if the policy is already deployed, change the enforcement setting to your production environment value—**Enforce rules** or **Audit only**. + ## Step 7: Test the effect of the policy and adjust Validate the effect of the policy by analyzing the AppLocker logs for application usage, and then modify the policy as necessary. To do this, see [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md). + ## Next steps + Follow the steps described in the following topics to continue the deployment process: + 1. [Create Your AppLocker rules](create-your-applocker-rules.md) 2. [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md) 3. [Deploy the AppLocker policy into production](deploy-the-applocker-policy-into-production.md) + ## See also -[AppLocker deployment guide](applocker-policies-deployment-guide.md) -  -  + +- [AppLocker deployment guide](applocker-policies-deployment-guide.md) + diff --git a/windows/keep-secure/create-your-applocker-rules.md b/windows/keep-secure/create-your-applocker-rules.md index 15de4246f0..8bcb7daf24 100644 --- a/windows/keep-secure/create-your-applocker-rules.md +++ b/windows/keep-secure/create-your-applocker-rules.md @@ -2,54 +2,73 @@ title: Create Your AppLocker rules (Windows 10) description: This topic for the IT professional describes what you need to know about AppLocker rules and the methods that you can to create rules. ms.assetid: b684a3a5-929c-4f70-8742-04088022f232 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Create Your AppLocker rules + **Applies to** - Windows 10 + This topic for the IT professional describes what you need to know about AppLocker rules and the methods that you can to create rules. + ## Creating AppLocker rules + AppLocker rules apply to the targeted app, and they are the components that make up the AppLocker policy. Depending on your IT environment and the business group that requires application control policies, setting these access rules for each application can be time-consuming and prone to error. With AppLocker, you can generate rules automatically or create rules individually. Creating rules that are derived from your planning document can help you avoid unintended results. For info about this planning document and other planning activities, see [AppLocker Design Guide](applocker-policies-design-guide.md). + ### Automatically generate your rules + You can use a reference device to automatically create a set of default rules for each of the installed apps, test and modify each rule as necessary, and deploy the policies. Creating most of the rules for all the installed apps gives you a starting point to build and test your policies. For info about performing this task, see the following topics: + - [Configure the AppLocker reference device](configure-the-appLocker-reference-device.md) - [Run the Automatically Generate Rules wizard](run-the-automatically-generate-rules-wizard.md) - [Create AppLocker default rules](create-applocker-default-rules.md) - [Edit AppLocker rules](edit-applocker-rules.md) - [Add exceptions for an AppLocker rule](configure-exceptions-for-an-applocker-rule.md) + ### Create your rules individually + You can create rules and set the mode to **Audit only** for each installed app, test and update each rule as necessary, and then deploy the policies. Creating rules individually might be best when you are targeting a small number of applications within a business group. -**Note**   -AppLocker includes default rules for each rule collection. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. You can also edit the default rules. For information about creating the default rules for the Windows operating system, see [Create AppLocker default rules](create-applocker-default-rules.md). + +>**Note:**  AppLocker includes default rules for each rule collection. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. You can also edit the default rules. For information about creating the default rules for the Windows operating system, see [Create AppLocker default rules](create-applocker-default-rules.md).   For information about performing this task, see: + 1. [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md) 2. [Create a rule that uses a path condition](create-a-rule-that-uses-a-path-condition.md) 3. [Create a rule that uses a file hash condition](create-a-rule-that-uses-a-file-hash-condition.md) 4. [Edit AppLocker rules](edit-applocker-rules.md) 5. [Enforce AppLocker rules](enforce-applocker-rules.md) 6. [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md) + ## About selecting rules + AppLocker policies are composed of distinct rules for specific apps. These rules are grouped by collection, and they are implemented through an AppLocker policy definition. AppLocker policies are managed by using Group Policy or by using the Local Security Policy snap-in for a single computer. + When you determine what types of rules to create for each of your business groups or organizational units (OUs), you should also determine what enforcement setting to use for each group. Certain rule types are more applicable for some apps, depending on how the apps are deployed in a specific business group. + For info about how to determine and document your AppLocker rules, see [AppLocker Design Guide](applocker-policies-design-guide.md). + For info about AppLocker rules and AppLocker policies, see the following topics: + - [Understanding AppLocker rule behavior](understanding-applocker-rule-behavior.md) - [Understanding AppLocker rule exceptions](understanding-applocker-rule-exceptions.md) - [Understanding AppLocker rule collections](understanding-applocker-rule-collections.md) - [Understanding AppLocker allow and deny actions on rules](understanding-applocker-allow-and-deny-actions-on-rules.md) - [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md) - [Understanding AppLocker default rules](understanding-applocker-default-rules.md) + ## Next steps + 1. [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md) 2. [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md) 3. [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md) 4. [Deploy the AppLocker policy into production](deploy-the-applocker-policy-into-production.md) + ## Related topics -[Create Your AppLocker policies](create-your-applocker-policies.md) -  -  + +- [Create Your AppLocker policies](create-your-applocker-policies.md) diff --git a/windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md b/windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md index ee2f72275b..a1b2db57b3 100644 --- a/windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md +++ b/windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md @@ -2,7 +2,7 @@ title: Create a Device Guard code integrity policy based on a reference device (Windows 10) description: To implement Device Guard app protection, you will need to create a code integrity policy. Code integrity policies determine what apps are considered trustworthy and are allowed to run on a protected device. ms.assetid: 6C94B14E-E2CE-4F6C-8939-4B375406E825 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index cd7d9d5707..1202cb6ae3 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -2,7 +2,7 @@ title: Protect derived domain credentials with Credential Guard (Windows 10) description: Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. ms.assetid: 4F1FE390-A166-4A24-8530-EA3369FEB4B1 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security @@ -169,7 +169,7 @@ If you don't use Group Policy, you can enable Credential Guard by using the regi 2. Enable virtualization-based security: - Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\DeviceGuard. - Add a new DWORD value named **EnableVirtualizationBasedSecurity**. Set the value of this registry setting to 1 to enable virtualization-based security and set it to 0 to disable it. - - Add a new DWORD value named **RequirePlatformSecurityFeatures**. Set the value of this registry setting to 1 to use **Secure Boot** only or set it to 2 to use **Secure Boot and DMA protection**. + - Add a new DWORD value named **RequirePlatformSecurityFeatures**. Set the value of this registry setting to 1 to use **Secure Boot** only or set it to 3 to use **Secure Boot and DMA protection**. 3. Enable Credential Guard: - Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA. - Add a new DWORD value named **LsaCfgFlags**. Set the value of this registry setting to 1 to enable Credential Guard with UEFI lock, set it to 2 to enable Credential Guard without lock, and set it to 0 to disable it. @@ -239,6 +239,10 @@ You can use System Information to ensure that Credential Guard is running on a P - Credentials saved by Remote Desktop Services cannot be used to remotely connect to another machine without supplying the password. - Applications that extract derived domain credentials from Credential Manager will no longer be able to use those credentials. - You cannot restore credentials using the Credential Manager control panel if the credentials were backed up from a PC that has Credential Guard turned on. If you need to back up your credentials, you must do this before you enable Credential Guard. Otherwise, you won't be able to restore those credentials. + +### Kerberos Considerations + +When you enable Credential Guard, you can no longer use Kerberos unconstrained delegation. Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process. You must use constrained or resource-based Kerberos delegation instead. ## Scenarios not protected by Credential Guard diff --git a/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md b/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md index aa142cc631..07afd4227c 100644 --- a/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md @@ -3,9 +3,11 @@ title: View the Windows Defender Advanced Threat Protection Dashboard description: Use the Dashboard to identify machines at risk, keep track of the status of the service, and see statistics and information about machines and alerts. keywords: dashboard, alerts, new, in progress, resolved, risk, machines at risk, infections, reporting, statistics, charts, graphs, health, active malware detections, threat category, categories, password stealer, ransomware, exploit, threat, low severity, active malware search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security +author: mjcaparas --- # View the Windows Defender Advanced Threat Protection Dashboard diff --git a/windows/keep-secure/data-storage-privacy-windows-defender-advanced-threat-protection.md b/windows/keep-secure/data-storage-privacy-windows-defender-advanced-threat-protection.md index 1286313495..a5d2bec8ce 100644 --- a/windows/keep-secure/data-storage-privacy-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/data-storage-privacy-windows-defender-advanced-threat-protection.md @@ -3,9 +3,11 @@ title: Windows Defender ATP data storage and privacy description: Learn about how Windows Defender ATP handles privacy and data that it collects. keywords: Windows Defender ATP data storage and privacy, storage, privacy search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security +author: mjcaparas --- # Windows Defender ATP data storage and privacy diff --git a/windows/keep-secure/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md b/windows/keep-secure/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md index 5d4da312b6..99fd9c7f66 100644 --- a/windows/keep-secure/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md +++ b/windows/keep-secure/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md @@ -2,86 +2,91 @@ title: DCOM Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax (Windows 10) description: Describes the best practices, location, values, and security considerations for the DCOM Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax policy setting. ms.assetid: 0fe3521a-5252-44df-8a47-8d92cf936e7c -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** policy setting. + ## Reference + This policy setting allows you to define additional computer-wide controls that govern access to all Distributed Component Object Model (DCOM)–based applications on a device. These controls restrict call, activation, or launch requests on the device. A simple way to think about these access controls is as an additional access check that is performed against a device-wide access control list (ACL) on each call, activation, or launch of any COM-based server. If the access check fails, the call, activation, or launch request is denied. (This check is in addition to any access check that is run against the server-specific ACLs.) In effect, it provides a minimum authorization standard that must be passed to access any COM-based server. This policy setting controls access permissions to cover call rights. + These device-wide ACLs provide a way to override weak security settings that are specified by an application through the CoInitializeSecurity function or application-specific security settings. They provide a minimum security standard that must be passed, regardless of the settings of the specific server. + These ACLs also provide a centralized location for an administrator to set a general authorization policy that applies to all COM-based servers on the device. + This policy setting allows you to specify an ACL in two different ways. You can type the security descriptor in SDDL, or you can grant or deny Local Access and Remote Access permissions to users and groups. We recommend that you use the built-in user interface to specify the ACL contents that you want to apply with this setting. The default ACL settings vary, depending on the version of Windows you are running. + ### Possible values + - *User-defined input* of the SDDL representation of the groups and privileges + When you specify the users or groups that are to be given permissions, the security descriptor field is populated with the Security Descriptor Definition Language representation of those groups and privileges. Users and groups can be given explicit Allow or Deny privileges for local access and remote access. + - Blank + This represents how the local security policy deletes the policy enforcement key. This value deletes the policy and then sets it as Not defined. The Blank value is set by using the ACL editor to empty the list, and then pressing OK. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Blank

Default Domain Controller Policy

Blank

Stand-Alone Server Default Settings

Blank

DC Effective Default Settings

Not defined

Member Server Effective Default Settings

Not defined

Client Computer Effective Default Settings

Not defined

+ +| Server type or GPO | Default value +| - | - | +| Default Domain Policy | Blank | +| Default Domain Controller Policy | Blank | +| Stand-Alone Server Default Settings | Blank | +| DC Effective Default Settings | Not defined | +| Member Server Effective Default Settings | Not defined | +| Client Computer Effective Default Settings | Not defined |   ## Policy management + This section describes features and tools that are available to help you manage this policy. ### Restart requirement + None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. + ### Group Policy + The registry settings that are created as a result of enabling the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** policy setting take precedence over the previous registry settings when this policy setting was configured. The Remote Procedure Call (RPC) service checks the new registry keys in the Policies section for the computer restrictions, and these registry entries take precedence over the existing registry keys under OLE. This means that previously existing registry settings are no longer effective, and if you make changes to the existing settings, device access permissions for users are not changed. Use care in configuring the list of users and groups. -If the administrator is denied permission to access DCOM applications due to the changes made to DCOM in the Windows operating system, the administrator can use the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** policy setting to manage DCOM access to the computer. The administrator can use this setting to specify which users and groups can access the DCOM application on the computer locally and remotely. This will restore control of the DCOM application to the administrator and users. To do this, open the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** setting, and click **Edit Security**. Specify the users or groups you want to include and the computer access permissions for those users or groups. This defines the setting and sets the appropriate SDDL value. + +If the administrator is denied permission to access DCOM applications due to the changes made to DCOM in the Windows operating system, the administrator can use the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** policy setting to manage DCOM access to the computer. The administrator can use this setting to specify which users and groups can access the DCOM application on the computer locally and remotely. This will restore control of the DCOM application to the administrator and users. To do this, open the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** setting, and click +**Edit Security**. Specify the users or groups you want to include and the computer access permissions for those users or groups. This defines the setting and sets the appropriate SDDL value. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Many COM applications include some security-specific code (for example, to call CoInitializeSecurity), but they use weak settings that allow unauthenticated access to the process. Administrators cannot override these settings to force stronger security in earlier versions of Windows without modifying the application. An attacker could attempt to exploit weak security in an individual application by attacking it through COM calls. + Also, the COM infrastructure includes the Remote Procedure Call Services (RPCSS), a system service that runs during and after computer startup. This service manages activation of COM objects and the running object table and provides helper services to DCOM remoting. It exposes RPC interfaces that can be called remotely. Because some COM-based servers allow unauthenticated remote access, these interfaces can be called by anyone, including unauthenticated users. As a result, RPCSS can be attacked by malicious users who use remote, unauthenticated computers. + ### Countermeasure + To protect individual COM-based applications or services, set the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** setting to an appropriate device-wide ACL. + ### Potential impact + Windows implements default COM ACLs when they are installed. Modifying these ACLs from the default may cause some applications or components that communicate by using DCOM to fail. If you implement a COM-based server and you override the default security settings, confirm that the application-specific call permissions that ACL assigns are the correct permissions for appropriate users. If it does not, you must change your application-specific permission ACL to provide appropriate users with activation rights so that applications and Windows components that use DCOM do not fail. + ## Related topics -[Security Options](security-options.md) + +- [Security Options](security-options.md)     diff --git a/windows/keep-secure/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md b/windows/keep-secure/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md index ec95e60bb9..6b5d3ee2c2 100644 --- a/windows/keep-secure/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md +++ b/windows/keep-secure/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md @@ -2,86 +2,90 @@ title: DCOM Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax (Windows 10) description: Describes the best practices, location, values, and security considerations for the DCOM Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax security policy setting. ms.assetid: 4b95d45f-dd62-4c34-ba32-43954528dabe -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft + --- + # DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax** security policy setting. + ## Reference + This policy setting is similar to the [DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax](dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md) setting in that it allows you to define additional computer-wide controls that govern access to all DCOM–based applications on a device. However, the ACLs that are specified in this policy setting control local and remote COM launch requests (not access requests) on the device. A simple way to think about this access control is as an additional access check that is performed against a device-wide ACL on each launch of any COM-based server. If the access check fails, the call, activation, or launch request is denied. (This check is in addition to any access check that is run against the server-specific ACLs.) In effect, it provides a minimum authorization standard that must be passed to launch any COM-based server. The DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax policy setting differs in that it provides a minimum access check that is applied to attempts to access an already launched COM-based server. + These device-wide ACLs provide a way to override weak security settings that are specified by an application through CoInitializeSecurity or application-specific security settings. They provide a minimum security standard that must be passed, regardless of the settings of the specific COM-based server. These ACLs provide a centralized location for an administrator to set a general authorization policy that applies to all COM-based servers. -The **DCOM: Machine Launch Restrictions in the Security Descriptor Definition Language (SDDL) syntax** setting allows you to specify an ACL in two ways. You can type the security descriptor in SDDL, or you can grant or deny Local Access and Remote Access permissions to users and groups. We recommend that you use the built-in user interface to specify the ACL contents that you want to apply with this setting. The default ACL settings vary, depending on the version of Windows you are running. +The **DCOM: Machine Launch Restrictions in the Security Descriptor Definition Language (SDDL) syntax** setting allows you to specify an ACL in two ways. You can type the security descriptor in SDDL, or you can grant or deny Local +Access and Remote Access permissions to users and groups. We recommend that you use the built-in user interface to specify the ACL contents that you want to apply with this setting. The default ACL settings vary, depending on the version of Windows you are running. + ### Possible values + - Blank + This represents how the local security policy deletes the policy enforcement key. This value deletes the policy and then sets it to Not defined. The Blank value is set by using the ACL editor to empty the list, and then pressing OK. + - *User-defined input* of the SDDL representation of the groups and privileges + When you specify the users or groups that are to be given permission, the security descriptor field is populated with the Security Descriptor Definition Language representation of those groups and privileges. Users and groups can be given explicit Allow or Deny privileges on both local access and remote access. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Blank

Default Domain Controller Policy

Blank

Stand-Alone Server Default Settings

Blank

DC Effective Default Settings

Not defined

Member Server Effective Default Settings

Not defined

Client Computer Effective Default Settings

Not defined

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Blank | +| Default Domain Controller Policy | Blank| +| Stand-Alone Server Default Settings |Blank | +| DC Effective Default Settings | Not defined| +| Member Server Effective Default Settings | Not defined | +| Client Computer Effective Default Settings | Not defined|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. + ### Group Policy + The registry settings that are created as a result of this policy take precedence over the previous registry settings in this area. The Remote Procedure Call (RPC) service (RpcSs) checks the new registry keys in the Policies section for the computer restrictions; these entries take precedence over the existing registry keys under OLE. + If you are denied access to activate and launch DCOM applications due to the changes made to DCOM in the Windows operating system, this policy setting can be used to control the DCOM activation and launch to the device. + You can specify which users and groups can launch and activate DCOM applications on the device locally and remotely by using the **DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax** policy setting. This restores control of the DCOM application to the administrator and specified users. To do this, open the **DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax** setting, and click **Edit Security**. Specify the groups that you want to include and the device launch permissions for those groups. This defines the setting and sets the appropriate SDDL value. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Many COM applications include some security-specific code (for example, to call CoInitializeSecurity), but they use weak settings that allow unauthenticated access to the process. You cannot override these settings to force stronger security in earlier versions of Windows without modifying the application. An attacker could attempt to exploit weak security in an individual application by attacking it through COM calls. + Also, the COM infrastructure includes the Remote Procedure Call Service (RPCSS), a system service that runs during computer startup and always runs after that. This service manages activation of COM objects and the running object table and provides helper services to DCOM remoting. It exposes RPC interfaces that can be called remotely. Because some COM-based servers allow unauthenticated remote component activation, these interfaces can be called by anyone, including unauthenticated users. As a result, RPCSS can be attacked by malicious users using remote, unauthenticated computers. + ### Countermeasure + To protect individual COM-based applications or services, set this policy setting to an appropriate computer-wide ACL. + ### Potential impact + Windows implements default COM ACLs when they are installed. Modifying these ACLs from the default may cause some applications or components that communicate by using DCOM to fail. If you implement a COM-based server and you override the default security settings, confirm that the application-specific launch permissions ACL assigns include activation permissions to appropriate users. If it does not, you must change your application-specific launch permission ACL to provide appropriate users with activation rights so that applications and Windows components that use DCOM do not fail. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/debug-programs.md b/windows/keep-secure/debug-programs.md index cfcafef2b9..810c6a21b5 100644 --- a/windows/keep-secure/debug-programs.md +++ b/windows/keep-secure/debug-programs.md @@ -2,88 +2,91 @@ title: Debug programs (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Debug programs security policy setting. ms.assetid: 594d9f2c-8ffc-444b-9522-75615ec87786 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Debug programs + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Debug programs** security policy setting. + ## Reference + This policy setting determines which users can attach to or open any process, even those they do not own. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components need this user right. This user right provides access to sensitive and critical operating-system components. + Constant: SeDebugPrivilege + ### Possible values + - User-defined list of accounts - Not defined + ### Best practices + - Assign this user right only to trusted users to reduce security vulnerabilities. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default, members of the Administrators group have this right. + The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Administrators

Stand-Alone Server Default Settings

Administrators

Domain Controller Effective Default Settings

Administrators

Member Server Effective Default Settings

Administrators

Client Computer Effective Default Settings

Administrators

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Administrators | +| Stand-Alone Server Default Settings | Administrators | +| Domain Controller Effective Default Settings | Administrators | +| Member Server Effective Default Settings | Administrators | +| Client Computer Effective Default Settings | Administrators |   ## Policy management + This section describes features and tools that are available to help you manage this policy. + A restart of the device is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability -The **Debug programs** user right can be exploited to capture sensitive device information from system memory or to access and modify kernel or application structures. Some attack tools exploit this user right to extract hashed passwords and other private security information or to insert malware. By default, the **Debug programs** user right is assigned only to administrators, which helps mitigate risk from this vulnerability. + +The **Debug programs** user right can be exploited to capture sensitive device information from system memory or to access and modify kernel or application structures. Some attack tools exploit this user right to extract hashed passwords and other private security information or to insert malware. +By default, the **Debug programs** user right is assigned only to administrators, which helps mitigate risk from this vulnerability. + ### Countermeasure + Remove the accounts of all users and groups that do not require the **Debug programs** user right. + ### Potential impact -If you revoke this user right, no one can debug programs. However, typical circumstances rarely require this capability on production devices. If an issue arises that requires an application to be debugged on a production server, you can move the server to a different organizational unit (OU) temporarily and assign the **Debug programs** user right to a separate Group Policy for that OU. + +If you revoke this user right, no one can debug programs. However, typical circumstances rarely require this capability on production devices. If an issue arises that requires an application to be debugged on a production server, you can move the server to a different organizational unit (OU) +temporarily and assign the **Debug programs** user right to a separate Group Policy for that OU. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/delete-an-applocker-rule.md b/windows/keep-secure/delete-an-applocker-rule.md index 7b34477fad..3d4888fb73 100644 --- a/windows/keep-secure/delete-an-applocker-rule.md +++ b/windows/keep-secure/delete-an-applocker-rule.md @@ -2,26 +2,33 @@ title: Delete an AppLocker rule (Windows 10) description: This topic for IT professionals describes the steps to delete an AppLocker rule. ms.assetid: 382b4be3-0df9-4308-89b2-dcf9df351eb5 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Delete an AppLocker rule + **Applies to** - Windows 10 + This topic for IT professionals describes the steps to delete an AppLocker rule. + As older apps are retired and new apps are deployed in your organization, it will be necessary to modify the application control policies. If an app becomes unsupported by the IT department or is no longer allowed due to the organization's security policy, then deleting the rule or rules associated with that app will prevent the app from running. + For info about testing an AppLocker policy to see what rules affect which files or applications, see [Test an AppLocker policy by Using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md). -You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). + +You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer +AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). + **To delete a rule in an AppLocker policy** + 1. Open the AppLocker console. 2. Click the appropriate rule collection for which you want to delete the rule. 3. In the details pane, right-click the rule to delete, click **Delete**, and then click **Yes**. -**Note**   -When using Group Policy, for the rule deletion to take effect on computers within the domain, the GPO must be distributed or refreshed. + +>**Note:**  When using Group Policy, for the rule deletion to take effect on computers within the domain, the GPO must be distributed or refreshed. + When this procedure is performed on the local device, the AppLocker policy takes effect immediately. -  -  -  diff --git a/windows/keep-secure/deny-access-to-this-computer-from-the-network.md b/windows/keep-secure/deny-access-to-this-computer-from-the-network.md index 07247e4be1..fbad5a0ca8 100644 --- a/windows/keep-secure/deny-access-to-this-computer-from-the-network.md +++ b/windows/keep-secure/deny-access-to-this-computer-from-the-network.md @@ -2,94 +2,99 @@ title: Deny access to this computer from the network (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Deny access to this computer from the network security policy setting. ms.assetid: 935e9f89-951b-4163-b186-fc325682bb0b -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Deny access to this computer from the network + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Deny access to this computer from the network** security policy setting. + ## Reference + This security setting determines which users are prevented from accessing a device over the network. + Constant: SeDenyNetworkLogonRight + ### Possible values + - User-defined list of accounts - Guest + ### Best practices + - Because all Active Directory Domain Services programs use a network logon for access, use caution when you assign this user right on domain controllers. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default, this setting is Guest on domain controllers and on stand-alone servers. + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Guest

Stand-Alone Server Default Settings

Guest

Domain Controller Effective Default Settings

Guest

Member Server Effective Default Settings

Guest

Client Computer Effective Default Settings

Guest

+ + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined | +| Default Domain Controller Policy | Guest | +| Stand-Alone Server Default Settings | Guest | +| Domain Controller Effective Default Settings | Guest | +| Member Server Effective Default Settings | Guest | +| Client Computer Effective Default Settings | Guest |   ## Policy management + This section describes features and tools available to help you manage this policy. + A restart of the device is not required for this policy setting to be effective. + This policy setting supersedes the **Access this computer from the network** policy setting if a user account is subject to both policies. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Users who can log on to the device over the network can enumerate lists of account names, group names, and shared resources. Users with permission to access shared folders and files can connect over the network and possibly view or modify data. + ### Countermeasure + Assign the **Deny access to this computer from the network** user right to the following accounts: + - Anonymous logon - Built-in local Administrator account - Local Guest account - All service accounts + An important exception to this list is any service accounts that are used to start services that must connect to the device over the network. For example, let’s say you have configured a shared folder for web servers to access, and you present content within that folder through a website. You may need to allow the account that runs IIS to log on to the server with the shared folder from the network. This user right is particularly effective when you must configure servers and workstations on which sensitive information is handled because of regulatory compliance concerns. + ### Potential impact + If you configure the **Deny access to this computer from the network** user right for other accounts, you could limit the abilities of users who are assigned to specific administrative roles in your environment. You should verify that delegated tasks are not negatively affected. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/deny-log-on-as-a-batch-job.md b/windows/keep-secure/deny-log-on-as-a-batch-job.md index 11dbb9313f..5edb8ca898 100644 --- a/windows/keep-secure/deny-log-on-as-a-batch-job.md +++ b/windows/keep-secure/deny-log-on-as-a-batch-job.md @@ -2,92 +2,98 @@ title: Deny log on as a batch job (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Deny log on as a batch job security policy setting. ms.assetid: 0ac36ebd-5e28-4b6a-9b4e-8924c6ecf44b -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Deny log on as a batch job + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Deny log on as a batch job** security policy setting. + ## Reference -This policy setting determines which accounts are prevented from logging on by using a batch-queue tool to schedule and start jobs automatically in the future. The ability to log on by using a batch-queue tool is needed for any account that is used to start scheduled jobs by means of the Task Scheduler. + +This policy setting determines which accounts are prevented from logging on by using a batch-queue tool to schedule and start jobs automatically in the future. The ability to log on by using a batch-queue tool is needed for any account that is used to start scheduled jobs by means of the Task +Scheduler. + Constant: SeDenyBatchLogonRight + ### Possible values + - User-defined list of accounts - Not defined + ### Best practices + 1. When you assign this user right, thoroughly test that the effect is what you intended. 2. Within a domain, modify this setting on the applicable Group Policy Object (GPO). 3. **Deny log on as a batch job** prevents administrators or operators from using their personal accounts to schedule tasks, which helps with business continuity when that person transitions to other positions or responsibilities. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Not defined

Domain Controller Effective Default Settings

Not defined

Member Server Effective Default Settings

Not defined

Client Computer Effective Default Settings

Not defined

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Not defined | +| Stand-Alone Server Default Settings | Not defined | +| Domain Controller Effective Default Settings | Not defined | +| Member Server Effective Default Settings | Not defined | +| Client Computer Effective Default Settings | Not defined |   ## Policy management + This section describes features and tools available to help you manage this policy. + A restart of the device is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + This policy setting might conflict with and negate the **Log on as a batch job** setting. + ### Group Policy + On a domain-joined device, including the domain controller, this policy can be overwritten by a domain policy, which will prevent you from modifying the local policy setting. -For example, if you are trying to configure Task Scheduler on your domain controller, check the Settings tab of your two domain controller policy and domain policy GPOs in the Group Policy Management Console (GPMC). Verify the targeted account is not present in the **Deny log on as a batch job** User Rights Assignment and also correctly configured in the **Log on as a batch job** setting. + +For example, if you are trying to configure Task Scheduler on your domain controller, check the Settings tab of your two domain controller policy and domain policy GPOs in the Group Policy Management Console (GPMC). Verify the targeted account is not present in the **Deny log on as a batch job** + +User Rights Assignment and also correctly configured in the **Log on as a batch job** setting. + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Accounts that have the **Deny log on as a batch job** user right could be used to schedule jobs that could consume excessive computer resources and cause a denial-of-service condition. + ### Countermeasure + Assign the **Deny log on as a batch job** user right to the local Guest account. + ### Potential impact + If you assign the **Deny log on as a batch job** user right to other accounts, you could deny the ability to perform required job activities to users who are assigned specific administrative roles. You should confirm that delegated tasks are not affected adversely. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/deny-log-on-as-a-service.md b/windows/keep-secure/deny-log-on-as-a-service.md index af4556d1b8..7acdea2a4c 100644 --- a/windows/keep-secure/deny-log-on-as-a-service.md +++ b/windows/keep-secure/deny-log-on-as-a-service.md @@ -2,91 +2,95 @@ title: Deny log on as a service (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Deny log on as a service security policy setting. ms.assetid: f1114964-df86-4278-9b11-e35c66949794 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Deny log on as a service + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Deny log on as a service** security policy setting. + ## Reference + This policy setting determines which users are prevented from logging on to the service applications on a device. + A service is an application type that runs in the system background without a user interface. It provides core operating system features, such as web serving, event logging, file serving, printing, cryptography, and error reporting. + Constant: SeDenyServiceLogonRight + ### Possible values + - User-defined list of accounts - Not defined + ### Best practices + 1. When you assign this user right, thoroughly test that the effect is what you intended. 2. Within a domain, modify this setting on the applicable Group Policy Object (GPO). + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Not defined

Domain Controller Effective Default Settings

Not defined

Member Server Effective Default Settings

Not defined

Client Computer Effective Default Settings

Not defined

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Not defined | +| Domain Controller Effective Default Settings | Not defined | +| Member Server Effective Default Settings | Not defined | +| Client Computer Effective Default Settings | Not defined |   ## Policy management + This section describes features and tools available to help you manage this policy. + A restart of the computer is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + On a domain-joined device, including the domain controller, this policy can be overwritten by a domain policy, which will prevent you from modifying the local policy setting. + This policy setting might conflict with and negate the **Log on as a service** setting. + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability -Accounts that can log on to a service application could be used to configure and start new unauthorized services, such as a keylogger or other malware. The benefit of the specified countermeasure is somewhat reduced by the fact that only users with administrative rights can install and configure services, and an attacker who has already attained that level of access could configure the service to run by using the System account. + +Accounts that can log on to a service application could be used to configure and start new unauthorized services, such as a keylogger or other malware. The benefit of the specified countermeasure is somewhat reduced by the fact that only users with administrative rights can install and configure +services, and an attacker who has already attained that level of access could configure the service to run by using the System account. + ### Countermeasure + We recommend that you not assign the **Deny log on as a service** user right to any accounts. This is the default configuration. Organizations that are extremely concerned about security might assign this user right to groups and accounts when they are certain that they will never need to log on to a service application. + ### Potential impact + If you assign the **Deny log on as a service** user right to specific accounts, services may not start and a denial-of-service condition could result. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/deny-log-on-locally.md b/windows/keep-secure/deny-log-on-locally.md index e8bc095116..cd84f05560 100644 --- a/windows/keep-secure/deny-log-on-locally.md +++ b/windows/keep-secure/deny-log-on-locally.md @@ -2,90 +2,92 @@ title: Deny log on locally (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Deny log on locally security policy setting. ms.assetid: 00150e88-ec9c-43e1-a70d-33bfe10434db -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Deny log on locally + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Deny log on locally** security policy setting. + ## Reference + This policy setting determines which users are prevented from logging on directly at the device's console. + Constant: SeDenyInteractiveLogonRight + ### Possible values + - User-defined list of accounts - Not defined + ### Best practices + 1. Assign the **Deny log on locally** user right to the local guest account to restrict access by potentially unauthorized users. 2. Test your modifications to this policy setting in conjunction with the **Allow log on locally** policy setting to determine if the user account is subject to both policies. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Not defined

Domain Controller Effective Default Settings

Not defined

Member Server Effective Default Settings

Not defined

Client Computer Effective Default Settings

Not defined

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined | +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Not defined| +| Domain Controller Effective Default Settings | Not defined| +| Member Server Effective Default Settings | Not defined| +| Client Computer Effective Default Settings | Not defined|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the device is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + If you apply this policy setting to the Everyone group, no one will be able to log on locally. + ### Group Policy + This policy setting supersedes the **Allow log on locally** policy setting if a user account is subject to both policies. + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Any account with the ability to log on locally could be used to log on at the console of the device. If this user right is not restricted to legitimate users who must log on to the console of the device, unauthorized users might download and run malicious software that elevates their user rights. + ### Countermeasure + Assign the **Deny log on locally** user right to the local Guest account. If you have installed optional components such as ASP.NET, you may want to assign this user right to additional accounts that are required by those components. + ### Potential impact + If you assign the **Deny log on locally** user right to additional accounts, you could limit the abilities of users who are assigned to specific roles in your environment. However, this user right should explicitly be assigned to the ASPNET account on device that are configured with the Web Server role. You should confirm that delegated activities are not adversely affected. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/deny-log-on-through-remote-desktop-services.md b/windows/keep-secure/deny-log-on-through-remote-desktop-services.md index 85f6651839..8e5065b443 100644 --- a/windows/keep-secure/deny-log-on-through-remote-desktop-services.md +++ b/windows/keep-secure/deny-log-on-through-remote-desktop-services.md @@ -2,89 +2,91 @@ title: Deny log on through Remote Desktop Services (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Deny log on through Remote Desktop Services security policy setting. ms.assetid: 84bbb807-287c-4acc-a094-cf0ffdcbca67 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Deny log on through Remote Desktop Services + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Deny log on through Remote Desktop Services** security policy setting. + ## Reference + This policy setting determines which users are prevented from logging on to the device through a Remote Desktop connection through Remote Desktop Services. It is possible for a user to establish a Remote Desktop connection to a particular server, but not be able to log on to the console of that server. + Constant: SeDenyRemoteInteractiveLogonRight + ### Possible values + - User-defined list of accounts - Not defined + ### Best practices + - To control who can open a Remote Desktop connection and log on to the device, add the user account to or remove user accounts from the Remote Desktop Users group. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Not defined

Domain Controller Effective Default Settings

Not defined

Member Server Effective Default Settings

Not defined

Client Computer Effective Default Settings

Not defined

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined | +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Not defined| +| Domain Controller Effective Default Settings | Not defined| +| Member Server Effective Default Settings | Not defined| +| Client Computer Effective Default Settings | Not defined|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the computer is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + The **Remote System** property controls settings for Remote Desktop Services (**Allow or prevent remote connections to the computer**) and for Remote Assistance (**Allow Remote Assistance connections to this computer**). + ### Group Policy + This policy setting supersedes the [Allow log on through Remote Desktop Services](allow-log-on-through-remote-desktop-services.md) policy setting if a user account is subject to both policies. + Group Policy settings are applied in the following order. They overwrite settings on the local device at the next Group Policy update. + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. Organizational unit policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Any account with the right to log on through Remote Desktop Services could be used to log on to the remote console of the device. If this user right is not restricted to legitimate users who need to log on to the console of the computer, malicious users might download and run software that elevates their user rights. + ### Countermeasure + Assign the **Deny log on through Remote Desktop Services** user right to the built-in local guest account and all service accounts. If you have installed optional components, such as ASP.NET, you may want to assign this user right to additional accounts that are required by those components. + ### Potential impact + If you assign the **Deny log on through Remote Desktop Services** user right to other groups, you could limit the abilities of users who are assigned to specific administrative roles in your environment. Accounts that have this user right cannot connect to the device through Remote Desktop Services or Remote Assistance. You should confirm that delegated tasks are not negatively affected. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/deploy-applocker-policies-by-using-the-enforce-rules-setting.md b/windows/keep-secure/deploy-applocker-policies-by-using-the-enforce-rules-setting.md index cfd595104f..b5ecdf6702 100644 --- a/windows/keep-secure/deploy-applocker-policies-by-using-the-enforce-rules-setting.md +++ b/windows/keep-secure/deploy-applocker-policies-by-using-the-enforce-rules-setting.md @@ -2,34 +2,54 @@ title: Deploy AppLocker policies by using the enforce rules setting (Windows 10) description: This topic for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method. ms.assetid: fd3a3d25-ff3b-4060-8390-6262a90749ba -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + + # Deploy AppLocker policies by using the enforce rules setting + **Applies to** - Windows 10 + This topic for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method. + ## Background and prerequisites + These procedures assume that you have already deployed AppLocker policies with the enforcement set to **Audit only**, and you have been collecting data through the AppLocker event logs and other channels to determine what effect these policies have on your environment and the policy's adherence to your application control design. + For info about the AppLocker policy enforcement setting, see [Understand AppLocker enforcement settings](understand-applocker-enforcement-settings.md). + For info about how to plan an AppLocker policy deployment, see [AppLocker Design Guide](applocker-policies-design-guide.md). + ## Step 1: Retrieve the AppLocker policy + Updating an AppLocker policy that is currently enforced in your production environment can have unintended results. Using Group Policy, you can export the policy from the Group Policy Object (GPO) and then update the rule or rules by using AppLocker on your AppLocker reference or test PC. For the procedure to do this, see [Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md) and [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md). For local AppLocker policies, you can update the rule or rules by using the Local Security policy snap-in (secpol.msc) on your AppLocker reference or test PC. For the procedures to do this, see [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) and [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md). + ## Step 2: Alter the enforcement setting + Rule enforcement is applied only to a collection of rules, not to individual rules. AppLocker divides the rules into collections: executable files, Windows Installer files, packaged apps, scripts, and DLL files. By default, if enforcement is not configured and rules are present in a rule collection, those rules are enforced. For information about the enforcement setting, see [Understand AppLocker Enforcement Settings](understand-applocker-enforcement-settings.md). For the procedure to alter the enforcement setting, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md). + ## Step 3: Update the policy -You can edit an AppLocker policy by adding, changing, or removing rules. However, you cannot specify a version for the AppLocker policy by importing additional rules. To ensure version control when modifying an AppLocker policy, use Group Policy management software that allows you to create versions of GPOs. An example of this type of software is the [Advanced Group Policy Management](http://go.microsoft.com/fwlink/p/?LinkId=145013) feature from the Microsoft Desktop Optimization Pack. -**Caution**   -You should not edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can create unexpected behavior. + +You can edit an AppLocker policy by adding, changing, or removing rules. However, you cannot specify a version for the AppLocker policy by importing additional rules. To ensure version control when modifying an AppLocker policy, use Group Policy management software that allows you to create versions of GPOs. An example of this type of software is the [Advanced Group Policy Management](http://go.microsoft.com/fwlink/p/?LinkId=145013) feature from the +Microsoft Desktop Optimization Pack. + +>**Caution:**  You should not edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can create unexpected behavior.   For the procedure to update the GPO, see [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md). + For the procedures to distribute policies for local PCs by using the Local Security Policy snap-in (secpol.msc), see [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) and [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md). + ## Step 4: Monitor the effect of the policy + When a policy is deployed, it is important to monitor the actual implementation of that policy. You can do this by monitoring your support organization's app access request activity and reviewing the AppLocker event logs. To monitor the effect of the policy, see [Monitor Application Usage with AppLocker](monitor-application-usage-with-applocker.md). + ## Additional resources + - For steps to perform other AppLocker policy tasks, see [Administer AppLocker](administer-applocker.md).     diff --git a/windows/keep-secure/deploy-edp-policy-using-intune.md b/windows/keep-secure/deploy-edp-policy-using-intune.md index 6893478523..7b23a44cf2 100644 --- a/windows/keep-secure/deploy-edp-policy-using-intune.md +++ b/windows/keep-secure/deploy-edp-policy-using-intune.md @@ -2,10 +2,11 @@ title: Deploy your enterprise data protection (EDP) policy using Microsoft Intune (Windows 10) description: After you’ve created your enterprise data protection (EDP) policy, you'll need to deploy it to your organization's enrolled devices. ms.assetid: 9c4a01e7-0b1c-4f15-95d0-0389f0686211 -keywords: ["EDP", "Enterprise Data Protection", "Intune"] -ms.prod: W10 +keywords: EDP, Enterprise Data Protection, Intune +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library +ms.pagetype: security author: eross-msft --- diff --git a/windows/keep-secure/deploy-the-applocker-policy-into-production.md b/windows/keep-secure/deploy-the-applocker-policy-into-production.md index 1fbb0a2cc3..e56061213f 100644 --- a/windows/keep-secure/deploy-the-applocker-policy-into-production.md +++ b/windows/keep-secure/deploy-the-applocker-policy-into-production.md @@ -2,31 +2,45 @@ title: Deploy the AppLocker policy into production (Windows 10) description: This topic for the IT professional describes the tasks that should be completed before you deploy AppLocker application control settings. ms.assetid: ebbb1907-92dc-499e-8cee-8e637483c9ae -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Deploy the AppLocker policy into production + **Applies to** - Windows 10 + This topic for the IT professional describes the tasks that should be completed before you deploy AppLocker application control settings. + After successfully testing and modifying the AppLocker policy for each Group Policy Object (GPO), you are ready to deploy the enforcement settings into production. For most organizations, this means switching the AppLocker enforcement setting from **Audit only** to **Enforce rules**. However, it is important to follow the deployment plan that you created earlier. For more info, see the [AppLocker Design Guide](applocker-policies-design-guide.md). Depending on the needs of different business groups in your organization, you might deploy different enforcement settings for linked GPOs. + ### Understand your design decisions + Before you deploy an AppLocker policy, you should determine: + - For each business group, which applications will be controlled and in what manner. For more info, see [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md). - How to handle requests for application access. For info about what to consider when developing your support policies, see [Plan for AppLocker policy management](plan-for-applocker-policy-management.md). - How to manage events, including forwarding events. For info about event management in AppLocker, see [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md). - Your GPO structure, including how to include policies generated by Software Restriction Policies and AppLocker policies. For more info, see [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md). + For info about how AppLocker deployment is dependent on design decisions, see [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md). + ### AppLocker deployment methods -If you have configured a reference device, you can create and update your AppLocker policies on this device, test the policies, and then export the policies to the appropriate GPO for distribution. Another method is to create the policies and set the enforcement setting on **Audit only**, then observe the events that are generated. + +If you have configured a reference device, you can create and update your AppLocker policies on this device, test the policies, and then export the policies to the appropriate GPO for distribution. Another method is to create the policies and set the enforcement setting on **Audit only**, then +observe the events that are generated. - [Use a reference device to create and maintain AppLocker policies](use-a-reference-computer-to-create-and-maintain-applocker-policies.md) + This topic describes the steps to use an AppLocker reference computer to prepare application control policies for deployment by using Group Policy or other means. + - [Deploy AppLocker policies by using the enforce rules setting](deploy-applocker-policies-by-using-the-enforce-rules-setting.md) + This topic describes the steps to deploy the AppLocker policy by changing the enforcement setting to **Audit only** or to **Enforce rules**. + ## See also -[AppLocker deployment guide](applocker-policies-deployment-guide.md) -  -  + +- [AppLocker deployment guide](applocker-policies-deployment-guide.md) diff --git a/windows/keep-secure/determine-group-policy-structure-and-rule-enforcement.md b/windows/keep-secure/determine-group-policy-structure-and-rule-enforcement.md index 68200b376d..1544475c03 100644 --- a/windows/keep-secure/determine-group-policy-structure-and-rule-enforcement.md +++ b/windows/keep-secure/determine-group-policy-structure-and-rule-enforcement.md @@ -2,51 +2,33 @@ title: Determine the Group Policy structure and rule enforcement (Windows 10) description: This overview topic describes the process to follow when you are planning to deploy AppLocker rules. ms.assetid: f435fcbe-c7ac-4ef0-9702-729aab64163f -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Determine the Group Policy structure and rule enforcement + **Applies to** - Windows 10 + This overview topic describes the process to follow when you are planning to deploy AppLocker rules. + ## In this section - ---- - - - - - - - - - - - - - - - - - - - - -
TopicDescription

[Understand AppLocker enforcement settings](understand-applocker-enforcement-settings.md)

This topic describes the AppLocker enforcement settings for rule collections.

[Understand AppLocker rules and enforcement setting inheritance in Group Policy](understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md)

This topic for the IT professional describes how application control policies configured in AppLocker are applied through Group Policy.

[Document the Group Policy structure and AppLocker rule enforcement](document-group-policy-structure-and-applocker-rule-enforcement.md)

This planning topic describes what you need to investigate, determine, and record in your application control policies plan when you use AppLocker.

+ +| Topic | Description | +| - | - | +| [Understand AppLocker enforcement settings](understand-applocker-enforcement-settings.md) | This topic describes the AppLocker enforcement settings for rule collections. | +| [Understand AppLocker rules and enforcement setting inheritance in Group Policy](understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md) | This topic for the IT professional describes how application control policies configured in AppLocker are applied through Group Policy.| +| [Document the Group Policy structure and AppLocker rule enforcement](document-group-policy-structure-and-applocker-rule-enforcement.md) | This planning topic describes what you need to investigate, determine, and record in your application control policies plan when you use AppLocker. |   When you are determining how many Group Policy Objects (GPOs) to create when you apply an AppLocker policy in your organization, you should consider the following: + - Whether you are creating new GPOs or using existing GPOs - Whether you are implementing Software Restriction Policies (SRP) policies and AppLocker policies in the same GPO - GPO naming conventions - GPO size limits -**Note**   -There is no default limit on the number of AppLocker rules that you can create. However, in Windows Server 2008 R2, GPOs have a 2 MB size limit for performance. In subsequent versions, that limit is raised to 100 MB. -  -  -  + +>**Note:**  There is no default limit on the number of AppLocker rules that you can create. However, in Windows Server 2008 R2, GPOs have a 2 MB size limit for performance. In subsequent versions, that limit is raised to 100 MB. diff --git a/windows/keep-secure/determine-which-applications-are-digitally-signed-on-a-reference-computer.md b/windows/keep-secure/determine-which-applications-are-digitally-signed-on-a-reference-computer.md index ad2925ee0a..ccf2483c4d 100644 --- a/windows/keep-secure/determine-which-applications-are-digitally-signed-on-a-reference-computer.md +++ b/windows/keep-secure/determine-which-applications-are-digitally-signed-on-a-reference-computer.md @@ -2,24 +2,35 @@ title: Determine which apps are digitally signed on a reference device (Windows 10) description: This topic for the IT professional describes how to use AppLocker logs and tools to determine which applications are digitally signed. ms.assetid: 24609a6b-fdcb-4083-b234-73e23ff8bcb8 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Determine which apps are digitally signed on a reference device + **Applies to** - Windows 10 + This topic for the IT professional describes how to use AppLocker logs and tools to determine which applications are digitally signed. + The Windows PowerShell cmdlet **Get-AppLockerFileInformation** can be used to determine which apps installed on your reference devices are digitally signed. Perform the following steps on each reference computer that you used to define the AppLocker policy. The device does not need to be joined to the domain. + Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure. + **To determine which apps are digitally signed on a reference device** 1. Run **Get-AppLockerFileInformation** with the appropriate parameters. + The **Get-AppLockerFileInformation** cmdlet retrieves the AppLocker file information from a list of files or from an event log. File information that is retrieved can include publisher information, file hash information, and file path information. File information from an event log may not contain all of these fields. Files that are not signed do not have any publisher information. + 2. Analyze the publisher's name and digital signature status from the output of the command. + For command parameters, syntax, and examples, see [Get-AppLockerFileInformation](http://technet.microsoft.com/library/ee460961.aspx). + ## Related topics -[Use a reference device to create and maintain AppLocker policies](use-a-reference-computer-to-create-and-maintain-applocker-policies.md) + +- [Use a reference device to create and maintain AppLocker policies](use-a-reference-computer-to-create-and-maintain-applocker-policies.md)     diff --git a/windows/keep-secure/determine-your-application-control-objectives.md b/windows/keep-secure/determine-your-application-control-objectives.md index 55e77bdb3b..a74a000710 100644 --- a/windows/keep-secure/determine-your-application-control-objectives.md +++ b/windows/keep-secure/determine-your-application-control-objectives.md @@ -2,19 +2,26 @@ title: Determine your application control objectives (Windows 10) description: This topic helps you with the decisions you need to make to determine what applications to control and how to control them by comparing Software Restriction Policies (SRP) and AppLocker. ms.assetid: 0e84003e-6095-46fb-8c4e-2065869bb53b -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Determine your application control objectives + **Applies to** - Windows 10 + This topic helps you with the decisions you need to make to determine what applications to control and how to control them by comparing Software Restriction Policies (SRP) and AppLocker. + AppLocker is very effective for organizations with app restriction requirements whose environments have a simple topography and the application control policy goals are straightforward. For example, AppLocker can benefit an environment where non-employees have access to computers connected to the organizational network, such as a school or library. Large organizations also benefit from AppLocker policy deployment when the goal is to achieve a detailed level of control on the PCs that they manage for a relatively small number of apps. + There are management and maintenance costs associated with a list of allowed apps. In addition, the purpose of application control policies is to allow or prevent employees from using apps that might actually be productivity tools. Keeping employees or users productive while implementing the policies can cost time and effort. Lastly, creating user support processes and network support processes to keep the organization productive are also concerns. + Use the following table to develop your own objectives and determine which application control feature best addresses those objectives. + @@ -149,5 +156,3 @@ Use the following table to develop your own objectives and determine which appli
  For more general info, see [AppLocker](applocker-overview.md). -  -  diff --git a/windows/keep-secure/device-guard-certification-and-compliance.md b/windows/keep-secure/device-guard-certification-and-compliance.md index 9edecd273d..6ac463047e 100644 --- a/windows/keep-secure/device-guard-certification-and-compliance.md +++ b/windows/keep-secure/device-guard-certification-and-compliance.md @@ -3,7 +3,7 @@ title: Device Guard certification and compliance (Windows 10) description: Device Guard is a combination of hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. ms.assetid: 94167ECA-AB08-431D-95E5-7A363F42C7E3 ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: brianlic-msft diff --git a/windows/keep-secure/device-guard-deployment-guide.md b/windows/keep-secure/device-guard-deployment-guide.md index 3d9a53be0e..f98d7216ea 100644 --- a/windows/keep-secure/device-guard-deployment-guide.md +++ b/windows/keep-secure/device-guard-deployment-guide.md @@ -3,9 +3,9 @@ title: Device Guard deployment guide (Windows 10) description: Microsoft Device Guard is a feature set that consists of both hardware and software system integrity hardening features that revolutionize the Windows operating system’s security. ms.assetid: 4BA52AA9-64D3-41F3-94B2-B87EC2717486 keywords: virtualization, security, malware -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy -ms.pagetype: devices +ms.pagetype: security, devices author: challum --- diff --git a/windows/keep-secure/devices-allow-undock-without-having-to-log-on.md b/windows/keep-secure/devices-allow-undock-without-having-to-log-on.md index 1283cb2181..d8f1d31192 100644 --- a/windows/keep-secure/devices-allow-undock-without-having-to-log-on.md +++ b/windows/keep-secure/devices-allow-undock-without-having-to-log-on.md @@ -2,84 +2,78 @@ title: Devices Allow undock without having to log on (Windows 10) description: Describes the best practices, location, values, and security considerations for the Devices Allow undock without having to log on security policy setting. ms.assetid: 1d403f5d-ad41-4bb4-9f4a-0779c1c14b8c -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Devices: Allow undock without having to log on + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Devices: Allow undock without having to log on** security policy setting. + ## Reference + This policy setting enables or disables the ability of a user to remove a portable device from a docking station without logging on. If you enable this policy setting, users can press a docked portable device's physical eject button to safely undock the device. If you disable this policy setting, the user must log on to receive permission to undock the device. Only users who have the **Remove Computer from Docking Station** privilege can obtain this permission. -**Note**   -Disabling this policy setting only reduces theft risk for portable devices that cannot be mechanically undocked. Devices that can be mechanically undocked can be physically removed by the user whether or not they use the Windows undocking functionality. + +>**Note:**  Disabling this policy setting only reduces theft risk for portable devices that cannot be mechanically undocked. Devices that can be mechanically undocked can be physically removed by the user whether or not they use the Windows undocking functionality.   Enabling this policy setting means that anyone with physical access to a device that has been placed in its docking station can remove the computer and possibly tamper with it. For devices that do not have docking stations, this policy setting has no impact. However, for users with a mobile computer that is normally docked while they are in the office, this policy setting will help lower the risk of equipment theft or a malicious user gaining physical access to these devices + ### Possible values + - Enabled - Disabled - Not defined + ### Best practices + It is advisable to disable the **Devices: Allow undock without having to log on** policy setting. Users who have docked their devices will have to log on to the local console before they can undock their systems. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Enabled

DC Effective Default Settings

Enabled

Member Server Effective Default Settings

Enabled

Client Computer Effective Default Settings

Enabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Not defined | +| Stand-Alone Server Default Settings | Enabled| +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings | Enabled| +| Client Computer Effective Default Settings| Enabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + If this policy setting is enabled, anyone with physical access to portable computers in docking stations could remove them and possibly tamper with them. + ### Countermeasure + Disable the **Devices: Allow undock without having to log on** setting. ### Potential impact + Users who have docked their device must log on to the local console before they can undock their computers. For devices that do not have docking stations, this policy setting has no impact. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/devices-allowed-to-format-and-eject-removable-media.md b/windows/keep-secure/devices-allowed-to-format-and-eject-removable-media.md index 146ef13dde..bffc76a5e9 100644 --- a/windows/keep-secure/devices-allowed-to-format-and-eject-removable-media.md +++ b/windows/keep-secure/devices-allowed-to-format-and-eject-removable-media.md @@ -2,82 +2,79 @@ title: Devices Allowed to format and eject removable media (Windows 10) description: Describes the best practices, location, values, and security considerations for the Devices Allowed to format and eject removable media security policy setting. ms.assetid: d1b42425-7244-4ab1-9d46-d68de823459c -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Devices: Allowed to format and eject removable media + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Devices: Allowed to format and eject removable media** security policy setting. + ## Reference + This policy setting determines who is allowed to format and eject removable media. + Users can move removable disks to a different device where they have administrative user rights and then take ownership of any file, assign themselves full control, and view or modify any file. The advantage of configuring this policy setting is diminished by the fact that most removable storage devices will eject media with the press of a button. + ### Possible values + - Administrators - Administrators and Power Users - Administrators and Interactive Users (not applicable to Windows Server 2008 R2 or Windows 7 and later) - Not defined + ### Best practices + - It is advisable to set **Allowed to format and eject removable media** to **Administrators**. Only administrators will be able to eject NTFS-formatted removable media. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Administrators

DC Effective Default Settings

Administrators

Member Server Effective Default Settings

Administrators

Client Computer Effective Default Settings

Not defined

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Administrators| +| DC Effective Default Settings | Administrators| +| Member Server Effective Default Settings | Administrators| +| Client Computer Effective Default Settings | Not defined|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability -Users could move data on removable disks to a different computer where they have administrative privileges. The user could then take ownership of any file, grant themselves full control, and view or modify any file. The fact that most removable storage devices eject media when a mechanical button is pressed diminishes the advantage of this policy setting. + +Users could move data on removable disks to a different computer where they have administrative privileges. The user could then take ownership of any file, grant themselves full control, and view or modify any file. The fact that most removable storage devices eject media when a mechanical button +is pressed diminishes the advantage of this policy setting. + ### Countermeasure + Configure the **Devices: Allowed to format and eject removable media** setting to **Administrators**. + ### Potential impact + Only administrators can format and eject removable media. If users are in the habit of using removable media for file transfers and storage, they must be informed of the change in policy. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/devices-prevent-users-from-installing-printer-drivers.md b/windows/keep-secure/devices-prevent-users-from-installing-printer-drivers.md index 9a31968fed..0bf0ba89a9 100644 --- a/windows/keep-secure/devices-prevent-users-from-installing-printer-drivers.md +++ b/windows/keep-secure/devices-prevent-users-from-installing-printer-drivers.md @@ -2,82 +2,80 @@ title: Devices Prevent users from installing printer drivers (Windows 10) description: Describes the best practices, location, values, and security considerations for the Devices Prevent users from installing printer drivers security policy setting. ms.assetid: ab70a122-f7f9-47e0-ad8c-541f30a27ec3 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Devices: Prevent users from installing printer drivers + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Devices: Prevent users from installing printer drivers** security policy setting. + ## Reference + For a device to print to a network printer, the driver for that network printer must be installed locally. The **Devices: Prevent users from installing printer drivers** policy setting determines who can install a printer driver as part of adding a network printer. When you set the value to **Enabled**, only Administrators and Power Users can install a printer driver as part of adding a network printer. Setting the value to **Disabled** allows any user to install a printer driver as part of adding a network printer. This setting prevents unprivileged users from downloading and installing an untrusted printer driver. + This setting has no impact if you have configured a trusted path for downloading drivers. When using trusted paths, the print subsystem attempts to use the trusted path to download the driver. If the trusted path download succeeds, the driver is installed on behalf of any user. If the trusted path download fails, the driver is not installed and the network printer is not added. + Although it might be appropriate in some organizations to allow users to install printer drivers on their own workstations, this is not suitable for servers. Installing a printer driver on a server can cause the system to become less stable. Only administrators should have this user right on servers. A malicious user might deliberately try to damage the system by installing inappropriate printer drivers. + ### Possible values + - Enabled - Disabled - Not defined + ### Best practices + - It is advisable to set **Devices: Prevent users from installing printer drivers** to Enabled. Only users in the Administrative, Power User, or Server Operator groups will be able to install printers on servers. If this policy setting is enabled, but the driver for a network printer already exists on the local computer, users can still add the network printer. This policy setting does not affect a user's ability to add a local printer. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Enabled

DC Effective Default Settings

Enabled

Member Server Effective Default Settings

Enabled

Client Computer Effective Default Settings

Disabled

+ +Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Enabled| +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings | Enabled| +| Client Computer Effective Default Settings | Disabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability -It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. However, you should allow only administrators, not users, to do so on servers because printer driver installation on a server may unintentionally cause the computer to become less stable. A malicious user could install inappropriate printer drivers in a deliberate attempt to damage the computer, or a user might accidentally install malicious software that masquerades as a printer driver. + +It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. However, you should allow only administrators, not users, to do so on servers because printer driver installation on a server may unintentionally cause the computer to become less +stable. A malicious user could install inappropriate printer drivers in a deliberate attempt to damage the computer, or a user might accidentally install malicious software that masquerades as a printer driver. + ### Countermeasure + Enable the **Devices: Prevent users from installing printer drivers** setting. + ### Potential impact + Only members of the Administrator, Power Users, or Server Operator groups can install printers on the servers. If this policy setting is enabled but the driver for a network printer already exists on the local computer, users can still add the network printer. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md b/windows/keep-secure/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md index d4a806d762..5e399e075e 100644 --- a/windows/keep-secure/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md +++ b/windows/keep-secure/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md @@ -2,82 +2,79 @@ title: Devices Restrict CD-ROM access to locally logged-on user only (Windows 10) description: Describes the best practices, location, values, and security considerations for the Devices Restrict CD-ROM access to locally logged-on user only security policy setting. ms.assetid: 8b8f44bb-84ce-4f18-af30-ab89910e234d -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Devices: Restrict CD-ROM access to locally logged-on user only + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Devices: Restrict CD-ROM access to locally logged-on user only** security policy setting. + ## Reference + This policy setting determines whether a CD is accessible to local and remote users simultaneously. If you enable this policy setting, only the interactively logged-on user is allowed to access removable CDs. If this policy setting is enabled and no one is logged on interactively, the CD can be accessed over the network. + The security benefit of enabling this policy setting is small because it only prevents network users from accessing the drive when someone is logged on to the local console of the system at the same time. Additionally, CD drives are not automatically made available as network shared drives; you must deliberately choose to share the drive. This is important when administrators are installing software or copying data from a CD-ROM, and they do not want network users to be able to execute the applications or view the data. + If this policy setting is enabled, users who connect to the server over the network will not be able to use any CD drives that are installed on the server when anyone is logged on to the local console of the server. Enabling this policy setting is not suitable for a system that serves as a CD jukebox for network users. + ### Possible values + - Enabled - Disabled - Not defined + ### Best practices + - Best practices are dependent on your security and user accessibility requirements for CD drives. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined | +| Default Domain Controller Policy | Not defined | +| Stand-Alone Server Default Settings | Disabled | +| DC Effective Default Settings | Disabled | +| Member Server Effective Default Settings | Disabled | +| Client Computer Effective Default Settings | Disabled |   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability -A remote user could potentially access a mounted CD that contains sensitive information. This risk is small because CD drives are not automatically made available as shared drives; you must deliberately choose to share the drive. However, you can deny network users the ability to view data or run applications from removable media on the server. + +A remote user could potentially access a mounted CD that contains sensitive information. This risk is small because CD drives are not automatically made available as shared drives; you must deliberately choose to share the drive. However, you can deny network users the ability to view data or run +applications from removable media on the server. + ### Countermeasure Enable the **Devices: Restrict CD-ROM drive access to locally logged-on user only** setting. + ### Potential impact Users who connect to the server over the network cannot use any CD drives that are installed on the server when anyone is logged on to the local console of the server. System tools that require access to the CD drive will fail. For example, the Volume Shadow Copy service attempts to access all CD and floppy disk drives that are present on the computer when it initializes, and if the service cannot access one of these drives, it fails. This condition causes the Windows Backup tool to fail if volume shadow copies were specified for the backup job. Any non-Microsoft backup products that use volume shadow copies also fail. This policy setting would not be suitable for a computer that serves as a CD jukebox for network users. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/devices-restrict-floppy-access-to-locally-logged-on-user-only.md b/windows/keep-secure/devices-restrict-floppy-access-to-locally-logged-on-user-only.md index c031c438a6..1716725907 100644 --- a/windows/keep-secure/devices-restrict-floppy-access-to-locally-logged-on-user-only.md +++ b/windows/keep-secure/devices-restrict-floppy-access-to-locally-logged-on-user-only.md @@ -2,82 +2,79 @@ title: Devices Restrict floppy access to locally logged-on user only (Windows 10) description: Describes the best practices, location, values, and security considerations for the Devices Restrict floppy access to locally logged-on user only security policy setting. ms.assetid: 92997910-da95-4c03-ae6f-832915423898 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Devices: Restrict floppy access to locally logged-on user only + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Devices: Restrict floppy access to locally logged-on user only** security policy setting. + ## Reference + This policy setting determines whether removable floppy disks are accessible to local and remote users simultaneously. Enabling this policy setting allows only the interactively logged-on user to access removable floppy disks. If this policy setting is enabled and no one is logged on interactively, the floppy disk can be accessed over the network. + The security benefit of enabling this policy setting is small because it only prevents network users from accessing the floppy disk drive when someone is logged on to the local console of the system at the same time. Additionally, floppy disk drives are not automatically made available as network shared drives; you must deliberately choose to share the drive. This becomes important when you are installing software or copying data from a floppy disk and they do not want network users to be able to execute the applications or view the data. + If this policy setting is enabled, users who connect to the server over the network will not be able to use any floppy disk drives that are installed on the server when anyone is logged on to the local console of the server. + ### Possible values + - Enabled - Disabled - Not defined + ### Best practices + - Best practices are dependent on your security and user accessibility requirements for CD drives. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + A remote user could potentially access a mounted floppy disk that contains sensitive information. This risk is small because floppy disk drives are not automatically shared; administrators must deliberately choose to share the drive. However, you can deny network users the ability to view data or run applications from removable media on the server. + ### Countermeasure + Enable the **Devices: Restrict floppy access to locally logged-on user only** setting. + ### Potential impact + Users who connect to the server over the network cannot use any floppy disk drives that are installed on the device when anyone is logged on to the local console of the server. System tools that require access to floppy disk drives fail. For example, the Volume Shadow Copy service attempts to access all CD-ROM and floppy disk drives that are present on the computer when it initializes, and if the service cannot access one of these drives, it fails. This condition causes the Windows Backup tool to fail if volume shadow copies were specified for the backup job. Any non-Microsoft backup products that use volume shadow copies also fail. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md b/windows/keep-secure/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md index ea5e8e17a8..85c56528b1 100644 --- a/windows/keep-secure/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md +++ b/windows/keep-secure/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md @@ -3,18 +3,25 @@ title: Display a custom URL message when users try to run a blocked app (Windows description: This topic for IT professionals describes the steps for displaying a customized message to users when an AppLocker policy denies access to an app. ms.assetid: 9a2534a5-d1fa-48a9-93c6-989d4857cf85 ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: brianlic-msft --- + # Display a custom URL message when users try to run a blocked app + **Applies to** - Windows 10 + This topic for IT professionals describes the steps for displaying a customized message to users when an AppLocker policy denies access to an app. + Using Group Policy, AppLocker can be configured to display a message with a custom URL. You can use this URL to redirect users to a support site that contains info about why the user received the error and which apps are allowed. If you do not display a custom message when an apps is blocked, the default access denied message is displayed. + To complete this procedure, you must have the **Edit Setting** permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission. + **To display a custom URL message when users try to run a blocked app** + 1. On the **Start** screen, type **gpmc.msc** to open the Group Policy Management Console (GPMC). 2. Navigate to the Group Policy Object (GPO) that you want to edit. 3. Right-click the GPO, and then click **Edit**. @@ -22,5 +29,3 @@ To complete this procedure, you must have the **Edit Setting** permission to ed 5. In the details pane, double-click **Set a support web page link**. 6. Click **Enabled**, and then type the URL of the custom Web page in the **Support Web page URL** box. 7. Click **OK** to apply the setting. -  -  diff --git a/windows/keep-secure/dll-rules-in-applocker.md b/windows/keep-secure/dll-rules-in-applocker.md index 545d8c5359..b6e4cd9e93 100644 --- a/windows/keep-secure/dll-rules-in-applocker.md +++ b/windows/keep-secure/dll-rules-in-applocker.md @@ -2,64 +2,40 @@ title: DLL rules in AppLocker (Windows 10) description: This topic describes the file formats and available default rules for the DLL rule collection. ms.assetid: a083fd08-c07e-4534-b0e7-1e15d932ce8f -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # DLL rules in AppLocker + **Applies to** - Windows 10 + This topic describes the file formats and available default rules for the DLL rule collection. + AppLocker defines DLL rules to include only the following file formats: + - .dll - .ocx + The following table lists the default rules that are available for the DLL rule collection. - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
PurposeNameUserRule condition type

Allows members of the local Administrators group to run all DLLs

(Default Rule) All DLLs

BUILTIN\Administrators

Path: *

Allow all users to run DLLs in the Windows folder

(Default Rule) Microsoft Windows DLLs

Everyone

Path: %windir%\*

Allow all users to run DLLs in the Program Files folder

(Default Rule) All DLLs located in the Program Files folder

Everyone

Path: %programfiles%\*

+ +| Purpose | Name | User | Rule condition type | +| - | - | - | - | +| Allows members of the local Administrators group to run all DLLs | (Default Rule) All DLLs| +| BUILTIN\Administrators | Path: *| +| Allow all users to run DLLs in the Windows folder| (Default Rule) Microsoft Windows DLLs | +| Everyone | Path: %windir%\*| +| Allow all users to run DLLs in the Program Files folder | (Default Rule) All DLLs located in the Program Files folder| +| Everyone | Path: %programfiles%\*|   -**Important**   -If you use DLL rules, a DLL allow rule has to be created for each DLL that is used by all of the allowed apps +>**Important:**  If you use DLL rules, a DLL allow rule has to be created for each DLL that is used by all of the allowed apps   -**Caution**   -When DLL rules are used, AppLocker must check each DLL that an app loads. Therefore, users may experience a reduction in performance if DLL rules are used. +>**Caution:**  When DLL rules are used, AppLocker must check each DLL that an app loads. Therefore, users may experience a reduction in performance if DLL rules are used.   ## Related topics -[Understanding AppLocker default rules](understanding-applocker-default-rules.md) -  -  + +- [Understanding AppLocker default rules](understanding-applocker-default-rules.md) \ No newline at end of file diff --git a/windows/keep-secure/document-group-policy-structure-and-applocker-rule-enforcement.md b/windows/keep-secure/document-group-policy-structure-and-applocker-rule-enforcement.md index e97b186290..72c1c10193 100644 --- a/windows/keep-secure/document-group-policy-structure-and-applocker-rule-enforcement.md +++ b/windows/keep-secure/document-group-policy-structure-and-applocker-rule-enforcement.md @@ -2,23 +2,31 @@ title: Document the Group Policy structure and AppLocker rule enforcement (Windows 10) description: This planning topic describes what you need to investigate, determine, and record in your application control policies plan when you use AppLocker. ms.assetid: 389ffa8e-11fc-49ff-b0b1-89553e6fb6e5 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: brianlic-msft +ms.pagetype: security --- + # Document the Group Policy structure and AppLocker rule enforcement + **Applies to** - Windows 10 + This planning topic describes what you need to investigate, determine, and record in your application control policies plan when you use AppLocker. + ## Record your findings + To complete this AppLocker planning document, you should first complete the following steps: + 1. [Determine your application control objectives](determine-your-application-control-objectives.md) 2. [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md) 3. [Select the types of rules to create](select-types-of-rules-to-create.md) 4. [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md) + After you determine how to structure your Group Policy Objects (GPOs) so that you can apply AppLocker policies, you should record your findings. You can use the following table to determine how many GPOs to create (or edit) and which objects they are linked to. If you decided to create custom rules to allow system files to run, note the high-level rule configuration in the **Use default rule or define new rule condition** column. + The following table includes the sample data that was collected when you determined your enforcement settings and the GPO structure for your AppLocker policies. @@ -111,6 +119,7 @@ The following table includes the sample data that was collected when you determi
  ## Next steps + After you have determined the Group Policy structure and rule enforcement strategy for each business group's apps, the following tasks remain: - [Plan for AppLocker policy management](plan-for-applocker-policy-management.md) - [Create your AppLocker planning document](create-your-applocker-planning-document.md) diff --git a/windows/keep-secure/document-your-application-control-management-processes.md b/windows/keep-secure/document-your-application-control-management-processes.md index b5a9cd95a7..6e2a75390d 100644 --- a/windows/keep-secure/document-your-application-control-management-processes.md +++ b/windows/keep-secure/document-your-application-control-management-processes.md @@ -2,31 +2,46 @@ title: Document your application control management processes (Windows 10) description: This planning topic describes the AppLocker policy maintenance information to record for your design document. ms.assetid: 6397f789-0e36-4933-9f86-f3f6489cf1fb -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Document your application control management processes + **Applies to** - Windows 10 + This planning topic describes the AppLocker policy maintenance information to record for your design document. + ## Record your findings + To complete this AppLocker planning document, you should first complete the following steps: + 1. [Determine your application control objectives](determine-your-application-control-objectives.md) 2. [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md) 3. [Select the types of rules to create](select-types-of-rules-to-create.md) 4. [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md) 5. [Plan for AppLocker policy management](plan-for-applocker-policy-management.md) + The three key areas to determine for AppLocker policy management are: + 1. Support policy + Document the process that you will use for handling calls from users who have attempted to run a blocked app, and ensure that support personnel know recommended troubleshooting steps and escalation points for your policy. + 2. Event processing + Document whether events will be collected in a central location, how that store will be archived, and whether the events will be processed for analysis. + 3. Policy maintenance + Detail how rules will be added to the policy, in which Group Policy Object (GPO) the rules should be defined, and how to modify rules when apps are retired, updated, or added. + The following table contains the added sample data that was collected when determining how to maintain and manage AppLocker policies. + @@ -125,9 +140,13 @@ The following table contains the added sample data that was collected when deter
  The following two tables illustrate examples of documenting considerations to maintain and manage AppLocker policies. + **Event processing policy** + One discovery method for app usage is to set the AppLocker enforcement mode to **Audit only**. This will write events to the AppLocker logs, which can be managed and analyzed like other Windows logs. After apps have been identified, you can begin to develop policies regarding the processing and access to AppLocker events. + The following table is an example of what to consider and record. + @@ -210,7 +229,6 @@ The following table is an example of what to consider and record.
  ## Next steps + After you have determined your application control management strategy for each of the business group's applications, the following task remains: - [Create your AppLocker planning document](create-your-applocker-planning-document.md) -  -  diff --git a/windows/keep-secure/document-your-application-list.md b/windows/keep-secure/document-your-application-list.md index 1b7c7906fa..735dc55515 100644 --- a/windows/keep-secure/document-your-application-list.md +++ b/windows/keep-secure/document-your-application-list.md @@ -2,21 +2,30 @@ title: Document your app list (Windows 10) description: This planning topic describes the app information that you should document when you create a list of apps for AppLocker policies. ms.assetid: b155284b-f75d-4405-aecf-b74221622dc0 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Document your app list + **Applies to** - Windows 10 + This planning topic describes the app information that you should document when you create a list of apps for AppLocker policies. + ## Record your findings + **Apps** + Record the name of the app, whether it is signed as indicated by the publisher's name, and whether it is a mission critical, business productivity, optional, or personal app. Later, as you manage your rules, AppLocker displays this information in the format shown in the following example: *MICROSOFT OFFICE INFOPATH signed by O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US*. + **Installation path** + Record the installation path of the apps. For example, Microsoft Office 2016 installs files to *%programfiles%\\Microsoft Office\\Office16\\*, which is *C:\\Program Files\\Microsoft Office\\Office16\\* on most devices. + The following table provides an example of how to list applications for each business group at the early stage of designing your application control policies. Eventually, as more planning information is added to the list, the information can be used to build AppLocker rules. @@ -81,29 +90,36 @@ The following table provides an example of how to list applications for each bus
  -**Note**   -AppLocker only supports publisher rules for Universal Windows apps. Therefore, collecting the installation path information for Universal Windows apps is not necessary. +>**Note:**  AppLocker only supports publisher rules for Universal Windows apps. Therefore, collecting the installation path information for Universal Windows apps is not necessary.   **Event processing** + As you create your list of apps, you need to consider how to manage the events that are generated by user access, or you need to deny running those apps to make your users as productive as possible. The following list is an example of what to consider and what to record: + - Will event forwarding be implemented for AppLocker events? - What is the location of the AppLocker event collection? - Should an event archival policy be implemented? - Will the events be analyzed and how often? - Should a security policy be in place for event collection? + **Policy maintenance** + As you create your list of apps, you need to consider how to manage and maintain the policies that you will eventually create. The following list is an example of what to consider and what to record: + - How will rules be updated for emergency app access and permanent access? - How will apps be removed? - How many older versions of the same app will be maintained? - How will new apps be introduced? + ## Next steps + After you have created the list of applications, the next step is to identify the rule collections, which will become the application control policies. This information can be added to the table under the following columns: + - Use default rule or define new rule condition - Allow or deny - GPO name + To identify the rule collections, see the following topics: + - [Select the types of rules to create](select-types-of-rules-to-create.md) - [Determine Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md) -  -  diff --git a/windows/keep-secure/document-your-applocker-rules.md b/windows/keep-secure/document-your-applocker-rules.md index 97bd6545ef..68d32d07d7 100644 --- a/windows/keep-secure/document-your-applocker-rules.md +++ b/windows/keep-secure/document-your-applocker-rules.md @@ -2,25 +2,35 @@ title: Document your AppLocker rules (Windows 10) description: This topic describes what rule conditions to associate with each file, how to associate the rule conditions with each file, the source of the rule, and whether the file should be included or excluded. ms.assetid: 91a198ce-104a-45ff-b49b-487fb40cd2dd -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Document your AppLocker rules + **Applies to** - Windows 10 + This topic describes what rule conditions to associate with each file, how to associate the rule conditions with each file, the source of the rule, and whether the file should be included or excluded. + ## Record your findings + To complete this AppLocker planning document, you should first complete the following steps: + 1. [Determine your application control objectives](determine-your-application-control-objectives.md) 2. [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md) 3. [Select the types of rules to create](select-types-of-rules-to-create.md) + Document the following items for each business group or organizational unit: + - Whether your organization will use the built-in default AppLocker rules to allow system files to run. - The types of rule conditions that you will use to create rules, stated in order of preference. + The following table details sample data for documenting rule type and rule condition findings. In addition, you should now consider whether to allow an app to run or deny permission for it to run. For info about these settings, see [Understanding AppLocker allow and deny actions on rules](understanding-applocker-allow-and-deny-actions-on-rules.md). + @@ -101,9 +111,9 @@ The following table details sample data for documenting rule type and rule condi
  ## Next steps + For each rule, determine whether to use the allow or deny option. Then, three tasks remain: + - [Determine Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md) - [Plan for AppLocker policy management](plan-for-applocker-policy-management.md) - [Create your AppLocker planning document](create-your-applocker-planning-document.md) -  -  diff --git a/windows/keep-secure/domain-controller-allow-server-operators-to-schedule-tasks.md b/windows/keep-secure/domain-controller-allow-server-operators-to-schedule-tasks.md index 9830087bd1..feafcec116 100644 --- a/windows/keep-secure/domain-controller-allow-server-operators-to-schedule-tasks.md +++ b/windows/keep-secure/domain-controller-allow-server-operators-to-schedule-tasks.md @@ -2,87 +2,85 @@ title: Domain controller Allow server operators to schedule tasks (Windows 10) description: Describes the best practices, location, values, and security considerations for the Domain controller Allow server operators to schedule tasks security policy setting. ms.assetid: 198b12a4-8a5d-48e8-a752-2073b8a2cb0d -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Domain controller: Allow server operators to schedule tasks + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Domain controller: Allow server operators to schedule tasks** security policy setting. + ## Reference + This policy setting determines whether server operators can use the**at** command to submit jobs. If you enable this policy setting, jobs that are created by server operators by means of the **at** command run in the context of the account that runs the Task Scheduler service. By default, that is the Local System account. -**Note**   -This security option setting affects only the scheduler tool for the **at** command. It does not affect the Task Scheduler tool. + +>**Note:**  This security option setting affects only the scheduler tool for the **at** command. It does not affect the Task Scheduler tool.   Enabling this policy setting means jobs that are created by server operators through the **at** command will be executed in the context of the account that is running that service—by default, that is the Local System account. This means that server operators can perform tasks that the Local System account is able to do, but server operators would normally not be able to do, such as add their account to the local Administrators group. + The impact of enabling this policy setting should be small for most organizations. Users, including those in the Server Operators group, will still be able to create jobs by using the Task Scheduler Wizard, but those jobs will run in the context of the account that the user authenticates with when setting up the job. + ### Possible values + - Enabled - Disabled - Not defined + ### Best practices + - Best practices for this policy are dependent on your security and operational requirements for task scheduling. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Not defined

DC Effective Default Settings

Not defined

Member Server Effective Default Settings

Not defined

Client Computer Effective Default Settings

Not defined

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Not defined | +| Stand-Alone Server Default Settings | Not defined| +| DC Effective Default Settings | Not defined| +| Member Server Effective Default Settings | Not defined| +| Client Computer Effective Default Settings | Not defined|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Command-line tools + The **at** command schedules commands and programs to run on a computer at a specified time and date. The Schedule service must be running to use the **at** command. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Tasks that run under the context of the Local System account can affect resources that are at a higher privilege level than the user account that scheduled the task. + ### Countermeasure + Disable the **Domain controller: Allow server operators to schedule tasks** setting. + ### Potential impact + The impact should be small for most organizations. Users (including those in the Server Operators group) can still create jobs by means of the Task Scheduler snap-in. However, those jobs run in the context of the account that the user authenticates with when setting up the job. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/domain-controller-ldap-server-signing-requirements.md b/windows/keep-secure/domain-controller-ldap-server-signing-requirements.md index 50f94a37d3..10001b50e6 100644 --- a/windows/keep-secure/domain-controller-ldap-server-signing-requirements.md +++ b/windows/keep-secure/domain-controller-ldap-server-signing-requirements.md @@ -2,86 +2,83 @@ title: Domain controller LDAP server signing requirements (Windows 10) description: Describes the best practices, location, values, and security considerations for the Domain controller LDAP server signing requirements security policy setting. ms.assetid: fe122179-7571-465b-98d0-b8ce0f224390 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Domain controller: LDAP server signing requirements + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Domain controller: LDAP server signing requirements** security policy setting. + ## Reference + This policy setting determines whether the Lightweight Directory Access Protocol (LDAP) server requires LDAP clients to negotiate data signing. + Unsigned network traffic is susceptible to man-in-the-middle attacks, where an intruder captures packets between the server and the client device and modifies them before forwarding them to the client device. In the case of an LDAP server, this means that a malicious user can cause a client device to make decisions based on false records from the LDAP directory. You can lower the risk of a malicious user accomplishing this in a corporate network by implementing strong physical security measures to protect the network infrastructure. Furthermore, implementing Internet Protocol security (IPsec) Authentication Header mode, which provides mutual authentication and packet integrity for IP traffic, can make all types of man-in-the-middle attacks extremely difficult. + This setting does not have any impact on LDAP simple bind or LDAP simple bind through SSL. + If signing is required, then LDAP simple bind and LDAP simple bind through SSL requests are rejected. -**Caution**   -If you set the server to Require signature, you must also set the client device. Not setting the client device results in loss of connection with the server. + +>**Caution:**  If you set the server to Require signature, you must also set the client device. Not setting the client device results in loss of connection with the server.   ### Possible values + - None. Data signatures are not required to bind with the server. If the client computer requests data signing, the server supports it. - Require signature. The LDAP data-signing option must be negotiated unless Transport Layer Security/Secure Sockets Layer (TLS/SSL) is in use. - Not defined. + ### Best practices + - It is advisable to set **Domain controller: LDAP server signing requirements** to **Require signature**. Clients that do not support LDAP signing will be unable to execute LDAP queries against the domain controllers. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Not defined

DC Effective Default Settings

None

Member Server Effective Default Settings

None

Client Computer Effective Default Settings

None

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Not defined| +| DC Effective Default Settings | None| +| Member Server Effective Default Settings | None| +| Client Computer Effective Default Settings | None|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Unsigned network traffic is susceptible to man-in-the-middle attacks. In such attacks, an intruder captures packets between the server and the client device, modifies them, and then forwards them to the client device. Where LDAP servers are concerned, an attacker could cause a client device to make decisions that are based on false records from the LDAP directory. To lower the risk of such an intrusion in an organization's network, you can implement strong physical security measures to protect the network infrastructure. You could also implement Internet Protocol security (IPsec) Authentication Header mode, which performs mutual authentication and packet integrity for IP traffic to make all types of man-in-the-middle attacks extremely difficult. + ### Countermeasure + Configure the **Domain controller: LDAP server signing requirements** setting to **Require signature**. + ### Potential impact + Client device that do not support LDAP signing cannot run LDAP queries against the domain controllers. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/domain-controller-refuse-machine-account-password-changes.md b/windows/keep-secure/domain-controller-refuse-machine-account-password-changes.md index acab069b02..563e0956a9 100644 --- a/windows/keep-secure/domain-controller-refuse-machine-account-password-changes.md +++ b/windows/keep-secure/domain-controller-refuse-machine-account-password-changes.md @@ -2,83 +2,83 @@ title: Domain controller Refuse machine account password changes (Windows 10) description: Describes the best practices, location, values, and security considerations for the Domain controller Refuse machine account password changes security policy setting. ms.assetid: 5a7fa2e2-e1a8-4833-90f7-aa83e3b456a9 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Domain controller: Refuse machine account password changes + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Domain controller: Refuse machine account password changes** security policy setting. + ## Reference + This policy setting enables or disables blocking a domain controller from accepting password change requests for machine accounts. By default, devices joined to the domain change their machine account passwords every 30 days. If enabled, the domain controller will refuse machine account password change requests. + ### Possible values + - Enabled + When enabled, this setting does not allow a domain controller to accept any changes to a machine account's password. + - Disabled + When disabled, this setting allows a domain controller to accept any changes to a machine account's password. + - Not defined + Same as Disabled. + ### Best practices + - Enabling this policy setting on all domain controllers in a domain prevents domain members from changing their machine account passwords. This, in turn, leaves those passwords susceptible to attack. Make sure that this conforms to your overall security policy for the domain. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Not defined

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Not applicable

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Not defined| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Not applicable|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + If you enable this policy setting on all domain controllers in a domain, domain members cannot change their machine account passwords, and those passwords are more susceptible to attack. + ### Countermeasure + Disable the **Domain controller: Refuse machine account password changes** setting. + ### Potential impact + None. This is the default configuration. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md b/windows/keep-secure/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md index b6ebe0166a..b748e75485 100644 --- a/windows/keep-secure/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md +++ b/windows/keep-secure/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md @@ -2,103 +2,114 @@ title: Domain member Digitally encrypt or sign secure channel data (always) (Windows 10) description: Describes the best practices, location, values, and security considerations for the Domain member Digitally encrypt or sign secure channel data (always) security policy setting. ms.assetid: 4480c7cb-adca-4f29-b4b8-06eb68d272bf -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Domain member: Digitally encrypt or sign secure channel data (always) + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Domain member: Digitally encrypt or sign secure channel data (always)** security policy setting. + ## Reference -This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. Logon information that is transmitted over the secure channel is always encrypted regardless of whether the encryption of all other secure channel traffic is negotiated. + +This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. Logon information that is +transmitted over the secure channel is always encrypted regardless of whether the encryption of all other secure channel traffic is negotiated. + The following policy settings determine whether a secure channel can be established with a domain controller that is not capable of signing or encrypting secure channel traffic: + - Domain member: Digitally encrypt or sign secure channel data (always) - [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) - [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) + Setting **Domain member: Digitally encrypt or sign secure channel data (always)** to **Enabled** prevents establishing a secure channel with any domain controller that cannot sign or encrypt all secure channel data. + To protect authentication traffic from man-in-the-middle, replay, and other types of network attacks, Windows-based computers create a communication channel through NetLogon called secure channels. These channels authenticate machine accounts. They also authenticate user accounts when a remote user connects to a network resource and the user account exists in a trusted domain. This is called pass-through authentication, and it allows a device running Windows othat has joined a domain to have access to the user account database in its domain and in any trusted domains. + To enable the **Domain member: Digitally encrypt or sign secure channel data (always)** policy setting on a member workstation or server, all domain controllers in the domain that the member belongs to must be capable of signing or encrypting all secure-channel data. + Enabling the **Domain member: Digitally encrypt or sign secure channel data (always)** policy setting automatically enables the [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) policy setting. + When a device joins a domain, a machine account is created. After joining the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. This secure channel is used to perform operations such as NTLM pass-through authentication and LSA SID/name Lookup. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the integrity of the channel is not checked, and not all information is encrypted. If a system is set to always encrypt or sign secure channel data, a secure channel cannot be established with a domain controller that is not capable of signing or encrypting all secure channel traffic. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated. + ### Possible values + - Enabled - The policy [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic. + + The policy [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure + channel traffic. + - Disabled + The encryption and signing of all secure channel traffic is negotiated with the domain controller, in which case the level of signing and encryption depends on the version of the domain controller and the settings of the following policies: + 1. [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) 2. [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) + - Not defined ### Best practices + - Set **Domain member: Digitally encrypt or sign secure channel data (always)** to **Enabled**. - Set [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) to **Enabled**. - Set [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) to **Enabled**. -**Note**   -You can enable the policy settings [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) and [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) on all devices in the domain that support these policy settings without affecting earlier-version clients and applications. + +>**Note:**  You can enable the policy settings [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) and [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) on all devices in the domain that support these policy settings without affecting earlier-version clients and applications.   ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Enabled

Stand-Alone Server Default Settings

Enabled

DC Effective Default Settings

Enabled

Member Server Effective Default Settings

Enabled

Client Computer Effective Default Settings

Enabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Enabled | +| Stand-Alone Server Default Settings | Enabled| +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings | Enabled| +| Client Computer Effective Default Settings | Enabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Group Policy + Distribution of this policy through Group Policy overrides the Local Security Policy setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability -When a device joins a domain, a machine account is created. After it joins the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. If a device is configured to always encrypt or sign secure channel data but the domain controller cannot sign or encrypt any portion of the secure channel data, the computer and domain controller cannot establish a secure channel. If the device is configured to encrypt or sign secure channel data, when possible, a secure channel can be established, but the level of encryption and signing is negotiated. + +When a device joins a domain, a machine account is created. After it joins the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. Requests that are sent on the secure channel are authenticated—and +sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. If a device is configured to always encrypt or sign secure channel data but the domain controller cannot sign or encrypt any portion of the secure channel data, the computer and domain controller cannot establish a secure channel. If the device is configured to encrypt or sign secure channel data, when possible, a secure channel can be established, but the level of encryption and signing is negotiated. + ### Countermeasure + Select one of the following settings as appropriate for your environment to configure the computers in your domain to encrypt or sign secure channel data. + - **Domain member: Digitally encrypt or sign secure channel data (always)** - [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) - [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) + ### Potential impact + Digital encryption and signing of the secure channel is a good idea because the secure channel protects domain credentials as they are sent to the domain controller. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/domain-member-digitally-encrypt-secure-channel-data-when-possible.md b/windows/keep-secure/domain-member-digitally-encrypt-secure-channel-data-when-possible.md index 693a34601d..241c83b30b 100644 --- a/windows/keep-secure/domain-member-digitally-encrypt-secure-channel-data-when-possible.md +++ b/windows/keep-secure/domain-member-digitally-encrypt-secure-channel-data-when-possible.md @@ -2,99 +2,107 @@ title: Domain member Digitally encrypt secure channel data (when possible) (Windows 10) description: Describes the best practices, location, values, and security considerations for the Domain member Digitally encrypt secure channel data (when possible) security policy setting. ms.assetid: 73e6023e-0af3-4531-8238-82f0f0e4965b -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Domain member: Digitally encrypt secure channel data (when possible) + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Domain member: Digitally encrypt secure channel data (when possible)** security policy setting. + ## Reference -This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be encrypted. Logon information that is transmitted over the secure channel is always encrypted regardless of whether the encryption of all other secure channel traffic is negotiated. + +This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be encrypted. Logon information that is transmitted over +the secure channel is always encrypted regardless of whether the encryption of all other secure channel traffic is negotiated. + In addition to this policy setting, the following policy settings determine whether a secure channel can be established with a domain controller that is not capable of signing or encrypting secure channel traffic: + - [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) - [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) + Setting **Domain member: Digitally encrypt or sign secure channel data (always)** to **Enabled** prevents establishing a secure channel with any domain controller that cannot sign or encrypt all secure channel data. + To protect authentication traffic from man-in-the-middle, replay, and other types of network attacks, Windows-based computers create a communication channel through NetLogon called secure channels. These channels authenticate machine accounts. They also authenticate user accounts when a remote user connects to a network resource and the user account exists in a trusted domain. This is called pass-through authentication, and it allows a computer running the Windows operating system that has joined a domain to have access to the user account database in its domain and in any trusted domains. + Enabling the [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) policy setting automatically enables the **Domain member: Digitally sign secure channel data (when possible)** policy setting. + When a device joins a domain, a machine account is created. After joining the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. This secure channel is used to perform operations such as NTLM pass through authentication and LSA SID/name Lookup. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the integrity of the channel is not checked, and not all information is encrypted. If a system is set to always encrypt or sign secure channel data, a secure channel cannot be established with a domain controller that is not capable of signing or encrypting all secure channel traffic. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated. + ### Possible values + - Enabled + The domain member will request encryption of all secure channel traffic. If the domain controller supports encryption of all secure channel traffic, then all secure channel traffic will be encrypted. Otherwise, only logon information that is transmitted over the secure channel will be encrypted. + - Disabled + The domain member will not attempt to negotiate secure channel encryption. - **Note**   - If the security policy setting [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) is enabled, this setting will be overwritten. + + >**Note:**  If the security policy setting [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) is enabled, this setting will be overwritten.   - Not defined + ### Best practices + - Set [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) to **Enabled**. - Set **Domain member: Digitally encrypt secure channel data (when possible)** to **Enabled**. - Set [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) to **Enabled**. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Enabled

Stand-Alone Server Default Settings

Enabled

DC Effective Default Settings

Enabled

Member Server Effective Default Settings

Enabled

Client Computer Effective Default Settings

Enabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Enabled| +| Stand-Alone Server Default Settings | Enabled| +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings| Enabled| +| Client Computer Effective Default Settings | Enabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Group Policy + Distribution of this policy through Group Policy does not override the Local Security Policy setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + When a device joins a domain, a machine account is created. After it joins the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. If a device is configured to always encrypt or sign secure channel data but the domain controller cannot sign or encrypt any portion of the secure channel data, the computer and domain controller cannot establish a secure channel. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated. + ### Countermeasure + Select one of the following settings as appropriate for your environment to configure the computers in your domain to encrypt or sign secure channel data: + - [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) - **Domain member: Digitally encrypt secure channel data (when possible)** - [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) + ### Potential impact + Digital signing of the secure channel is a good idea because it protects domain credentials as they are sent to the domain controller. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/domain-member-digitally-sign-secure-channel-data-when-possible.md b/windows/keep-secure/domain-member-digitally-sign-secure-channel-data-when-possible.md index 670f0b9024..dfa36d1360 100644 --- a/windows/keep-secure/domain-member-digitally-sign-secure-channel-data-when-possible.md +++ b/windows/keep-secure/domain-member-digitally-sign-secure-channel-data-when-possible.md @@ -2,100 +2,105 @@ title: Domain member Digitally sign secure channel data (when possible) (Windows 10) description: Describes the best practices, location, values, and security considerations for the Domain member Digitally sign secure channel data (when possible) security policy setting. ms.assetid: a643e491-4f45-40ea-b12c-4dbe47e54f34 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Domain member: Digitally sign secure channel data (when possible) + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Domain member: Digitally sign secure channel data (when possible)** security policy setting. + ## Reference -This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be signed. Logon information that is transmitted over the secure channel is always encrypted regardless of whether the encryption of all other secure channel traffic is negotiated. + +This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be signed. Logon information that is transmitted over the +secure channel is always encrypted regardless of whether the encryption of all other secure channel traffic is negotiated. + The following policy settings determine whether a secure channel can be established with a domain controller that is not capable of signing or encrypting secure channel traffic: - [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) - [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) - Domain member: Digitally sign secure channel data (when possible) + Setting [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) to **Enabled** prevents establishing a secure channel with any domain controller that cannot sign or encrypt all secure channel data. + To protect authentication traffic from man-in-the-middle, replay, and other types of network attacks, Windows-based computers create a communication channel through NetLogon called secure channels. These channels authenticate computer accounts. They also authenticate user accounts when a remote user connects to a network resource and the user account exists in a trusted domain. This is called pass-through authentication, and it allows a computer running the Windows operating system that has joined a domain to have access to the user account database in its domain and in any trusted domains. + Enabling the [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) policy setting automatically enables the **Domain member: Digitally sign secure channel data (when possible)** policy setting. When a device joins a domain, a machine account is created. After joining the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. This secure channel is used to perform operations such as NTLM pass through authentication and LSA SID/name Lookup. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the integrity of the channel is not checked, and not all information is encrypted. If a system is set to always encrypt or sign secure channel data, a secure channel cannot be established with a domain controller that is not capable of signing or encrypting all secure channel traffic. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated. + ### Possible values + - Enabled + The domain member will request signing of all secure channel traffic. If the domain controller supports signing of all secure channel traffic, then all secure channel traffic will be signed which ensures that it cannot be tampered with in transit. + - Disabled + Signing will not be negotiated unless the policy [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) is enabled. + - Not defined + ### Best practices + - Set [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) to **Enabled**. - Set [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) to **Enabled**. - Set **Domain member: Digitally sign secure channel data (when possible)** to **Enabled**. -**Note**   -You can enable the other two policy settings, Domain member: [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) and **Domain member: Digitally sign secure channel data (when possible)**, on all devices joined to the domain that support these policy settings without affecting earlier-version clients and applications. +>**Note:**  You can enable the other two policy settings, Domain member: [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) and **Domain member: Digitally sign secure channel data (when possible)**, on all devices joined to the domain that support these policy settings without affecting earlier-version clients and applications.   ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Enabled

Stand-Alone Server Default Settings

Enabled

DC Effective Default Settings

Enabled

Member Server Effective Default Settings

Enabled

Client Computer Effective Default Settings

Enabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Enabled | +| Stand-Alone Server Default Settings | Enabled| +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings| Enabled| +| Client Computer Effective Default Settings | Enabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Group Policy + Distribution of this policy through Group Policy does not override the Local Security Policy setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + When a device joins a domain, a machine account is created. After it joins the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. If a device is configured to always encrypt or sign secure channel data but the domain controller cannot sign or encrypt any portion of the secure channel data, the computer and domain controller cannot establish a secure channel. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated. + ### Countermeasure + Because these policies are closely related and useful depending on your environment, select one of the following settings as appropriate to configure the devices in your domain to encrypt or sign secure channel data when possible. + - [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) - [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) - **Domain member: Digitally sign secure channel data (when possible)** + ### Potential impact + Digital signing of the secure channel is a good idea because the secure channel protects domain credentials as they are sent to the domain controller. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/domain-member-disable-machine-account-password-changes.md b/windows/keep-secure/domain-member-disable-machine-account-password-changes.md index 39fdae996b..e933a14786 100644 --- a/windows/keep-secure/domain-member-disable-machine-account-password-changes.md +++ b/windows/keep-secure/domain-member-disable-machine-account-password-changes.md @@ -2,82 +2,79 @@ title: Domain member Disable machine account password changes (Windows 10) description: Describes the best practices, location, values, and security considerations for the Domain member Disable machine account password changes security policy setting. ms.assetid: 1f660300-a07a-4243-a09f-140aa1ab8867 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Domain member: Disable machine account password changes + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Domain member: Disable machine account password changes** security policy setting. + ## Reference + The **Domain member: Disable machine account password changes** policy setting determines whether a domain member periodically changes its machine account password. Setting its value to **Enabled** prevents the domain member from changing the machine account password. Setting it to **Disabled** allows the domain member to change the machine account password as specified by the value of the [Domain member: Maximum machine account password age](domain-member-maximum-machine-account-password-age.md) policy setting, which is every 30 days by default. + By default, devices that belong to a domain are automatically required to change the passwords for their accounts every 30 days. Devices that are no longer able to automatically change their machine password are at risk of a malicious user determining the password for the system's domain account. Verify that the **Domain member: Disable machine account password changes** option is set to **Disabled**. + ### Possible values + - Enabled - Disabled + ### Best practices + 1. Do not enable this policy setting. Machine account passwords are used to establish secure channel communications between members and domain controllers and between the domain controllers within the domain. After it is established, the secure channel transmits sensitive information that is necessary for making authentication and authorization decisions. 2. Do not use this policy setting in an attempt to support dual-boot scenarios that use the same machine account. If you want to dual-boot installations that are joined to the same domain, give the two installations different computer names. This policy setting was added to the Windows operating system to make it easier for organizations that stockpile pre-built computers that are put into production months later; those devices do not have to be rejoined to the domain. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Disabled

Default Domain Controller Policy

Disabled

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Disabled | +| Default Domain Controller Policy | Disabled| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability -By default, devices running Windows Server that belong to a domain automatically change their passwords for their accounts every certain number of days, typically 30. If you disable this policy setting, devices that run Windows Server retain the same passwords as their machine accounts. Devices that cannot automatically change their account password are at risk from an attacker who could determine the password for the machine's domain account. + +By default, devices running Windows Server that belong to a domain automatically change their passwords for their accounts every certain number of days, typically 30. If you disable this policy setting, devices that run Windows Server retain the same passwords as their machine accounts. Devices +that cannot automatically change their account password are at risk from an attacker who could determine the password for the machine's domain account. + ### Countermeasure + Verify that the **Domain member: Disable machine account password changes** setting is configured to **Disabled**. + ### Potential impact + None. This is the default configuration. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/domain-member-maximum-machine-account-password-age.md b/windows/keep-secure/domain-member-maximum-machine-account-password-age.md index 9deffaa2c2..841729d203 100644 --- a/windows/keep-secure/domain-member-maximum-machine-account-password-age.md +++ b/windows/keep-secure/domain-member-maximum-machine-account-password-age.md @@ -2,81 +2,77 @@ title: Domain member Maximum machine account password age (Windows 10) description: Describes the best practices, location, values, and security considerations for the Domain member Maximum machine account password age security policy setting. ms.assetid: 0ec6f7c1-4d82-4339-94c0-debb2d1ac109 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Domain member: Maximum machine account password age + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Domain member: Maximum machine account password age** security policy setting. + ## Reference + The **Domain member: Maximum machine account password age** policy setting determines the maximum allowable age for a machine account password. + In Active Directory–based domains, each device has an account and password, just like every user. By default, the domain members automatically change their domain password every 30 days. Increasing this interval significantly, or setting it to **0** so that the device no longer change their passwords, gives a malicious user more time to undertake a brute-force password-guessing attack against one of the machine accounts. + ### Possible values + - User-defined number of days between 0 and 999 - Not defined. + ### Best practices + 1. It is often advisable to set **Domain member: Maximum machine account password age** to about 30 days. 2. Some organizations pre-build devices and then store them for later use or ship them to remote locations. If the machine's account has expired, it will no longer be able to authenticate with the domain. Devices that cannot authenticate with the domain must be removed from the domain and rejoined to it. For this reason, some organizations might want to create a special organizational unit (OU) for computers that are prebuilt, and configure the value for this policy setting to a larger number of days. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

30 days

DC Effective Default Settings

30 days

Member Server Effective Default Settings

30 days

Client Computer Effective Default Settings

30 days

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined | +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | 30 days| +| DC Effective Default Settings | 30 days| +| Member Server Effective Default Settings|30 days| +| Client Computer Effective Default Settings | 30 days|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability -In Active Directory–based domains, each device has an account and password, just as every user does. By default, the domain members automatically change their domain password every 30 days. If you increase this interval significantly, or set it to 0 so that the computers no longer change their passwords, an attacker has more time to undertake a brute-force attack to guess the password of one or more computer accounts. + +In Active Directory–based domains, each device has an account and password, just as every user does. By default, the domain members automatically change their domain password every 30 days. If you increase this interval significantly, or set it to 0 so that the computers no longer change their +passwords, an attacker has more time to undertake a brute-force attack to guess the password of one or more computer accounts. + ### Countermeasure + Configure the **Domain member: Maximum machine account password age** setting to 30 days. + ### Potential impact + None. This is the default configuration. ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/domain-member-require-strong-windows-2000-or-later-session-key.md b/windows/keep-secure/domain-member-require-strong-windows-2000-or-later-session-key.md index 2a95144b2d..2d179f76d3 100644 --- a/windows/keep-secure/domain-member-require-strong-windows-2000-or-later-session-key.md +++ b/windows/keep-secure/domain-member-require-strong-windows-2000-or-later-session-key.md @@ -2,88 +2,95 @@ title: Domain member Require strong (Windows 2000 or later) session key (Windows 10) description: Describes the best practices, location, values, and security considerations for the Domain member Require strong (Windows 2000 or later) session key security policy setting. ms.assetid: 5ab8993c-5086-4f09-bc88-1b27454526bd -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Domain member: Require strong (Windows 2000 or later) session key + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Domain member: Require strong (Windows 2000 or later) session key** security policy setting. + ## Reference + The **Domain member: Require strong (Windows 2000 or later) session key** policy setting determines whether a secure channel can be established with a domain controller that is not capable of encrypting secure channel traffic with a strong, 128-bit session key. Enabling this policy setting prevents establishing a secure channel with any domain controller that cannot encrypt secure channel data with a strong key. Disabling this policy setting allows 64-bit session keys. + Whenever possible, you should take advantage of these stronger session keys to help protect secure channel communications from eavesdropping and session-hijacking network attacks. Eavesdropping is a form of hacking in which network data is read or altered in transit. The data can be modified to hide or change the name of the sender, or it can be redirected. + ### Possible values + - Enabled + When enabled on a member workstation or server, all domain controllers in the domain that the member belongs to must be capable of encrypting secure channel data with a strong, 128-bit key. This means that all such domain controllers must be running at least Windows 2000 Server. + - Disabled + Allows 64-bit session keys to be used. + - Not defined. + ### Best practices + - It is advisable to set **Domain member: Require strong (Windows 2000 or later) session key** to Enabled. Enabling this policy setting ensures that all outgoing secure channel traffic will require a strong encryption key. Disabling this policy setting requires that key strength be negotiated. Only enable this option if the domain controllers in all trusted domains support strong keys. By default, this value is disabled. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +| Server type or GPO +| Default value +| - | - | +| Default Domain Policy | Not defined | +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled|   ## Policy management + + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Group Policy + Misuse of this policy setting is a common error that can cause data loss or problems with data access or security. + You will you be able to join devices that do not support this policy setting to domains where the domain controllers have this policy setting enabled. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Session keys that are used to establish secure channel communications between domain controllers and member computers are much stronger starting with Windows 2000. + Whenever possible, you should take advantage of these stronger session keys to help protect secure channel communications from attacks that attempt to hijack network sessions and eavesdrop. (Eavesdropping is a form of hacking in which network data is read or altered in transit. The data can be modified to hide or change the sender, or be redirected.) + ### Countermeasure + Enable the **Domain member: Require strong (Windows 2000 or later) session key** setting. + If you enable this policy setting, all outgoing secure channel traffic requires a strong encryption key. If you disable this policy setting, the key strength is negotiated. You should enable this policy setting only if the domain controllers in all trusted domains support strong keys. By default, this policy setting is disabled. + ### Potential impact + Devices that do not support this policy setting cannot join domains in which the domain controllers have this policy setting enabled. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/edit-an-applocker-policy.md b/windows/keep-secure/edit-an-applocker-policy.md index 725e1f5ac0..8bd9ebfcea 100644 --- a/windows/keep-secure/edit-an-applocker-policy.md +++ b/windows/keep-secure/edit-an-applocker-policy.md @@ -2,70 +2,99 @@ title: Edit an AppLocker policy (Windows 10) description: This topic for IT professionals describes the steps required to modify an AppLocker policy. ms.assetid: dbc72d1f-3fe0-46c2-aeeb-96621fce7637 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Edit an AppLocker policy + **Applies to** - Windows 10 + This topic for IT professionals describes the steps required to modify an AppLocker policy. + You can edit an AppLocker policy by adding, changing, or removing rules. However, you cannot create a new version of the policy by importing additional rules. To modify an AppLocker policy that is in production, you should use Group Policy management software that allows you to version Group Policy Objects (GPOs). If you have created multiple AppLocker policies and need to merge them to create one AppLocker policy, you can either manually merge the policies or use the Windows PowerShell cmdlets for AppLocker. You cannot automatically merge policies by using the AppLocker snap-in. You must create one rule collection from two or more policies. The AppLocker policy is saved in XML format, and the exported policy can be edited with any text or XML editor. For info about merging policies, see [Merge AppLocker policies manually](merge-applocker-policies-manually.md) or [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md). + There are two methods you can use to edit an AppLocker policy: + - [Editing an AppLocker policy by using Group Policy](#bkmk-editapppolingpo) - [Editing an AppLocker policy by using the Local Security Policy snap-in](#bkmk-editapplolnotingpo) + ## Editing an AppLocker policy by using Group Policy + The steps to edit an AppLocker policy distributed by Group Policy include the following: + ### Step 1: Use Group Policy management software to export the AppLocker policy from the GPO -AppLocker provides a feature to export and import AppLocker policies as an XML file. This allows you to modify an AppLocker policy outside your production environment. Because updating an AppLocker policy in a deployed GPO could have unintended consequences, you should first export the AppLocker policy to an XML file. For the procedure to do this, see [Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md). + +AppLocker provides a feature to export and import AppLocker policies as an XML file. This allows you to modify an AppLocker policy outside your production environment. Because updating an AppLocker policy in a deployed GPO could have unintended consequences, you should first export the AppLocker +policy to an XML file. For the procedure to do this, see [Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md). + ### Step 2: Import the AppLocker policy into the AppLocker reference PC or the PC you use for policy maintenance + After exporting the AppLocker policy to an XML file, you should import the XML file onto a reference PC so that you can edit the policy. For the procedure to import an AppLocker policy, see [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md). -**Caution**   -Importing a policy onto another PC will overwrite the existing policy on that PC. + +>**Caution:**  Importing a policy onto another PC will overwrite the existing policy on that PC.   ### Step 3: Use AppLocker to modify and test the rule + AppLocker provides ways to modify, delete, or add rules to a policy by modifying the rules within the collection. + - For the procedure to modify a rule, see [Edit AppLocker rules](edit-applocker-rules.md). - For the procedure to delete a rule, see [Delete an AppLocker rule](delete-an-applocker-rule.md). - For procedures to create rules, see: + - [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md) - [Create a rule that uses a path condition](create-a-rule-that-uses-a-path-condition.md) - [Create a rule that uses a file hash condition](create-a-rule-that-uses-a-file-hash-condition.md) - [Enable the DLL rule collection](enable-the-dll-rule-collection.md) + - For steps to test an AppLocker policy, see [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md). - For procedures to export the updated policy from the reference computer back into the GPO, see [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) and [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md). + ### Step 4: Use AppLocker and Group Policy to import the AppLocker policy back into the GPO + For procedures to export the updated policy from the reference computer back into the GPO, see [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) and [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md). -**Caution**   -You should never edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed run, making changes to a live policy can create unexpected behavior. For info about testing policies, see [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md). + +>**Caution:**  You should never edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed run, making changes to a live policy can create unexpected behavior. For info about testing policies, see [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md).   -**Note**   -If you are performing these steps by using Microsoft Advanced Group Policy Management (AGPM), check out the GPO before exporting the policy. +>**Note:**  If you are performing these steps by using Microsoft Advanced Group Policy Management (AGPM), check out the GPO before exporting the policy.   ## Editing an AppLocker policy by using the Local Security Policy snap-in + The steps to edit an AppLocker policy distributed by using the Local Security Policy snap-in (secpol.msc) include the following tasks. + ### Step 1: Import the AppLocker policy + On the PC where you maintain policies, open the AppLocker snap-in from the Local Security Policy snap-in (secpol.msc). If you exported the AppLocker policy from another PC, use AppLocker to import it onto the PC. + After exporting the AppLocker policy to an XML file, you should import the XML file onto a reference PC so that you can edit the policy. For the procedure to import an AppLocker policy, see [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md). -**Caution**   -Importing a policy onto another PC will overwrite the existing policy on that PC. + +>**Caution:**  Importing a policy onto another PC will overwrite the existing policy on that PC.   ### Step 2: Identify and modify the rule to change, delete, or add + AppLocker provides ways to modify, delete, or add rules to a policy by modifying the rules within the collection. + - For the procedure to modify a rule, see [Edit AppLocker rules](edit-applocker-rules.md). - For the procedure to delete a rule, see [Delete an AppLocker rule](delete-an-applocker-rule.md). - For procedures to create rules, see: + - [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md) - [Create a rule that uses a path condition](create-a-rule-that-uses-a-path-condition.md) - [Create a rule that uses a file hash condition](create-a-rule-that-uses-a-file-hash-condition.md) - [Enable the DLL rule collection](enable-the-dll-rule-collection.md) + ### Step 3: Test the effect of the policy + For steps to test an AppLocker policy, see [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md). + ### Step 4: Export the policy to an XML file and propagate it to all targeted computers + For procedures to export the updated policy from the reference computer to targeted computers, see [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) and [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md). + ## Additional resources + - For steps to perform other AppLocker policy tasks, see [Administer AppLocker](administer-applocker.md). -  -  diff --git a/windows/keep-secure/edit-applocker-rules.md b/windows/keep-secure/edit-applocker-rules.md index 69c9a61c3a..3fcada9c5e 100644 --- a/windows/keep-secure/edit-applocker-rules.md +++ b/windows/keep-secure/edit-applocker-rules.md @@ -2,42 +2,55 @@ title: Edit AppLocker rules (Windows 10) description: This topic for IT professionals describes the steps to edit a publisher rule, path rule, and file hash rule in AppLocker. ms.assetid: 80016cda-b915-46a0-83c6-5e6b0b958e32 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Edit AppLocker rules + **Applies to** - Windows 10 + This topic for IT professionals describes the steps to edit a publisher rule, path rule, and file hash rule in AppLocker. + For more info about these rule types, see [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md). + You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). + **To edit a publisher rule** + 1. Open the AppLocker console, and then click the appropriate rule collection. 2. In the **Action** pane, right-click the publisher rule, and then click **Properties**. 3. Click the appropriate tab to edit the rule properties. + - Click the **General** tab to change the rule name, add a rule description, configure whether the rule is used to allow or deny applications, and set the security group for which this rule should apply. - Click the **Publisher** tab to configure the certificate's common name, the product name, the file name, or file version of the publisher. - Click the **Exceptions** tab to create or edit exceptions. - When you finish updating the rule, click **OK**. + **To edit a file hash rule** + 1. Open the AppLocker console, and then click the appropriate rule collection. 2. Choose the appropriate rule collection. 3. In the **Action** pane, right-click the file hash rule, and then click **Properties**. 4. Click the appropriate tab to edit the rule properties. + - Click the **General** tab to change the rule name, add a rule description, configure whether the rule is used to allow or deny applications, and set the security group in which this rule should apply. - Click the **File Hash** tab to configure the files that should be used to enforce the rule. You can click **Browse Files** to add a specific file or click **Browse Folders** to add all files in a specified folder. To remove hashes individually, click **Remove**. - When you finish updating the rule, click **OK**. + **To edit a path rule** + 1. Open the AppLocker console, and then click the appropriate rule collection. 2. Choose the appropriate rule collection. 3. In the **Action** pane, right-click the path rule, and then click **Properties**. 4. Click the appropriate tab to edit the rule properties. + - Click the **General** tab to change the rule name, add a rule description, configure whether the rule is used to allow or deny applications, and set the security group in which this rule should apply. - Click the **Path** tab to configure the path on the computer in which the rule should be enforced. - Click the **Exceptions** tab to create exceptions for specific files in a folder. - When you finish updating the rule, click **OK**. -  -  + \ No newline at end of file diff --git a/windows/keep-secure/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md b/windows/keep-secure/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md index af9eb0fbc6..6e5addb821 100644 --- a/windows/keep-secure/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md +++ b/windows/keep-secure/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md @@ -2,95 +2,99 @@ title: Enable computer and user accounts to be trusted for delegation (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Enable computer and user accounts to be trusted for delegation security policy setting. ms.assetid: 524062d4-1595-41f3-8ce1-9c85fd21497b -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Enable computer and user accounts to be trusted for delegation + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Enable computer and user accounts to be trusted for delegation** security policy setting. + ## Reference + This policy setting determines which users can set the **Trusted for Delegation** setting on a user or computer object. Security account delegation provides the ability to connect to multiple servers, and each server change retains the authentication credentials of the original client. Delegation of authentication is a capability that client and server applications use when they have multiple tiers. It allows a public-facing service to use client credentials to authenticate to an application or database service. For this configuration to be possible, the client and the server must run under accounts that are trusted for delegation. + Only administrators who have the **Enable computer and user accounts to be trusted for delegation** credential can set up delegation. Domain admins and Enterprise admins have this credential. The procedure to allow a user to be trusted for delegation depends on the functionality level of the domain. + The user or machine object that is granted this right must have write access to the account control flags. A server process running on a device (or under a user context) that is trusted for delegation can access resources on another computer by using the delegated credentials of a client. However, the client account must have Write access to the account control flags on the object. + Constant: SeEnableDelegationPrivilege + ### Possible values + - User-defined list of accounts - Not defined + ### Best practices + - There is no reason to assign this user right to anyone on member servers and workstations that belong to a domain because it has no meaning in those contexts. It is only relevant on domain controllers and stand-alone devices. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Not defined

Domain Controller Effective Default Settings

Administrators

Member Server Effective Default Settings

Administrators

Client Computer Effective Default Settings

Administrators

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Not defined| +| Domain Controller Effective Default Settings | Administrators| +| Member Server Effective Default Settings | Administrators| +| Client Computer Effective Default Settings | Administrators|   ## Policy management + This section describes features, tools and guidance to help you manage this policy. + Modifying this setting might affect compatibility with clients, services, and applications. + A restart of the device is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + This user right is defined in the Default Domain Controller Group Policy Object (GPO) and in the local security policy of workstations and servers. + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability -Misuse of the **Enable computer and user accounts to be trusted for delegation** user right could allow unauthorized users to impersonate other users on the network. An attacker could exploit this privilege to gain access to network resources and make it difficult to determine what has happened after a security incident. + +Misuse of the **Enable computer and user accounts to be trusted for delegation** user right could allow unauthorized users to impersonate other users on the network. An attacker could exploit this privilege to gain access to network resources and make it difficult to determine what has happened +after a security incident. + ### Countermeasure + The **Enable computer and user accounts to be trusted for delegation** user right should be assigned only if there is a clear need for its functionality. When you assign this right, you should investigate the use of constrained delegation to control what the delegated accounts can do. On domain controllers, this right is assigned to the Administrators group by default. -**Note**   -There is no reason to assign this user right to anyone on member servers and workstations that belong to a domain because it has no meaning in those contexts. It is only relevant on domain controllers and stand-alone computers. + +>**Note:**  There is no reason to assign this user right to anyone on member servers and workstations that belong to a domain because it has no meaning in those contexts. It is only relevant on domain controllers and stand-alone computers.   ### Potential impact + None. Not defined is the default configuration. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/enable-the-dll-rule-collection.md b/windows/keep-secure/enable-the-dll-rule-collection.md index bf0a849440..3a23c140a8 100644 --- a/windows/keep-secure/enable-the-dll-rule-collection.md +++ b/windows/keep-secure/enable-the-dll-rule-collection.md @@ -2,24 +2,29 @@ title: Enable the DLL rule collection (Windows 10) description: This topic for IT professionals describes the steps to enable the DLL rule collection feature for AppLocker. ms.assetid: 88ef9561-6eb2-491a-803a-b8cdbfebae27 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Enable the DLL rule collection + **Applies to** - Windows 10 + This topic for IT professionals describes the steps to enable the DLL rule collection feature for AppLocker. + The DLL rule collection includes the .dll and .ocx file formats. + For info about these rules, see [DLL rules in AppLocker](dll-rules-in-applocker.md). -You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). + +You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer +AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). + **To enable the DLL rule collection** 1. From the AppLocker console, right-click **AppLocker**, and then click **Properties.** 2. Click the **Advanced** tab, select the **Enable the DLL rule collection** check box, and then click **OK**. - **Important**   - Before you enforce DLL rules, make sure that there are allow rules for each DLL that is used by any of the allowed apps. -   -  -  + + >**Important:**  Before you enforce DLL rules, make sure that there are allow rules for each DLL that is used by any of the allowed apps. diff --git a/windows/keep-secure/encrypted-hard-drive.md b/windows/keep-secure/encrypted-hard-drive.md index a47495f67c..7de2f367e0 100644 --- a/windows/keep-secure/encrypted-hard-drive.md +++ b/windows/keep-secure/encrypted-hard-drive.md @@ -2,66 +2,93 @@ title: Encrypted Hard Drive (Windows 10) description: Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management. ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Encrypted Hard Drive + **Applies to** - Windows 10 + Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management. + By offloading the cryptographic operations to hardware, Encrypted Hard Drives increase BitLocker performance and reduce CPU usage and power consumption. Because Encrypted Hard Drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity. + Encrypted Hard Drives are a new class of hard drives that are self-encrypting at a hardware level and allow for full disk hardware encryption. In Windows 8, Windows Server 2012, and later you can install to these devices without additional modification. + Some of the benefits of Encrypted Hard Drives include: + - **Better performance**: Encryption hardware, integrated into the drive controller, allows the drive to operate at full data rate with no performance degradation. - **Strong security based in hardware**: Encryption is always "on" and the keys for encryption never leave the hard drive. User authentication is performed by the drive before it will unlock, independently of the operating system - **Ease of use**: Encryption is transparent to the user because it is on by default. There is no user interaction needed to enable encryption. Encrypted Hard Drives are easily erased using on-board encryption key; there is no need to re-encrypt data on the drive. - **Lower cost of ownership**: There is no need for new infrastructure to manage encryption keys, since BitLocker leverages your Active Directory Domain Services infrastructure to store recovery information. Your device operates more efficiently because processor cycles do not need to be used for the encryption process. + Encrypted Hard Drives are supported natively in the operating system through the following mechanisms: + - **Identification**: The operating system can identify that the drive is an Encrypted Hard Drive device type - **Activation**: The operating system disk management utility can activate, create and map volumes to ranges/bands as appropriate - **Configuration**: The operating system can create and map volumes to ranges/bands as appropriate - **API**: API support for applications to manage Encrypted Hard Drives independently of BitLocker Drive Encryption (BDE) - **BitLocker support**: Integration with the BitLocker Control Panel provides a seamless BitLocker end user experience. -**Warning**   -Self-Encrypting Hard Drives and Encrypted Hard Drives for Windows are not the same type of device. Encrypted Hard Drives for Windows require compliance for specific TCG protocols as well as IEEE 1667 compliance; Self-Encrypting Hard Drives do not have these requirements. It is important to confirm the device type is an Encrypted Hard Drive for Windows when planning for deployment. + +>**Warning:**  Self-Encrypting Hard Drives and Encrypted Hard Drives for Windows are not the same type of device. Encrypted Hard Drives for Windows require compliance for specific TCG protocols as well as IEEE 1667 compliance; Self-Encrypting Hard Drives do not have these requirements. It is important to confirm the device type is an Encrypted Hard Drive for Windows when planning for deployment.   If you are a storage device vendor who is looking for more info on how to implement Encrypted Hard Drive, see the [Encrypted Hard Drive Device Guide](http://msdn.microsoft.com/library/windows/hardware/dn653989.aspx). + ## System Requirements + To use Encrypted Hard Drive, the following system requirements apply: + For Encrypted Hard Drives used as **data drives**: + - The drive must be in an uninitialized state. - The drive must be in a security inactive state. + For Encrypted Hard Drives used as **startup drives**: + - The drive must be in an uninitialized state. - The drive must be in a security inactive state. - The computer must be UEFI 2.3.1 based and have the EFI\_STORAGE\_SECURITY\_COMMAND\_PROTOCOL defined. (This protocol is used to allow programs running in the EFI boot services environment to send security protocol commands to the drive). - The computer must have the Compatibility Support Module (CSM) disabled in UEFI. - The computer must always boot natively from UEFI. -**Warning**   -All Encrypted Hard Drives must be attached to non-RAID controllers to function properly. + +>**Warning:**  All Encrypted Hard Drives must be attached to non-RAID controllers to function properly.   ## Technical overview + Rapid encryption in BitLocker directly addresses the security needs of enterprises while offering significantly improved performance. In versions of Windows earlier than Windows Server 2012, BitLocker required a two-step process to complete read/write requests. In Windows Server 2012, Windows 8, or later, Encrypted Hard Drives offload the cryptographic operations to the drive controller for much greater efficiency. When the operating system an Encrypted Hard Drive, it activates the security mode. This activation lets the drive controller generate a media key for every volume that the host computer creates. This media key, which is never exposed outside the disk, is used to rapidly encrypt or decrypt every byte of data that is sent or received from the disk. + ## Configuring Encrypted Hard Drives as Startup drives + Configuration of Encrypted Hard Drives as startup drives is done using the same methods as standard hard drives. These methods include: + - **Deploy from media**: Configuration of Encrypted Hard Drives happens automatically through the installation process. - **Deploy from network**: This deployment method involves booting a Windows PE environment and using imaging tools to apply a Windows image from a network share. Using this method, the Enhanced Storage optional component needs to be included in the Windows PE image. You can enable this component using Server Manager, Windows PowerShell, or the DISM command line tool. If this component is not present, configuration of Encrypted Hard Drives will not work. - **Deploy from server**: This deployment method involves PXE booting a client with Encrypted Hard Drives present. Configuration of Encrypted Hard Drives happens automatically in this environment when the Enhanced Storage component is added to the PXE boot image. During deployment, the [TCGSecurityActivationDisabled](http://msdn.microsoft.com/library/windows/hardware/dn923247.aspx) setting in unattend.xml controls the encryption behavior of Encrypted Hard Drives. - **Disk Duplication**: This deployment method involves use of a previously configured device and disk duplication tools to apply a Windows image to an Encrypted Hard Drive. Disks must be partitioned using at least Windows 8 or Windows Server 2012 for this configuration to work. Images made using disk duplicators will not work. + ### Encrypted Hard Drive Architecture + Encrypted Hard Drives utilize two encryption keys on the device to control the locking and unlocking of data on the drive. These are the Data Encryption Key (DEK) and the Authentication Key (AK). + The Data Encryption Key is the key used to encrypt all of the data on the drive. The drive generates the DEK and it never leaves the device. It is stored in an encrypted format at a random location on the drive. If the DEK is changed or erased, data encrypted using the DEK is irrecoverable. + The Authentication Key is the key used to unlock data on the drive. A hash of the key is stored on drive and requires confirmation to decrypt the DEK. -When a computer with an Encrypted Hard Drive is in a powered off state, the drive locks automatically. As a computer powers on, the device remains in a locked state and is only unlocked after the Authentication Key decrypts the Data Encryption Key. Once the Authentication Key decrypts the Data Encryption Key, read-write operations can take place on the device. + +When a computer with an Encrypted Hard Drive is in a powered off state, the drive locks automatically. As a computer powers on, the device remains in a locked state and is only unlocked after the Authentication Key decrypts the Data Encryption Key. Once the Authentication Key decrypts the Data +Encryption Key, read-write operations can take place on the device. + When writing data to the drive, it passes through an encryption engine before the write operation completes. Likewise, reading data from the drive requires the encryption engine to decrypt the data before passing that data back to the user. In the event that the DEK needs to be changed or erased, the data on the drive does not need to be re-encrypted. A new Authentication Key needs to be created and it will re-encrypt the DEK. Once completed, the DEK can now be unlocked using the new AK and read-writes to the volume can continue. + ## Re-configuring Encrypted Hard Drives + Many Encrypted Hard Drive devices come pre-configured for use. If reconfiguration of the drive is required, use the following procedure after removing all available volumes and reverting the drive to an uninitialized state: + 1. Open Disk Management (diskmgmt.msc) 2. Initialize the disk and select the appropriate partition style (MBR or GPT) 3. Create one or more volumes on the disk. 4. Use the BitLocker setup wizard to enable BitLocker on the volume. -  -  diff --git a/windows/keep-secure/enforce-applocker-rules.md b/windows/keep-secure/enforce-applocker-rules.md index e71f69a725..31ab2aa2b8 100644 --- a/windows/keep-secure/enforce-applocker-rules.md +++ b/windows/keep-secure/enforce-applocker-rules.md @@ -2,22 +2,29 @@ title: Enforce AppLocker rules (Windows 10) description: This topic for IT professionals describes how to enforce application control rules by using AppLocker. ms.assetid: e1528b7b-77f2-4419-8e27-c9cc3721d96d -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Enforce AppLocker rules + **Applies to** - Windows 10 + This topic for IT professionals describes how to enforce application control rules by using AppLocker. + After AppLocker rules are created within the rule collection, you can configure the enforcement setting to **Enforce rules** or **Audit only** on the rule collection. + When AppLocker policy enforcement is set to **Enforce rules**, rules are enforced for the rule collection and all events are audited. When AppLocker policy enforcement is set to **Audit only**, rules are only evaluated but all events generated from that evaluation are written to the AppLocker log. + There is no audit mode for the DLL rule collection. DLL rules affect specific apps. Therefore, test the impact of these rules first before deploying them to production. + To enforce AppLocker rules by configuring an AppLocker policy to **Enforce rules**, see [Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md). -**Caution**   -AppLocker rules will be enforced immediately on the local device or when the Group Policy object (GPO) is updated by performing this procedure. If you want to see the effect of applying an AppLocker policy before setting the enforcement setting to **Enforce rules**, configure the policy to **Audit only**. For info about how to do this, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md)or [Test an AppLocker policy by Using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md). + +>**Caution:**  AppLocker rules will be enforced immediately on the local device or when the Group Policy object (GPO) is updated by performing this procedure. If you want to see the effect of applying an AppLocker policy before setting the enforcement setting to **Enforce rules**, configure the policy to **Audit only**. For info about how to do this, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md)or [Test an AppLocker policy by Using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md).       diff --git a/windows/keep-secure/enforce-password-history.md b/windows/keep-secure/enforce-password-history.md index aaf1fdefe7..a52801d820 100644 --- a/windows/keep-secure/enforce-password-history.md +++ b/windows/keep-secure/enforce-password-history.md @@ -2,88 +2,85 @@ title: Enforce password history (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Enforce password history security policy setting. ms.assetid: 8b2ab871-3e52-4dd1-9776-68bb1e935442 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Enforce password history + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Enforce password history** security policy setting. + ## Reference + The **Enforce password history** policy setting determines the number of unique new passwords that must be associated with a user account before an old password can be reused. Password reuse is an important concern in any organization. Many users want to reuse the same password for their account over a long period of time. The longer the same password is used for a particular account, the greater the chance that an attacker will be able to determine the password through brute force attacks. If users are required to change their password, but they can reuse an old password, the effectiveness of a good password policy is greatly reduced. + Specifying a low number for **Enforce password history** allows users to continually use the same small number of passwords repeatedly. If you do not also set [Minimum password age](minimum-password-age.md), users can change their password as many times in a row as necessary to reuse their original password. + ### Possible values + - User-specified number from 0 through 24 - Not defined + ### Best practices + - Set **Enforce password history** to 24. This will help mitigate vulnerabilities that are caused by password reuse. - Set [Maximum password age](maximum-password-age.md) to expire passwords between 60 and 90 days. Try to expire the passwords between major business cycles to prevent work loss. - Configure [Minimum password age](minimum-password-age.md) so that you do not allow passwords to be changed immediately. + ### Location + **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy** + ### Default values + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default domain policy

24 passwords remembered

Default domain controller policy

Not defined

Stand-alone server default settings

0 passwords remembered

Domain controller effective default settings

24 passwords remembered

Member server effective default settings

24 passwords remembered

Effective GPO default settings on client computers

24 passwords remembered

+ +| Server type or GPO | Default value | +| - | - | +| Default domain policy | 24 passwords remembered| +| Default domain controller policy | Not defined| +| Stand-alone server default settings | 0 passwords remembered| +| Domain controller effective default settings | 24 passwords remembered| +| Member server effective default settings | 24 passwords remembered| +| Effective GPO default settings on client computers | 24 passwords remembered|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + The longer a user uses the same password, the greater the chance that an attacker can determine the password through brute force attacks. Also, any accounts that may have been compromised remain exploitable for as long as the password is left unchanged. If password changes are required but password reuse is not prevented, or if users continually reuse a small number of passwords, the effectiveness of a good password policy is greatly reduced. + If you specify a low number for this policy setting, users can use the same small number of passwords repeatedly. If you do not also configure the [Minimum password age](minimum-password-age.md) policy setting, users might repeatedly change their passwords until they can reuse their original password. -**Note**   -After an account has been compromised, a simple password reset might not be enough to restrict a malicious user because the malicious user might have modified the user's environment so that the password is changed back to a known value automatically at a certain time. If an account has been compromised, it is best to delete the account and assign the user a new account after all affected systems have been restored to normal operations and verified that they are no longer compromised. + +>**Note:**  After an account has been compromised, a simple password reset might not be enough to restrict a malicious user because the malicious user might have modified the user's environment so that the password is changed back to a known value automatically at a certain time. If an account has been compromised, it is best to delete the account and assign the user a new account after all affected systems have been restored to normal operations and verified that they are no longer compromised.   ### Countermeasure + Configure the **Enforce password history** policy setting to 24 (the maximum setting) to help minimize the number of vulnerabilities that are caused by password reuse. + For this policy setting to be effective, you should also configure effective values for the [Minimum password age](minimum-password-age.md) and [Maximum password age](maximum-password-age.md) policy settings. + ### Potential impact + The major impact of configuring the **Enforce password history** setting to 24 is that users must create a new password every time they are required to change their old one. If users are required to change their passwords to new unique values, there is an increased risk of users who write their passwords somewhere so that they do not forget them. Another risk is that users may create passwords that change incrementally (for example, password01, password02, and so on) to facilitate memorization, but this makes them easier for an attacker to guess. Also, an excessively low value for the [Maximum password age](maximum-password-age.md) policy setting is likely to increase administrative overhead because users who forget their passwords might ask the Help Desk to reset them frequently. + ## Related topics -[Password Policy](password-policy.md) -  -  + +- [Password Policy](password-policy.md) diff --git a/windows/keep-secure/enforce-user-logon-restrictions.md b/windows/keep-secure/enforce-user-logon-restrictions.md index ed3f79446b..39f83bb850 100644 --- a/windows/keep-secure/enforce-user-logon-restrictions.md +++ b/windows/keep-secure/enforce-user-logon-restrictions.md @@ -2,88 +2,88 @@ title: Enforce user logon restrictions (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Enforce user logon restrictions security policy setting. ms.assetid: 5891cb73-f1ec-48b9-b703-39249e48a29f -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Enforce user logon restrictions + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Enforce user logon restrictions** security policy setting. + ## Reference + The **Enforce user logon restrictions** policy setting determines whether the Kerberos V5 Key Distribution Center (KDC) validates every request for a session ticket against the user rights policy of the user account. Validating each request for a session ticket is optional because the extra step takes time, and that can slow network access to services. + The possible values for this Group Policy setting are: + - Enabled - Disabled - Not defined + ### Best practices + - If this policy setting is disabled, users might be granted session tickets for services that they do not have the right to use. - It is advisable to set **Enforce user logon restrictions** to Enabled. + + We recommend to set **Enforce user logon restrictions** to Enabled. + ### Location + **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Kerberos Policy** + ### Default Values + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server Type or GPODefault Value

Default Domain Policy

Enabled

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Not applicable

DC Effective Default Settings

Enabled

Member Server Effective Default Settings

Not applicable

Client Computer Effective Default Settings

Not applicable

+ +| Server Type or GPO | Default Value | +| - | - | +| Default Domain Policy | Enabled| +| Default Domain Controller Policy | Not defined | +| Stand-Alone Server Default Settings| Not applicable | +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings| Not applicable| +| Client Computer Effective Default Settings | Not applicable|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the device is not required for this policy setting to be effective. + ### Group Policy + Client devices will get the new setting during the next scheduled and successful Group Policy refresh. But for domain controllers to assign these new settings immediately, a gpupdate.exe /force is required. On the local device, the Security Configuration Engine will refresh this setting in about five minutes. + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + If you disable this policy setting, users could receive session tickets for services that they no longer have the right to use because the right was removed after they logged on. + ### Countermeasure + Enable the **Enforce user logon restrictions** setting. + ### Potential impact + None. This is the default configuration. + ## Related topics -[Kerberos Policy](kerberos-policy.md) -  -  + +- [Kerberos Policy](kerberos-policy.md) diff --git a/windows/keep-secure/enlightened-microsoft-apps-and-edp.md b/windows/keep-secure/enlightened-microsoft-apps-and-edp.md index c0cd2aac59..bf8d546f56 100644 --- a/windows/keep-secure/enlightened-microsoft-apps-and-edp.md +++ b/windows/keep-secure/enlightened-microsoft-apps-and-edp.md @@ -2,10 +2,11 @@ title: List of enlightened Microsoft apps for use with enterprise data protection (EDP) (Windows 10) description: Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your Protected Apps list. ms.assetid: 17c85ea3-9b66-4b80-b511-8f277cb4345f -keywords: ["EDP", "Enterprise Data Protection"] -ms.prod: W10 +keywords: EDP, Enterprise Data Protection +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library +ms.pagetype: security author: eross-msft --- diff --git a/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md b/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md index f6244f66e0..6e239a2aea 100644 --- a/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md @@ -3,9 +3,10 @@ title: Review events and errors on endpoints with Event Viewer description: Get descriptions and further troubleshooting steps (if required) for all events reported by the Windows Defender ATP service. keywords: troubleshoot, event viewer, log summary, failure code, failed, Windows Advanced Threat Protection service, cannot start, broken, can't start search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: iaanw --- diff --git a/windows/keep-secure/executable-rules-in-applocker.md b/windows/keep-secure/executable-rules-in-applocker.md index b215d8ffe5..ebad0e1645 100644 --- a/windows/keep-secure/executable-rules-in-applocker.md +++ b/windows/keep-secure/executable-rules-in-applocker.md @@ -2,55 +2,28 @@ title: Executable rules in AppLocker (Windows 10) description: This topic describes the file formats and available default rules for the executable rule collection. ms.assetid: 65e62f90-6caa-48f8-836a-91f8ac9018ee -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Executable rules in AppLocker + **Applies to** - Windows 10 + This topic describes the file formats and available default rules for the executable rule collection. + AppLocker defines executable rules as any files with the .exe and .com extensions that are associated with an app. Because all of the default rules for the executable rule collection are based on folder paths, all files under those paths will be allowed. The following table lists the default rules that are available for the executable rule collection. - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
PurposeNameUserRule condition type

Allow members of the local Administrators group access to run all executable files

(Default Rule) All files

BUILTIN\Administrators

Path: *

Allow all users to run executable files in the Windows folder

(Default Rule) All files located in the Windows folder

Everyone

Path: %windir%\*

Allow all users to run executable files in the Program Files folder

(Default Rule) All files located in the Program Files folder

Everyone

Path: %programfiles%\*

+ +| Purpose | Name | User | Rule condition type | +| - | - | - | - | +| Allow members of the local Administrators group access to run all executable files | (Default Rule) All files| BUILTIN\Administrators | Path: * | +| Allow all users to run executable files in the Windows folder| (Default Rule) All files located in the Windows folder| Everyone| Path: %windir%\*| +| Allow all users to run executable files in the Program Files folder | (Default Rule) All files located in the Program Files folder| Everyone | Path: %programfiles%\*|   ## Related topics -[Understanding AppLocker Default Rules](understanding-applocker-default-rules.md) -  -  + +- [Understanding AppLocker Default Rules](understanding-applocker-default-rules.md) diff --git a/windows/keep-secure/export-an-applocker-policy-from-a-gpo.md b/windows/keep-secure/export-an-applocker-policy-from-a-gpo.md index 565c1d0597..6476c88d16 100644 --- a/windows/keep-secure/export-an-applocker-policy-from-a-gpo.md +++ b/windows/keep-secure/export-an-applocker-policy-from-a-gpo.md @@ -2,23 +2,28 @@ title: Export an AppLocker policy from a GPO (Windows 10) description: This topic for IT professionals describes the steps to export an AppLocker policy from a Group Policy Object (GPO) so that it can be modified. ms.assetid: 7db59719-a8be-418b-bbfd-22cf2176c9c0 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Export an AppLocker policy from a GPO + **Applies to** - Windows 10 + This topic for IT professionals describes the steps to export an AppLocker policy from a Group Policy Object (GPO) so that it can be modified. + Updating an AppLocker policy that is currently enforced in your production environment can have unintended results. Therefore, export the policy from the GPO and update the rule or rules by using AppLocker on your AppLocker reference device + To complete this procedure, you must have the **Edit Setting** permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission. + **Export the policy from the GPO** + 1. In the Group Policy Management Console (GPMC), open the GPO that you want to edit. 2. In the console tree under **Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Application Control Policies**, click **AppLocker**. 3. Right-click **AppLocker**, and then click **Export Policy**. 4. In the **Export Policy** dialog box, type a name for the exported policy (for example, the name of the GPO), select a location to save the policy, and then click **Save**. 5. The **AppLocker** dialog box will notify you of how many rules were exported. Click **OK**. -  -  diff --git a/windows/keep-secure/export-an-applocker-policy-to-an-xml-file.md b/windows/keep-secure/export-an-applocker-policy-to-an-xml-file.md index 5812fda7ae..f3f9d22190 100644 --- a/windows/keep-secure/export-an-applocker-policy-to-an-xml-file.md +++ b/windows/keep-secure/export-an-applocker-policy-to-an-xml-file.md @@ -2,20 +2,23 @@ title: Export an AppLocker policy to an XML file (Windows 10) description: This topic for IT professionals describes the steps to export an AppLocker policy to an XML file for review or testing. ms.assetid: 979bd23f-6815-478b-a6a4-a25239cb1080 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Export an AppLocker policy to an XML file + **Applies to** - Windows 10 + This topic for IT professionals describes the steps to export an AppLocker policy to an XML file for review or testing. Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure. + **To export an AppLocker policy to an XML file** + 1. From the AppLocker console, right-click **AppLocker**, and then click **Export Policy**. 2. Browse to the location where you want to save the XML file. -3. In the **File name** box, type a file name for the XML file, and then click **Save**. -  -  +3. In the **File name** box, type a file name for the XML file, and then click **Save**. \ No newline at end of file diff --git a/windows/keep-secure/file-system-global-object-access-auditing.md b/windows/keep-secure/file-system-global-object-access-auditing.md index 8d1bf75dc2..13e7b15ca7 100644 --- a/windows/keep-secure/file-system-global-object-access-auditing.md +++ b/windows/keep-secure/file-system-global-object-access-auditing.md @@ -2,20 +2,25 @@ title: File System (Global Object Access Auditing) (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, File System (Global Object Access Auditing), which enables you to configure a global system access control list (SACL) on the file system for an entire computer. ms.assetid: 4f215d61-0e23-46e4-9e58-08511105d25b -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # File System (Global Object Access Auditing) + **Applies to** - Windows 10 + This topic for the IT professional describes the Advanced Security Audit policy setting, **File System (Global Object Access Auditing)**, which enables you to configure a global system access control list (SACL) on the file system for an entire computer. + If you select the **Configure security** check box on the policy’s property page, you can add a user or group to the global SACL. This enables you to define computer system access control lists (SACLs) per object type for the file system. The specified SACL is then automatically applied to every file system object type. + If both a file or folder SACL and a global SACL are configured on a computer, the effective SACL is derived by combining the file or folder SACL and the global SACL. This means that an audit event is generated if an activity matches either the file or folder SACL or the global SACL. This policy setting must be used in combination with the **File System** security policy setting under Object Access. For more information, see [Audit File System](audit-file-system.md). + ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) -  -  + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) diff --git a/windows/keep-secure/force-shutdown-from-a-remote-system.md b/windows/keep-secure/force-shutdown-from-a-remote-system.md index 4f4d1d9ed6..e635eb56d3 100644 --- a/windows/keep-secure/force-shutdown-from-a-remote-system.md +++ b/windows/keep-secure/force-shutdown-from-a-remote-system.md @@ -2,92 +2,93 @@ title: Force shutdown from a remote system (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Force shutdown from a remote system security policy setting. ms.assetid: 63129243-31ea-42a4-a598-c7064f48a3df -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Force shutdown from a remote system + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Force shutdown from a remote system** security policy setting. + ## Reference + This security setting determines which users are allowed to shut down a device from a remote location on the network. This allows members of the Administrators group or specific users to manage computers (for tasks such as a restart) from a remote location. + Constant: SeRemoteShutdownPrivilege + ### Possible values + - User-defined list of accounts - Administrators + ### Best practices + - Explicitly restrict this user right to members of the Administrators group or other specifically assigned roles that require this capability, such as non-administrative operations staff. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default this setting is Administrators and Server Operators on domain controllers and Administrators on stand-alone servers. + The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Administrators

-

Server Operators

Stand-Alone Server Default Settings

Administrators

Domain Controller Effective Default Settings

Administrators

-

Server Operators

Member Server Effective Default Settings

Administrators

Client Computer Effective Default Settings

Administrators

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Administrators
Server Operators| +| Stand-Alone Server Default Settings | Administrators| +| Domain Controller Effective Default Settings | Administrators
Server Operators| +| Member Server Effective Default Settings | Administrators| +| Client Computer Effective Default Settings | Administrators|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the computer is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + This policy setting must be applied on the computer that is being accessed remotely. + ### Group Policy + This user right is defined in the Default Domain Controller Group Policy Object (GPO) and in the local security policy of workstations and servers. + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Any user who can shut down a device could cause a denial-of-service condition to occur. Therefore, this user right should be tightly restricted. + ### Countermeasure + Restrict the **Force shutdown from a remote system** user right to members of the Administrators group or other specifically assigned roles that require this capability, such as non-administrative operations staff. + ### Potential impact + On a domain controller, if you remove the **Force shutdown from a remote system** user right from the Server Operator group, you could limit the abilities of users who are assigned to specific administrative roles in your environment. You should confirm that delegated activities are not adversely affected. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/generate-security-audits.md b/windows/keep-secure/generate-security-audits.md index 71e55bf774..437bdc47d0 100644 --- a/windows/keep-secure/generate-security-audits.md +++ b/windows/keep-secure/generate-security-audits.md @@ -2,95 +2,92 @@ title: Generate security audits (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Generate security audits security policy setting. ms.assetid: c0e1cd80-840e-4c74-917c-5c2349de885f -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Generate security audits + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Generate security audits** security policy setting. + ## Reference + This policy setting determines which accounts can be used by a process to generate audit records in the security event log. The Local Security Authority Subsystem Service (LSASS) writes events to the log. You can use the information in the security event log to trace unauthorized device access. + Constant: SeAuditPrivilege + ### Possible values + - User-defined list of accounts - Local Service - Network Service + ### Best practices + - Because the audit log can potentially be an attack vector if an account is compromised, ensure that only the Local Service and Network Service accounts have the **Generate security audits** user right assigned to them. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default, this setting is Local Service and Network Service on domain controllers and stand-alone servers. + The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Local Service

-

Network Service

Stand-Alone Server Default Settings

Local Service

-

Network Service

Domain Controller Effective Default Settings

Local Service

-

Network Service

Member Server Effective Default Settings

Local Service

-

Network Service

Client Computer Effective Default Settings

Local Service

-

Network Service

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Local Service
Network Service| +| Stand-Alone Server Default Settings | Local Service
Network Service| +| Domain Controller Effective Default Settings | Local Service
Network Service| +| Member Server Effective Default Settings | Local Service
Network Service| +| Client Computer Effective Default Settings | Local Service
Network Service|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the computer is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + Misuse of this user right can result in the generation of many auditing events, potentially hiding evidence of an attack or causing a denial-of-service (DoS) if the [Audit: Shut down system immediately if unable to log security audits](audit-shut-down-system-immediately-if-unable-to-log-security-audits.md) security policy setting is enabled. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + A malicious user could use accounts that can write to the Security log to fill that log with meaningless events. If the computer is configured to overwrite events as needed, malicious users could use this method to remove evidence of their unauthorized activities. If the computer is configured to shut down when it is unable to write to the Security log, and it is not configured to automatically back up the log files, this method could be used to create a DoS condition. + ### Countermeasure + Ensure that only the Local Service and Network Service accounts have the **Generate security audits** user right assigned to them. + ### Potential impact + None. Restricting the **Generate security audits** user right to the Local Service and Network Service accounts is the default configuration. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/get-started-with-windows-defender-for-windows-10.md b/windows/keep-secure/get-started-with-windows-defender-for-windows-10.md index f7b4350a6f..9f8709dce5 100644 --- a/windows/keep-secure/get-started-with-windows-defender-for-windows-10.md +++ b/windows/keep-secure/get-started-with-windows-defender-for-windows-10.md @@ -2,7 +2,7 @@ title: Update and manage Windows Defender in Windows 10 (Windows 10) description: IT professionals can manage Windows Defender on Windows 10 endpoints in their organization using Microsoft Active Directory or Windows Server Update Services (WSUS), apply updates to endpoints, and manage scans using Group Policy SettingsWindows Management Instrumentation (WMI)PowerShell. ms.assetid: 045F5BF2-87D7-4522-97E1-C1D508E063A7 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md b/windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md index f9af00d1cd..42e7d1cff1 100644 --- a/windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md +++ b/windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md @@ -3,7 +3,7 @@ title: Get apps to run on Device Guard-protected devices (Windows 10) description: Windows 10 introduces several new features and settings that when combined all equal what we're calling, Device Guard. ms.assetid: E62B68C3-8B9F-4842-90FC-B4EE9FF8A67E keywords: Package Inspector, packageinspector.exe, sign catalog file -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/guidance-and-best-practices-edp.md b/windows/keep-secure/guidance-and-best-practices-edp.md index cf4d35de03..805ac84dfc 100644 --- a/windows/keep-secure/guidance-and-best-practices-edp.md +++ b/windows/keep-secure/guidance-and-best-practices-edp.md @@ -2,10 +2,11 @@ title: General guidance and best practices for enterprise data protection (EDP) (Windows 10) description: This section includes info about the enlightened Microsoft apps, including how to add them to your Protected Apps list in Microsoft Intune. It also includes some testing scenarios that we recommend running through with enterprise data protection (EDP). ms.assetid: aa94e733-53be-49a7-938d-1660deaf52b0 -keywords: ["EDP", "Enterprise Data Protection"] -ms.prod: W10 +keywords: EDP, Enterprise Data Protection +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library +ms.pagetype: security author: eross-msft --- diff --git a/windows/keep-secure/how-applocker-works-techref.md b/windows/keep-secure/how-applocker-works-techref.md index c482e1a4bc..f9bf8450f5 100644 --- a/windows/keep-secure/how-applocker-works-techref.md +++ b/windows/keep-secure/how-applocker-works-techref.md @@ -2,37 +2,47 @@ title: How AppLocker works (Windows 10) description: This topic for the IT professional provides links to topics about AppLocker architecture and components, processes and interactions, rules and policies. ms.assetid: 24bb1d73-0ff5-4af7-8b8a-2fa44d4ddbcd -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # How AppLocker works + **Applies to** - Windows 10 + This topic for the IT professional provides links to topics about AppLocker architecture and components, processes and interactions, rules and policies. + The following topics explain how AppLocker policies for each of the rule condition types are evaluated: + - [AppLocker architecture and components](applocker-architecture-and-components.md) - [AppLocker processes and interactions](applocker-processes-and-interactions.md) + The following topics explain how AppLocker rules and policies work: + - [Understanding AppLocker rule behavior](understanding-applocker-rule-behavior.md) - [Understanding AppLocker rule exceptions](understanding-applocker-rule-exceptions.md) - [Understanding AppLocker rule collections](understanding-applocker-rule-collections.md) - [Understanding AppLocker allow and deny actions on rules](understanding-applocker-allow-and-deny-actions-on-rules.md) - [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md) + - [Understanding the publisher rule condition in AppLocker](understanding-the-publisher-rule-condition-in-applocker.md) - [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md) - [Understanding the file hash rule condition in AppLocker](understanding-the-file-hash-rule-condition-in-applocker.md) + - [Understanding AppLocker default rules](understanding-applocker-default-rules.md) + - [Executable rules in AppLocker](executable-rules-in-applocker.md) - [Windows Installer rules in AppLocker](windows-installer-rules-in-applocker.md) - [Script rules in AppLocker](script-rules-in-applocker.md) - [DLL rules in AppLocker](dll-rules-in-applocker.md) - [Packaged apps and packaged app installer rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md) + ## Additional resources + - [AppLocker Design Guide](applocker-policies-design-guide.md) - [AppLocker deployment guide](applocker-policies-deployment-guide.md) - [Administer AppLocker](administer-applocker.md) -  -  diff --git a/windows/keep-secure/how-to-configure-security-policy-settings.md b/windows/keep-secure/how-to-configure-security-policy-settings.md index 9ba376ff63..6a307acac3 100644 --- a/windows/keep-secure/how-to-configure-security-policy-settings.md +++ b/windows/keep-secure/how-to-configure-security-policy-settings.md @@ -2,59 +2,77 @@ title: Configure security policy settings (Windows 10) description: Describes steps to configure a security policy setting on the local device, on a domain-joined device, and on a domain controller. ms.assetid: 63b0967b-a9fe-4d92-90af-67469ee20320 -ms.pagetype: security -ms.prod: W10 + +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Configure security policy settings + **Applies to** - Windows 10 + Describes steps to configure a security policy setting on the local device, on a domain-joined device, and on a domain controller. + You must have Administrators rights on the local device, or you must have the appropriate permissions to update a Group Policy Object (GPO) on the domain controller to perform these procedures. + When a local setting is inaccessible, it indicates that a GPO currently controls that setting. + ## To configure a setting using the Local Security Policy console + 1. To open Local Security Policy, on the **Start** screen, type **secpol.msc**, and then press ENTER. 2. Under **Security Settings** of the console tree, do one of the following: + - Click **Account Policies** to edit the **Password Policy** or **Account Lockout Policy**. - Click **Local Policies** to edit an **Audit Policy**, a **User Rights Assignment**, or **Security Options**. + 3. When you find the policy setting in the details pane, double-click the security policy that you want to modify. 4. Modify the security policy setting, and then click **OK**. + **Note**   - Some security policy settings require that the device be restarted before the setting takes effect. - Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.   ## To configure a security policy setting using the Local Group Policy Editor console + You must have the appropriate permissions to install and use the Microsoft Management Console (MMC), and to update a Group Policy Object (GPO) on the domain controller to perform these procedures. + 1. Open the Local Group Policy Editor (gpedit.msc). 2. In the console tree, click **Computer Configuration**, click **Windows Settings**, and then click **Security Settings**. 3. Do one of the following: + - Click **Account Policies** to edit the **Password Policy** or **Account Lockout Policy**. - Click **Local Policies** to edit an **Audit Policy**, a **User Rights Assignment**, or **Security Options**. + 4. In the details pane, double-click the security policy setting that you want to modify. - **Note**   -    If this security policy has not yet been defined, select the **Define these policy settings** check box. + + >**Note:**  If this security policy has not yet been defined, select the **Define these policy settings** check box.   5. Modify the security policy setting, and then click **OK**. -**Note**  If you want to configure security settings for many devices on your network, you can use the Group Policy Management Console. + +>**Note:**  If you want to configure security settings for many devices on your network, you can use the Group Policy Management Console.   ## To configure a setting for a domain controller + The following procedure describes how to configure a security policy setting for only a domain controller (from the domain controller). + 1. To open the domain controller security policy, in the console tree, locate *GroupPolicyObject \[ComputerName\]* Policy, click **Computer Configuration**, click **Windows Settings**, and then click **Security Settings**. 2. Do one of the following: + - Double-click **Account Policies** to edit the **Password Policy**, **Account Lockout Policy**, or **Kerberos Policy**. - Click **Local Policies** to edit the **Audit Policy**, a **User Rights Assignment**, or **Security Options**. + 3. In the details pane, double-click the security policy that you want to modify. - **Note**   - If this security policy has not yet been defined, select the **Define these policy settings** check box. + >**Note**  If this security policy has not yet been defined, select the **Define these policy settings** check box.   4. Modify the security policy setting, and then click **OK**. + **Important**   - Always test a newly created policy in a test organizational unit before you apply it to your network. - When you change a security setting through a GPO and click **OK**, that setting will take effect the next time you refresh the settings.   ## Related topics -[Security policy settings reference](security-policy-settings-reference.md) -  -  + +- [Security policy settings reference](security-policy-settings-reference.md) diff --git a/windows/keep-secure/how-user-account-control-works.md b/windows/keep-secure/how-user-account-control-works.md index 488f2bf4e5..90bba5477f 100644 --- a/windows/keep-secure/how-user-account-control-works.md +++ b/windows/keep-secure/how-user-account-control-works.md @@ -2,143 +2,311 @@ title: How User Account Control works (Windows 10) description: User Account Control (UAC) is a fundamental component of Microsoft's overall security vision. UAC helps mitigate the impact of malware. ms.assetid: 9f921779-0fd3-4206-b0e4-05a19883ee59 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: operate ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # How User Account Control works + **Applies to** - Windows 10 + User Account Control (UAC) is a fundamental component of Microsoft's overall security vision. UAC helps mitigate the impact of malware. + ## UAC process and interactions + Each app that requires the administrator access token must prompt for consent. The one exception is the relationship that exists between parent and child processes. Child processes inherit the user's access token from the parent process. Both the parent and child processes, however, must have the same integrity level. Windows 10 protects processes by marking their integrity levels. Integrity levels are measurements of trust. A "high" integrity application is one that performs tasks that modify system data, such as a disk partitioning application, while a "low" integrity application is one that performs tasks that could potentially compromise the operating system, such as a Web browser. Apps with lower integrity levels cannot modify data in applications with higher integrity levels. When a standard user attempts to run an app that requires an administrator access token, UAC requires that the user provide valid administrator credentials. + In order to better understand how this process happens, let's look at the Windows logon process. + ### Logon process + The following shows how the logon process for an administrator differs from the logon process for a standard user. + ![uac windows logon process](images/uacwindowslogonprocess.gif) + By default, standard users and administrators access resources and run apps in the security context of standard users. When a user logs on to a computer, the system creates an access token for that user. The access token contains information about the level of access that the user is granted, including specific security identifiers (SIDs) and Windows privileges. + When an administrator logs on, two separate access tokens are created for the user: a standard user access token and an administrator access token. The standard user access token contains the same user-specific information as the administrator access token, but the administrative Windows privileges and SIDs are removed. The standard user access token is used to start apps that do not perform administrative tasks (standard user apps). The standard user access token is then used to display the desktop (explorer.exe). Explorer.exe is the parent process from which all other user-initiated processes inherit their access token. As a result, all apps run as a standard user unless a user provides consent or credentials to approve an app to use a full administrative access token. + A user that is a member of the Administrators group can log on, browse the Web, and read e-mail while using a standard user access token. When the administrator needs to perform a task that requires the administrator access token, Windows 10 automatically prompts the user for approval. This prompt is called an elevation prompt, and its behavior can be configured by using the Local Security Policy snap-in (Secpol.msc) or Group Policy. For more info, see [User Account Control security policy settings](user-account-control-security-policy-settings.md). + ### The UAC User Experience + When UAC is enabled, the user experience for standard users is different from that of administrators in Admin Approval Mode. The recommended and more secure method of running Windows 10 is to make your primary user account a standard user account. Running as a standard user helps to maximize security for a managed environment. With the built-in UAC elevation component, standard users can easily perform an administrative task by entering valid credentials for a local administrator account. The default, built-in UAC elevation component for standard users is the credential prompt. + The alternative to running as a standard user is to run as an administrator in Admin Approval Mode. With the built-in UAC elevation component, members of the local Administrators group can easily perform an administrative task by providing approval. The default, built-in UAC elevation component for an administrator account in Admin Approval Mode is called the consent prompt. + **The consent and credential prompts** + With UAC enabled, Windows 10 prompts for consent or prompts for credentials of a valid local administrator account before starting a program or task that requires a full administrator access token. This prompt ensures that no malicious software can be silently installed. + **The consent prompt** + The consent prompt is presented when a user attempts to perform a task that requires a user's administrative access token. The following is an example of the UAC consent prompt. + ![uac consent prompt](images/uacconsentprompt.gif) + **The credential prompt** + The credential prompt is presented when a standard user attempts to perform a task that requires a user's administrative access token. Administrators can also be required to provide their credentials by setting the **User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode** policy setting value to **Prompt for credentials**. + The following is an example of the UAC credential prompt. + ![uac credential prompt](images/uaccredentialprompt.gif) + **UAC elevation prompts** + The UAC elevation prompts are color-coded to be app-specific, enabling for immediate identification of an application's potential security risk. When an app attempts to run with an administrator's full access token, Windows 10 first analyzes the executable file to determine its publisher. Apps are first separated into three categories based on the file's publisher: Windows 10, publisher verified (signed), and publisher not verified (unsigned). The following diagram illustrates how Windows 10 determines which color elevation prompt to present to the user. + The elevation prompt color-coding is as follows: + - Red background with a red shield icon: The app is blocked by Group Policy or is from a publisher that is blocked. - Blue background with a blue and gold shield icon: The application is a Windows 10 administrative app, such as a Control Panel item. - Blue background with a blue shield icon: The application is signed by using Authenticode and is trusted by the local computer. - Yellow background with a yellow shield icon: The application is unsigned or signed but is not yet trusted by the local computer. + **Shield icon** + Some Control Panel items, such as **Date and Time Properties**, contain a combination of administrator and standard user operations. Standard users can view the clock and change the time zone, but a full administrator access token is required to change the local system time. The following is a screen shot of the **Date and Time Properties** Control Panel item. + ![uac shield icon](images/uacshieldicon.png) + The shield icon on the **Change date and time** button indicates that the process requires a full administrator access token and will display a UAC elevation prompt. + **Securing the elevation prompt** + The elevation process is further secured by directing the prompt to the secure desktop. The consent and credential prompts are displayed on the secure desktop by default in Windows 10. Only Windows processes can access the secure desktop. For higher levels of security, we recommend keeping the **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting enabled. + When an executable file requests elevation, the interactive desktop, also called the user desktop, is switched to the secure desktop. The secure desktop dims the user desktop and displays an elevation prompt that must be responded to before continuing. When the user clicks **Yes** or **No**, the desktop switches back to the user desktop. + Malware can present an imitation of the secure desktop, but when the **User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode** policy setting is set to **Prompt for consent**, the malware does not gain elevation if the user clicks **Yes** on the imitation. If the policy setting is set to **Prompt for credentials**, malware imitating the credential prompt may be able to gather the credentials from the user. However, the malware does not gain elevated privilege and the system has other protections that mitigate malware from taking control of the user interface even with a harvested password. + While malware could present an imitation of the secure desktop, this issue cannot occur unless a user previously installed the malware on the PC. Because processes requiring an administrator access token cannot silently install when UAC is enabled, the user must explicitly provide consent by clicking **Yes** or by providing administrator credentials. The specific behavior of the UAC elevation prompt is dependent upon Group Policy. + ## UAC Architecture + The following diagram details the UAC architecture. + ![uac architecture](images/uacarchitecture.gif) + To better understand each component, review the table below: -Component -Description -**User** -User performs operation requiring privilege -If the operation changes the file system or registry, Virtualization is called. All other operations call ShellExecute. -ShellExecute -ShellExecute calls CreateProcess. ShellExecute looks for the ERROR\_ELEVATION\_REQUIRED error from CreateProcess. If it receives the error, ShellExecute calls the Application Information service to attempt to perform the requested task with the elevated prompt. -CreateProcess -If the application requires elevation, CreateProcess rejects the call with ERROR\_ELEVATION\_REQUIRED. -**System** -Application Information service -A system service that helps start apps that require one or more elevated privileges or user rights to run, such as local administrative tasks, and apps that require higher integrity levels. The Application Information service helps start such apps by creating a new process for the application with an administrative user's full access token when elevation is required and (depending on Group Policy) consent is given by the user to do so. -Elevating an ActiveX install -If ActiveX is not installed, the system checks the UAC slider level. If ActiveX is installed, the **User Account Control: Switch to the secure desktop when prompting for elevation** Group Policy setting is checked. -Check UAC slider level -UAC has four levels of notification to choose from and a slider to use to select the notification level: -- High - If the slider is set to **Always notify**, the system checks whether the secure desktop is enabled. -- Medium - If the slider is set to **Notify me only when programs try to make changes to my computer**, the **User Account Control: Only elevate executable files that are signed and validated** policy setting is checked: - - If the policy setting is enabled, the public key infrastructure (PKI) certification path validation is enforced for a given file before it is permitted to run. - - If the policy setting is not enabled (default), the PKI certification path validation is not enforced before a given file is permitted to run. The **User Account Control: Switch to the secure desktop when prompting for elevation** Group Policy setting is checked. -- Low - If the slider is set to **Notify me only when apps try to make changes to my computer (do not dim by desktop)**, the CreateProcess is called. -- Never Notify - If the slider is set to **Never notify me when**, UAC prompt will never notify when an app is trying to install or trying to make any change on the computer. - **Important**   - This setting is not recommended. This setting is the same as setting the **User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode** policy setting to **Elevate without prompting**. -   -Secure desktop enabled -The **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting is checked: -- If the secure desktop is enabled, all elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users. -- If the secure desktop is not enabled, all elevation requests go to the interactive user's desktop, and the per-user settings for administrators and standard users are used. -CreateProcess -CreateProcess calls AppCompat, Fusion, and Installer detection to assess if the app requires elevation. The file is then inspected to determine its requested execution level, which is stored in the application manifest for the file. CreateProcess fails if the requested execution level specified in the manifest does not match the access token and returns an error (ERROR\_ELEVATION\_REQUIRED) to ShellExecute. -AppCompat -The AppCompat database stores information in the application compatibility fix entries for an application. -Fusion -The Fusion database stores information from application manifests that describe the applications. The manifest schema is updated to add a new requested execution level field. -Installer detection -Installer detection detects setup files, which helps prevent installations from being run without the user's knowledge and consent. -**Kernel** -Virtualization -Virtualization technology ensures that non-compliant apps do not silently fail to run or fail in a way that the cause cannot be determined. UAC also provides file and registry virtualization and logging for applications that write to protected areas. -File system and registry -The per-user file and registry virtualization redirects per-computer registry and file write requests to equivalent per-user locations. Read requests are redirected to the virtualized per-user location first and to the per-computer location second. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ComponentDescription
+

User

+
+

User performs operation requiring privilege

+		 +

If the operation changes the file system or registry, Virtualization is called. All other operations call ShellExecute.

+
+

ShellExecute

+		 +

ShellExecute calls CreateProcess. ShellExecute looks for the ERROR_ELEVATION_REQUIRED error from CreateProcess. If it receives the error, ShellExecute calls the Application Information service to attempt to perform the requested task with the elevated prompt.

+
+

CreateProcess

+		 +

If the application requires elevation, CreateProcess rejects the call with ERROR_ELEVATION_REQUIRED.

+
+

System

+
+

Application Information service

+		 +

A system service that helps start apps that require one or more elevated privileges or user rights to run, such as local administrative tasks, and apps that require higher integrity levels. The Application Information service helps start such apps by creating a new process for the application with an administrative user's full access token when elevation is required and (depending on Group Policy) consent is given by the user to do so.

+
+

Elevating an ActiveX install

+		 +

If ActiveX is not installed, the system checks the UAC slider level. If ActiveX is installed, the User Account Control: Switch to the secure desktop when prompting for elevation Group Policy setting is checked.

+
+

Check UAC slider level

+		 +

UAC has four levels of notification to choose from and a slider to use to select the notification level:

+
    +
  • +

    High

    +

    If the slider is set to Always notify, the system checks whether the secure desktop is enabled.

    +
    • +
  • +

    Medium

    +

    If the slider is set to Notify me only when programs try to make changes to my computer, the User Account Control: Only elevate executable files that are signed and validated policy setting is checked:

    +
      +
    • +

      If the policy setting is enabled, the public key infrastructure (PKI) certification path validation is enforced for a given file before it is permitted to run.

      +
      • +
    • +

      If the policy setting is not enabled (default), the PKI certification path validation is not enforced before a given file is permitted to run. The User Account Control: Switch to the secure desktop when prompting for elevation Group Policy setting is checked.

      +
      • +
    +
    • +
  • +

    Low

    +

    If the slider is set to Notify me only when apps try to make changes to my computer (do not dim by desktop), the CreateProcess is called.

    +
    • +
  • +

    Never Notify

    +

    If the slider is set to Never notify me when, UAC prompt will never notify when an app is trying to install or trying to make any change on the computer.

    +
    Important  

    This setting is not recommended. This setting is the same as setting the User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode policy setting to Elevate without prompting.

    +
    +
     
    +
    • +
+
+

Secure desktop enabled

+		 +

The User Account Control: Switch to the secure desktop when prompting for elevation policy setting is checked:

+
    +
  • +

    If the secure desktop is enabled, all elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.

    +
    • +
  • +

    If the secure desktop is not enabled, all elevation requests go to the interactive user's desktop, and the per-user settings for administrators and standard users are used.

    +
    • +
+
+

CreateProcess

+		 +

CreateProcess calls AppCompat, Fusion, and Installer detection to assess if the app requires elevation. The file is then inspected to determine its requested execution level, which is stored in the application manifest for the file. CreateProcess fails if the requested execution level specified in the manifest does not match the access token and returns an error (ERROR_ELEVATION_REQUIRED) to ShellExecute.

+
+

AppCompat

+		 +

The AppCompat database stores information in the application compatibility fix entries for an application.

+
+

Fusion

+		 +

The Fusion database stores information from application manifests that describe the applications. The manifest schema is updated to add a new requested execution level field.

+
+

Installer detection

+		 +

Installer detection detects setup files, which helps prevent installations from being run without the user's knowledge and consent.

+
+

Kernel

+
+

Virtualization

+		 +

Virtualization technology ensures that non-compliant apps do not silently fail to run or fail in a way that the cause cannot be determined. UAC also provides file and registry virtualization and logging for applications that write to protected areas.

+
+

File system and registry

+		 +

The per-user file and registry virtualization redirects per-computer registry and file write requests to equivalent per-user locations. Read requests are redirected to the virtualized per-user location first and to the per-computer location second.

+
  The slider will never turn UAC completely off. If you set it to **Never notify**, it will: + - Keep the UAC service running. - Cause all elevation request initiated by administrators to be auto-approved without showing a UAC prompt. - Automatically deny all elevation requests for standard users. -**Important**   -In order to fully disable UAC you must disable the policy **User Account Control: Run all administrators in Admin Approval Mode**. + +>**Important:**  In order to fully disable UAC you must disable the policy **User Account Control: Run all administrators in Admin Approval Mode**.   -**Warning**   -Universal Windows apps will not work when UAC is disabled. +>**Warning:**  Universal Windows apps will not work when UAC is disabled.   ### Virtualization + Because system administrators in enterprise environments attempt to secure systems, many line-of-business (LOB) applications are designed to use only a standard user access token. As a result, you do not need to replace the majority of apps when UAC is turned on. + Windows 10 includes file and registry virtualization technology for apps that are not UAC-compliant and that require an administrator's access token to run correctly. When an administrative apps that is not UAC-compliant attempts to write to a protected folder, such as Program Files, UAC gives the app its own virtualized view of the resource it is attempting to change. The virtualized copy is maintained in the user's profile. This strategy creates a separate copy of the virtualized file for each user that runs the non-compliant app. + Most app tasks operate properly by using virtualization features. Although virtualization allows a majority of applications to run, it is a short-term fix and not a long-term solution. App developers should modify their apps to be compliant as soon as possible, rather than relying on file, folder, and registry virtualization. + Virtualization is not an option in the following scenarios: + - Virtualization does not apply to apps that are elevated and run with a full administrative access token. - Virtualization supports only 32-bit apps. Non-elevated 64-bit apps simply receive an access denied message when they attempt to acquire a handle (a unique identifier) to a Windows object. Native Windows 64-bit apps are required to be compatible with UAC and to write data into the correct locations. - Virtualization is disabled if the app includes an app manifest with a requested execution level attribute. + ### Request execution levels + An app manifest is an XML file that describes and identifies the shared and private side-by-side assemblies that an app should bind to at run time. The app manifest includes entries for UAC app compatibility purposes. Administrative apps that include an entry in the app manifest prompt the user for permission to access the user's access token. Although they lack an entry in the app manifest, most administrative app can run without modification by using app compatibility fixes. App compatibility fixes are database entries that enable applications that are not UAC-compliant to work properly. + All UAC-compliant apps should have a requested execution level added to the application manifest. If the application requires administrative access to the system, then marking the app with a requested execution level of "require administrator" ensures that the system identifies this program as an administrative app and performs the necessary elevation steps. Requested execution levels specify the privileges required for an app. + ### Installer detection technology + Installation programs are apps designed to deploy software. Most installation programs write to system directories and registry keys. These protected system locations are typically writeable only by an administrator in Installer detection technology, which means that standard users do not have sufficient access to install programs. Windows 10 heuristically detects installation programs and requests administrator credentials or approval from the administrator user in order to run with access privileges. Windows 10 also heuristically detects updates and programs that uninstall applications. One of the design goals of UAC is to prevent installations from being run without the user's knowledge and consent because installation programs write to protected areas of the file system and registry. + Installer detection only applies to: + - 32-bit executable files. - Applications without a requested execution level attribute. - Interactive processes running as a standard user with UAC enabled. + Before a 32-bit process is created, the following attributes are checked to determine whether it is an installer: + - The file name includes keywords such as "install," "setup," or "update." - Versioning Resource fields contain the following keywords: Vendor, Company Name, Product Name, File Description, Original Filename, Internal Name, and Export Name. - Keywords in the side-by-side manifest are embedded in the executable file. - Keywords in specific StringTable entries are linked in the executable file. - Key attributes in the resource script data are linked in the executable file. - There are targeted sequences of bytes within the executable file. -**Note**   -The keywords and sequences of bytes were derived from common characteristics observed from various installer technologies. -  -**Note**   -The User Account Control: Detect application installations and prompt for elevation policy setting must be enabled for installer detection to detect installation programs. For more info, see [User Account Control security policy settings](user-account-control-security-policy-settings.md). -  -  + +>**Note:**  The keywords and sequences of bytes were derived from common characteristics observed from various installer technologies.   +>**Note:**  The User Account Control: Detect application installations and prompt for elevation policy setting must be enabled for installer detection to detect installation programs. For more info, see [User Account Control security policy settings](user-account-control-security-policy-settings.md). diff --git a/windows/keep-secure/impersonate-a-client-after-authentication.md b/windows/keep-secure/impersonate-a-client-after-authentication.md index 45f008dc87..9dc1b4f485 100644 --- a/windows/keep-secure/impersonate-a-client-after-authentication.md +++ b/windows/keep-secure/impersonate-a-client-after-authentication.md @@ -2,111 +2,101 @@ title: Impersonate a client after authentication (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Impersonate a client after authentication security policy setting. ms.assetid: 4cd241e2-c680-4b43-8ed0-3b391925cec5 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Impersonate a client after authentication + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Impersonate a client after authentication** security policy setting. + ## Reference + This policy setting determines which programs are allowed to impersonate a user or another specified account and act on behalf of the user. If this user right is required for this type of impersonation, an unauthorized user cannot cause a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created to impersonate that client. (Such an action could elevate the unauthorized user's permissions to administrative or system levels.) + Impersonation is the ability of a thread to run in a security context that is different from the context of the process that owns the thread. Impersonation is designed to meet the security requirements of client/server applications. When running in a client's security context, a service "is" the client, to some degree. One of the service's threads uses an access token representing the client's credentials to obtain access to the objects to which the client has access. The primary reason for impersonation is to cause access checks to be performed against the client's identity. Using the client's identity for access checks can cause access to be either restricted or expanded, depending on what the client has permission to do. + Services that are started by the Service Control Manager have the built-in Service group added by default to their access tokens. COM servers that are started by the COM infrastructure and configured to run under a specific account also have the Service group added to their access tokens. As a result, these processes are assigned this user right when they are started. + Constant: SeImpersonatePrivilege + ### Possible values + - User-defined list of accounts - Default values - Not defined + ### Best practices + - A user can impersonate an access token if any of the following conditions exist: + - The access token that is being impersonated is for this user. - The user in this session logged on to the network with explicit credentials to create the access token. - The requested level is less than Impersonate, such as Anonymous or Identify. + Because of these factors, users do not usually need to have this user right assigned. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default, this setting is Administrators, Local Service, Network Service, and Service on domain controllers and stand-alone servers. + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not eefined

Default Domain Controller Policy

Administrators

-

Local Service

-

Network Service

-

Service

Stand-Alone Server Default Settings

Administrators

-

Local Service

-

Network Service

-

Service

Domain Controller Effective Default Settings

Administrators

-

Local Service

-

Network Service

-

Service

Member Server Effective Default Settings

Administrators

-

Local Service

-

Network Service

-

Service

Client Computer Effective Default Settings

Administrators

-

Local Service

-

Network Service

-

Service

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined | +| Default Domain Controller Policy| Administrators
Local Service
Network Service
Service| +| Stand-Alone Server Default Settings | Administrators
Local Service
Network Service
Service| +| Domain Controller Effective Default Settings | Administrators
Local Service
Network Service
Service| +| Member Server Effective Default Settings | Administrators
Local Service
Network Service
Service| +| Client Computer Effective Default Settings | Administrators
Local Service
Network Service
Service|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the computer is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + An attacker with the **Impersonate a client after authentication** user right could create a service, mislead a client into connecting to the service, and then impersonate that computer to elevate the attacker's level of access to that of the device. + ### Countermeasure + On member servers, ensure that only the Administrators and Service groups (Local Service, Network Service, and Service) have the **Impersonate a client after authentication** user right assigned to them. + ### Potential impact + In most cases, this configuration has no impact. If you have installed optional components such as ASP.NET or IIS, you may need to assign the **Impersonate a client after authentication** user right to additional accounts that are required by those components, such as IUSR\_*<ComputerName>*, IIS\_WPG, ASP.NET, or IWAM\_*<ComputerName>*. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md index 95e304939b..1680e13ed9 100644 --- a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md +++ b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md @@ -3,7 +3,7 @@ title: Implement Microsoft Passport in your organization (Windows 10) description: You can create a Group Policy or mobile device management (MDM) policy that will implement Microsoft Passport on devices running Windows 10. ms.assetid: 47B55221-24BE-482D-BD31-C78B22AC06D8 keywords: identity, PIN, biometric, Hello -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/import-an-applocker-policy-from-another-computer.md b/windows/keep-secure/import-an-applocker-policy-from-another-computer.md index 02cf23e310..0f0e11976b 100644 --- a/windows/keep-secure/import-an-applocker-policy-from-another-computer.md +++ b/windows/keep-secure/import-an-applocker-policy-from-another-computer.md @@ -2,25 +2,29 @@ title: Import an AppLocker policy from another computer (Windows 10) description: This topic for IT professionals describes how to import an AppLocker policy. ms.assetid: b48cb2b2-8ef8-4cc0-89bd-309d0b1832f6 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Import an AppLocker policy from another computer + **Applies to** - Windows 10 + This topic for IT professionals describes how to import an AppLocker policy. + Before completing this procedure, you should have exported an AppLocker policy. For more information, see [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md). + Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure. -**Caution**   -Importing a policy will overwrite the existing policy on that computer. + +>**Caution:**  Importing a policy will overwrite the existing policy on that computer.   **To import an AppLocker policy** + 1. From the AppLocker console, right-click **AppLocker**, and then click **Import Policy**. 2. In the **Import Policy** dialog box, locate the file that you exported, and then click **Open**. 3. The **Import Policy** dialog box will warn you that importing a policy will overwrite the existing rules and enforcement settings. If acceptable, click **OK** to import and overwrite the policy. 4. The **AppLocker** dialog box will notify you of how many rules were overwritten and imported. Click **OK**. -  -  diff --git a/windows/keep-secure/import-an-applocker-policy-into-a-gpo.md b/windows/keep-secure/import-an-applocker-policy-into-a-gpo.md index 94411b2263..c03e2d5282 100644 --- a/windows/keep-secure/import-an-applocker-policy-into-a-gpo.md +++ b/windows/keep-secure/import-an-applocker-policy-into-a-gpo.md @@ -2,26 +2,29 @@ title: Import an AppLocker policy into a GPO (Windows 10) description: This topic for IT professionals describes the steps to import an AppLocker policy into a Group Policy Object (GPO). ms.assetid: 0629ce44-f5e2-48a8-ba47-06544c73261f -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Import an AppLocker policy into a GPO + **Applies to** - Windows 10 + This topic for IT professionals describes the steps to import an AppLocker policy into a Group Policy Object (GPO). AppLocker policies can be created as local security policies and modified like any other local security policy, or they can be created as part of a GPO and managed by using Group Policy. You can create AppLocker policies on any supported computer. For info about which Windows editions are supported, see [Requirements to Use AppLocker](requirements-to-use-applocker.md). -**Important**   -Follow your organization's standard procedures for updating GPOs. For info about specific steps to follow for AppLocker policies, see [Maintain AppLocker policies](maintain-applocker-policies.md). + +>**Important:**  Follow your organization's standard procedures for updating GPOs. For info about specific steps to follow for AppLocker policies, see [Maintain AppLocker policies](maintain-applocker-policies.md).   To complete this procedure, you must have the **Edit Setting** permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission. + **To import an AppLocker policy into a GPO** + 1. In the Group Policy Management Console (GPMC), open the GPO that you want to edit. 2. In the console tree under **Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Application Control Policies**, click **AppLocker**. 3. Right-click **AppLocker**, and then click **Import Policy**. 4. In the **Import Policy** dialog box, locate the XML policy file, and click **Open**. 5. The **AppLocker** dialog box will notify you of how many rules were imported. Click **OK**. -  -  diff --git a/windows/keep-secure/increase-a-process-working-set.md b/windows/keep-secure/increase-a-process-working-set.md index 8b8320a5d9..237be32d51 100644 --- a/windows/keep-secure/increase-a-process-working-set.md +++ b/windows/keep-secure/increase-a-process-working-set.md @@ -2,88 +2,87 @@ title: Increase a process working set (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Increase a process working set security policy setting. ms.assetid: b742ad96-37f3-4686-b8f7-f2b48367105b -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Increase a process working set + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Increase a process working set** security policy setting. + ## Reference + This policy setting determines which users can increase or decrease the size of the working set of a process. The working set of a process is the set of memory pages currently visible to the process in physical RAM. These pages are resident, and they are available for an application to use without triggering a page fault. The minimum and maximum working set sizes affect the virtual memory paging behavior of a process. + Constant: SeIncreaseWorkingSetPrivilege + ### Possible values + - User-defined list of accounts - Not Defined + ### Best practices + - You should make users aware that adverse performance issues may occur if they modify this security setting. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default, standard users have this right. + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not Defined

Default Domain Controller Policy

Users

Stand-Alone Server Default Settings

Users

Domain Controller Effective Default Settings

Users

Member Server Effective Default Settings

Users

Client Computer Effective Default Settings

Users

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not Defined| +| Default Domain Controller Policy | Users| +| Stand-Alone Server Default Settings| Users| +| Domain Controller Effective Default Settings| Users| +| Member Server Effective Default Settings | Users| +| Client Computer Effective Default Settings | Users|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the computer is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Increasing the working set size for a process decreases the amount of physical memory that is available to the rest of the system. + ### Countermeasure + Increase user’s awareness about the impact of increasing the working set of a process and how to recognize that their system is adversely affected if they change this setting. + ### Potential impact None. Allowing standard users to increase the working set of a process is the default configuration. ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/increase-scheduling-priority.md b/windows/keep-secure/increase-scheduling-priority.md index 187e8ef3a7..727d53c8e1 100644 --- a/windows/keep-secure/increase-scheduling-priority.md +++ b/windows/keep-secure/increase-scheduling-priority.md @@ -2,90 +2,92 @@ title: Increase scheduling priority (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Increase scheduling priority security policy setting. ms.assetid: fbec5973-d35e-4797-9626-d0d56061527f -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Increase scheduling priority + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Increase scheduling priority** security policy setting. + ## Reference + This policy setting determines which user accounts can increase the base priority class of a process. It is not a privileged operation to increase relative priority within a priority class. This user right is not required by administrative tools that are supplied with the operating system, but it might be required by software development tools. + Specifically, this security setting determines which accounts can use a process with Write Property access to another process to increase the run priority that is assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. + Constant: SeIncreaseBasePriorityPrivilege + ### Possible values + - User-defined list of accounts - Not defined - Administrators + ### Best practices + - Allow the default value, Administrators, as the only account responsible for controlling process scheduling priorities. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default this setting is Administrators on domain controllers and on stand-alone servers. + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Administrators

Stand-Alone Server Default Settings

Administrators

Domain Controller Effective Default Settings

Administrators

Member Server Effective Default Settings

Administrators

Client Computer Effective Default Settings

Administrators

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy| Administrators| +| Stand-Alone Server Default Settings | Administrators| +| Domain Controller Effective Default Settings | Administrators| +| Member Server Effective Default Settings | Administrators| +| Client Computer Effective Default Settings | Administrators|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the computer is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + A user who is assigned this user right could increase the scheduling priority of a process to Real-Time, which would leave little processing time for all other processes and could lead to a denial-of-service condition. + ### Countermeasure + Verify that only Administrators have the **Increase scheduling priority** user right assigned to them. + ### Potential impact + None. Restricting the **Increase scheduling priority** user right to members of the Administrators group is the default configuration. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/index.md b/windows/keep-secure/index.md index 5b1c59fb81..b605acb372 100644 --- a/windows/keep-secure/index.md +++ b/windows/keep-secure/index.md @@ -2,7 +2,7 @@ title: Keep Windows 10 secure (Windows 10) description: Learn about keeping Windows 10 and Windows 10 Mobile secure. ms.assetid: EA559BA8-734F-41DB-A74A-D8DBF36BE920 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md b/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md index 4325b85cc9..a1d2220641 100644 --- a/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md +++ b/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md @@ -2,156 +2,176 @@ title: Initialize and configure ownership of the TPM (Windows 10) description: This topic for the IT professional describes how to initialize and set the ownership the Trusted Platform Module (TPM), turn the TPM on and off, and clear TPM keys. ms.assetid: 1166efaf-7aa3-4420-9279-435d9c6ac6f8 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Initialize and configure ownership of the TPM + **Applies to** - Windows 10 + This topic for the IT professional describes how to initialize and set the ownership the Trusted Platform Module (TPM), turn the TPM on and off, and clear TPM keys. It also explains how to troubleshoot issues that you might encounter as a result of using these procedures. + ## About TPM initialization and ownership + The TPM must be initialized and ownership must be taken before it can be used to help secure your computer. The owner of the TPM is the user who possesses the owner password and is able to set it and change it. Only one owner password exists per TPM. The owner of the TPM can make full use of TPM capabilities. Taking ownership of the TPM can be done as part of the initialization process. + When you start the TPM Initialization Wizard, which is accessed through the TPM Microsoft Management Console (MMC), you can determine whether the computer's TPM has been initialized. You can also view the TPM properties. + This topic contains procedures for the following tasks: + - [Initialize the TPM and set ownership](#bkmk-initializetpm) - [Troubleshoot TPM initialization](#bkmk-troubleshootinit) - [Turn on or turn off the TPM](#bkmk-onoff) - [Clear all the keys from the TPM](#bkmk-clear1) - [Use the TPM cmdlets](#bkmk-tpmcmdlets) + ## Initialize the TPM and set ownership + Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. In addition, the computer must be equipped with a Trusted Computing Group-compliant BIOS. + **To start the TPM Initialization Wizard** + 1. Open the TPM Management console (tpm.msc). If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. 2. On the **Action** menu, click **Initialize TPM** to start the TPM Initialization Wizard. 3. If the TPM has never been initialized or is turned off, the TPM Initialization Wizard displays the **Turn on the TPM security hardware** dialog box. This dialog box provides guidance for initializing or turning on the TPM. Follow the instructions in the wizard. - **Note**   - If the TPM is already turned on, the TPM Initialization Wizard displays the **Create the TPM owner password** dialog box. Skip the remainder of this procedure and continue with the [To set ownership of the TPM](#bkmk-setownership) procedure. + + >**Note:** If the TPM is already turned on, the TPM Initialization Wizard displays the **Create the TPM owner password** dialog box. Skip the remainder of this procedure and continue with the [To set ownership of the TPM](#bkmk-setownership) procedure.   - **Note**   - If the TPM Initialization Wizard detects that you do not have a compatible BIOS, you cannot continue with the TPM Initialization Wizard, and you are alerted to consult the computer manufacturer's documentation for instructions to initialize the TPM. + >**Note:**  If the TPM Initialization Wizard detects that you do not have a compatible BIOS, you cannot continue with the TPM Initialization Wizard, and you are alerted to consult the computer manufacturer's documentation for instructions to initialize the TPM.   4. Click **Restart**. 5. Follow the BIOS screen prompts. An acceptance prompt is displayed to ensure that a user has physical access to the computer and that no malicious software is attempting to turn on the TPM. - **Note**   - BIOS screen prompts and the required keystrokes vary by computer manufacturer. + + >**Note:**  BIOS screen prompts and the required keystrokes vary by computer manufacturer.   6. After the computer restarts, sign in to the computer with the same administrative credentials that you used to start this procedure. 7. The TPM Initialization Wizard automatically restarts. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. 8. Continue with the next procedure to take ownership of the TPM. + To finish initializing the TPM for use, you must set an owner for the TPM. The process of taking ownership includes creating an owner password for the TPM. + **To set ownership of the TPM** + 1. If you are not continuing immediately from the last procedure, start the TPM Initialization Wizard. If you need to review the steps to do so, see the previous procedure [To start the TPM Initialization Wizard](#bkmk-starttpminitwizard). 2. In the **Create the TPM owner password** dialog box, click **Automatically create the password (recommended)**. 3. In the **Save your TPM owner password** dialog box, click **Save the password**. 4. In the **Save As** dialog box, select a location to save the password, and then click **Save**. The password file is saved as *computer\_name.tpm*. - **Important**   - We highly recommend saving the TPM owner password to a removable storage device and storing it in a safe location. + + >**Important:**  We highly recommend saving the TPM owner password to a removable storage device and storing it in a safe location.   5. Click **Print the password** if you want to print a copy of your password. - **Important**   - We highly recommend printing a copy of your TPM owner password and storing it in a safe location. + >**Important:**  We highly recommend printing a copy of your TPM owner password and storing it in a safe location.   6. Click **Initialize**. - **Note**   - The process of initializing the TPM might take a few minutes to complete. + >**Note:**  The process of initializing the TPM might take a few minutes to complete.   7. Click **Close**. - **Caution**   - Do not lose your password. If you do, you will be unable to make administrative changes unless you clear the TPM, which can result in data loss. + >**Caution:**  Do not lose your password. If you do, you will be unable to make administrative changes unless you clear the TPM, which can result in data loss.   ## Troubleshoot TPM initialization + Managing the Trusted Platform Module (TPM) is usually a straightforward procedure. If are unable to complete the initialization procedure, review the following information: + - If the TPM is not detected by Windows, verify that your computer hardware contains a Trusted Computing Group-compliant BIOS. Ensure that no BIOS settings have been used to hide the TPM from the operating system. - If you are attempting to initialize the TPM as part of the BitLocker setup, check which TPM driver is installed on the computer. We recommend always using one of the TPM drivers that is provided by Microsoft and is protected with BitLocker. If a non-Microsoft TPM driver is installed, it may prevent the default TPM driver from loading and cause BitLocker to report that a TPM is not present on the computer. If you have a non-Microsoft driver installed, remove it and then try to initialize the TPM. The following table lists the three standard TPM drivers that are provided by Microsoft. - - - - - - - - - - - - - - - - - - - - - - - - - -
Driver nameManufacturer

Trusted Platform Module 1.2

(Standard)

Broadcom Trusted Platform Module (A1), v1.2

Broadcom

Broadcom Trusted Platform Module (A2), v1.2

Broadcom

+ +| Driver name | Manufacturer | +| - | - | +| Trusted Platform Module 1.2 | (Standard)| +| Broadcom Trusted Platform Module (A1), v1.2 | Broadcom| +| Broadcom Trusted Platform Module (A2), v1.2 | Broadcom|   - If the TPM has been previously initialized and you do not have the owner password, you may have to clear or reset the TPM to the factory default values. For more information, see [Clear all the keys from the TPM](#bkmk-clear1). - **Caution**   - Clearing the TPM can result in data loss. To avoid data loss, make sure that you have a backup or recovery method for any data that is protected or encrypted by the TPM. + > **Caution:**  Clearing the TPM can result in data loss. To avoid data loss, make sure that you have a backup or recovery method for any data that is protected or encrypted by the TPM.   Because your TPM security hardware is a physical part of your computer, you may want to read the manuals or instructions that came with your computer, or search the manufacturer's website. + **Network connection** + You cannot complete the initialization of the Trusted Platform Module (TPM) when your computer is disconnected from your organization's network if either of the following conditions exist: + - An administrator has configured your computer to require that TPM recovery information be saved in Active Directory Domain Services (AD DS). This requirement can be configured through Group Policy. - A domain controller cannot be reached. This can occur on a computer that is currently disconnected from the network, separated from the domain by a firewall, or experiencing a network component failure (such as an unplugged cable or a faulty network adapter). + In either case, an error message appears, and you cannot complete the initialization process. To avoid this issue, initialize the TPM while you are connected to the corporate network and you can contact a domain controller. + **Systems with multiple TPMs** + Some systems may have multiple TPMs and the active TPM may be toggled in the BIOS. Windows 10 does not support this behavior. If you switch TPMs, functionality that depends on the TPM will not work with the new TPM unless it is cleared and put through provisioning. Performing this clear may cause data loss, in particular of keys and certificates associated with the previous TPM. For example, toggling TPMs will cause Bitlocker to enter recovery mode. It is strongly recommended that, on systems with two TPMs, one TPM is selected to be used and the selection is not changed. + ## Turn on or turn off the TPM + Normally, the TPM is turned on as part of the TPM initialization process. You do not normally need to turn the TPM on or off. However, if necessary you can do so by using the TPM MMC. + ### Turn on the TPM + If the TPM has been initialized but has never been used, or if you want to use the TPM after you have turned it off, you can use the following procedure to turn on the TPM. + **To turn on the TPM** + 1. Open the TPM MMC (tpm.msc). 2. In the **Action** pane, click **Turn TPM On** to display the **Turn on the TPM Security Hardware** page. Read the instructions on this page. 3. Click **Shutdown** (or **Restart**), and then follow the BIOS screen prompts. + After the computer restarts, but before you sign in to Windows, you will be prompted to accept the reconfiguration of the TPM. This ensures that the user has physical access to the computer and that malicious software is not attempting to make changes to the TPM. + ### Turn off the TPM -If you want to stop using the services that are provided by the TPM, you can use the TPM MMC to turn off the TPM. If you have the TPM owner password, physical access to the computer is not required to turn off the TPM. If you do not have the TPM owner password, you must have physical access to the computer to turn off the TPM. + +If you want to stop using the services that are provided by the TPM, you can use the TPM MMC to turn off the TPM. If you have the TPM owner password, physical access to the computer is not required to turn off the TPM. If you do not have the TPM owner password, you must have physical access to the +computer to turn off the TPM. + **To turn off the TPM** + 1. Open the TPM MMC (tpm.msc). 2. In the **Action** pane, click **Turn TPM Off** to display the **Turn off the TPM security hardware** page. 3. In the **Turn off the TPM security hardware** dialog box, select a method to enter your owner password and turning off the TPM: + - If you saved your TPM owner password on a removable storage device, insert it, and then click **I have the owner password file**. In the **Select backup file with the TPM owner password** dialog box, click **Browse** to locate the .tpm file that is saved on your removable storage device, click **Open**, and then click **Turn TPM Off**. - If you do not have the removable storage device with your saved TPM owner password, click **I want to enter the password**. In the **Type your TPM owner password** dialog box, type your password (including hyphens), and then click **Turn TPM Off**. - If you do not know your TPM owner password, click **I do not have the TPM owner password**, and follow the instructions that are provided in the dialog box and subsequent BIOS screens to turn off the TPM without entering the password. + ## Clear all the keys from the TPM + Clearing the TPM resets it to an unowned state. After clearing the TPM, you need to complete the TPM initialization process before using software that relies on the TPM, such as BitLocker Drive Encryption. By default, the TPM is initialized automatically. -**Important**   -Clearing the TPM can result in data loss. To avoid data loss, make sure that you have a backup or recovery method for any data that is protected or encrypted by the TPM. + +>**Important:**  Clearing the TPM can result in data loss. To avoid data loss, make sure that you have a backup or recovery method for any data that is protected or encrypted by the TPM.   After the TPM is cleared, it is also turned off. + To temporarily suspend TPM operations, turn off the TPM instead of clearing it. + Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. + **To clear the TPM** + 1. Open the TPM MMC (tpm.msc). 2. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. 3. Under **Actions**, click **Clear TPM**. - **Warning**   - If the TPM is off, reinitialize it before clearing it. + >**Warning:**  If the TPM is off, reinitialize it before clearing it. + Clearing the TPM resets it to factory defaults and turns it off. You will lose all created keys and data that is protected by those keys.   4. In the **Clear the TPM security hardware** dialog box, select one of the following methods to enter your password and clear the TPM: - If you have the removable storage device with your saved TPM owner password, insert it, and click **I have the owner password file**. In the **Select backup file with the TPM owner password** dialog box, use **Browse** to navigate to the .tpm file that is saved on your removable storage device. Click **Open**, and then click **Clear TPM**. - If you do not have the removable storage device with your saved password, click **I want to enter the owner password**. In the **Type your TPM owner password** dialog box, type your password (including hyphens), and click **Clear TPM**. - If you do not know your TPM owner password, click **I don't have the TPM owner password**, and follow the instructions that are provided to clear the TPM without entering the password. - **Note**   - If you have physical access to the computer, you can clear the TPM and perform a limited number of management tasks without entering the TPM owner password. + >**Note:**  If you have physical access to the computer, you can clear the TPM and perform a limited number of management tasks without entering the TPM owner password.   The status of your TPM is displayed under **Status** in TPM MMC. + ## Use the TPM cmdlets + If you are using Windows PowerShell to manage your computers, you can also manage the TPM by using Windows PowerShell. To install the TPM cmdlets, type the following command: -**dism /online /enable-feature /FeatureName:tpm-psh-cmdlets** + +`dism /online /enable-feature /FeatureName:tpm-psh-cmdlets` + For details about the individual cmdlets, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx). + ## Additional resources + For more info about TPM, see [Trusted Platform Module Technology Overview](trusted-platform-module-overview.md#bkmk-additionalresources). -  -  diff --git a/windows/keep-secure/installing-digital-certificates-on-windows-10-mobile.md b/windows/keep-secure/installing-digital-certificates-on-windows-10-mobile.md index 8034f861f4..b5282b5fa3 100644 --- a/windows/keep-secure/installing-digital-certificates-on-windows-10-mobile.md +++ b/windows/keep-secure/installing-digital-certificates-on-windows-10-mobile.md @@ -3,7 +3,7 @@ title: Install digital certificates on Windows 10 Mobile (Windows 10) description: Digital certificates bind the identity of a user or computer to a pair of keys that can be used to encrypt and sign digital information. ms.assetid: FF7B1BE9-41F4-44B0-A442-249B650CEE25 keywords: S/MIME, PFX, SCEP -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -25,7 +25,7 @@ Certificates in Windows 10 Mobile are primarily used for the following purposes **Warning**   In Windows 10, Version 1607, if you have multiple certificates provisioned on the device and the Wi-Fi profile provisioned does not have a strict filtering criteria, you may see connection failures when connecting to Wi-Fi. [Learn more about this known issue in Version 1607](http://go.microsoft.com/fwlink/p/?LinkId=786764) -## Install certificates using Internet Explorer +## Install certificates using Microsoft Edge A certificate can be posted on a website and made available to users through a device-accessible URL that they can use to download the certificate. When a user accesses the page and taps the certificate, it opens on the device. The user can inspect the certificate, and if they choose to continue, the certificate is installed on the Windows 10 Mobile device. @@ -45,7 +45,7 @@ Windows 10 Mobile supports root, CA, and client certificate to be configured vi 3. The trusted CA certificate is installed directly during MDM request. 4. The device accepts certificate enrollment request. 5. The device generates private/public key pair. -6. The device connects to Internet facing point exposed by MDM server. +6. The device connects to Internet-facing point exposed by MDM server. 7. MDM server creates a certificate that is signed with proper CA certificate and returns it to device. > **Note:**  The device supports the pending function to allow server side to do additional verification before issuing the cert. In this case, a pending status is sent back to the device. The device will periodically contact the server, based on preconfigured retry count and retry period parameters. Retrying ends when either: diff --git a/windows/keep-secure/interactive-logon-display-user-information-when-the-session-is-locked.md b/windows/keep-secure/interactive-logon-display-user-information-when-the-session-is-locked.md index 094e59fedf..7c1d049314 100644 --- a/windows/keep-secure/interactive-logon-display-user-information-when-the-session-is-locked.md +++ b/windows/keep-secure/interactive-logon-display-user-information-when-the-session-is-locked.md @@ -2,91 +2,98 @@ title: Interactive logon Display user information when the session is locked (Windows 10) description: Describes the best practices, location, values, and security considerations for the Interactive logon Display user information when the session is locked security policy setting. ms.assetid: 9146aa3d-9b2f-47ba-ac03-ff43efb10530 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Interactive logon: Display user information when the session is locked + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Interactive logon: Display user information when the session is locked** security policy setting. + ## Reference When a session is locked in a Windows operating system (meaning the user at the computer pressed CTRL+ALT+DEL and the Secure Desktop is displayed), user information is displayed. By default, this information is in the form of **<user name> is logged on**. The displayed user name is the user’s full name as set on the Properties page for that user. These settings do not apply to the logon tiles, which are displayed on the desktop after using the **Switch User** feature. The information that is displayed can be changed to meet your security requirements using the following possible values. + ### Possible values + - **User display name, domain and user names** + If this is a local logon, the user’s full name is displayed on the Secure Desktop. If it is a domain logon, the user’s domain and user’s account name is displayed. + - **User display name only** + The name of the user who locked the session is displayed on the Secure Desktop as the user’s full name. + - **Do not display user information** + No names are displayed on the Secure Desktop, but user’s full names will be displayed on the **Switch user** desktop. + - Blank. + Default setting. This translates to “Not defined,” but it will display the user’s full name in the same manner as the **User display name, domain and user names** option. When an option is set, you cannot reset this policy to blank, or not defined. + ### Best practices + Your implementation of this policy depends on your security requirements for displayed logon information. If you have devices that store sensitive data, with monitors displayed in unsecured locations, or if you have computers with sensitive data that are remotely accessed, revealing logged on user’s full names or domain account names might contradict your overall security policy. + Depending on your security policy, you might also want to enable the [Interactive logon: Do not display last user name](interactive-logon-do-not-display-last-user-name.md) policy, which will prevent the Windows operating system from displaying the logon name and logon tile of the last user to logon. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or Group Policy object (GPO)Default value

Default domain policy

Not defined

Default domain controller policy

Not defined

Stand-alone server default settings

Not defined

Domain controller effective default settings

User display name, domain and user names

Member server effective default settings

User display name, domain and user names

Effective GPO default settings on client computers

User display name, domain and user names

+ +| Server type or Group Policy object (GPO) | Default value | +| - | - | +| Default domain policy| Not defined| +| Default domain controller policy | Not defined| +| Stand-alone server default settings | Not defined| +| Domain controller effective default settings | **User display name, domain and user names**| +| Member server effective default settings | **User display name, domain and user names**| +| Effective GPO default settings on client computers | **User display name, domain and user names**|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Policy conflict considerations + None + ### Group Policy + This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + When a computer displays the Secure Desktop in an unsecured area, certain user information can be readily available to anyone looking at the monitor, either physically or through a remote connection. The displayed user information could include the domain user account name or the full name of the user who locked the session or who had logged on last. + ### Countermeasure + Enabling this policy setting allows the operating system to hide certain user information from being displayed on the Secure Desktop (after the device has been booted or when the session has been locked by using CTRL+ALT+DEL). However, user information is displayed if the **Switch user** feature is used so that the logon tiles are displayed for each logged on user. + You might also want to enable the [Interactive logon: Do not display last user name](interactive-logon-do-not-display-last-user-name.md) policy, which will prevent the Windows operating system from displaying the logon name and logon tile of the last user to logon. + ### Potential impact + If you do not enable this policy, the effect will be the same as enabling the policy and selecting the **User display name, domain and user names** option. + If the policy is enabled and set to **Do not display user information**, an observer cannot see who is logged onto the Secure Desktop, but the logon tile is still present if the [Interactive logon: Do not display last user name](interactive-logon-do-not-display-last-user-name.md) policy is not enabled. Depending on how the logon tiles are configured, they could provide visual clues as to who is logged on. In addition, if the Interactive logon: Do not display last user name policy is not enabled, then the **Switch user** feature will show user information. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/interactive-logon-do-not-display-last-user-name.md b/windows/keep-secure/interactive-logon-do-not-display-last-user-name.md index 65a5067ae3..0177def043 100644 --- a/windows/keep-secure/interactive-logon-do-not-display-last-user-name.md +++ b/windows/keep-secure/interactive-logon-do-not-display-last-user-name.md @@ -2,86 +2,87 @@ title: Interactive logon Do not display last user name (Windows 10) description: Describes the best practices, location, values, and security considerations for the Interactive logon Do not display last user name security policy setting. ms.assetid: 98b24b03-95fe-4edc-8e97-cbdaa8e314fd -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Interactive logon: Do not display last user name + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Interactive logon: Do not display last user name** security policy setting. + ## Reference + This security policy setting determines whether the name of the last user to log on to the device is displayed on the Secure Desktop. + If this policy is enabled, the full name of the last user to successfully log on is not displayed on the Secure Desktop, nor is the user’s logon tile displayed. Additionally, if the **Switch user** feature is used, the full name and logon tile are not displayed. The logon screen requests a qualified domain account name (or local user name) and password. + If this policy is disabled, the full name of the last user to log on is displayed, and the user’s logon tile is displayed. This behavior is the same when the **Switch user** feature is used. + ### Possible values + - Enabled - Disabled - Not defined + ### Best practices + Your implementation of this policy depends on your security requirements for displayed logon information. If you have devices that store sensitive data, with monitors displayed in unsecured locations, or if you have devices with sensitive data that are remotely accessed, revealing logged on user’s full names or domain account names might contradict your overall security policy. + Depending on your security policy, you might also want to enable the [Interactive logon: Display user information when the session is locked](interactive-logon-display-user-information-when-the-session-is-locked.md) policy, which will prevent the Windows operating system from displaying the logon name when the session is locked or started. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or Group Policy object (GPO)Default value

Default domain policy

Disabled

Default domain controller policy

Disabled

Stand-alone server default settings

Disabled

Domain controller effective default settings

Disabled

Member server effective default settings

Disabled

Effective GPO default settings on client computers

Disabled

+ +| Server type or Group Policy object (GPO) | Default value| +| - | - | +| Default domain policy| Disabled| +| Default domain controller policy| Disabled| +| Stand-alone server default settings | Disabled| +| Domain controller effective default settings | Disabled| +| Member server effective default settings | Disabled| +| Effective GPO default settings on client computers | Disabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Policy conflict considerations + None. + ### Group Policy + This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + An attacker with access to the console (for example, someone with physical access or someone who can connect to the device through Remote Desktop Session Host) could view the name of the last user who logged on. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try to log on. + ### Countermeasure + Enable the **Interactive logon: Do not display last user name** setting. + ### Potential impact + Users must always type their user names and passwords when they log on locally or to the domain. The logon tiles of all logged on users are not displayed. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/interactive-logon-do-not-require-ctrl-alt-del.md b/windows/keep-secure/interactive-logon-do-not-require-ctrl-alt-del.md index 19bd4de7a1..f2741165ce 100644 --- a/windows/keep-secure/interactive-logon-do-not-require-ctrl-alt-del.md +++ b/windows/keep-secure/interactive-logon-do-not-require-ctrl-alt-del.md @@ -2,89 +2,92 @@ title: Interactive logon Do not require CTRL+ALT+DEL (Windows 10) description: Describes the best practices, location, values, and security considerations for the Interactive logon Do not require CTRL+ALT+DEL security policy setting. ms.assetid: 04e2c000-2eb2-4d4b-8179-1e2cb4793e18 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Interactive logon: Do not require CTRL+ALT+DEL + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Interactive logon: Do not require CTRL+ALT+DEL** security policy setting. + ## Reference + This security setting determines whether pressing CTRL+ALT+DEL is required before a user can log on. + If this policy setting is enabled on a device, a user is not required to press CTRL+ALT+DEL to log on. Not having to press CTRL+ALT+DEL leaves users susceptible to attacks that attempt to intercept the users' passwords. Requiring CTRL+ALT+DEL before users log on ensures that users are communicating by means of a trusted path when entering their passwords. + If this policy is disabled, any user is required to press CTRL+ALT+DEL before logging on to the Windows operating system (unless they are using a smart card for logon). + Microsoft developed this feature to make it easier for users with certain types of physical impairments to log on to device running the Windows operating system; however, not having to press the CTRL+ALT+DELETE key combination leaves users susceptible to attacks that attempt to intercept their passwords. Requiring CTRL+ALT+DELETE before users log on ensures that users are communicating by means of a trusted path when entering their passwords. + A malicious user might install malware that looks like the standard logon dialog box for the Windows operating system, and capture a user's password. The attacker can then log on to the compromised account with whatever level of user rights that user has. + ### Possible values + - Enabled - Disabled - Not defined + ### Best practices + - It is advisable to set **Disable CTRL+ALT+DEL requirement for logon** to **Disabled**. Unless they are using a smart card to log on, users will have to simultaneously press three keys before the logon dialog box appears. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Policy conflict considerations + Beginning with Windows Server 2008 and Windows Vista, the CTRL+ALT+DELETE key combination is required to authenticate if this policy is disabled. + ### Group Policy + This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + This setting makes it easier for users with certain types of physical impairments to log on to devices that run the Windows operating system. However, if users are not required to press CTRL+ALT+DEL, they are susceptible to attacks that attempt to intercept their passwords. If CTRL+ALT+DEL is required before logon, user passwords are communicated by means of a trusted path. + If this setting is enabled, an attacker could install malware that looks like the standard logon dialog box in the Windows operating system, and capture the user's password. The attacker would then be able to log on to the compromised account with whatever level of privilege that user has. + ### Countermeasure + Disable the **Interactive logon: Do not require CTRL+ALT+DEL** setting. + ### Potential impact + Unless they use a smart card to log on, users must simultaneously press the three keys before the logon dialog box is displayed. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/interactive-logon-machine-account-lockout-threshold.md b/windows/keep-secure/interactive-logon-machine-account-lockout-threshold.md index baa13fc5c0..ee2f89dfe2 100644 --- a/windows/keep-secure/interactive-logon-machine-account-lockout-threshold.md +++ b/windows/keep-secure/interactive-logon-machine-account-lockout-threshold.md @@ -2,84 +2,85 @@ title: Interactive logon Machine account lockout threshold (Windows 10) description: Describes the best practices, location, values, management, and security considerations for the Interactive logon Machine account lockout threshold security policy setting. ms.assetid: ebbd8e22-2611-4ebe-9db9-d49344e631e4 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Interactive logon: Machine account lockout threshold + **Applies to** - Windows 10 + Describes the best practices, location, values, management, and security considerations for the **Interactive logon: Machine account lockout threshold** security policy setting. + ## Reference + Beginning with Windows Server 2012 and Windows 8, the **Interactive logon: Machine account threshold** security policy setting enforces the lockout policy on those computers that have BitLocker enabled to protect operating system volumes. + The security setting allows you to set a threshold for the number of failed logon attempts that causes the device to be locked by using BitLocker. This means, if the specified maximum number of failed logon attempts is exceeded, the device will invalidate the Trusted Platform Module (TPM) protector and any other protector except the 48-digit recovery password, and then reboot. During Device Lockout mode, the computer or device only boots into the touch-enabled Windows Recovery Environment (WinRE) until an authorized user enters the recovery password to restore full access. + Failed password attempts on workstations or member servers that have been locked by using either Ctrl+Alt+Delete or password-protected screen savers count as failed logon attempts. + ### Possible values + You can set the **invalid logon attempts** value between 1 and 999. Values from 1 to 3 are interpreted as 4. If you set the value to 0, or leave blank, the computer or device will never be locked as a result of this policy setting. -### Best practices + +### Best practices + Use this policy setting in conjunction with your other failed account logon attempts policy. For example, if the [Account lockout threshold](account-lockout-threshold.md) policy setting is set at 4, then setting **Interactive logon: Machine account lockout threshold** at 6 allows the user to restore access to resources without having to restore access to the device resulting from a BitLocker lock out. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined | +| Stand-Alone Server Default Settings| Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled | +| Client Computer Effective Default Settings | Disabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + A restart is required for changes to this policy to become effective when they are saved locally or distributed through Group Policy. + ### Group Policy + Because this policy setting was introduced in Windows Server 2012 and Windows 8, it can only be set locally on those devices that contain this policy setting, but it can be set and distributed through Group Policy to any computer running the Windows operating system that supports Group Policy and is BitLocker-enabled. + When setting this policy, consider the [Account lockout threshold](account-lockout-threshold.md) policy setting, which determines the number of failed logon attempts that will cause a user account to be locked out. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + This policy setting helps protect a BitLocker-encrypted device from attackers attempting to brute-force guess the Windows sign-in password. If not set, then attackers can attempt innumerable passwords, if no other account protection mechanisms are in place. + ### Countermeasure + Use this policy setting in conjunction with your other failed account logon attempts policy. For example, if the [Account lockout threshold](account-lockout-threshold.md) policy setting is set at 4, then setting **Interactive logon: Machine account lockout threshold** at 6 allows the user to restore access to resources without having to restore access to the device resulting from a BitLocker lock out. + ### Potential impact + If not set, the device could be compromised by an attacker using brute-force password cracking software. + If set too low, productivity might be hindered because users who become locked out will be unable to access the device without providing the 48-digit BitLocker recovery password. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/interactive-logon-machine-inactivity-limit.md b/windows/keep-secure/interactive-logon-machine-inactivity-limit.md index 969511b2b4..5ecfd51a7e 100644 --- a/windows/keep-secure/interactive-logon-machine-inactivity-limit.md +++ b/windows/keep-secure/interactive-logon-machine-inactivity-limit.md @@ -2,81 +2,79 @@ title: Interactive logon Machine inactivity limit (Windows 10) description: Describes the best practices, location, values, management, and security considerations for the Interactive logon Machine inactivity limit security policy setting. ms.assetid: 7065b4a9-0d52-41d5-afc4-5aedfc4162b5 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Interactive logon: Machine inactivity limit + **Applies to** - Windows 10 + Describes the best practices, location, values, management, and security considerations for the **Interactive logon: Machine inactivity limit** security policy setting. + ## Reference + Beginning with Windows Server 2012 and Windows 8, Windows detects user-input inactivity of a sign-in (logon) session by using the security policy setting **Interactive logon: Machine inactivity limit**. If the amount of inactive time exceeds the inactivity limit set by this policy, then the user’s session locks by invoking the screen saver. This policy setting allows you to control the locking time by using Group Policy. + ### Possible values + The automatic lock of the device is set in elapsed seconds of inactivity, which can range from zero (0) to 599,940 seconds (166.65 hours). + If no value (blank) or zero (0) is present in the **Machine will be locked after** input field, then the policy setting is disabled and no action is taken on user-input inactivity for the session. + ### Best practices + Set the time for elapsed user-input inactivity based on the device’s usage and location requirements. For example, if the device or device is in a public area, you might want to have the device automatically lock after a short period of inactivity to prevent unauthorized access. However, if the device is used by an individual or group of trusted individuals, such as in a restricted manufacturing area, automatically locking the device might hinder productivity. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + Restart is required for changes to this policy to become effective when they are saved locally or distributed through Group Policy. + ### Group Policy + Because this policy setting was introduced in Windows Server 2012 and Windows 8, it can only be set locally on those computers that contain this policy setting, but it can be set and distributed through Group Policy to any computer running the Windows operating system that supports Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + This policy setting helps you prevent unauthorized access to devices under your control when the currently signed-in user leaves without deliberately locking the desktop. In versions earlier than Windows Server 2012 and Windows 8, the desktop-locking mechanism was set on individual computers in Personalization in Control Panel. + ### Countermeasure + Set the time for elapsed user-input inactivity time by using the security policy setting **Interactive logon: Machine inactivity limit** based on the device’s usage and location requirements. + ### Potential impact + This security policy setting can limit unauthorized access to unsecured computers; however, that requirement must be balanced with the productivity requirements of the intended user. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/interactive-logon-message-text-for-users-attempting-to-log-on.md b/windows/keep-secure/interactive-logon-message-text-for-users-attempting-to-log-on.md index b8962d626a..6ee93f3d7a 100644 --- a/windows/keep-secure/interactive-logon-message-text-for-users-attempting-to-log-on.md +++ b/windows/keep-secure/interactive-logon-message-text-for-users-attempting-to-log-on.md @@ -2,94 +2,94 @@ title: Interactive logon Message text for users attempting to log on (Windows 10) description: Describes the best practices, location, values, management, and security considerations for the Interactive logon Message text for users attempting to log on security policy setting. ms.assetid: fcfe8a6d-ca65-4403-b9e6-2fa017a31c2e -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Interactive logon: Message text for users attempting to log on + **Applies to** - Windows 10 + Describes the best practices, location, values, management, and security considerations for the **Interactive logon: Message text for users attempting to log on** security policy setting. + ## Reference -The **Interactive logon: Message text for users attempting to log on** and [Interactive logon: Message title for users attempting to log on](interactive-logon-message-title-for-users-attempting-to-log-on.md) policy settings are closely related. **Interactive logon: Message text for users attempting to log on** specifies a text message to be displayed to users when they log on. Interactive logon: Message title for users attempting to log on specifies a title to appear in the title bar of the window that contains the text message. This text is often used for legal reasons—for example, to warn users about the ramifications of misusing company information, or to warn them that their actions might be audited. + +The **Interactive logon: Message text for users attempting to log on** and [Interactive logon: Message title for users attempting to log on](interactive-logon-message-title-for-users-attempting-to-log-on.md) policy settings are closely related. **Interactive logon: Message text for users attempting to log on** specifies a text message to be displayed to users when they log on. Interactive logon: Message title for users attempting to log on specifies a title to appear in the title bar of the window that contains the text message. This text is often used for legal reasons—for example, to warn +users about the ramifications of misusing company information, or to warn them that their actions might be audited. + Not using this warning-message policy setting leaves your organization legally vulnerable to trespassers who unlawfully penetrate your network. Legal precedents have established that organizations that display warnings to users who connect to their servers over a network have a higher rate of successfully prosecuting trespassers. + When these policy settings are configured, users will see a dialog box before they can log on to the server console. + ### Possible values + The possible values for this setting are: + - User-defined text - Not defined + ### Best practices + - It is advisable to set **Interactive logon: Message text for users attempting to log on** to a value similar to one of the following: + 1. IT IS AN OFFENSE TO CONTINUE WITHOUT PROPER AUTHORIZATION. 2. This system is restricted to authorized users. Individuals who attempt unauthorized access will be prosecuted. If you are unauthorized, terminate access now. Click OK to indicate your acceptance of this information. -**Important**   -Any warning that you display in the title or text should be approved by representatives from your organization's legal and human resources departments. +>**Important:**  Any warning that you display in the title or text should be approved by representatives from your organization's legal and human resources departments.   ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Not defined

DC Effective Default Settings

Not defined

Member Server Effective Default Settings

Not defined

Client Computer Effective Default Settings

Not defined

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Not defined| +| DC Effective Default Settings | Not defined| +| Member Server Effective Default Settings | Not defined| +| Client Computer Effective Default Settings | Not defined|   ## Policy management + This section describes different requirements to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + There are two policy settings that relate to logon displays: + - **Interactive logon: Message text for users attempting to log on** - [Interactive logon: Message title for users attempting to log on](interactive-logon-message-title-for-users-attempting-to-log-on.md) + The first policy setting specifies a text message that displays to users when they log on, and the second policy setting specifies a title for the title bar of the text message window. Many organizations use this text for legal purposes; for example, to warn users about the ramifications of misuse of company information, or to warn them that their actions may be audited. + ### Vulnerability + Users often do not understand the importance of security practices. However, the display of a warning message before logon may help prevent an attack by warning malicious or uninformed users about the consequences of their misconduct before it happens. It may also help reinforce corporate policies by notifying employees of appropriate policies during the logon process. + ### Countermeasure + Configure the **Interactive logon: Message text for users attempting to log on** and [Interactive logon: Message title for users attempting to log on](interactive-logon-message-title-for-users-attempting-to-log-on.md) settings to an appropriate value for your organization. -**Note**   -Any warning message that displays should be approved by your organization's legal and human resources representatives. + +>**Note:**  Any warning message that displays should be approved by your organization's legal and human resources representatives.   ### Potential impact + Users see a message in a dialog box before they can log on to the server console. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md)  diff --git a/windows/keep-secure/interactive-logon-message-title-for-users-attempting-to-log-on.md b/windows/keep-secure/interactive-logon-message-title-for-users-attempting-to-log-on.md index dcc618ac81..5fd221ea00 100644 --- a/windows/keep-secure/interactive-logon-message-title-for-users-attempting-to-log-on.md +++ b/windows/keep-secure/interactive-logon-message-title-for-users-attempting-to-log-on.md @@ -2,93 +2,97 @@ title: Interactive logon Message title for users attempting to log on (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Interactive logon Message title for users attempting to log on security policy setting. ms.assetid: f2596470-4cc0-4ef1-849c-bef9dc3533c6 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Interactive logon: Message title for users attempting to log on + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Message title for users attempting to log on** security policy setting. + ## Reference + This security setting allows you to specify a title that appears in the title bar of the window that contains the **Interactive logon: Message title for users attempting to log on**. This text is often used for legal reasons—for example, to warn users about the ramifications of misusing company information, or to warn them that their actions might be audited. + The **Interactive logon: Message title for users attempting to log on** and [Interactive logon: Message text for users attempting to log on](interactive-logon-message-text-for-users-attempting-to-log-on.md) policy settings are closely related. **Interactive logon: Message title for users attempting to log on** specifies a message title to be displayed to users when they log on. + Not using this warning-message policy setting leaves your organization legally vulnerable to trespassers who unlawfully penetrate your network. Legal precedents have established that organizations that display warnings to users who connect to their servers over a network have a higher rate of successfully prosecuting trespassers. + When these policy settings are configured, users will see a dialog box before they can log on to the server console. + ### Possible values + - *User-defined title* - Not defined + ### Best practices + 1. It is advisable to set **Interactive logon: Message title for users attempting to log on** to a value similar to one the following: + - RESTRICTED SYSTEM + or + - WARNING: This system is restricted to authorized users. + 2. Set the policy [Interactive logon: Message text for users attempting to log on](interactive-logon-message-text-for-users-attempting-to-log-on.md) to reinforce the meaning of the message’s title. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Not defined

DC Effective Default Settings

Not defined

Member Server Effective Default Settings

Not defined

Client Computer Effective Default Settings

Not defined

+ +|Server type or GPO | Default value| +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Not defined| +| DC Effective Default Settings | Not defined| +| Member Server Effective Default Settings | Not defined| +| Client Computer Effective Default Settings | Not defined|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + There are two policy settings that relate to logon displays: + - [Interactive logon: Message text for users attempting to log on](interactive-logon-message-text-for-users-attempting-to-log-on.md) - **Interactive logon: Message title for users attempting to log on** + The first policy setting specifies a text message that displays to users when they log on, and the second policy setting specifies a title for the title bar of the text message window. Many organizations use this text for legal purposes; for example, to warn users about the ramifications of misuse of company information, or to warn them that their actions may be audited. + ### Vulnerability + Users often do not understand the importance of security practices. However, the display of a warning message with an appropriate title before logon may help prevent an attack by warning malicious or uninformed users about the consequences of their misconduct before it happens. It may also help reinforce corporate policies by notifying employees of appropriate policies during the logon process. + ### Countermeasure + Configure the [Interactive logon: Message text for users attempting to log on](interactive-logon-message-text-for-users-attempting-to-log-on.md) and **Interactive logon: Message title for users attempting to log on** settings to an appropriate value for your organization. -**Note**   -Any warning message that displays should be approved by your organization's legal and human resources representatives. + +>**Note:**  Any warning message that displays should be approved by your organization's legal and human resources representatives.   ### Potential impact + Users see a message in a dialog box before they can log on to the server console. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md b/windows/keep-secure/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md index 14605564d2..c57b5db6e3 100644 --- a/windows/keep-secure/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md +++ b/windows/keep-secure/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md @@ -2,91 +2,100 @@ title: Interactive logon Number of previous logons to cache (in case domain controller is not available) (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Interactive logon Number of previous logons to cache (in case domain controller is not available) security policy setting. ms.assetid: 660e925e-cc3e-4098-a41e-eb8db8062d8d -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Interactive logon: Number of previous logons to cache (in case domain controller is not available) + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Number of previous logons to cache (in case domain controller is not available)** security policy setting. + ## Reference + The **Interactive logon: Number of previous logons to cache (in case domain controller is not available**) policy setting determines whether a user can log on to a Windows domain by using cached account information. Logon information for domain accounts can be cached locally so that, if a domain controller cannot be contacted on subsequent logons, a user can still log on. This policy setting determines the number of unique users whose logon information is cached locally. + If a domain controller is unavailable and a user's logon information is cached, the user is prompted with the following message: + A domain controller for your domain could not be contacted. You have been logged on using cached account information. Changes to your profile since you last logged on might not be available. + If a domain controller is unavailable and a user's logon information is not cached, the user is prompted with this message: + The system cannot log you on now because the domain *DOMAIN NAME* is not available. + The value of this policy setting indicates the number of users whose logon information the server caches locally. If the value is 10, the server caches logon information for 10 users. When an eleventh user logs on to the device, the server overwrites the oldest cached logon session. -Users who access the server console will have their logon credentials cached on that server. A malicious user who is able to access the file system of the server can locate this cached information and use a brute-force attack to determine user passwords. Windows mitigates this type of attack by encrypting the information and keeping the cached credentials in the system's registries, which are spread across numerous physical locations. + +Users who access the server console will have their logon credentials cached on that server. A malicious user who is able to access the file system of the server can locate this cached information and use a brute-force attack to determine user passwords. Windows mitigates this type of attack by +encrypting the information and keeping the cached credentials in the system's registries, which are spread across numerous physical locations. + ### Possible values + - A user-defined number from 0 through 50 - Not defined + ### Best practices + It is advisable to set **Interactive logon: Number of previous logons to cache (in case domain controller is not available)** to 0. Setting this value to 0 disables the local caching of logon information. Additional countermeasures include enforcing strong password policies and physically securing the computers. If the value is set to 0, users will be unable to log on to any computers if there is no domain controller available to authenticate them. Organizations might want to set **Interactive logon: Number of previous logons to cache (in case domain controller is not available)** to 2 for end-user systems, especially for mobile users. Setting this value to 2 means that the user's logon information will still be in the cache even if a member of the IT department has recently logged on to their device to perform system maintenance. This way, those users will be able to log on to their devices when they are not connected to the corporate network. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

10 logons

DC Effective Default Settings

10 logons

Member Server Effective Default Settings

10 logons

Client Computer Effective Default Settings

10 logons

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | 10 logons| +| DC Effective Default Settings | 10 logons| +| Member Server Effective Default Settings | 10 logons| +| Client Computer Effective Default Settings| 10 logons|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. + ### Policy conflict considerations + None + ### Group Policy + This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + The number that is assigned to this policy setting indicates the number of users whose logon information is cache locally by the servers. If the number is set to 10, the server caches logon information for 10 users. When an eleventh user logs on to the device, the server overwrites the oldest cached logon session. + Users who access the server console have their logon credentials cached on that server. An attacker who is able to access the file system of the server could locate this cached information and use a brute force attack to attempt to determine user passwords. + To mitigate this type of attack, Windows encrypts the information and obscures its physical location. + ### Countermeasure + Configure the **Interactive logon: Number of previous logons to cache (in case domain controller is not available)** setting to 0, which disables the local caching of logon information. Additional countermeasures include enforcement of strong password policies and physically secure locations for the computers. + ### Potential impact -Users cannot log on to any devices if there is no domain controller available to authenticate them. Organizations can configure this value to 2 for end-user computers, especially for mobile users. A configuration value of 2 means that the user's logon information is still in the cache, even if a member of the IT department has recently logged on to the device to perform system maintenance. This method allows users to log on to their computers when they are not connected to the organization's network. + +Users cannot log on to any devices if there is no domain controller available to authenticate them. Organizations can configure this value to 2 for end-user computers, especially for mobile users. A configuration value of 2 means that the user's logon information is still in the cache, even if a +member of the IT department has recently logged on to the device to perform system maintenance. This method allows users to log on to their computers when they are not connected to the organization's network. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/interactive-logon-prompt-user-to-change-password-before-expiration.md b/windows/keep-secure/interactive-logon-prompt-user-to-change-password-before-expiration.md index f499d1b051..3b6173cf5c 100644 --- a/windows/keep-secure/interactive-logon-prompt-user-to-change-password-before-expiration.md +++ b/windows/keep-secure/interactive-logon-prompt-user-to-change-password-before-expiration.md @@ -2,85 +2,84 @@ title: Interactive logon Prompt user to change password before expiration (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Interactive logon Prompt user to change password before expiration security policy setting. ms.assetid: 8fe94781-40f7-4fbe-8cfd-5e116e6833e9 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Interactive logon: Prompt user to change password before expiration + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Prompt user to change password before expiration** security policy setting. + ## Reference + The **Interactive logon: Prompt user to change password before expiration** policy setting determines how many days in advance users are warned that their passwords are about to expire. With this advance warning, the user has time to construct a password that is sufficiently strong. + ### Possible values + - A user-defined number of days from 0 through 999. - Not defined. + ### Best practices + 1. Configure user passwords to expire periodically. Users will need warning that their passwords are going to expire, or they might inadvertently get locked out of the system. This could lead to confusion for users who access the network locally, or make it impossible for users who access the network through dial-up or virtual private network (VPN) connections to log on. 2. Set **Interactive logon: Prompt user to change password before expiration** to 5 days. When their password expiration date is 5 or fewer days away, users will see a dialog box each time they log on to the domain. 3. Do not set the value to 0, which results in displaying the password expiration warning every time the user logs on. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

14 days *

DC Effective Default Settings

14 days *

Member Server Effective Default Settings

14 days *

Client Computer Effective Default Settings

14 days *

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | 14 days| +| DC Effective Default Settings | 14 days | +| Member Server Effective Default Settings| 14 days | +| Client Computer Effective Default Settings | 14 days|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Policy conflict considerations + None. + ### Group Policy + This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + If user passwords are configured to expire periodically in your organization, users need to be warned when this is about to happen, or they may be locked out of the device inadvertently when their passwords expire. This condition could lead to confusion for users who access the network locally, or make it impossible for users to access your organization's network through dial-up or virtual private network (VPN) connections. + ### Countermeasure + Configure the **Interactive logon: Prompt user to change password before expiration** setting to 14 days. + ### Potential impact + Users see a dialog-box prompt to change their password each time that they log on to the domain when their password is configured to expire in 14 or fewer days. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md b/windows/keep-secure/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md index 97aa85187c..0faeff4378 100644 --- a/windows/keep-secure/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md +++ b/windows/keep-secure/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md @@ -2,87 +2,89 @@ title: Interactive logon Require Domain Controller authentication to unlock workstation (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Interactive logon Require Domain Controller authentication to unlock workstation security policy setting. ms.assetid: 97618ed3-e946-47db-a212-b5e7a4fc6ffc -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Interactive logon: Require Domain Controller authentication to unlock workstation + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Interactive logon: Require Domain Controller authentication to unlock workstation** security policy setting. + ## Reference + Unlocking a locked device requires logon information. For domain accounts, the **Interactive logon: Require Domain Controller authentication to unlock workstation** policy setting determines whether it is necessary to contact a domain controller to unlock a device. Enabling this policy setting requires a domain controller to authenticate the domain account that is being used to unlock the device. Disabling this policy setting allows a user to unlock the device without the computer verifying the logon information with a domain controller. However, if [Interactive logon: Number of previous logons to cache (in case domain controller is not available)](interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md) is set to a value greater than zero, the user's cached credentials will be used to unlock the system. + The device caches (locally in memory) the credentials of any users who have been authenticated. The device uses these cached credentials to authenticate anyone who attempts to unlock the console. + When cached credentials are used, any changes that have recently been made to the account (such as user rights assignments, account lockout, or the account being disabled) are not considered or applied after this authentication process. This means not only that user rights are not updated, but more importantly that disabled accounts are still able to unlock the console of the system. + It is advisable to set **Interactive logon: Require Domain Controller authentication to unlock workstation** to Enabled and set [Interactive logon: Number of previous logons to cache (in case domain controller is not available)](interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md) to 0. When the console of a device is locked by a user or automatically by a screen saver time-out, the console can only be unlocked if the user is able to re-authenticate to the domain controller. If no domain controller is available, users cannot unlock their devices. + ### Possible values + - Enabled - Disabled - Not defined + ### Best practices + - Set **Interactive logon: Require Domain Controller authentication to unlock workstation** to Enabled and set [Interactive logon: Number of previous logons to cache (in case domain controller is not available)](interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md) to 0. When the console of a device is locked by a user or automatically by a screen saver time-out, the console can only be unlocked if the user is able to re-authenticate to the domain controller. If no domain controller is available, users cannot unlock their devices. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Policy conflict considerations + None + ### Group Policy + This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + By default, the device caches locally in memory the credentials of any users who are authenticated. The device uses these cached credentials to authenticate anyone who attempts to unlock the console. When cached credentials are used, any changes that have recently been made to the account—such as user rights assignments, account lockout, or the account being disabled—are not considered or applied after the account is authenticated. User privileges are not updated, and disabled accounts are still able to unlock the console of the device + ### Countermeasure + Configure the **Interactive logon: Require Domain Controller authentication to unlock workstation** setting to Enabled and configure the [Interactive logon: Number of previous logons to cache (in case domain controller is not available)](interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md) setting to 0. + ### Potential impact + When the console on a device is locked by a user or automatically by a screen-saver timeout, the console can be unlocked only if the user can re-authenticate to the domain controller. If no domain controller is available, users cannot unlock their workstations. If you configure the [Interactive logon: Number of previous logons to cache (in case domain controller is not available)](interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md) setting to 0, users whose domain controllers are unavailable (such as mobile or remote users) cannot log on. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/interactive-logon-require-smart-card.md b/windows/keep-secure/interactive-logon-require-smart-card.md index 417a99a5a3..2441b3c3e7 100644 --- a/windows/keep-secure/interactive-logon-require-smart-card.md +++ b/windows/keep-secure/interactive-logon-require-smart-card.md @@ -2,85 +2,86 @@ title: Interactive logon Require smart card (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Interactive logon Require smart card security policy setting. ms.assetid: c6a8c040-cbc7-472d-8bc5-579ddf3cbd6c -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Interactive logon: Require smart card + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Require smart card** security policy setting. + ## Reference + The **Interactive logon: Require smart card** policy setting requires users to log on to a device by using a smart card. + Requiring users to use long, complex passwords for authentication enhances network security, especially if the users must change their passwords regularly. This reduces the chance that a malicious user will be able to guess a user's password through a brute-force attack. Using smart cards rather than passwords for authentication dramatically increases security because, with today's technology, it is nearly impossible for a malicious user to impersonate another user. Smart cards that require personal identification numbers (PINs) provide two-factor authentication: the user who attempts to log on must possess the smart card and know its PIN. A malicious user who captures the authentication traffic between the user's device and the domain controller will find it extremely difficult to decrypt the traffic: even if they do, the next time the user logs on to the network, a new session key will be generated for encrypting traffic between the user and the domain controller. + ### Possible values + - Enabled - Disabled - Not defined + ### Best practices + - Set **Interactive logon: Require smart card** to Enabled. All users will have to use smart cards to log on to the network. This means that the organization must have a reliable public key infrastructure (PKI) in place, and provide smart cards and smart card readers for all users. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Policy conflict considerations + None. + ### Group Policy + This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + It can be difficult to make users choose strong passwords, and even strong passwords are vulnerable to brute-force attacks if an attacker has sufficient time and computing resources. + ### Countermeasure + For users with access to computers that contain sensitive data, issue smart cards to users and configure the **Interactive logon: Require smart card** setting to Enabled. + ### Potential impact -All users of a device with this setting enabled must use smart cards to log on locally. This means that the organization must have a reliable public key infrastructure (PKI) as well as smart cards and smart card readers for these users. These requirements are significant challenges because expertise and resources are required to plan for and deploy these technologies. Active Directory Certificate Services (AD CS) can be used to implement and manage certificates. You can use automatic user and device enrollment and renewal on the client. + +All users of a device with this setting enabled must use smart cards to log on locally. This means that the organization must have a reliable public key infrastructure (PKI) as well as smart cards and smart card readers for these users. These requirements are significant challenges because +expertise and resources are required to plan for and deploy these technologies. Active Directory Certificate Services (AD CS) can be used to implement and manage certificates. You can use automatic user and device enrollment and renewal on the client. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/interactive-logon-smart-card-removal-behavior.md b/windows/keep-secure/interactive-logon-smart-card-removal-behavior.md index e7daf35333..a2ba648b93 100644 --- a/windows/keep-secure/interactive-logon-smart-card-removal-behavior.md +++ b/windows/keep-secure/interactive-logon-smart-card-removal-behavior.md @@ -2,93 +2,102 @@ title: Interactive logon Smart card removal behavior (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Interactive logon Smart card removal behavior security policy setting. ms.assetid: 61487820-9d49-4979-b15d-c7e735999460 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Interactive logon: Smart card removal behavior + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Smart card removal behavior** security policy setting. + ## Reference + This policy setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. + If smart cards are used for authentication, the device should automatically lock itself when the card is removed—that way, if users forget to manually lock their devices when they are away from them, malicious users cannot gain access. + If you select **Force Logoff** in the property sheet for this policy setting, the user is automatically logged off when the smart card is removed. Users will have to reinsert their smart cards and reenter their PINs when they return to their workstations. + ### Possible values + - No Action - Lock Workstation + If you select this, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session. + - Force Logoff + If you select this, the user is automatically logged off when the smart card is removed. + - Disconnect if a remote Remote Desktop Services session + If you select this, removal of the smart card disconnects the session without logging the user off. This allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped computer, without having to log on again. If the session is local, this policy functions identically to Lock Workstation. + - Not Defined + ### Best practices + - Set **Interactive logon: Smart card removal behavior** to **Lock Workstation**. If you select **Lock Workstation** in the property sheet for this policy setting, the workstation is locked when the smart card is removed. This allows users to leave the area, take their smart card with them, and still maintain a protected session. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

No Action

DC Effective Default Settings

No Action

Member Server Effective Default Settings

No Action

Client Computer Effective Default Settings

No Action

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | No Action| +| DC Effective Default Settings | No Action| +| Member Server Effective Default Settings | No Action| +| Client Computer Effective Default Settings | No Action|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Policy conflict considerations + None + ### Group Policy + This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Users sometimes forget to lock their workstations when they are away from them, allowing the possibility for malicious users to access their devices. If smart cards are used for authentication, the device should automatically lock itself when the card is removed to ensure that only the user with the smart card is accessing resources by using those credentials. + ### Countermeasure + Configure the **Interactive logon: Smart card removal behavior** setting to **Lock Workstation**. + If you select **Lock Workstation** for this policy setting, the device locks when the smart card is removed. Users can leave the area, take their smart card with them, and still maintain a protected session. This behavior is similar to the setting that requires users to log on when resuming work on the device after the screen saver has started. + If you select **Force Logoff** for this policy setting, the user is automatically logged off when the smart card is removed. This setting is useful when a device is deployed as a public access point, such as a kiosk or other type of shared device + ### Potential impact + If you select **Force Logoff**, users must insert their smart cards and enter their PINs when they return to their workstations. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md index 02e10c15b7..d724b1862d 100644 --- a/windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md @@ -3,9 +3,11 @@ title: Investigate Windows Defender Advanced Threat Protection alerts description: Use the investigation options to get details on which alerts are affecting your network, what they mean, and how to resolve them. keywords: investigate, investigation, machines, machine, endpoints, endpoint, alerts queue, dashboard, IP address, file, submit, submissions, deep analysis, timeline, search, domain, URL, IP search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security +author: mjcaparas --- # Investigate Windows Defender Advanced Threat Protection alerts diff --git a/windows/keep-secure/investigate-domain-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-domain-windows-defender-advanced-threat-protection.md index f5864ee6f3..fd75059fff 100644 --- a/windows/keep-secure/investigate-domain-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/investigate-domain-windows-defender-advanced-threat-protection.md @@ -3,9 +3,10 @@ title: Investigate Windows Defender Advanced Threat Protection domains description: Use the investigation options to see if machines and servers have been communicating with malicious domains. keywords: investigate domain, domain, malicious domain, windows defender atp, alert, URL search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: mjcaparas --- # Investigate a domain associated with a Windows Defender ATP alert diff --git a/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md index 3b0b76a04d..2f82d6927e 100644 --- a/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md @@ -3,9 +3,10 @@ title: Investigate Windows Defender Advanced Threat Protection files description: Use the investigation options to get details on files associated with alerts, behaviours, or events. keywords: investigate, investigation, file, malicious activity, attack motivation, deep analysis, deep analysis report search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: mjcaparas --- # Investigate a file associated with a Windows Defender ATP alert diff --git a/windows/keep-secure/investigate-ip-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-ip-windows-defender-advanced-threat-protection.md index 5e516f6425..e1427b0400 100644 --- a/windows/keep-secure/investigate-ip-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/investigate-ip-windows-defender-advanced-threat-protection.md @@ -3,9 +3,10 @@ title: Investigate Windows Defender Advanced Threat Protection IP address description: Use the investigation options to examine possible communication between machines and external IP addresses. keywords: investigate, investigation, IP address, alert, windows defender atp, external IP search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: mjcaparas --- # Investigate an IP address associated with a Windows Defender ATP alert diff --git a/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md index a248e46dd3..4778e194e5 100644 --- a/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md @@ -3,9 +3,10 @@ title: Investigate machines in the Windows Defender ATP Machines view description: Investigate affected machines in your network by reviewing alerts, network connection information, and service health on the Machines view. keywords: machines, endpoints, machine, endpoint, alerts queue, alerts, machine name, domain, last seen, internal IP, active alerts, active malware detections, threat category, filter, sort, review alerts, network, connection, malware, type, password stealer, ransomware, exploit, threat, low severity search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: mjcaparas --- diff --git a/windows/keep-secure/kerberos-policy.md b/windows/keep-secure/kerberos-policy.md index 7fc388203f..0cb40c4482 100644 --- a/windows/keep-secure/kerberos-policy.md +++ b/windows/keep-secure/kerberos-policy.md @@ -2,56 +2,37 @@ title: Kerberos Policy (Windows 10) description: Describes the Kerberos Policy settings and provides links to policy setting descriptions. ms.assetid: 94017dd9-b1a3-4624-af9f-b29161b4bf38 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Kerberos Policy + **Applies to** - Windows 10 + Describes the Kerberos Policy settings and provides links to policy setting descriptions. + The Kerberos version 5 authentication protocol provides the default mechanism for authentication services and the authorization data necessary for a user to access a resource and perform a task on that resource. By reducing the lifetime of Kerberos tickets, you reduce the risk of a legitimate user's credentials being stolen and successfully used by an attacker. However, this also increases the authorization overhead. In most environments, these settings should not need to be changed. + These policy settings are located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Kerberos Policy**. -The following topics provide a discussion of implementation and best practices considerations, policy location, default values for the server type or GPO, relevant differences in operating system versions, security considerations (including the possible settings vulnerabilities of each setting), countermeasures you can take, and the potential impact for each setting. + +The following topics provide a discussion of implementation and best practices considerations, policy location, default values for the server type or GPO, relevant differences in operating system versions, security considerations (including the possible settings vulnerabilities of each setting), +countermeasures you can take, and the potential impact for each setting. + ## In this section - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TopicDescription

[Enforce user logon restrictions](enforce-user-logon-restrictions.md)

Describes the best practices, location, values, policy management, and security considerations for the Enforce user logon restrictions security policy setting.

[Maximum lifetime for service ticket](maximum-lifetime-for-service-ticket.md)

Describes the best practices, location, values, policy management, and security considerations for the Maximum lifetime for service ticket security policy setting.

[Maximum lifetime for user ticket](maximum-lifetime-for-user-ticket.md)

Describes the best practices, location, values, policy management, and security considerations for the Maximum lifetime for user ticket policy setting.

[Maximum lifetime for user ticket renewal](maximum-lifetime-for-user-ticket-renewal.md)

Describes the best practices, location, values, policy management, and security considerations for the Maximum lifetime for user ticket renewal security policy setting.

[Maximum tolerance for computer clock synchronization](maximum-tolerance-for-computer-clock-synchronization.md)

Describes the best practices, location, values, policy management, and security considerations for the Maximum tolerance for computer clock synchronization security policy setting.

+ +| Topic | Description | +| - | - | +| [Enforce user logon restrictions](enforce-user-logon-restrictions.md) | Describes the best practices, location, values, policy management, and security considerations for the **Enforce user logon restrictions** security policy setting.| +| [Maximum lifetime for service ticket](maximum-lifetime-for-service-ticket.md) | Describes the best practices, location, values, policy management, and security considerations for the **Maximum lifetime for service ticket** security policy setting.| +| [Maximum lifetime for user ticket](maximum-lifetime-for-user-ticket.md) | Describes the best practices, location, values, policy management, and security considerations for the **Maximum lifetime for user ticket** policy setting.| +| [Maximum lifetime for user ticket renewal](maximum-lifetime-for-user-ticket-renewal.md) | Describes the best practices, location, values, policy management, and security considerations for the **Maximum lifetime for user ticket renewal** security policy setting.| +| [Maximum tolerance for computer clock synchronization](maximum-tolerance-for-computer-clock-synchronization.md) | Describes the best practices, location, values, policy management, and security considerations for the **Maximum tolerance for computer clock synchronization** security| policy setting.   ## Related topics -[Configure security policy settings](how-to-configure-security-policy-settings.md) -  -  + +- [Configure security policy settings](how-to-configure-security-policy-settings.md) diff --git a/windows/keep-secure/load-and-unload-device-drivers.md b/windows/keep-secure/load-and-unload-device-drivers.md index fb07375002..a0500dbf3c 100644 --- a/windows/keep-secure/load-and-unload-device-drivers.md +++ b/windows/keep-secure/load-and-unload-device-drivers.md @@ -2,96 +2,95 @@ title: Load and unload device drivers (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Load and unload device drivers security policy setting. ms.assetid: 66262532-c610-470c-9792-35ff4389430f -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Load and unload device drivers + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Load and unload device drivers** security policy setting. + ## Reference + This policy setting determines which users can dynamically load and unload device drivers. This user right is not required if a signed driver for the new hardware already exists in the driver.cab file on the device. Device drivers run as highly privileged code. Windows supports the Plug and Play specifications that define how a computer can detect and configure newly added hardware, and then automatically install the device driver. Prior to Plug and Play, users needed to manually configure devices before attaching them to the device. This model allows a user to plug in the hardware, then Windows searches for an appropriate device driver package and automatically configures it to work without interfering with other devices. + Because device driver software runs as if it is a part of the operating system with unrestricted access to the entire computer, it is critical that only known and authorized device drivers be permitted. + Constant: SeLoadDriverPrivilege + ### Possible values + - User-defined list of accounts - Default values - Not Defined + ### Best practices + - Because of the potential security risk, do not assign this user right to any user, group, or process that you do not want to take over the system. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default this setting is Administrators and Print Operators on domain controllers and Administrators on stand-alone servers. + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Administrators

-

Print Operators

Stand-Alone Server Default Settings

Administrators

Domain Controller Effective Default Settings

Administrators

-

Print Operators

Member Server Effective Default Settings

Administrators

Client Computer Effective Default Settings

Administrators

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Administrators
Print Operators| +| Stand-Alone Server Default Settings | Administrators| +| Domain Controller Effective Default Settings | Administrators
Print Operators | +| Member Server Effective Default Settings | Administrators| +| Client Computer Effective Default Settings | Administrators|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the device is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Device drivers run as highly privileged code. A user who has the **Load and unload device drivers** user right could unintentionally install malware that masquerades as a device driver. Administrators should exercise care and install only drivers with verified digital signatures. -**Note**   -You must have this user right or be a member of the local Administrators group to install a new driver for a local printer or to manage a local printer and configure defaults for options such as duplex printing. + +>**Note:**  You must have this user right or be a member of the local Administrators group to install a new driver for a local printer or to manage a local printer and configure defaults for options such as duplex printing.   ### Countermeasure + Do not assign the **Load and unload device drivers** user right to any user or group other than Administrators on member servers. On domain controllers, do not assign this user right to any user or group other than Domain Admins. + ### Potential impact + If you remove the **Load and unload device drivers** user right from the Print Operators group or other accounts, you could limit the abilities of users who are assigned to specific administrative roles in your environment. You should ensure that delegated tasks are not negatively affected. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/lock-pages-in-memory.md b/windows/keep-secure/lock-pages-in-memory.md index 3bf58d8f5e..c1da29a511 100644 --- a/windows/keep-secure/lock-pages-in-memory.md +++ b/windows/keep-secure/lock-pages-in-memory.md @@ -2,92 +2,93 @@ title: Lock pages in memory (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Lock pages in memory security policy setting. ms.assetid: cc724979-aec0-496d-be4e-7009aef660a3 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Lock pages in memory + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Lock pages in memory** security policy setting. + ## Reference + This policy setting determines which accounts can use a process to keep data in physical memory, which prevents the computer from paging the data to virtual memory on a disk. + Normally, an application running on Windows can negotiate for more physical memory, and in response to the request, the application begins to move the data from RAM (such as the data cache) to a disk. When the pageable memory is moved to a disk, more RAM is free for the operating system to use. + Enabling this policy setting for a specific account (a user account or a process account for an application) prevents paging of the data. Thereby, the amount of memory that Windows can reclaim under pressure is limited. This could lead to performance degradation. -**Note**   -By configuring this policy setting, the performance of the Windows operating system will differ depending on if applications are running on 32-bit or 64-bit systems, and if they are virtualized images. Performance will also differ between earlier and later versions of the Windows operating system. + +>**Note:**  By configuring this policy setting, the performance of the Windows operating system will differ depending on if applications are running on 32-bit or 64-bit systems, and if they are virtualized images. Performance will also differ between earlier and later versions of the Windows operating system.   Constant: SeLockMemoryPrivilege + ### Possible values + - User-defined list of accounts - Not defined + ### Best practices + Best practices are dependent on the platform architecture and the applications running on those platforms. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Not defined

Domain Controller Effective Default Settings

Not defined

Member Server Effective Default Settings

Not defined

Client Computer Effective Default Settings

Not defined

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Not defined| +| Domain Controller Effective Default Settings | Not defined| +| Member Server Effective Default Settings | Not defined| +| Client Computer Effective Default Settings | Not defined|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the computer is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Users with the **Lock pages in memory** user right could assign physical memory to several processes, which could leave little or no RAM for other processes and result in a denial-of-service condition. + ### Countermeasure + Do not assign the **Lock pages in memory** user right to any accounts. + ### Potential impact + None. Not defined is the default configuration. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/log-on-as-a-batch-job.md b/windows/keep-secure/log-on-as-a-batch-job.md index 1d61c2f659..e2be507be1 100644 --- a/windows/keep-secure/log-on-as-a-batch-job.md +++ b/windows/keep-secure/log-on-as-a-batch-job.md @@ -2,98 +2,92 @@ title: Log on as a batch job (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Log on as a batch job security policy setting. ms.assetid: 4eaddb51-0a18-470e-9d3d-5e7cd7970b41 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Log on as a batch job + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Log on as a batch job** security policy setting. + ## Reference + This policy setting determines which accounts can log on by using a batch-queue tool such as the Task Scheduler service. When you use the Add Scheduled Task Wizard to schedule a task to run under a particular user name and password, that user is automatically assigned the **Log on as a batch job** user right. When the scheduled time arrives, the Task Scheduler service logs on the user as a batch job instead of as an interactive user, and the task runs in the user's security context. + Constant: SeBatchLogonRight + ### Possible values + - User-defined list of accounts - Default values - Not Defined + ### Best practices + - Use discretion when assigning this right to specific users for security reasons. The default settings are sufficient in most cases. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default, this setting is for Administrators, Backup Operators, and Performance Log Users on domain controllers and on stand-alone servers. + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Administrators

-

Backup Operators

-

Performance Log Users

Stand-Alone Server Default Settings

Administrators

-

Backup Operators

-

Performance Log Users

Domain Controller Effective Default Settings

Administrators

-

Backup Operators

-

Performance Log Users

Member Server Effective Default Settings

Administrators

-

Backup Operators

-

Performance Log Users

Client Computer Effective Default Settings

Administrators

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Administrators
Backup Operators
Performance Log Users| +| Stand-Alone Server Default Settings | Administrators
Backup Operators
Performance Log Users| +| Domain Controller Effective Default Settings | Administrators
Backup Operators
Performance Log Users| +| Member Server Effective Default Settings | Administrators
Backup Operators
Performance Log Users| +| Client Computer Effective Default Settings | Administrators|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the computer is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + Task Scheduler automatically grants this right when a user schedules a task. To override this behavior use the [Deny log on as a batch job](deny-log-on-as-a-batch-job.md) User Rights Assignment setting. + Group Policy settings are applied in the following order, which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + The **Log on as a batch job** user right presents a low-risk vulnerability. For most organizations, the default settings are sufficient. Members of the local Administrators group have this right by default. + ### Countermeasure + You should allow the computer to manage this user right automatically if you want to allow scheduled tasks to run for specific user accounts. If you do not want to use the Task Scheduler in this manner, configure the **Log on as a batch job** user right for only the Local Service account. + For IIS servers, you should configure this policy locally instead of through domain–based Group Policy settings so that you can ensure the local IUSR\_*<ComputerName>* and IWAM\_*<ComputerName>* accounts have this user right. + ### Potential impact + If you configure the **Log on as a batch job** setting by using domain-based Group Policy settings, the computer cannot assign the user right to accounts that are used for scheduled jobs in the Task Scheduler. If you install optional components such as ASP.NET or IIS, you may need to assign this user right to additional accounts that are required by those components. For example, IIS requires assignment of this user right to the IIS\_WPG group and the IUSR\_*<ComputerName>*, ASPNET, and IWAM\_*<ComputerName>* accounts. If this user right is not assigned to this group and these accounts, IIS cannot run some COM objects that are necessary for proper functionality. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/log-on-as-a-service.md b/windows/keep-secure/log-on-as-a-service.md index ac574fb9c8..eff13752ec 100644 --- a/windows/keep-secure/log-on-as-a-service.md +++ b/windows/keep-secure/log-on-as-a-service.md @@ -2,88 +2,91 @@ title: Log on as a service (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Log on as a service security policy setting. ms.assetid: acc9a9e0-fd88-4cda-ab54-503120ba1f42 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Log on as a service + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Log on as a service** security policy setting. + ## Reference + This policy setting determines which service accounts can register a process as a service. Running a process under a service account circumvents the need for human intervention. + Constant: SeServiceLogonRight + ### Possible values + - User-defined list of accounts - Not Defined + ### Best practices + - Minimize the number of accounts that are granted this user right. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default this setting is Network Service on domain controllers and Network Service on stand-alone servers. + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Not defined

Domain Controller Effective Default Settings

Network Service

Member Server Effective Default Settings

Network Service

Client Computer Effective Default Settings

Network Service

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Not defined| +| Domain Controller Effective Default Settings | Network Service| +| Member Server Effective Default Settings| Network Service| +| Client Computer Effective Default Settings | Network Service|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the computer is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + The policy setting **Deny logon as a service** supersedes this policy setting if a user account is subject to both policies. + Group Policy settings are applied in the following order, which will overwrite settings on the local device at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability -The **Log on as a service** user right allows accounts to start network services or services that run continuously on a computer, even when no one is logged on to the console. The risk is reduced by the fact that only users with administrative privileges can install and configure services. An attacker who has already attained that level of access could configure the service to run with the Local System account. + +The **Log on as a service** user right allows accounts to start network services or services that run continuously on a computer, even when no one is logged on to the console. The risk is reduced by the fact that only users with administrative privileges can install and configure services. An +attacker who has already attained that level of access could configure the service to run with the Local System account. + ### Countermeasure + By definition, the Network Service account has the **Log on as a service** user right. This right is not granted through the Group Policy setting. You should minimize the number of other accounts that are granted this user right. + ### Potential impact -On most computers, restricting the **Log on as a service** user right to the Local System, Local Service, and Network Service built-in accounts is the default configuration, and there is no negative impact. However, if you have installed optional components such as ASP.NET or IIS, you may need to assign the **Log on as a service** user right to additional accounts that are required by those components. IIS requires that this user right be explicitly granted to the ASPNET user account. + +On most computers, restricting the **Log on as a service** user right to the Local System, Local Service, and Network Service built-in accounts is the default configuration, and there is no negative impact. However, if you have installed optional components such as ASP.NET or IIS, you may need to +assign the **Log on as a service** user right to additional accounts that are required by those components. IIS requires that this user right be explicitly granted to the ASPNET user account. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/maintain-applocker-policies.md b/windows/keep-secure/maintain-applocker-policies.md index d028b6c454..43bd39884e 100644 --- a/windows/keep-secure/maintain-applocker-policies.md +++ b/windows/keep-secure/maintain-applocker-policies.md @@ -2,64 +2,100 @@ title: Maintain AppLocker policies (Windows 10) description: This topic describes how to maintain rules within AppLocker policies. ms.assetid: b4fbfdfe-ef3d-49e0-a390-f2dfe74602bc -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Maintain AppLocker policies + **Applies to** - Windows 10 + This topic describes how to maintain rules within AppLocker policies. + Common AppLocker maintenance scenarios include: + - A new app is deployed, and you need to update an AppLocker policy. - A new version of an app is deployed, and you need to either update an AppLocker policy or create a new rule to update the policy. - An app is no longer supported by your organization, so you need to prevent it from being used. - An app appears to be blocked but should be allowed. - An app appears to be allowed but should be blocked. - A single user or small subset of users needs to use a specific app that is blocked. + There are two methods you can use to maintain AppLocker policies: + - [Maintaining AppLocker policies by using Group Policy](#bkmk-applkr-use-gp) - [Maintaining AppLocker policies on the local computer](#bkmk-applkr-use-locsnapin) + As new apps are deployed or existing apps are removed by your organization or updated by the software publisher, you might need to make revisions to your rules and update the Group Policy Object (GPO) to ensure that your policy is current. -You can edit an AppLocker policy by adding, changing, or removing rules. However, you cannot specify a version for the AppLocker policy by importing additional rules. To ensure version control when modifying an AppLocker policy, use Group Policy management software that allows you to create versions of GPOs. -**Caution**   -You should not edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can create unexpected behavior. + +You can edit an AppLocker policy by adding, changing, or removing rules. However, you cannot specify a version for the AppLocker policy by importing additional rules. To ensure version control when modifying an AppLocker policy, use Group Policy management software that allows you to create +versions of GPOs. + +>**Caution:**  You should not edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can create unexpected behavior.   ## Maintaining AppLocker policies by using Group Policy + For every scenario, the steps to maintain an AppLocker policy distributed by Group Policy include the following tasks. + ### Step 1: Understand the current behavior of the policy + Before modifying a policy, evaluate how the policy is currently implemented. For example, if a new version of the application is deployed, you can use **Test-AppLockerPolicy** to verify the effectiveness of your current policy for that app. + ### Step 2: Export the AppLocker policy from the GPO + Updating an AppLocker policy that is currently enforced in your production environment can have unintended results. Therefore, export the policy from the GPO and update the rule or rules by using AppLocker on your AppLocker reference or test computer. To prepare an AppLocker policy for modification, see [Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md) + ### Step 3: Update the AppLocker policy by editing the appropriate AppLocker rule + After the AppLocker policy has been exported from the GPO into the AppLocker reference or test computer, or has been accessed on the local computer, the specific rules can be modified as required. + To modify AppLocker rules, see the following: + - [Edit AppLocker rules](edit-applocker-rules.md) - [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md) or [Merge AppLocker policies manually](merge-applocker-policies-manually.md) - [Delete an AppLocker rule](delete-an-applocker-rule.md) - [Enforce AppLocker rules](enforce-applocker-rules.md) + ### Step 4: Test the AppLocker policy + You should test each collection of rules to ensure that the rules perform as intended. (Because AppLocker rules are inherited from linked GPOs, you should deploy all rules for simultaneous testing in all test GPOs.) For steps to perform this testing, see [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md). + ### Step 5: Import the AppLocker policy into the GPO + After testing, import the AppLocker policy back into the GPO for implementation. To update the GPO with a modified AppLocker policy, see [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md). + ### Step 6: Monitor the resulting policy behavior After deploying a policy, evaluate the policy's effectiveness. + ## Maintaining AppLocker policies by using the Local Security Policy snap-in For every scenario, the steps to maintain an AppLocker policy by using the Local Group Policy Editor or the Local Security Policy snap-in include the following tasks. + ### Step 1: Understand the current behavior of the policy + Before modifying a policy, evaluate how the policy is currently implemented. + ### Step 2: Update the AppLocker policy by modifying the appropriate AppLocker rule + Rules are grouped into a collection, which can have the policy enforcement setting applied to it. By default, AppLocker rules do not allow users to open or run any files that are not specifically allowed. + To modify AppLocker rules, see the appropriate topic listed on [Administer AppLocker](administer-applocker.md). + ### Step 3: Test the AppLocker policy + You should test each collection of rules to ensure that the rules perform as intended. For steps to perform this testing, see [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md). + ### Step 4: Deploy the policy with the modified rule + You can export and then import AppLocker policies to deploy the policy to other computers running Windows 8 or later. To perform this task, see [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) and [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md). + ### Step 5: Monitor the resulting policy behavior + After deploying a policy, evaluate the policy's effectiveness. + ## Additional resources + - For steps to perform other AppLocker policy tasks, see [Administer AppLocker](administer-applocker.md). -  -  diff --git a/windows/keep-secure/manage-alerts-windows-defender-advanced-threat-protection.md b/windows/keep-secure/manage-alerts-windows-defender-advanced-threat-protection.md index 12cc2527bd..718b2e22ce 100644 --- a/windows/keep-secure/manage-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/manage-alerts-windows-defender-advanced-threat-protection.md @@ -3,9 +3,11 @@ title: Manage Windows Defender Advanced Threat Protection alerts description: Change the status of alerts, create suppression rules to hide alerts, submit comments, and review change history for individual alerts with the Manage Alert menu. keywords: manage alerts, manage, alerts, status, new, in progress, resolved, resolve alerts, suppress, supression, rules, context, history, comments, changes search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security +author: mjcaparas --- # Manage Windows Defender Advanced Threat Protection alerts diff --git a/windows/keep-secure/manage-auditing-and-security-log.md b/windows/keep-secure/manage-auditing-and-security-log.md index f6bfc0e575..7a6cfdc0ea 100644 --- a/windows/keep-secure/manage-auditing-and-security-log.md +++ b/windows/keep-secure/manage-auditing-and-security-log.md @@ -2,95 +2,97 @@ title: Manage auditing and security log (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Manage auditing and security log security policy setting. ms.assetid: 4b946c0d-f904-43db-b2d5-7f0917575347 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Manage auditing and security log + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Manage auditing and security log** security policy setting. + ## Reference -This policy setting determines which users can specify object access audit options for individual resources such as files, Active Directory objects, and registry keys. These objects specify their system access control lists (SACL). A user who is assigned this user right can also view and clear the Security log in Event Viewer. For more info about the Object Access audit policy, see [Audit object access](basic-audit-object-access.md). + +This policy setting determines which users can specify object access audit options for individual resources such as files, Active Directory objects, and registry keys. These objects specify their system access control lists (SACL). A user who is assigned this user right can also view and clear the +Security log in Event Viewer. For more info about the Object Access audit policy, see [Audit object access](basic-audit-object-access.md). + Constant: SeSecurityPrivilege + ### Possible values - User-defined list of accounts - Administrators - Not Defined + ### Best practices + 1. Before removing this right from a group, investigate whether applications are dependent on this right. 2. Generally, assigning this user right to groups other than Administrators is not necessary. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default this setting is Administrators on domain controllers and on stand-alone servers. + The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Administrators

Stand-Alone Server Default Settings

Administrators

Domain Controller Effective Default Settings

Administrators

Member Server Effective Default Settings

Administrators

Client Computer Effective Default Settings

Administrators

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Administrators| +| Stand-Alone Server Default Settings | Administrators| +| Domain Controller Effective Default Settings | Administrators| +| Member Server Effective Default Settings | Administrators| +| Client Computer Effective Default Settings| Administrators|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the computer is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + Audits for object access are not performed unless you enable them by using the Local Group Policy Editor, the Group Policy Management Console (GPMC), or the Auditpol command-line tool. + For more information about the Object Access audit policy, see [Audit object access](basic-audit-object-access.md). + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Anyone with the **Manage auditing and security log** user right can clear the Security log to erase important evidence of unauthorized activity. + ### Countermeasure + Ensure that only the local Administrators group has the **Manage auditing and security log** user right. + ### Potential impact + Restricting the **Manage auditing and security log** user right to the local Administrators group is the default configuration. -**Warning**   -If groups other than the local Administrators group have been assigned this user right, removing this user right might cause performance issues with other applications. Before removing this right from a group, investigate whether applications are dependent on this right. + +>**Warning:**  If groups other than the local Administrators group have been assigned this user right, removing this user right might cause performance issues with other applications. Before removing this right from a group, investigate whether applications are dependent on this right.   ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md b/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md index 7f4b06da3d..bb891d67c5 100644 --- a/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md +++ b/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md @@ -3,7 +3,7 @@ title: Manage identity verification using Microsoft Passport (Windows 10) description: In Windows 10, Microsoft Passport replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a Windows Hello (biometric) or PIN. ms.assetid: 5BF09642-8CF5-4FBC-AC9A-5CA51E19387E keywords: identity, PIN, biometric, Hello -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/manage-packaged-apps-with-applocker.md b/windows/keep-secure/manage-packaged-apps-with-applocker.md index 33641e9491..e1a7639af3 100644 --- a/windows/keep-secure/manage-packaged-apps-with-applocker.md +++ b/windows/keep-secure/manage-packaged-apps-with-applocker.md @@ -2,47 +2,71 @@ title: Manage packaged apps with AppLocker (Windows 10) description: This topic for IT professionals describes concepts and lists procedures to help you manage Packaged apps with AppLocker as part of your overall application control strategy. ms.assetid: 6d0c99e7-0284-4547-a30a-0685a9916650 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Manage packaged apps with AppLocker + **Applies to** - Windows 10 + This topic for IT professionals describes concepts and lists procedures to help you manage Packaged apps with AppLocker as part of your overall application control strategy. + ## Understanding Packaged apps and Packaged app installers for AppLocker -Packaged apps, also known as Universal Windows apps, are based on a model that ensures all the files within an app package share the same identity. With classic Windows apps, each file within the app could have a unique identity. With packaged apps, it is possible to control the entire app by using a single AppLocker rule. -**Note**   -AppLocker supports only publisher rules for packaged apps. All packaged apps must be signed by the software publisher because Windows does not support unsigned packaged apps. + +Packaged apps, also known as Universal Windows apps, are based on a model that ensures all the files within an app package share the same identity. With classic Windows apps, each file within the app could have a unique identity. +With packaged apps, it is possible to control the entire app by using a single AppLocker rule. + +>**Note:**  AppLocker supports only publisher rules for packaged apps. All packaged apps must be signed by the software publisher because Windows does not support unsigned packaged apps.   Typically, an app consists of multiple components: the installer that is used to install the app, and one or more exes, dlls, or scripts. With classic Windows apps, not all these components always share common attributes such as the software’s publisher name, product name, and product version. Therefore, AppLocker controls each of these components separately through different rule collections, such as exe, dll, script, and Windows Installer rules. In contrast, all the components of a packaged app share the same publisher name, package name, and package version attributes. Therefore, you can control an entire app with a single rule. + ### Comparing classic Windows apps and packaged apps -AppLocker policies for packaged apps can only be applied to apps installed on computers running at least Windows Server 2012 or Windows 8, but classic Windows apps can be controlled on devices running at least Windows Server 2008 R2 or Windows 7. The rules for classic Windows apps and packaged apps can be enforced in tandem. The differences between packaged apps and classic Windows apps that you should consider include: + +AppLocker policies for packaged apps can only be applied to apps installed on computers running at least Windows Server 2012 or Windows 8, but classic Windows apps can be controlled on devices running at least Windows Server +2008 R2 or Windows 7. The rules for classic Windows apps and packaged apps can be enforced in tandem. The differences between packaged apps and classic Windows apps that you should consider include: + - **Installing the apps**   All packaged apps can be installed by a standard user, whereas a number of classic Windows apps require administrative privileges to install. In an environment where most of the users are standard users, you might not have numerous exe rules (because classic Windows apps require administrative privileges to install), but you might want to have more explicit policies for packaged apps. - **Changing the system state**   Classic Windows apps can be written to change the system state if they are run with administrative privileges. Most packaged apps cannot change the system state because they run with limited privileges. When you design your AppLocker policies, it is important to understand whether an app that you are allowing can make system-wide changes. - **Acquiring the apps**   Packaged apps can be acquired through the Store, or by loading using Windows PowerShell cmdlets (which requires a special enterprise license). Classic Windows apps can be acquired through traditional means. + AppLocker uses different rule collections to control packaged apps and classic Windows apps. You have the choice to control one type, the other type, or both. + For info about controlling classic Windows apps, see [Administer AppLocker](administer-applocker.md). + For more info about packaged apps, see [Packaged apps and packaged app installer rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md). + ## Design and deployment decisions + You can use two methods to create an inventory of packaged apps on a computer: the AppLocker console or the **Get-AppxPackage** Windows PowerShell cmdlet. -**Note**   -Not all packaged apps are listed in AppLocker’s application inventory wizard. Certain app packages are framework packages that are leveraged by other apps. By themselves, these packages cannot do anything, but blocking such packages can inadvertently cause failure for apps that you want to allow. Instead, you can create Allow or Deny rules for the packaged apps that use these framework packages. The AppLocker user interface deliberately filters out all the packages that are registered as framework packages. For info about how to create an inventory list, see [Create list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md). + +>**Note:**  Not all packaged apps are listed in AppLocker’s application inventory wizard. Certain app packages are framework packages that are leveraged by other apps. By themselves, these packages cannot do anything, but blocking such packages can inadvertently cause failure for apps that you want to allow. Instead, you can create Allow or Deny rules for the packaged apps that use these framework packages. The AppLocker user interface deliberately filters out all the packages that are registered as framework packages. For info about how to create an inventory list, see [Create list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md).   For info about how to use the **Get-AppxPackage** Windows PowerShell cmdlet, see the [AppLocker PowerShell Command Reference](http://technet.microsoft.com/library/hh847210.aspx). + For info about creating rules for Packaged apps, see [Create a rule for packaged apps](create-a-rule-for-packaged-apps.md). + Consider the following info when you are designing and deploying apps: + - Because AppLocker supports only publisher rules for packaged apps, collecting the installation path information for packaged apps is not necessary. - You cannot create hash- or path-based rules for packaged apps because all packaged apps and packaged app installers are signed by the software publisher of the package. Classic Windows apps were not always consistently signed; therefore, AppLocker has to support hash- or path-based rules. -- By default, if there are no rules in a particular rule collection, AppLocker allows every file that is included in that rule collection. For example, if there are no Windows Installer rules, AppLocker allows all .msi, .msp, and .mst files to run. An existing AppLocker policy that was targeted at computers running Windows Server 2008 R2 and Windows 7 would not have rules for Packaged apps. Therefore, when a computer running at least Windows Server 2012 or Windows 8 joins a domain where an AppLocker policy is already configured, users would be allowed to run any packaged app. This might be contrary to your design. +- By default, if there are no rules in a particular rule collection, AppLocker allows every file that is included in that rule collection. For example, if there are no Windows Installer rules, AppLocker allows all .msi, .msp, and .mst files to run. An existing AppLocker policy that was targeted at computers running Windows Server 2008 R2 and Windows 7 would not have rules for Packaged apps. Therefore, when a computer running at least Windows Server 2012 or +Windows 8 joins a domain where an AppLocker policy is already configured, users would be allowed to run any packaged app. This might be contrary to your design. + To prevent all packaged apps from running on a newly domain-joined computer, by default AppLocker blocks all packaged apps on a computer running at least Windows Server 2012 or Windows 8 if the existing domain policy has rules configured in the exe rule collection. You must take explicit action to allow packaged apps in your enterprise. You can allow only a select set of packaged apps. Or if you want to allow all packaged apps, you can create a default rule for the packaged apps collection. + ## Using AppLocker to manage packaged apps + Just as there are differences in managing each rule collection, you need to manage the packaged apps with the following strategy: + 1. Gather information about which Packaged apps are running in your environment. For information about how to do this, see [Create list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md). + 2. Create AppLocker rules for specific packaged apps based on your policy strategies. For more information, see [Create a rule for packaged apps](create-a-rule-for-packaged-apps.md) and [Packaged Apps Default Rules in AppLocker](http://technet.microsoft.com/library/ee460941(WS.10).aspx). + 3. Continue to update the AppLocker policies as new package apps are introduced into your environment. To do this, see [Add rules for packaged apps to existing AppLocker rule-set](add-rules-for-packaged-apps-to-existing-applocker-rule-set.md). + 4. Continue to monitor your environment to verify the effectiveness of the rules that are deployed in AppLocker policies. To do this, see [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md). -  -  diff --git a/windows/keep-secure/manage-tpm-commands.md b/windows/keep-secure/manage-tpm-commands.md index 0683127abc..0620207ec5 100644 --- a/windows/keep-secure/manage-tpm-commands.md +++ b/windows/keep-secure/manage-tpm-commands.md @@ -2,54 +2,75 @@ title: Manage TPM commands (Windows 10) description: This topic for the IT professional describes how to manage which Trusted Platform Module (TPM) commands are available to domain users and to local users. ms.assetid: a78e751a-2806-43ae-9c20-2e7ca466b765 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Manage TPM commands + **Applies to** - Windows 10 + This topic for the IT professional describes how to manage which Trusted Platform Module (TPM) commands are available to domain users and to local users. + ## + After a computer user takes ownership of the TPM, the TPM owner can limit which TPM commands can be run by creating a list of blocked TPM commands. The list can be created and applied to all computers in a domain by using Group Policy, or a list can be created for individual computers by using the TPM MMC. Because some hardware vendors might provide additional commands or the Trusted Computing Group may decide to add commands in the future, the TPM MMC also supports the ability to block new commands. + Domain administrators can configure a list of blocked TPM commands by using Group Policy. Local administrators cannot allow TPM commands that are blocked through Group Policy. For more information about this Group Policy setting, see [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md#bkmk-tpmgp-clbtc). + Local administrators can block commands by using the TPM MMC, and commands on the default block list are also blocked unless the Group Policy settings are changed from the default settings. + Two policy settings control the enforcement which allows TPM commands to run. For more information about these policy settings, see [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md#bkmk-tpmgp-idlb). + The following procedures describe how to manage the TPM command lists. You must be a member of the local Administrators group. + **To block TPM commands by using the Local Group Policy Editor** + 1. Open the Local Group Policy Editor (gpedit.msc). If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. - **Note**   - Administrators with appropriate rights in a domain can configure a Group Policy Object (GPO) that can be applied through Active Directory Domain Services (AD DS). + + >**Note:**  Administrators with appropriate rights in a domain can configure a Group Policy Object (GPO) that can be applied through Active Directory Domain Services (AD DS).   2. In the console tree, under **Computer Configuration**, expand **Administrative Templates**, and then expand **System**. 3. Under **System**, click **Trusted Platform Module Services**. 4. In the details pane, double-click **Configure the list of blocked TPM commands**. 5. Click **Enabled**, and then click **Show**. 6. For each command that you want to block, click **Add**, enter the command number, and then click **OK**. - **Note**   - For a list of commands, see the [Trusted Platform Module (TPM) Specifications](http://go.microsoft.com/fwlink/p/?linkid=139770). + + >**Note:**  For a list of commands, see the [Trusted Platform Module (TPM) Specifications](http://go.microsoft.com/fwlink/p/?linkid=139770).   7. After you have added numbers for each command that you want to block, click **OK** twice. 8. Close the Local Group Policy Editor. + **To block or allow TPM commands by using the TPM MMC** + 1. Open the TPM MMC (tpm.msc) 2. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. 3. In the console tree, click **Command Management**. A list of TPM commands is displayed. 4. In the list, select a command that you want to block or allow. 5. Under **Actions**, click **Block Selected Command** or **Allow Selected Command** as needed. If **Allow Selected Command** is unavailable, that command is currently blocked by Group Policy. + **To block new commands** + 1. Open the TPM MMC (tpm.msc). + If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. + 2. In the console tree, click **Command Management**. A list of TPM commands is displayed. 3. In the **Action** pane, click **Block New Command**. The **Block New Command** dialog box is displayed. 4. In the **Command Number** text box, type the number of the new command that you want to block, and then click **OK**. The command number you entered is added to the blocked list. + ## Use the TPM cmdlets + If you are using Windows PowerShell to manage your computers, you can also manage the TPM by using Windows PowerShell. To install the TPM cmdlets, type the following command: -**dism /online /enable-feature /FeatureName:tpm-psh-cmdlets** + +`dism /online /enable-feature /FeatureName:tpm-psh-cmdlets` + For details about the individual cmdlets, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx) + ## Additional resources + For more info about TPM, see [Trusted Platform Module technology overview](trusted-platform-module-overview.md#bkmk-additionalresources). -  -  diff --git a/windows/keep-secure/manage-tpm-lockout.md b/windows/keep-secure/manage-tpm-lockout.md index efe696a11e..61c94cc77e 100644 --- a/windows/keep-secure/manage-tpm-lockout.md +++ b/windows/keep-secure/manage-tpm-lockout.md @@ -2,48 +2,73 @@ title: Manage TPM lockout (Windows 10) description: This topic for the IT professional describes how to manage the lockout feature for the Trusted Platform Module (TPM) in Windows. ms.assetid: bf27adbe-404c-4691-a644-29ec722a3f7b -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Manage TPM lockout + **Applies to** - Windows 10 + This topic for the IT professional describes how to manage the lockout feature for the Trusted Platform Module (TPM) in Windows. + ## About TPM lockout + The TPM will lock itself to prevent tampering or malicious attacks. TPM lockout often lasts for a variable amount of time or until the computer is turned off. While the TPM is in lockout mode, it generally returns an error message when it receives commands that require an authorization value. One exception is that the TPM always allows the owner at least one attempt to reset the TPM lockout when it is in lockout mode. + TPM ownership is commonly taken the first time BitLocker Drive Encryption is turned on for the computer. In this case, the TPM owner authorization password is saved with the BitLocker recovery key. When the BitLocker recovery key is saved to a file, BitLocker also saves a TPM owner password file (.tpm) with the TPM owner password hash value. When the BitLocker recovery key is printed, the TPM owner password is printed at the same time. You can also save your TPM owner password hash value to Active Directory Domain Services (AD DS) if your organization's Group Policy settings are configured to do so. + In some cases, encryption keys are protected by a TPM by requiring a valid authorization value to access the key. A common example is configuring BitLocker Drive Encryption to use the TPM plus PIN key protector. In this scenario, the user must type the correct PIN during the boot process to access the volume encryption key protected by the TPM. To prevent malicious users or software from discovering authorization values, TPMs implement protection logic. The protection logic is designed to slow or stop responses from the TPM if it detects that an entity might be trying to guess authorization values. + The industry standards from the Trusted Computing Group (TCG) specify that TPM manufacturers must implement some form of protection logic in TPM 1.2 and TPM 2.0 chips. TPM manufacturers implement different protection mechanisms and behavior. The general guidance is for the TPM chip to take exponentially longer to respond if incorrect authorization values are sent to the TPM. Some TPM chips may not store failed attempts over time. Other TPM chips may store every failed attempt indefinitely. Therefore, some users may experience increasingly longer delays when they mistype an authorization value that is sent to the TPM. This can prevent them from using the TPM for a period of time. + If your TPM has entered lockout mode or is responding slowly to commands, you can reset the lockout value by using the following procedures. Resetting the TPM lockout requires the TPM owner’s authorization. + ## Reset the TPM lockout by using the TPM MMC + The following procedure explains the steps to reset the TPM lockout by using the TPM MMC. + **To reset the TPM lockout** + 1. Open the TPM MMC (tpm.msc). 2. In the **Action** pane, click **Reset TPM Lockout** to start the Reset TPM Lockout Wizard. 3. Choose one of the following methods to enter the TPM owner password: - If you saved your TPM owner password to a .tpm file, click **I have the owner password file**, and then type the path to the file, or click **Browse** to navigate to the file location. - If you want to manually enter your TPM owner password, click **I want to enter the owner password**, and then type the password in the text box provided. - **Note**   - If you enabled BitLocker and your TPM at the same time, and you printed your BitLocker recovery password when you turned on BitLocker, your TPM owner password may have printed with it. + + >**Note:**  If you enabled BitLocker and your TPM at the same time, and you printed your BitLocker recovery password when you turned on BitLocker, your TPM owner password may have printed with it.   ## Use Group Policy to manage TPM lockout settings + The TPM Group Policy settings in the following list are located at: + **Computer Configuration\\Administrative Templates\\System\\Trusted Platform Module Services\\** + - [Standard User Lockout Duration](trusted-platform-module-services-group-policy-settings.md#bkmk-individual) + This policy setting allows you to manage the duration in minutes for counting standard user authorization failures for TPM commands that require authorization. An authorization failure occurs each time a user sends a command to the TPM and receives an error message that indicates an authorization failure occurred. Authorization failures that are older than the duration you set are ignored. If the number of TPM commands with an authorization failure within the lockout duration equals a threshold, the user is prevented from sending commands to the TPM that require authorization. + - [Standard User Individual Lockout Threshold](trusted-platform-module-services-group-policy-settings.md#bkmk-tpmgp-suld) + This policy setting allows you to manage the maximum number of authorization failures for the TPM for each user. This value is the maximum number of authorization failures that each user can have before the user is not allowed to send commands to the TPM that require authorization. If the number of authorization failures equals the duration that is set for the policy setting, the user is prevented from sending commands to the TPM that require authorization. + - [Standard User Total Lockout Threshold](trusted-platform-module-services-group-policy-settings.md#bkmk-total) + This policy setting allows you to manage the maximum number of authorization failures for the TPM for all standard users. If the total number of authorization failures for all users equals the duration that is set for the policy, all users are prevented from sending commands to the TPM that require authorization. + For information about mitigating dictionary attacks that use the lockout settings, see [TPM fundamentals](tpm-fundamentals.md#bkmk-howtpmmitigates). + ## Use the TPM cmdlets + If you are using Windows PowerShell to manage your computers, you can also manage the TPM by using Windows PowerShell. To install the TPM cmdlets, type the following command: + **dism /online /enable-feature /FeatureName:tpm-psh-cmdlets** + For details about the individual cmdlets, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx). + ## Additional resources -For more info about TPM, see [TPM technology overview](trusted-platform-module-overview.md#bkmk-additionalresources). -  -  + +For more info about TPM, see [TPM technology overview](trusted-platform-module-overview.md#bkmk-additionalresources). \ No newline at end of file diff --git a/windows/keep-secure/maximum-lifetime-for-service-ticket.md b/windows/keep-secure/maximum-lifetime-for-service-ticket.md index 35118cc805..fd43969eb0 100644 --- a/windows/keep-secure/maximum-lifetime-for-service-ticket.md +++ b/windows/keep-secure/maximum-lifetime-for-service-ticket.md @@ -2,89 +2,91 @@ title: Maximum lifetime for service ticket (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Maximum lifetime for service ticket security policy setting. ms.assetid: 484bf05a-3858-47fc-bc02-6599ca860247 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Maximum lifetime for service ticket + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Maximum lifetime for service ticket** security policy setting. + ## Reference + The **Maximum lifetime for service ticket** policy setting determines the maximum number of minutes that a granted session ticket can be used to access a particular service. The value must be 10 minutes or greater, and it must be less than or equal to the value of the **Maximum lifetime for service ticket** policy setting. + The possible values for this Group Policy setting are: + - A user-defined number of minutes from 10 through 99,999, or 0 (in which case service tickets do not expire). - Not defined. + If a client presents an expired session ticket when it requests a connection to a server, the server returns an error message. The client must request a new session ticket from the Kerberos V5 KDC. After a connection is authenticated, however, it no longer matters whether the session ticket remains valid. Session tickets are used only to authenticate new connections with servers. Ongoing operations are not interrupted if the session ticket that authenticated the connection expires during the connection. + If the value for this policy setting is too high, users might be able to access network resources outside of their logon hours. In addition, users whose accounts have been disabled might be able to continue accessing network services by using valid service tickets that were issued before their account was disabled. If the value is set to 0, service tickets never expire. + ### Best practices + - It is advisable to set **Maximum lifetime for service ticket** to **600** minutes. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Kerberos Policy + ### Default values + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server Type or GPODefault Value

Default Domain Policy

600 minutes

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Not applicable

DC Effective Default Settings

600 minutes

Member Server Effective Default Settings

Not applicable

Client Computer Effective Default Settings

Not applicable

+ +| Server Type or GPO | Default Value | +| - | - | +| Default Domain Policy| 600 minutes| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Not applicable| +| DC Effective Default Settings | 600 minutes| +| Member Server Effective Default Settings | Not applicable| +| Client Computer Effective Default Settings | Not applicable|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the device is not required for this policy setting to be effective. + This policy setting is configured on the domain controller. + ### Group Policy + Client computers will get the new setting during the next scheduled and successful Group Policy refresh. But for domain controllers to assign these new settings immediately, a gpupdate.exe /force is required. On the local device, the Security Configuration Engine will refresh this setting in about five minutes. + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + If you configure the value for the **Maximum lifetime for service ticket** setting too high, users might be able to access network resources outside of their logon hours. Also, users whose accounts were disabled might continue to have access to network services with valid service tickets that were issued before their accounts were disabled. + ### Countermeasure + Configure the **Maximum lifetime for service ticket** setting to 600 minutes. + ### Potential impact + None. This is the default configuration. + ## Related topics -[Kerberos Policy](kerberos-policy.md) -  -  + +- [Kerberos Policy](kerberos-policy.md) diff --git a/windows/keep-secure/maximum-lifetime-for-user-ticket-renewal.md b/windows/keep-secure/maximum-lifetime-for-user-ticket-renewal.md index bcb1a344e6..f807fae4e2 100644 --- a/windows/keep-secure/maximum-lifetime-for-user-ticket-renewal.md +++ b/windows/keep-secure/maximum-lifetime-for-user-ticket-renewal.md @@ -2,88 +2,89 @@ title: Maximum lifetime for user ticket renewal (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Maximum lifetime for user ticket renewal security policy setting. ms.assetid: f88cd819-3dd1-4e38-b560-13fe6881b609 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Maximum lifetime for user ticket renewal + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Maximum lifetime for user ticket renewal** security policy setting. + ## Reference + The **Maximum lifetime for user ticket renewal** policy setting determines the period of time (in days) during which a user’s ticket-granting ticket can be renewed. + The possible values for this Group Policy setting are: + - A user-defined number of days from 0 through 99,999 - Not defined + ### Best practices + - If the value for this policy setting is too high, users may be able to renew very old user ticket-granting tickets. If the value is 0, ticket-granting tickets never expire. + It is advisable to set **Maximum lifetime for user ticket renewal** to **7** days. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Kerberos Policy + ### Default values + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

7 days

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Not applicable

Domain Controller Effective Default Settings

7 days

Member Server Effective Default Settings

Not applicable

Client Computer Effective Default Settings

Not applicable

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| 7 days| +| Default Domain Controller Policy| Not defined| +| Stand-Alone Server Default Settings | Not applicable| +| Domain Controller Effective Default Settings | 7 days| +| Member Server Effective Default Settings | Not applicable| +| Client Computer Effective Default Settings | Not applicable|   ### Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the device is not required for this policy setting to be effective. + This policy setting is configured on the domain controller. + ### Group Policy + Client devices will get the new setting during the next scheduled and successful Group Policy refresh. But for domain controllers to assign these new settings immediately, a gpupdate.exe /force is required. On the local device, the Security Configuration Engine will refresh this setting in about five minutes. + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + If the value for the **Maximum lifetime for user ticket renewal** setting is too high, users might be able to renew very old user tickets. + ### Countermeasure + Configure the **Maximum lifetime for user ticket renewal** setting to 7 days. + ### Potential impact + None. This is the default configuration. + ## Related topics -[Kerberos Policy](kerberos-policy.md) -  -  + +- [Kerberos Policy](kerberos-policy.md) diff --git a/windows/keep-secure/maximum-lifetime-for-user-ticket.md b/windows/keep-secure/maximum-lifetime-for-user-ticket.md index 4d15d5cbd8..e37ae53435 100644 --- a/windows/keep-secure/maximum-lifetime-for-user-ticket.md +++ b/windows/keep-secure/maximum-lifetime-for-user-ticket.md @@ -2,88 +2,89 @@ title: Maximum lifetime for user ticket (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Maximum lifetime for user ticket policy setting. ms.assetid: bcb4ff59-334d-4c2f-99af-eca2b64011dc -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Maximum lifetime for user ticket + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Maximum lifetime for user ticket** policy setting. + ## Reference + The **Maximum lifetime for user ticket** policy setting determines the maximum amount of time (in hours) that a user’s ticket-granting ticket can be used. When a user’s ticket-granting ticket expires, a new one must be requested or the existing one must be renewed. + The possible values for this Group Policy setting are: + - A user-defined number of hours from 0 through 99,999 - Not defined + If the value for this policy setting is too high, users might be able to access network resources outside of their logon hours, or users whose accounts have been disabled might be able to continue to access network services by using valid service tickets that were issued before their account was disabled. If the value is set to 0, ticket-granting tickets never expire. + ### Best practices + - It is advisable to set **Maximum lifetime for user ticket** to 10 hours. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Kerberos Policy + ### Default Values + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server Type or GPODefault Value

Default Domain Policy

10 hours

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Not applicable

Domain Controller Effective Default Settings

10 hours

Member Server Effective Default Settings

Not applicable

Client Computer Effective Default Settings

Not applicable

+ +| Server Type or GPO | Default Value | +| - | - | +| Default Domain Policy| 10 hours| +| Default Domain Controller Policy| Not defined| +| Stand-Alone Server Default Settings | Not applicable| +| Domain Controller Effective Default Settings | 10 hours| +| Member Server Effective Default Settings | Not applicable| +| Client Computer Effective Default Settings | Not applicable|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the computer is not required for this policy setting to be effective. + This policy setting is configured on the domain controller. + ### Group Policy + Client devices will get the new setting during the next scheduled and successful Group Policy refresh. But for domain controllers to assign these new settings immediately, a gpupdate.exe /force is required. On the local computer, the Security Configuration Engine will refresh this setting in about five minutes. + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + If you configure the value for the **Maximum lifetime for user ticket** setting too high, users might be able to access network resources outside of their logon hours. Also, users whose accounts were disabled might continue to have access to network services with valid user tickets that were issued before their accounts were disabled. If you configure this value too low, ticket requests to the KDC may affect the performance of your KDC and present an opportunity for a DoS attack. + ### Countermeasure + Configure the **Maximum lifetime for user ticket** setting with a value between 4 and 10 hours. + ### Potential impact + Reducing this setting from the default value reduces the likelihood that the ticket-granting ticket will be used to access resources that the user does not have rights to. However, it requires more frequent requests to the KDC for ticket-granting tickets on behalf of users. Most KDCs can support a value of four hours without too much additional burden. + ## Related topics -[Kerberos Policy](kerberos-policy.md) -  -  + +- [Kerberos Policy](kerberos-policy.md) diff --git a/windows/keep-secure/maximum-password-age.md b/windows/keep-secure/maximum-password-age.md index 2c384dcf41..488f04f383 100644 --- a/windows/keep-secure/maximum-password-age.md +++ b/windows/keep-secure/maximum-password-age.md @@ -2,82 +2,76 @@ title: Maximum password age (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Maximum password age security policy setting. ms.assetid: 2d6e70e7-c8b0-44fb-8113-870c6120871d -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Maximum password age + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Maximum password age** security policy setting. + ## Reference + The **Maximum password age** policy setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If **Maximum password age** is between 1 and 999 days, the minimum password age must be less than the maximum password age. If **Maximum password age** is set to 0, [Minimum password age](minimum-password-age.md) can be any value between 0 and 998 days. -**Note**   -Setting **Maximum password age** to -1 is equivalent to 0, which means it never expires. Setting it to any other negative number is equivalent to setting it to **Not Defined**. + +>**Note:**  Setting **Maximum password age** to -1 is equivalent to 0, which means it never expires. Setting it to any other negative number is equivalent to setting it to **Not Defined**.   ### Possible values + - User-specified number of days between 0 and 999 - Not defined + ### Best practices + Set **Maximum password age** to a value between 30 and 90 days, depending on your environment. This way, an attacker has a limited amount of time in which to compromise a user's password and have access to your network resources. + ### Location + **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy** + ### Default values + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or Group Policy Object (GPO)Default value

Default domain policy

42 days

Default domain controller policy

Not defined

Stand-alone server default settings

42 days

Domain controller effective default settings

42 days

Member server effective default settings

42 days

Effective GPO default settings on client computers

42 days

+ +| Server type or Group Policy Object (GPO) | Default value | +| - | - | +| Default domain policy| 42 days| +| Default domain controller policy| Not defined| +| Stand-alone server default settings | 42 days| +| Domain controller effective default settings | 42 days| +| Member server effective default settings | 42 days| +| Effective GPO default settings on client computers| 42 days|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + The longer a password exists, the higher the likelihood that it will be compromised by a brute force attack, by an attacker gaining general knowledge about the user, or by the user sharing the password. Configuring the **Maximum password age** policy setting to 0 so that users are never required to change their passwords is a major security risk because that allows a compromised password to be used by the malicious user for as long as the valid user is authorized access. + ### Countermeasure + Configure the **Maximum password age** policy setting to a value that is suitable for your organization's business requirements. + ### Potential impact + If the **Maximum password age** policy setting is too low, users are required to change their passwords very often. Such a configuration can reduce security in the organization because users might keep their passwords in an unsecured location or lose them. If the value for this policy setting is too high, the level of security within an organization is reduced because it allows potential attackers more time in which to discover user passwords or to use compromised accounts. + ## Related topics -[Password Policy](password-policy.md) -  -  + +- [Password Policy](password-policy.md) diff --git a/windows/keep-secure/maximum-tolerance-for-computer-clock-synchronization.md b/windows/keep-secure/maximum-tolerance-for-computer-clock-synchronization.md index 5923108470..63ebd1f934 100644 --- a/windows/keep-secure/maximum-tolerance-for-computer-clock-synchronization.md +++ b/windows/keep-secure/maximum-tolerance-for-computer-clock-synchronization.md @@ -2,88 +2,90 @@ title: Maximum tolerance for computer clock synchronization (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Maximum tolerance for computer clock synchronization security policy setting. ms.assetid: ba2cf59e-d69d-469e-95e3-8e6a0ba643af -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Maximum tolerance for computer clock synchronization + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Maximum tolerance for computer clock synchronization** security policy setting. + ## Reference + This security setting determines the maximum time difference (in minutes) that Kerberos V5 tolerates between the time on the client clock and the time on the domain controller that provides Kerberos authentication. -To prevent "replay attacks," the Kerberos v5 protocol uses time stamps as part of its protocol definition. For time stamps to work properly, the clocks of the client and the domain controller need to be in sync as much as possible. In other words, both devices must be set to the same time and date. Because the clocks of two computers are often out of sync, you can use this policy setting to establish the maximum acceptable difference to the Kerberos protocol between a client clock and domain controller clock. If the difference between a client computer clock and the domain controller clock is less than the maximum time difference that is specified in this policy, any time stamp that is used in a session between the two devices is considered to be authentic. + +To prevent "replay attacks," the Kerberos v5 protocol uses time stamps as part of its protocol definition. For time stamps to work properly, the clocks of the client and the domain controller need to be in sync as much as possible. In other words, both devices must be set to the same time and date. +Because the clocks of two computers are often out of sync, you can use this policy setting to establish the maximum acceptable difference to the Kerberos protocol between a client clock and domain controller clock. If the difference between a client computer clock and the domain controller clock is less than the maximum time difference that is specified in this policy, any time stamp that is used in a session between the two devices is considered to be authentic. + The possible values for this Group Policy setting are: + - A user-defined number of minutes from 1 through 99,999 - Not defined + ### Best practices + - It is advisable to set **Maximum tolerance for computer clock synchronization** to a value of 5 minutes. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Kerberos Policy + ### Default values + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

5 minutes

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Not applicable

Domain Controller Effective Default Settings

5 minutes

Member Server Effective Default Settings

Not applicable

Client Computer Effective Default Settings

Not applicable

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| 5 minutes| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Not applicable| +| Domain Controller Effective Default Settings| 5 minutes| +| Member Server Effective Default Settings | Not applicable| +| Client Computer Effective Default Settings | Not applicable|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the device is not required for this policy setting to be effective. + This policy setting is configured on the domain controller. + ### Group Policy + Client devices will get the new setting during the next scheduled and successful Group Policy refresh. But for domain controllers to assign these new settings immediately, a gpupdate.exe /force is required. On the local device, the Security Configuration Engine will refresh this setting in about five minutes. + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + To prevent "replay attacks" (which are attacks in which an authentication credential is resubmitted by a malicious user or program to gain access to a protected resource), the Kerberos protocol uses time stamps as part of its definition. For time stamps to work properly, the clocks of the client computer and the domain controller need to be closely synchronized. Because the clocks of two computers are often not synchronized, administrators can use this policy to establish the maximum acceptable difference to the Kerberos protocol between a client computer clock and a domain controller clock. If the difference between the client computer clock and the domain controller clock is less than the maximum time difference specified in this setting, any time stamp that is used in a session between the two computers is considered to be authentic. + ### Countermeasure + Configure the **Maximum tolerance for computer clock synchronization** setting to 5 minutes. + ### Potential impact + None. This is the default configuration. + ## Related topics -[Kerberos Policy](kerberos-policy.md) -  -  + +- [Kerberos Policy](kerberos-policy.md) diff --git a/windows/keep-secure/merge-applocker-policies-by-using-set-applockerpolicy.md b/windows/keep-secure/merge-applocker-policies-by-using-set-applockerpolicy.md index 3b95f2b434..2e095a1533 100644 --- a/windows/keep-secure/merge-applocker-policies-by-using-set-applockerpolicy.md +++ b/windows/keep-secure/merge-applocker-policies-by-using-set-applockerpolicy.md @@ -2,27 +2,36 @@ title: Merge AppLocker policies by using Set-ApplockerPolicy (Windows 10) description: This topic for IT professionals describes the steps to merge AppLocker policies by using Windows PowerShell. ms.assetid: f1c7d5c0-463e-4fe2-a410-844a404f18d0 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Merge AppLocker policies by using Set-ApplockerPolicy + **Applies to** - Windows 10 + This topic for IT professionals describes the steps to merge AppLocker policies by using Windows PowerShell. + The **Set-AppLockerPolicy** cmdlet sets the specified Group Policy Object (GPO) to contain the specified AppLocker policy. If no Lightweight Directory Access Protocol (LDAP) is specified, the local GPO is the default. When the Merge parameter is used, rules in the specified AppLocker policy will be merged with the AppLocker rules in the target GPO specified in the LDAP path. The merging of policies will remove rules with duplicate rule IDs, and the enforcement setting specified by the AppLocker policy in the target GPO will be preserved. If the Merge parameter is not specified, then the new policy will overwrite the existing policy. + For info about using **Set-AppLockerPolicy**, including syntax descriptions and parameters, see [Set-AppLockerPolicy](http://technet.microsoft.com/library/hh847212.aspx). + For info about using Windows PowerShell for AppLocker, including how to import the AppLocker cmdlets into Windows PowerShell, see [Use the AppLocker Windows PowerShell cmdlets](use-the-applocker-windows-powershell-cmdlets.md). + You can also manually merge AppLocker policies. For the procedure to do this, see [Merge AppLocker policies manually](merge-applocker-policies-manually.md). + **To merge a local AppLocker policy with another AppLocker policy by using LDAP paths** 1. Open the PowerShell command window. For info about performing Windows PowerShell commands for AppLocker, see [Use the AppLocker Windows PowerShell cmdlets](use-the-applocker-windows-powershell-cmdlets.md). 2. At the command prompt, type **C:\\PS>Get-AppLockerPolicy -Local | Set-AppLockerPolicy -LDAP "LDAP: //***<string>***"** **-Merge** where *<string>* specifies the LDAP path of the unique GPO. + ## Example + Gets the local AppLocker policy, and then merges the policy with the existing AppLocker policy in the GPO specified in the LDAP path. + ``` syntax C:\PS>Get-AppLockerPolicy -Local | Set-AppLockerPolicy -LDAP "LDAP://DC13.Contoso.com/CN={31B2F340-016D-11D2-945F-00C044FB984F9},CN=Policies,CN=System,DC=Contoso,DC=com" -Merge -``` -  -  +``` \ No newline at end of file diff --git a/windows/keep-secure/merge-applocker-policies-manually.md b/windows/keep-secure/merge-applocker-policies-manually.md index 160ae52209..2747de84e0 100644 --- a/windows/keep-secure/merge-applocker-policies-manually.md +++ b/windows/keep-secure/merge-applocker-policies-manually.md @@ -2,84 +2,46 @@ title: Merge AppLocker policies manually (Windows 10) description: This topic for IT professionals describes the steps to manually merge AppLocker policies to update the Group Policy Object (GPO). ms.assetid: 3605f293-e5f2-481d-8efd-775f9f23c30f -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Merge AppLocker policies manually + **Applies to** - Windows 10 + This topic for IT professionals describes the steps to manually merge AppLocker policies to update the Group Policy Object (GPO). + If you have created multiple AppLocker policies and need to merge them to create one AppLocker policy, you can either manually merge the policies or use the Windows PowerShell cmdlets for AppLocker. You cannot automatically merge policies by using the AppLocker console. You must create one rule collection from two or more policies. For info about merging policies by using the cmdlet, see [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md). + The AppLocker policy is saved in XML format, and the exported policy can be edited with any text or XML editor. Rule collections are specified within the **RuleCollection Type** element. The XML schema includes five attributes for the different rule collections, as shown in the following table: - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Rule collectionRuleCollection Type element

Executable rules

Exe

Windows Installer rules

Msi

Script rules

Script

DLL rules

Dll

Packaged apps and packaged app installers

Appx

+ +| Rule collection | RuleCollection Type element | +| - | - | +| Executable rules| Exe| +| Windows Installer rules| Msi| +| Script rules | Script| +| DLL rules | Dll| +| Packaged apps and packaged app installers|Appx|   Rule enforcement is specified with the **EnforcementMode** element. The three enforcement modes in the XML correspond to the three enforcement modes in the AppLocker console, as shown in the following table: - ---- - - - - - - - - - - - - - - - - - - - - -
XML enforcement modeEnforcement mode in Group Policy

NotConfigured

Not configured (rules are enforced)

AuditOnly

Audit only

Enabled

Enforce rules

+ +| XML enforcement mode |Enforcement mode in Group Policy | +| - | - | +| NotConfigured | Not configured (rules are enforced)| +| AuditOnly | Audit only| +| Enabled | Enforce rules|   Each of the three condition types use specific elements. For XML examples of the different rule types, see Merge AppLocker policies manually. + Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure. + **To merge two or more AppLocker policies** + 1. Open an XML policy file in a text editor or XML editor, such as Notepad. 2. Select the rule collection where you want to copy rules from. 3. Select the rules that you want to add to another policy file, and then copy the text. @@ -87,5 +49,3 @@ Membership in the local **Administrators** group, or equivalent, is the minimum 5. Select and expand the rule collection where you want to add the rules. 6. At the bottom of the rule list for the collection, after the closing element, paste the rules that you copied from the first policy file. Verify that the opening and closing elements are intact, and then save the policy. 7. Upload the policy to a reference computer to ensure that it is functioning properly within the GPO. -  -  diff --git a/windows/keep-secure/microsoft-network-client-digitally-sign-communications-always.md b/windows/keep-secure/microsoft-network-client-digitally-sign-communications-always.md index ae89b2c502..1cb4c83e11 100644 --- a/windows/keep-secure/microsoft-network-client-digitally-sign-communications-always.md +++ b/windows/keep-secure/microsoft-network-client-digitally-sign-communications-always.md @@ -2,103 +2,109 @@ title: Microsoft network client Digitally sign communications (always) (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Microsoft network client Digitally sign communications (always) security policy setting. ms.assetid: 4b7b0298-b130-40f8-960d-60418ba85f76 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Microsoft network client: Digitally sign communications (always) + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Microsoft network client: Digitally sign communications (always)** security policy setting. + ## Reference -The Server Message Block (SMB) protocol provides the basis for file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with the Server service is permitted. + +The Server Message Block (SMB) protocol provides the basis for file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. +This policy setting determines whether SMB packet signing must be negotiated before further communication with the Server service is permitted. + Implementation of digital signatures in high-security networks helps prevent the impersonation of client computers and servers, which is known as "session hijacking." But misuse of these policy settings is a common error that can cause data loss or problems with data access or security. + If server-side SMB signing is required, a client device will not be able to establish a session with that server, unless it has client-side SMB signing enabled. By default, client-side SMB signing is enabled on workstations, servers, and domain controllers. Similarly, if client-side SMB signing is required, that client device will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. + If server-side SMB signing is enabled, SMB packet signing will be negotiated with client computers that have SMB signing enabled. + Using SMB packet signing can impose up to a 15 percent performance degradation on file service transactions. + There are three other policy settings that relate to packet-signing requirements for Server Message Block (SMB) communications: - [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md) - [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md) - [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md) + ### Possible values + - Enabled - Disabled - Not defined + ### Best practices + 1. Configure the following security policy settings as follows: + - Disable **Microsoft network client: Digitally sign communications (always)**. - Disable [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md). - Enable [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md). - Enable [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md). + 2. Alternately, you can set all of these policy settings to Enabled, but enabling them can cause slower performance on client devices and prevent them from communicating with legacy SMB applications and operating systems. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Session hijacking uses tools that allow attackers who have access to the same network as the client device or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned Server Message Block (SMB) packets and then modify the traffic and forward it so that the server might perform objectionable actions. Alternatively, the attacker could pose as the server or client computer after legitimate authentication, and gain unauthorized access to data. + SMB is the resource-sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate users and the servers that host the data. If either side fails the authentication process, data transmission does not take place. + ### Countermeasure + Configure the settings as follows: + - Disable **Microsoft network client: Digitally sign communications (always)**. - Disable [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md). - Enable [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md). - Enable [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md). + In highly secure environments, we recommend that you configure all of these settings to Enabled. However, that configuration may cause slower performance on client devices and prevent communications with earlier SMB applications and operating systems. -**Note**   -An alternative countermeasure that could protect all network traffic is to implement digital signatures with IPsec. There are hardware-based accelerators for IPsec encryption and signing that could be used to minimize the performance impact on the servers' CPUs. No such accelerators are available for SMB signing. + +>**Note:**  An alternative countermeasure that could protect all network traffic is to implement digital signatures with IPsec. There are hardware-based accelerators for IPsec encryption and signing that could be used to minimize the performance impact on the servers' CPUs. No such accelerators are available for SMB signing.   ### Potential impact + Implementations of the SMB file and print-sharing protocol support mutual authentication. This prevents session hijacking attacks and supports message authentication to prevent man-in-the-middle attacks. SMB signing provides this authentication by placing a digital signature into each SMB, which is then verified by the client and the server. + Implementation of SMB signing may negatively affect performance because each packet must be signed and verified. If these settings are enabled on a server that is performing multiple roles, such as a small business server that is serving as a domain controller, file server, print server, and application server, performance may be substantially slowed. Additionally, if you configure devices to ignore all unsigned SMB communications, older applications and operating systems cannot connect. However, if you completely disable all SMB signing, computers are vulnerable to session-hijacking attacks. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/microsoft-network-client-digitally-sign-communications-if-server-agrees.md b/windows/keep-secure/microsoft-network-client-digitally-sign-communications-if-server-agrees.md index 287afc0542..4594534751 100644 --- a/windows/keep-secure/microsoft-network-client-digitally-sign-communications-if-server-agrees.md +++ b/windows/keep-secure/microsoft-network-client-digitally-sign-communications-if-server-agrees.md @@ -2,103 +2,111 @@ title: Microsoft network client Digitally sign communications (if server agrees) (Windows 10) description: Describes the best practices, location, values, and security considerations for the Microsoft network client Digitally sign communications (if server agrees) security policy setting. ms.assetid: e553f700-aae5-425c-8650-f251c90ba5dd -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft + --- # Microsoft network client: Digitally sign communications (if server agrees) + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Microsoft network client: Digitally sign communications (if server agrees)** security policy setting. + ## Reference + The Server Message Block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with the Server service is permitted. + Implementation of digital signatures in high-security networks helps to prevent the impersonation of client computers and servers, which is known as "session hijacking." But misuse of these policy settings is a common error that can cause data loss or problems with data access or security. + If server-side SMB signing is required, a client computer will not be able to establish a session with that server, unless it has client-side SMB signing enabled. By default, client-side SMB signing is enabled on workstations, servers, and domain controllers. Similarly, if client-side SMB signing is required, that client device will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. + If server-side SMB signing is enabled, SMB packet signing will be negotiated with client computers that have SMB signing enabled. + Using SMB packet signing can impose up to a 15 percent performance degradation on file service transactions. + There are three other policy settings that relate to packet-signing requirements for Server Message Block (SMB) communications: + - [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md) - [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md) - [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md) + ### Possible values + - Enabled - Disabled - Not defined + ### Best practices + 1. Configure the following security policy settings as follows: + - Disable [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md). - Disable [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md). - Enable **Microsoft Network Client: Digitally Sign Communications (If Server Agrees)**. - Enable [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md). + 2. Alternately, you can set all of these policy settings to Enabled, but enabling them can cause slower performance on client devices and prevent them from communicating with legacy SMB applications and operating systems. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Enabled

DC Effective Default Settings

Enabled

Member Server Effective Default Settings

Enabled

Client Computer Effective Default Settings

Enabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Enabled| +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings| Enabled| +| Client Computer Effective Default Settings | Enabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability -Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned Server Message Block (SMB) packets and then modify the traffic and forward it so that the server might perform objectionable actions. Alternatively, the attacker could pose as the server or client device after legitimate authentication and gain unauthorized access to data. + +Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned Server Message Block (SMB) packets and then modify the traffic and forward it so +that the server might perform objectionable actions. Alternatively, the attacker could pose as the server or client device after legitimate authentication and gain unauthorized access to data. + SMB is the resource-sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate users and the servers that host the data. If either side fails the authentication process, data transmission does not take place. + ### Countermeasure + Configure the settings as follows: + - Disable [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md). - Disable [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md). - Enable **Microsoft network client: Digitally sign communications (if server agrees)**. - Enable [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md). + In highly secure environments we recommend that you configure all of these settings to Enabled. However, that configuration may cause slower performance on client devices and prevent communications with earlier SMB applications and operating systems. -**Note**   -An alternative countermeasure that could protect all network traffic is to implement digital signatures with IPsec. There are hardware-based accelerators for IPsec encryption and signing that could be used to minimize the performance impact on the servers' CPUs. No such accelerators are available for SMB signing. + +>**Note:**  An alternative countermeasure that could protect all network traffic is to implement digital signatures with IPsec. There are hardware-based accelerators for IPsec encryption and signing that could be used to minimize the performance impact on the servers' CPUs. No such accelerators are available for SMB signing.   ### Potential impact + Implementations of the SMB file and print-sharing protocol support mutual authentication. This prevents session hijacking attacks and supports message authentication to prevent man-in-the-middle attacks. SMB signing provides this authentication by placing a digital signature into each SMB, which is then verified by the client and the server. -Implementation of SMB signing may negatively affect performance because each packet must be signed and verified. If these settings are enabled on a server that is performing multiple roles, such as a small business server that is serving as a domain controller, file server, print server, and application server, performance may be substantially slowed. Additionally, if you configure devices to ignore all unsigned SMB communications, older applications and operating systems cannot connect. However, if you completely disable all SMB signing, devices are vulnerable to session-hijacking attacks. + +Implementation of SMB signing may negatively affect performance because each packet must be signed and verified. If these settings are enabled on a server that is performing multiple roles, such as a small business server that is serving as a domain controller, file server, print server, and application server, performance may be substantially slowed. Additionally, if you configure devices to ignore all unsigned SMB communications, older applications and operating systems cannot connect. However, if you completely disable all SMB signing, devices are vulnerable to session-hijacking +attacks. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md b/windows/keep-secure/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md index c14351f372..901baabc0f 100644 --- a/windows/keep-secure/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md +++ b/windows/keep-secure/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md @@ -2,82 +2,82 @@ title: Microsoft network client Send unencrypted password to third-party SMB servers (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Microsoft network client Send unencrypted password to third-party SMB servers security policy setting. ms.assetid: 97a76b93-afa7-4dd9-bb52-7c9e289b6017 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + + # Microsoft network client: Send unencrypted password to third-party SMB servers + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Microsoft network client: Send unencrypted password to third-party SMB servers** security policy setting. + ## Reference + The Server Message Block (SMB) protocol provides the basis for file and print sharing and many other networking operations, such as remote Windows administration. This policy setting allows or prevents the SMB redirector to send plaintext passwords to a non-Microsoft server service that does not support password encryption during authentication. + ### Possible values + - Enabled + The Server Message Block (SMB) redirector is allowed to send plaintext passwords to a non-Microsoft server service that does not support password encryption during authentication. + - Disabled + The Server Message Block (SMB) redirector only sends encrypted passwords to non-Microsoft SMB server services. If those server services do not support password encryption, the authentication request will fail. + - Not defined + ### Best practices + - It is advisable to set **Microsoft network client: Send unencrypted password to connect to third-party SMB servers** to Disabled. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings| Disabled| +| Client Computer Effective Default Settings | Disabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + If you enable this policy setting, the server can transmit plaintext passwords across the network to other computers that offer SMB services. These other devices might not use any of the SMB security mechanisms that are included with Windows Server 2003 or later. + ### Countermeasure + Disable the **Microsoft network client: Send unencrypted password to connect to third-party SMB servers** setting. + ### Potential impact + Some older applications may not be able to communicate with the servers in your organization by means of the SMB protocol. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md b/windows/keep-secure/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md index 754051399a..f124f2216c 100644 --- a/windows/keep-secure/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md +++ b/windows/keep-secure/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md @@ -2,81 +2,79 @@ title: Microsoft network server Amount of idle time required before suspending session (Windows 10) description: Describes the best practices, location, values, and security considerations for the Microsoft network server Amount of idle time required before suspending session security policy setting. ms.assetid: 8227842a-569d-480f-b43c-43450bbaa722 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Microsoft network server: Amount of idle time required before suspending session + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Microsoft network server: Amount of idle time required before suspending session** security policy setting. + ## Reference + Each Server Message Block (SMB) session consumes server resources. Establishing numerous null sessions will cause the server to slow down or possibly fail. A malicious user might repeatedly establish SMB sessions until the server stops responding; at this point, SMB services will become slow or unresponsive. + The **Microsoft network server: Amount of idle time required before suspending session** policy setting determines the amount of continuous idle time that must pass in an SMB session before the session is suspended due to inactivity. You can use this policy setting to control when a device suspends an inactive SMB session. The session is automatically reestablished when client device activity resumes. + ### Possible values + - A user-defined number of minutes from 0 through 99,999 + For this policy setting, a value of 0 means to disconnect an idle session as quickly as is reasonably possible. The maximum value is 99999, which is 208 days. In effect, this value disables the policy. + - Not defined + ### Best practices + - It is advisable to set this policy to 15 minutes. There will be little impact because SMB sessions will be reestablished automatically if the client resumes activity. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

15 minutes

DC Effective Default Settings

15 minutes

Member Server Effective Default Settings

15 minutes

Client Computer Effective Default Settings

15 minutes

+ +| Server type or GPO Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined | +| Stand-Alone Server Default Settings | 15 minutes| +| DC Effective Default Settings | 15 minutes| +| Member Server Effective Default Settings | 15 minutes| +| Client Computer Effective Default Settings | 15 minutes|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Each SMB session consumes server resources, and numerous null sessions slow the server or possibly cause it to fail. An attacker could repeatedly establish SMB sessions until the server's SMB services become slow or unresponsive. + ### Countermeasure + The default behavior on a server mitigates this threat by design. + ### Potential impact + There is little impact because SMB sessions are reestablished automatically if the client computer resumes activity. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md b/windows/keep-secure/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md index 5a59300d6c..d979a1d65a 100644 --- a/windows/keep-secure/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md +++ b/windows/keep-secure/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md @@ -2,88 +2,95 @@ title: Microsoft network server Attempt S4U2Self to obtain claim information (Windows 10) description: Describes the best practices, location, values, management, and security considerations for the Microsoft network server Attempt S4U2Self to obtain claim information security policy setting. ms.assetid: e4508387-35ed-4a3f-a47c-27f8396adbba -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Microsoft network server: Attempt S4U2Self to obtain claim information + **Applies to** - Windows 10 + Describes the best practices, location, values, management, and security considerations for the **Microsoft network server: Attempt S4U2Self to obtain claim information** security policy setting. + ## Reference -This security setting supports client devices running a version of Windows prior to Windows 8 that are trying to access a file share that requires user claims. This setting determines whether the local file server will attempt to use Kerberos Service-for-User-to-Self (S4U2Self) functionality to obtain a network client principal’s claims from the client’s account domain. This setting should only be enabled if the file server is using user claims to control access to files, and if the file server will support client principals whose accounts might be in a domain that has client computers and domain controllers running a version of Windows prior to Windows 8 or Windows Server 2012. + +This security setting supports client devices running a version of Windows prior to Windows 8 that are trying to access a file share that requires user claims. This setting determines whether the local file server will attempt to use Kerberos Service-for-User-to-Self (S4U2Self) functionality to obtain a network client principal’s claims from the client’s account domain. This setting should only be enabled if the file server is using user claims to control access to files, and if the file server will support client principals whose accounts might be in a domain that has client computers +and domain controllers running a version of Windows prior to Windows 8 or Windows Server 2012. + When enabled, this security setting causes the Windows file server to examine the access token of an authenticated network client principal and determines if claim information is present. If claims are not present, the file server will then use the Kerberos S4U2Self feature to attempt to contact a Windows Server 2012 domain controller in the client’s account domain and obtain a claims-enabled access token for the client principal. A claims-enabled token might be needed to access files or folders that have claim-based access control policy applied. + If this setting is disabled, the Windows file server will not attempt to obtain a claim-enabled access token for the client principal. + ### Possible values + - **Default** + The Windows file server will examine the access token of an authenticated network client principal and determine if claim information is present. + - **Enabled** + Same as **Default**. + - **Disabled** + - **Not defined** + Same as **Disabled**. + ### Best practices + This setting should be set to **Default** so that the file server can automatically evaluate whether claims are needed for the user. You should explicitly configure this setting to **Enabled** only if there are local file access policies that include user claims. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Not defined

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Not defined| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings| Disabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Group Policy + This setting should only be enabled if the file server is using user claims to control access to files, and if the file server will support client principals whose accounts might be in a domain that has client computers and domain controllers running a version of Windows prior to Windows 8 or Windows Server 2012. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability -None. Enabling this policy setting allows you take advantage of features in Windows Server 2012 and Windows 8 for specific scenarios to use claims-enabled tokens to access files or folders that have claim-based access control policy applied on Windows operating systems prior to Windows Server 2012 and Windows 8. + +None. Enabling this policy setting allows you take advantage of features in Windows Server 2012 and Windows 8 and later for specific scenarios to use claims-enabled tokens to access files or folders that have claim-based access control policy applied on Windows operating systems prior to Windows Server 2012 +and Windows 8. + ### Countermeasure + Not applicable. + ### Potential impact + None. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/microsoft-network-server-digitally-sign-communications-always.md b/windows/keep-secure/microsoft-network-server-digitally-sign-communications-always.md index 224f74984a..e71590b3cf 100644 --- a/windows/keep-secure/microsoft-network-server-digitally-sign-communications-always.md +++ b/windows/keep-secure/microsoft-network-server-digitally-sign-communications-always.md @@ -2,104 +2,112 @@ title: Microsoft network server Digitally sign communications (always) (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Microsoft network server Digitally sign communications (always) security policy setting. ms.assetid: 2007b622-7bc2-44e8-9cf1-d34b62117ea8 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Microsoft network server: Digitally sign communications (always) + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (always)** security policy setting. + ## Reference -The Server Message Block (SMB) protocol provides the basis for file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with the Server service is permitted. + +The Server Message Block (SMB) protocol provides the basis for file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. +This policy setting determines whether SMB packet signing must be negotiated before further communication with the Server service is permitted. + Implementation of digital signatures in high-security networks helps to prevent the impersonation of client computers and servers, which is known as "session hijacking." But misuse of these policy settings is a common error that can cause data loss or problems with data access or security. + For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. To enable client-side SMB packet signing, set [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md). Devices that have this policy set will not be able to communicate with devices that do not have server-side packet signing enabled. By default, server-side packet signing is enabled only on domain controllers. Server-side packet signing can be enabled on devices by setting [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md). + If server-side SMB signing is required, a client device will not be able to establish a session with that server, unless it has client-side SMB signing enabled. By default, client-side SMB signing is enabled on workstations, servers, and domain controllers. Similarly, if client-side SMB signing is required, that client device will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. + If server-side SMB signing is enabled, SMB packet signing will be negotiated with client devices that have SMB signing enabled. + Using SMB packet signing can impose up to a 15 percent performance degradation on file service transactions. + There are three other policy settings that relate to packet-signing requirements for Server Message Block (SMB) communications: + - [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md) - [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md) - [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md) + ### Possible values + - Enabled - Disabled - Not defined + ### Best practices + 1. Configure the following security policy settings as follows: + - Disable [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md). - Disable **Microsoft network server: Digitally sign communications (always)**. - Enable [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md). - Enable [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md). + 2. Alternately, you can set all of these policy settings to Enabled, but enabling them can cause slower performance on client devices and prevent them from communicating with legacy SMB applications and operating systems. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Enabled

Stand-Alone Server Default Settings

Not defined

DC Effective Default Settings

Enabled

Member Server Effective Default Settings

Not defined

Client Computer Effective Default Settings

Disabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Enabled| +| Stand-Alone Server Default Settings | Not defined| +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings| Not defined| +| Client Computer Effective Default Settings | Disabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Session hijacking uses tools that allow attackers who have access to the same network as the client device or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned Server Message Block (SMB) packets and then modify the traffic and forward it so that the server might perform objectionable actions. Alternatively, the attacker could pose as the server or client device after legitimate authentication and gain unauthorized access to data. + SMB is the resource-sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate users and the servers that host the data. If either side fails the authentication process, data transmission does not take place. + ### Countermeasure + Configure the settings as follows: + - Disable [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md). - Disable **Microsoft network server: Digitally sign communications (always)**. - Enable [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md). - Enable [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md). + In highly secure environments we recommend that you configure all of these settings to Enabled. However, that configuration may cause slower performance on client devices and prevent communications with earlier SMB applications and operating systems. -**Note**   -An alternative countermeasure that could protect all network traffic is to implement digital signatures with IPsec. There are hardware-based accelerators for IPsec encryption and signing that could be used to minimize the performance impact on the servers' CPUs. No such accelerators are available for SMB signing. + +>**Note:**  An alternative countermeasure that could protect all network traffic is to implement digital signatures with IPsec. There are hardware-based accelerators for IPsec encryption and signing that could be used to minimize the performance impact on the servers' CPUs. No such accelerators are available for SMB signing.   ### Potential impact + Implementations of the SMB file and print-sharing protocol support mutual authentication. This prevents session hijacking attacks and supports message authentication to prevent man-in-the-middle attacks. SMB signing provides this authentication by placing a digital signature into each SMB, which is then verified by the client and the server. + Implementation of SMB signing may negatively affect performance because each packet must be signed and verified. If these settings are enabled on a server that is performing multiple roles, such as a small business server that is serving as a domain controller, file server, print server, and application server, performance may be substantially slowed. Additionally, if you configure computers to ignore all unsigned SMB communications, older applications and operating systems cannot connect. However, if you completely disable all SMB signing, devices are vulnerable to session-hijacking attacks. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/microsoft-network-server-digitally-sign-communications-if-client-agrees.md b/windows/keep-secure/microsoft-network-server-digitally-sign-communications-if-client-agrees.md index d63b5a83c1..6ad33d8c8d 100644 --- a/windows/keep-secure/microsoft-network-server-digitally-sign-communications-if-client-agrees.md +++ b/windows/keep-secure/microsoft-network-server-digitally-sign-communications-if-client-agrees.md @@ -2,103 +2,110 @@ title: Microsoft network server Digitally sign communications (if client agrees) (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Microsoft network server Digitally sign communications (if client agrees) security policy setting. ms.assetid: c92b2e3d-1dbf-4337-a145-b17a585f4fc1 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Microsoft network server: Digitally sign communications (if client agrees) + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (if client agrees)** security policy setting. + ## Reference -The Server Message Block (SMB) protocol provides the basis for file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with the Server service is permitted. + +The Server Message Block (SMB) protocol provides the basis for file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. +This policy setting determines whether SMB packet signing must be negotiated before further communication with the Server service is permitted. + Implementation of digital signatures in high-security networks helps to prevent the impersonation of client computers and servers, which is known as "session hijacking." But misuse of these policy settings is a common error that can cause data loss or problems with data access or security. + If server-side SMB signing is required, a client device will not be able to establish a session with that server, unless it has client-side SMB signing enabled. By default, client-side SMB signing is enabled on workstations, servers, and domain controllers. Similarly, if client-side SMB signing is required, that client device will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. + If server-side SMB signing is enabled, SMB packet signing will be negotiated with client computers that have SMB signing enabled. + Using SMB packet signing can impose up to a 15 percent performance degradation on file service transactions. + There are three other policy settings that relate to packet-signing requirements for Server Message Block (SMB) communications: + - [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md) - [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md) - [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md) + ### Possible values + - Enabled - Disabled - Not defined + ### Best practices + 1. Configure the following security policy settings as follows: + - Disable [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md). - Disable [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md). - Enable [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md). - Enable **Microsoft Network Server: Digitally Sign Communications (If Client Agrees)**. + 2. Alternately, you can set all of these policy settings to Enabled, but enabling them can cause slower performance on client devices and prevent them from communicating with legacy SMB applications and operating systems. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Enabled

Stand-Alone Server Default Settings

Not defined

DC Effective Default Settings

Enabled

Member Server Effective Default Settings

Not defined

Client Computer Effective Default Settings

Disabled

+ +| Server type or GPO Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy| Enabled| +| Stand-Alone Server Default Settings | Not defined| +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings|Not defined| +| Client Computer Effective Default Settings | Disabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Session hijacking uses tools that allow attackers who have access to the same network as the client device or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned Server Message Block (SMB) packets and then modify the traffic and forward it so that the server might perform objectionable actions. Alternatively, the attacker could pose as the server or client computer after legitimate authentication and gain unauthorized access to data. + SMB is the resource-sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate users and the servers that host the data. If either side fails the authentication process, data transmission does not take place. + ### Countermeasure + Configure the settings as follows: + - Disable [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md). - Disable [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md). - Enable [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md). - Enable **Microsoft network server: Digitally sign communications (if client agrees)**. + In highly secure environments we recommend that you configure all of these settings to Enabled. However, that configuration may cause slower performance on client devices and prevent communications with earlier SMB applications and operating systems. -**Note**   -An alternative countermeasure that could protect all network traffic is to implement digital signatures with IPsec. There are hardware-based accelerators for IPsec encryption and signing that could be used to minimize the performance impact on the servers' CPUs. No such accelerators are available for SMB signing. + +>**Note:**  An alternative countermeasure that could protect all network traffic is to implement digital signatures with IPsec. There are hardware-based accelerators for IPsec encryption and signing that could be used to minimize the performance impact on the servers' CPUs. No such accelerators are available for SMB signing.   ### Potential impact + SMB file and print-sharing protocol support mutual authentication. This prevents session hijacking attacks and supports message authentication to prevent man-in-the-middle attacks. SMB signing provides this authentication by placing a digital signature into each SMB, which is then verified by the client and the server. + Implementation of SMB signing may negatively affect performance because each packet must be signed and verified. If these settings are enabled on a server that is performing multiple roles, such as a small business server that is serving as a domain controller, file server, print server, and application server, performance may be substantially slowed. Additionally, if you configure computers to ignore all unsigned SMB communications, older applications and operating systems cannot connect. However, if you completely disable all SMB signing, computers are vulnerable to session-hijacking attacks. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md b/windows/keep-secure/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md index 054c5a3be3..529004e2f0 100644 --- a/windows/keep-secure/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md +++ b/windows/keep-secure/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md @@ -2,84 +2,85 @@ title: Microsoft network server Disconnect clients when logon hours expire (Windows 10) description: Describes the best practices, location, values, and security considerations for the Microsoft network server Disconnect clients when logon hours expire security policy setting. ms.assetid: 48b5c424-9ba8-416d-be7d-ccaabb3f49af -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Microsoft network server: Disconnect clients when logon hours expire + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Microsoft network server: Disconnect clients when logon hours expire** security policy setting. + ## Reference + This policy setting enables or disables the forced disconnection of users who are connected to the local device outside their user account's valid logon hours. It affects the SMB component. If you enable this policy setting, client computer sessions with the SMB service are forcibly disconnected when the client's logon hours expire. If you disable this policy setting, established client device sessions are maintained after the client device's logon hours expire. + ### Possible values + - Enabled + Client device sessions with the SMB service are forcibly disconnected when the client device's logon hours expire. If logon hours are not used in your organization, enabling this policy setting will have no impact. + - Disabled + The system maintains an established client device session after the client device's logon hours have expired. + - Not defined + ### Best practices + - If you enable this policy setting, you should also enable [Network security: Force logoff when logon hours expire](network-security-force-logoff-when-logon-hours-expire.md). + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Enabled

DC Effective Default Settings

Enabled

Member Server Effective Default Settings

Enabled

Client Computer Effective Default Settings

Enabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Enabled| +| DC Effective Default Settings| Enabled | +| Member Server Effective Default Settings| Enabled| +| Client Computer Effective Default Settings | Enabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Group Policy + This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + If your organization configures logon hours for users, it makes sense to enable this policy setting. Otherwise, users who should not have access to network resources outside of their logon hours can continue to use those resources with sessions that were established during allowed hours. + ### Countermeasure + Enable the **Microsoft network server: Disconnect clients when logon hours expire** setting. + ### Potential impact + If logon hours are not used in your organization, this policy setting has no impact. If logon hours are used, existing user sessions are forcibly terminated when their logon hours expire. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/microsoft-network-server-server-spn-target-name-validation-level.md b/windows/keep-secure/microsoft-network-server-server-spn-target-name-validation-level.md index 1cd20cf6fd..6096400f68 100644 --- a/windows/keep-secure/microsoft-network-server-server-spn-target-name-validation-level.md +++ b/windows/keep-secure/microsoft-network-server-server-spn-target-name-validation-level.md @@ -2,94 +2,101 @@ title: Microsoft network server Server SPN target name validation level (Windows 10) description: Describes the best practices, location, and values, policy management and security considerations for the Microsoft network server Server SPN target name validation level security policy setting. ms.assetid: 18337f78-eb45-42fd-bdbd-f8cd02c3e154 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Microsoft network server: Server SPN target name validation level + **Applies to** - Windows 10 + Describes the best practices, location, and values, policy management and security considerations for the **Microsoft network server: Server SPN target name validation level** security policy setting. + ## Reference + This policy setting controls the level of validation that a server with shared folders or printers performs on the service principal name (SPN) that is provided by the client device when the client device establishes a session by using the Server Message Block (SMB) protocol. The level of validation can help prevent a class of attacks against SMB services (referred to as SMB relay attacks). This setting affects both SMB1 and SMB2. + Servers that use SMB provide availability to their file systems and other resources, such as printers, to networked client devices. Most servers that use SMB validate user access to resources by using NT Domain authentication (NTLMv1 and NTLMv2) and the Kerberos protocol. + ### Possible values + The options for validation levels are: + - **Off** + The SPN from a SMB client is not required or validated by the SMB server. + - **Accept if provided by client** + The SMB server will accept and validate the SPN provided by the SMB client and allow a session to be established if it matches the SMB server’s list of SPN’s. If the SPN does not match, the session request for that SMB client will be denied. + - **Required from client** + The SMB client must send a SPN name in session setup, and the SPN name provided must match the SMB server that is being requested to establish a connection. If no SPN is provided by the client device, or the SPN provided does not match, the session is denied. + The default setting is Off. + ### Best practices + This setting affects the server SMB behavior, and its implementation should be carefully evaluated and tested to prevent disruptions to file and print serving capabilities. -**Note**   -All Windows operating systems support a client-side SMB component and a server-side SMB component. + +>**Note:**  All Windows operating systems support a client-side SMB component and a server-side SMB component.   ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or Group Policy object (GPO)Default value

Default domain policy

Off

Default domain controller policy

Off

Stand-alone server default settings

Off

Domain controller effective default settings

Validation level check not implemented

Member server effective default settings

Validation level check not implemented

Effective GPO default settings on client computers

Validation level check not implemented

+ +| Server type or Group Policy object (GPO) | Default value | +| - | - | +| Default domain policy | Off | +| Default domain controller policy| Off| +| Stand-alone server default settings | Off| +| Domain controller effective default settings| Validation level check not implemented| +| Member server effective default settings | Validation level check not implemented| +| Effective GPO default settings on client computers | Validation level check not implemented|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Policy conflict considerations + None. + ### Group Policy + This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + This policy setting controls the level of validation that a server with shared folders or printers performs on the service principal name (SPN) that is provided by the client device when the client device establishes a session by using the SMB protocol. The level of validation can help prevent a class of attacks against SMB servers (referred to as SMB relay attacks). This setting will affect both SMB1 and SMB2. + ### Countermeasure + For countermeasures that are appropriate to your environment, see **Possible values** above. + ### Potential impact + All Windows operating systems support a client-side SMB component and a server-side SMB component. This setting affects the server SMB behavior, and its implementation should be carefully evaluated and tested to prevent disruptions to file and print serving capabilities. + Because the SMB protocol is widely deployed, setting the options to **Accept if provided by client** or **Required from client** will prevent some clients from successfully authenticating to some servers in your environment. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/microsoft-passport-and-password-changes.md b/windows/keep-secure/microsoft-passport-and-password-changes.md index 4325261928..ceebe00f0a 100644 --- a/windows/keep-secure/microsoft-passport-and-password-changes.md +++ b/windows/keep-secure/microsoft-passport-and-password-changes.md @@ -2,7 +2,7 @@ title: Microsoft Passport and password changes (Windows 10) description: When you set up Microsoft Passport, the PIN or biometric (Windows Hello) gesture that you use is specific to that device. ms.assetid: 83005FE4-8899-47A6-BEA9-C17CCA0B6B55 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md b/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md index a9483a0b56..490c5c9e6e 100644 --- a/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md +++ b/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md @@ -3,7 +3,7 @@ title: Microsoft Passport errors during PIN creation (Windows 10) description: When you set up Microsoft Passport in Windows 10, you may get an error during the Create a work PIN step. ms.assetid: DFEFE22C-4FEF-4FD9-BFC4-9B419C339502 keywords: PIN, error, create a work PIN -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/microsoft-passport-guide.md b/windows/keep-secure/microsoft-passport-guide.md index 70f6296988..b78b6f94f7 100644 --- a/windows/keep-secure/microsoft-passport-guide.md +++ b/windows/keep-secure/microsoft-passport-guide.md @@ -3,8 +3,7 @@ title: Microsoft Passport guide (Windows 10) description: This guide describes the new Windows Hello and Microsoft Passport technologies that are part of the Windows 10 operating system. ms.assetid: 11EA7826-DA6B-4E5C-99FB-142CC6BD9E84 keywords: security, credential, password, authentication -ms.prod: W10 -ms.pagetype: security +ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/minimum-password-age.md b/windows/keep-secure/minimum-password-age.md index e132b39e0f..d56c232478 100644 --- a/windows/keep-secure/minimum-password-age.md +++ b/windows/keep-secure/minimum-password-age.md @@ -2,81 +2,78 @@ title: Minimum password age (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Minimum password age security policy setting. ms.assetid: 91915cb2-1b3f-4fb7-afa0-d03df95e8161 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Minimum password age + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Minimum password age** security policy setting. + ## Reference + The **Minimum password age** policy setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If [Maximum password age](maximum-password-age.md) is between 1 and 999 days, the minimum password age must be less than the maximum password age. If Maximum password age is set to 0, **Minimum password age** can be any value between 0 and 998 days. + ### Possible values + - User-specified number of days between 0 and 998 - Not defined + ### Best practices + Set **Minimum password age** to a value of 2 days. Setting the number of days to 0 allows immediate password changes, which is not recommended. + If you set a password for a user and you want that user to change the administrator-defined password, you must select the **User must change password at next logon** check box. Otherwise, the user will not be able to change the password until the number of days specified by **Minimum password age**. + ### Location + **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy** + ### Default values + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or Group Policy Object (GPO)Default value

Default domain policy

1 day

Default domain controller policy

Not defined

Stand-alone server default settings

0 days

Domain controller effective default settings

1 day

Member server effective default settings

1 day

Effective GPO default settings on client computers

1 day

+ +| Server type or Group Policy Object (GPO) | Default value | +| - | - | +| Default domain policy| 1 day| +| Default domain controller policy| Not defined| +| Stand-alone server default settings | 0 days| +| Domain controller effective default settings | 1 day| +| Member server effective default settings | 1 day| +| Effective GPO default settings on client computers| 1 day|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Users may have favorite passwords that they like to use because they are easy to remember and they believe that their password choice is secure from compromise. Unfortunately, passwords can be compromised and if an attacker is targeting a specific individual user account, with knowledge of data about that user, reuse of old passwords can cause a security breach. + To address password reuse, you must use a combination of security settings. Using this policy setting with the [Enforce password history](enforce-password-history.md) policy setting prevents the easy reuse of old passwords. For example, if you configure the Enforce password history policy setting to ensure that users cannot reuse any of their last 12 passwords, but you do not configure the **Minimum password age** policy setting to a number that is greater than 0, users could change their password 13 times in a few minutes and reuse their original password. You must configure this policy setting to a number that is greater than 0 for the Enforce password history policy setting to be effective. + ### Countermeasure + Configure the **Minimum password age** policy setting to a value of at least 2 days. Users should know about this limitation and contact the Help Desk if they need to change their password during that two-day period. If you configure the number of days to 0, immediate password changes would be allowed, which we do not recommend. + ### Potential impact + If you set a password for a user but wants that user to change the password when the user first logs on, the administrator must select the **User must change password at next logon** check box, or the user cannot change the password until the next day. + ## Related topics -[Password Policy](password-policy.md) -  -  + +- [Password Policy](password-policy.md) diff --git a/windows/keep-secure/minimum-password-length.md b/windows/keep-secure/minimum-password-length.md index 30bd818de2..39c8f9fa60 100644 --- a/windows/keep-secure/minimum-password-length.md +++ b/windows/keep-secure/minimum-password-length.md @@ -2,85 +2,82 @@ title: Minimum password length (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Minimum password length security policy setting. ms.assetid: 3d22eb9a-859a-4b6f-82f5-c270c427e17e -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Minimum password length + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Minimum password length** security policy setting. + ## Reference + The **Minimum password length** policy setting determines the least number of characters that can make up a password for a user account. You can set a value of between 1 and 14 characters, or you can establish that no password is required by setting the number of characters to 0. + ### Possible values + - User-specified number of characters between 0 and 14 - Not defined + ### Best practices + Set Minimum password length to at least a value of 8. If the number of characters is set to 0, no password is required. In most environments, an eight-character password is recommended because it is long enough to provide adequate security and still short enough for users to easily remember. This value will help provide adequate defense against a brute force attack. Adding complexity requirements will help reduce the possibility of a dictionary attack. For more info, see [Password must meet complexity requirements](password-must-meet-complexity-requirements.md). + Permitting short passwords reduces security because short passwords can be easily broken with tools that perform dictionary or brute force attacks against the passwords. Requiring very long passwords can result in mistyped passwords that might cause an account lockout and subsequently increase the volume of Help Desk calls. + In addition, requiring extremely long passwords can actually decrease the security of an organization because users might be more likely to write down their passwords to avoid forgetting them. However, if users are taught that they can use passphrases (sentences such as "I want to drink a $5 milkshake"), they should be much more likely to remember. + ### Location + **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy** + ### Default values + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or Group Policy Object (GPO)Default value

Default domain policy

7 characters

Default domain controller policy

Not defined

Stand-alone server default settings

0 characters

Domain controller effective default settings

7 characters

Member server effective default settings

7 characters

Effective GPO default settings on client computers

0 characters

+ +| Server type or Group Policy Object (GPO) | Default value | +| - | - | +| Default domain policy| 7 characters| +| Default domain controller policy | Not defined| +| Stand-alone server default settings | 0 characters| +| Domain controller effective default settings | 7 characters| +| Member server effective default settings | 7 characters| +| Effective GPO default settings on client computers | 0 characters|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Types of password attacks include dictionary attacks (which attempt to use common words and phrases) and brute force attacks (which try every possible combination of characters). Also, attackers sometimes try to obtain the account database so they can use tools to discover the accounts and passwords. + ### Countermeasure + Configure the **** policy setting to a value of 8 or more. If the number of characters is set to 0, no password will be required. + In most environments, we recommend an eight-character password because it is long enough to provide adequate security, but not too difficult for users to easily remember. This configuration provides adequate defense against a brute force attack. Using the [Password must meet complexity requirements](password-must-meet-complexity-requirements.md) policy setting in addition to the **Minimum password length** setting helps reduce the possibility of a dictionary attack. -**Note**   -Some jurisdictions have established legal requirements for password length as part of establishing security regulations. + +>**Note:**  Some jurisdictions have established legal requirements for password length as part of establishing security regulations.   ### Potential impact + Requirements for extremely long passwords can actually decrease the security of an organization because users might leave the information in an unsecured location or lose it. If very long passwords are required, mistyped passwords could cause account lockouts and increase the volume of Help Desk calls. If your organization has issues with forgotten passwords due to password length requirements, consider teaching your users about passphrases, which are often easier to remember and, due to the larger number of character combinations, much harder to discover. + ## Related topics -[Password Policy](password-policy.md) -  -  + +- [Password Policy](password-policy.md) diff --git a/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md index fa17f2947f..91db7537e8 100644 --- a/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md @@ -3,9 +3,10 @@ title: Minimum requirements for Windows Defender Advanced Threat Protection description: Minimum network and data storage configuration, endpoint hardware and software requirements, and deployment channel requirements for Windows Defender ATP. keywords: minimum requirements, Windows Defender Advanced Threat Protection minimum requirements, network and data storage, endpoint, endpoint configuration, deployment channel search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: iaanw --- diff --git a/windows/keep-secure/modify-an-object-label.md b/windows/keep-secure/modify-an-object-label.md index 4f06c8a9e8..fecfb339d8 100644 --- a/windows/keep-secure/modify-an-object-label.md +++ b/windows/keep-secure/modify-an-object-label.md @@ -2,96 +2,102 @@ title: Modify an object label (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Modify an object label security policy setting. ms.assetid: 3e5a97dd-d363-43a8-ae80-452e866ebfd5 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Modify an object label + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Modify an object label** security policy setting. + ## Reference + This privilege determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users. Processes running under a user account can modify the label of an object owned by that user to a lower level without this privilege. -The integrity label is used by the Windows Integrity Controls (WIC) feature, which was introduced in Windows Server 2008 and Windows Vista. WIC keeps lower integrity processes from modifying higher integrity processes by assigning one of six possible labels to objects on the system. Although similar to NTFS file and folder permissions, which are discretionary controls on objects, the WIC integrity levels are mandatory controls that are put in place and enforced by the operating system. The following list describes the integrity levels from lowest to highest: + +The integrity label is used by the Windows Integrity Controls (WIC) feature, which was introduced in Windows Server 2008 and Windows Vista. WIC keeps lower integrity processes from modifying higher integrity processes by assigning one of six possible labels to objects on the system. Although +similar to NTFS file and folder permissions, which are discretionary controls on objects, the WIC integrity levels are mandatory controls that are put in place and enforced by the operating system. The following list describes the integrity levels from lowest to highest: + - **Untrusted**   Default assignment for processes that are logged on anonymously. - **Low**   Default assignment for processes that interact with the Internet. - **Medium**   Default assignment for standard user accounts and any object that is not explicitly designated with a lower or higher integrity level. - **High**  Default assignment for administrator accounts and processes that request to run using administrative rights. - **System**   Default assignment for Windows kernel and core services. - **Installer**   Used by setup programs to install software. It is important that only trusted software is installed on computers because objects that are assigned the Installer integrity level can install, modify, and uninstall all other objects. + Constant: SeRelabelPrivilege + ### Possible values + - User-defined list of accounts - Not Defined + ### Best practices + - Do not give any group this user right. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default this setting is Not defined on domain controllers and on stand-alone servers. + The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Not defined

Domain Controller Effective Default Settings

Not defined

Member Server Effective Default Settings

Not defined

Client Computer Effective Default Settings

Not defined

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Not defined| +| Domain Controller Effective Default Settings | Not defined| +| Member Server Effective Default Settings | Not defined| +| Client Computer Effective Default Settings | Not defined|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the computer is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability -Anyone with the **Modify an object label** user right can change the integrity level of a file or process so that it becomes elevated or decreased to a point where it can be deleted by lower integrity processes. Either of these states effectively circumvents the protection that is offered by Windows Integrity Controls and makes your system vulnerable to attacks by malicious software. + +Anyone with the **Modify an object label** user right can change the integrity level of a file or process so that it becomes elevated or decreased to a point where it can be deleted by lower integrity processes. Either of these states effectively circumvents the protection that is offered by +Windows Integrity Controls and makes your system vulnerable to attacks by malicious software. + If malicious software is set with an elevated integrity level such as Trusted Installer or System, administrator accounts do not have sufficient integrity levels to delete the program from the system. In that case, use of the **Modify an object label** right is mandated so that the object can be re-labeled. However, the re-labeling must occur by using a process that is at the same or a higher level of integrity than the object that you are attempting to re-label. + ### Countermeasure + Do not give any group this right. If necessary, implement it for a constrained period of time to a trusted individual to respond to a specific organizational need. + ### Potential impact + None. Not defined is the default configuration. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/modify-firmware-environment-values.md b/windows/keep-secure/modify-firmware-environment-values.md index 8662f8166e..e4f6b85eb1 100644 --- a/windows/keep-secure/modify-firmware-environment-values.md +++ b/windows/keep-secure/modify-firmware-environment-values.md @@ -2,94 +2,100 @@ title: Modify firmware environment values (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Modify firmware environment values security policy setting. ms.assetid: 80bad5c4-d9eb-4e3a-a5dc-dcb742b83fca -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Modify firmware environment values + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Modify firmware environment values** security policy setting. + ## Reference + This security setting determines who can modify firmware environment values. Firmware environment values are settings that are stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor. + On x86-based computers, the only firmware environment value that can be modified by assigning this user right is the **Last Known Good Configuration** setting, which should only be modified by the system. + On Itanium-based computers, boot information is stored in nonvolatile RAM. Users must be assigned this user right to run bootcfg.exe and to change the **Default Operating System** setting using the **Startup and Recovery** feature on the **Advanced** tab of **System Properties**. + The exact setting for firmware environment values is determined by the boot firmware. The location of these values is also specified by the firmware. For example, on a UEFI-based system, NVRAM contains firmware environment values that specify system boot settings. + On all computers, this user right is required to install or upgrade Windows. + Constant: SeSystemEnvironmentPrivilege + ### Possible values + - User-defined list of accounts - Administrators - Not Defined + ### Best practices + - Ensure that only the local Administrators group is assigned the **Modify firmware environment values** user right. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default this setting is Administrators on domain controllers and on stand-alone servers. + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Adminstrators

Stand-Alone Server Default Settings

Adminstrators

Domain Controller Effective Default Settings

Adminstrators

Member Server Effective Default Settings

Adminstrators

Client Computer Effective Default Settings

Adminstrators

+ +| Server type or GPO |Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Adminstrators| +| Stand-Alone Server Default Settings | Adminstrators| +| Domain Controller Effective Default Settings | Adminstrators| +| Member Server Effective Default Settings | Adminstrators| +| Client Computer Effective Default Settings | Adminstrators|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the device is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + This security setting does not affect who can modify the system environment values and user environment values that are displayed on the **Advanced** tab of **System Properties**. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Anyone who is assigned the **Modify firmware environment values** user right could configure the settings of a hardware component to cause it to fail, which could lead to data corruption or a denial-of-service condition. + ### Countermeasure + Ensure that only the local Administrators group is assigned the **Modify firmware environment values** user right. + ### Potential impact + None. Restricting the **Modify firmware environment values** user right to the members of the local Administrators group is the default configuration. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/monitor-application-usage-with-applocker.md b/windows/keep-secure/monitor-application-usage-with-applocker.md index 4a0e489d50..87ead686b6 100644 --- a/windows/keep-secure/monitor-application-usage-with-applocker.md +++ b/windows/keep-secure/monitor-application-usage-with-applocker.md @@ -2,51 +2,83 @@ title: Monitor app usage with AppLocker (Windows 10) description: This topic for IT professionals describes how to monitor app usage when AppLocker policies are applied. ms.assetid: 0516da6e-ebe4-45b4-a97b-31daba96d1cf -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Monitor app usage with AppLocker + **Applies to** - Windows 10 + This topic for IT professionals describes how to monitor app usage when AppLocker policies are applied. + Once you set rules and deploy the AppLocker policies, it is good practice to determine if the policy implementation is what you expected. + ### Discover the effect of an AppLocker policy + You can evaluate how the AppLocker policy is currently implemented for documentation or audit purposes, or before you modify the policy. Updating your AppLocker Policy Deployment Planning document will help you track your findings. For information about creating this document, see [Create your AppLocker planning document](create-your-applocker-planning-document.md). You can perform one or more of the following steps to understand what application controls are currently enforced through AppLocker rules. + - **Analyze the AppLocker logs in Event Viewer** + When AppLocker policy enforcement is set to **Enforce rules**, rules are enforced for the rule collection and all events are audited. When AppLocker policy enforcement is set to **Audit only**, rules are not enforced but are still evaluated to generate audit event data that is written to the AppLocker logs. + For the procedure to access the log, see [View the AppLocker Log in Event Viewer](#bkmk-applkr-view-log). + - **Enable the Audit only AppLocker enforcement setting** + By using the **Audit only** enforcement setting, you can ensure that the AppLocker rules are properly configured for your organization. When AppLocker policy enforcement is set to **Audit only**, rules are only evaluated but all events generated from that evaluation are written to the AppLocker log. + For the procedure to do this, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md). + - **Review AppLocker events with Get-AppLockerFileInformation** + For both event subscriptions and local events, you can use the **Get-AppLockerFileInformation** Windows PowerShell cmdlet to determine which files have been blocked or would have been blocked (if you are using the audit-only enforcement mode) and how many times the event has occurred for each file. + For the procedure to do this, see [Review AppLocker Events with Get-AppLockerFileInformation](#bkmk-applkr-review-events). + - **Review AppLocker events with Test-AppLockerPolicy** + You can use the **Test-AppLockerPolicy** Windows PowerShell cmdlet to determine whether any of the rules in your rule collections will be blocked on your reference device or the device on which you maintain policies. + For the procedure to do this, see [Test an AppLocker policy by using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md). + ### Review AppLocker events with Get-AppLockerFileInformation + For both event subscriptions and local events, you can use the **Get-AppLockerFileInformation** Windows PowerShell cmdlet to determine which files have been blocked or would have been blocked (if the **Audit only** enforcement setting is applied) and how many times the event has occurred for each file. + Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure. -**Note**   -If the AppLocker logs are not on your local device, you will need permission to view the logs. If the output is saved to a file, you will need permission to read that file. + +>**Note:**  If the AppLocker logs are not on your local device, you will need permission to view the logs. If the output is saved to a file, you will need permission to read that file.   **To review AppLocker events with Get-AppLockerFileInformation** + 1. At the command prompt, type **PowerShell**, and then press ENTER. 2. Run the following command to review how many times a file would have been blocked from running if rules were enforced: + `Get-AppLockerFileInformation –EventLog –EventType Audited –Statistics` + 3. Run the following command to review how many times a file has been allowed to run or prevented from running: + `Get-AppLockerFileInformation –EventLog –EventType Allowed –Statistics` + ### View the AppLocker Log in Event Viewer + When AppLocker policy enforcement is set to **Enforce rules**, rules are enforced for the rule collection and all events are audited. When AppLocker policy enforcement is set to **Audit only**, rules are only evaluated but all events generated from that evaluation are written to the AppLocker log. + Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure. + **To view events in the AppLocker log by using Event Viewer** + 1. Open Event Viewer. To do this, click **Start**, type **eventvwr.msc**, and then press ENTER. 2. In the console tree under **Application and Services Logs\\Microsoft\\Windows**, double-click **AppLocker**. -AppLocker events are listed in either the **EXE and DLL** log, the **MSI and Script** log, or the **Packaged app-Deployment** or **Packaged app-Execution** log. Event information includes the enforcement setting, file name, date and time, and user name. The logs can be exported to other file formats for further analysis. + +AppLocker events are listed in either the **EXE and DLL** log, the **MSI and Script** log, or the **Packaged app-Deployment** or **Packaged app-Execution** log. Event information includes the enforcement setting, file name, date and time, and user name. The logs can be exported to other file +formats for further analysis. + ## Related topics -[AppLocker](applocker-overview.md) -  -  + +- [AppLocker](applocker-overview.md) diff --git a/windows/keep-secure/monitor-central-access-policy-and-rule-definitions.md b/windows/keep-secure/monitor-central-access-policy-and-rule-definitions.md index 228daa4fa2..6904612d1c 100644 --- a/windows/keep-secure/monitor-central-access-policy-and-rule-definitions.md +++ b/windows/keep-secure/monitor-central-access-policy-and-rule-definitions.md @@ -2,22 +2,27 @@ title: Monitor central access policy and rule definitions (Windows 10) description: This topic for the IT professional describes how to monitor changes to central access policy and central access rule definitions when you use advanced security auditing options to monitor dynamic access control objects. ms.assetid: 553f98a6-7606-4518-a3c5-347a33105130 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Monitor central access policy and rule definitions + **Applies to** - Windows 10 + This topic for the IT professional describes how to monitor changes to central access policy and central access rule definitions when you use advanced security auditing options to monitor dynamic access control objects. Central access policies and rules determine access permissions for multiple files on multiple file servers. Therefore, it is important to monitor changes to them. Like user claim and device claim definitions, central access policy and rule definitions reside in Active Directory Domain Services (AD DS), and they can be monitored just like any other object in Active Directory. Central access policies and rules are critical elements in a Dynamic Access Control deployment. These policies and rules are stored in AD DS, so they should be less likely to be tampered with than other network objects. However, it is important to monitor these objects for potential changes in security auditing and to verify that policies are being enforced. + Use the following procedures to configure settings to monitor changes to central access policy and central access rule definitions and to verify the changes. These procedures assume that you have configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. If you have not yet deployed Dynamic Access Control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](http://technet.microsoft.com/library/hh846167.aspx). -**Note**   -Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. + +>**Note:**  Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.   **To configure settings to monitor changes to central access policy and rule definitions** + 1. Sign in to your domain controller by using domain administrator credentials. 2. In Server Manager, point to **Tools**, and then click **Group Policy Management**. 3. In the console tree, right-click the default domain controller Group Policy Object, and then click **Edit**. @@ -28,8 +33,11 @@ Your server might function differently based on the version and edition of the o 8. Under Dynamic Access Control, right-click **Central Access Policies**, and then select **Properties**. 9. Click the **Security** tab, click **Advanced** to open the **Advanced Security Settings** dialog box, and then click the **Auditing** tab. 10. Click **Add**, add a security auditing setting for the container, and then close all Security properties dialog boxes. + After you configure settings to monitor changes to central access policy and central access rule definitions, verify that the changes are being monitored. + **To verify that changes to central access policy and rule definitions are monitored** + 1. Sign in to your domain controller by using domain administrator credentials. 2. Open the Active Directory Administrative Center. 3. Under **Dynamic Access Control**, right-click **Central Access Policies**, and then click **Properties**. @@ -39,7 +47,7 @@ After you configure settings to monitor changes to central access policy and cen 7. Click **OK**, and then close the Active Directory Administrative Center. 8. In Server Manager, click **Tools**, and then click **Event Viewer**. 9. Expand **Windows Logs**, and then click **Security**. Verify that event 4819 appears in the security log. + ### Related resource -[Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) -  -  + +- [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) diff --git a/windows/keep-secure/monitor-claim-types.md b/windows/keep-secure/monitor-claim-types.md index 88650d8745..fcbaaa93b0 100644 --- a/windows/keep-secure/monitor-claim-types.md +++ b/windows/keep-secure/monitor-claim-types.md @@ -2,39 +2,52 @@ title: Monitor claim types (Windows 10) description: This topic for the IT professional describes how to monitor changes to claim types that are associated with dynamic access control when you are using advanced security auditing options. ms.assetid: 426084da-4eef-44af-aeec-e7ab4d4e2439 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Monitor claim types + **Applies to** - Windows 10 + This topic for the IT professional describes how to monitor changes to claim types that are associated with dynamic access control when you are using advanced security auditing options. + Claim types are one of the basic building blocks of Dynamic Access Control. Claim types can include attributes such as the departments in an organization or the levels of security clearance that apply to classes of users. You can use security auditing to track whether claims are added, modified, enabled, disabled, or deleted. -Use the following procedures to configure settings to monitor changes to claim types in AD DS. These procedures assume that you have configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. If you have not yet deployed Dynamic Access Control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](http://technet.microsoft.com/library/hh846167.aspx). -**Note**   -Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. + +Use the following procedures to configure settings to monitor changes to claim types in AD DS. These procedures assume that you have configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. If you have not yet deployed Dynamic +Access Control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](http://technet.microsoft.com/library/hh846167.aspx). + +>**Note:**  Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.   **To configure settings to monitor changes to claim types** + 1. Sign in to your domain controller by using domain administrator credential. 2. In Server Manager, point to **Tools**, and then click **Group Policy Management**. 3. In the console tree, right-click the default domain controller Group Policy Object, and then click **Edit**. 4. Double-click **Computer Configuration**, click **Security Settings**, expand **Advanced Audit Policy Configuration**, expand **System Audit Policies**, click **DS Access**, and then double-click **Audit directory service changes**. 5. Select the **Configure the following audit events** check box, select the **Success** check box (andthe **Failure** check box, if desired), and then click **OK**. + After you configure settings to monitor changes to claim types in AD DS, verify that the changes are being monitored. + **To verify that changes to claim types are monitored** + 1. Sign in to your domain controller by using domain administrator credentials. 2. Open the Active Directory Administrative Center. 3. Under **Dynamic Access Control**, right-click **Claim Types**, and then click **Properties**. 4. Click the **Security** tab, click **Advanced** to open the **Advanced Security Settings** dialog box, and then click the **Auditing** tab. 5. Click **Add**, add a security auditing setting for the container, and then close all the Security properties dialog boxes. 6. In the **Claim Types** container, add a new claim type or select an existing claim type. In the **Tasks** pane, click **Properties**, and then change one or more attributes. + Click **OK**, and then close the Active Directory Administrative Center. + 7. Open Event Viewer on this domain controller, expand **Windows Logs**, and select the **Security** log. + Look for event 5137. Key information to look for includes the name of the new attribute that was added, the type of claim that was created, and the user who created the claim. + ### Related resource -[Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) -  -  + +- [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) diff --git a/windows/keep-secure/monitor-onboarding-windows-defender-advanced-threat-protection.md b/windows/keep-secure/monitor-onboarding-windows-defender-advanced-threat-protection.md index 67ff38e86d..8babe1f172 100644 --- a/windows/keep-secure/monitor-onboarding-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/monitor-onboarding-windows-defender-advanced-threat-protection.md @@ -3,9 +3,10 @@ title: Monitor Windows Defender ATP onboarding description: Monitor the onboarding of the Windows Defender ATP service to ensure your endpoints are correctly configured and are sending telemetry reports. keywords: monitor onboarding, monitor Windows Defender ATP onboarding, monitor Windows Defender Advanced Threat Protection onboarding search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: mjcaparas --- diff --git a/windows/keep-secure/monitor-resource-attribute-definitions.md b/windows/keep-secure/monitor-resource-attribute-definitions.md index 71c872ac0f..75bff821fe 100644 --- a/windows/keep-secure/monitor-resource-attribute-definitions.md +++ b/windows/keep-secure/monitor-resource-attribute-definitions.md @@ -2,23 +2,29 @@ title: Monitor resource attribute definitions (Windows 10) description: This topic for the IT professional describes how to monitor changes to resource attribute definitions when you are using advanced security auditing options to monitor dynamic access control objects. ms.assetid: aace34b0-123a-4b83-9e09-f269220e79de -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Monitor resource attribute definitions + **Applies to** - Windows 10 + This topic for the IT professional describes how to monitor changes to resource attribute definitions when you are using advanced security auditing options to monitor dynamic access control objects. Resource attribute definitions define the basic properties of resource attributes, such as what it means for a resource to be defined as “high business value.” Resource attribute definitions are stored in AD DS under the Resource Properties container. Changes to these definitions could significantly change the protections that govern a resource, even if the resource attributes that apply to the resource remain unchanged. Changes can be monitored like any other AD DS object. + For information about monitoring changes to the resource attributes that apply to files, see [Monitor the resource attributes on files and folders](monitor-the-resource-attributes-on-files-and-folders.md). + Use the following procedures to configure settings to monitor changes to resource attribute definitions in AD DS and to verify the changes. These procedures assume that you have configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. If you have not yet deployed Dynamic Access Control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](http://technet.microsoft.com/library/hh846167.aspx). -**Note**   -Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. + +>**Note:**  Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.   **To configure settings to monitor changes to resource attributes** + 1. Sign in to your domain controller by using domain administrator credentials. 2. In Server Manager, point to **Tools**, and then click **Group Policy Management**. 3. In the console tree, right-click the Group Policy Object for the default domain controller, and then click **Edit**. @@ -29,8 +35,11 @@ Your server might function differently based on the version and edition of the o 8. Under **Dynamic Access Control**, right-click **Resource Properties**, and then click **Properties**. 9. Click the **Security** tab, click **Advanced** to open the **Advanced Security Settings** dialog box, and then click the **Auditing** tab. 10. Click **Add**, add a security auditing setting for the container, and then close all Security properties dialog boxes. + After you configure settings to monitor changes to resource attributes in AD DS, verify that the changes are being monitored. + **To verify that changes to resource definitions are monitored** + 1. Sign in to your domain controller by using domain administrator credentials. 2. Open the Active Directory Administrative Center. 3. Under **Dynamic Access Control**, click **Resource Properties**, and then double-click a resource attribute. @@ -38,7 +47,7 @@ After you configure settings to monitor changes to resource attributes in AD DS 5. Click **OK**, and then close the Active Directory Administrative Center. 6. In Server Manager, click **Tools**, and then click **Event Viewer**. 7. Expand **Windows Logs**, and then click **Security**. Verify that event 5137 appears in the security log. + ### Related resource -[Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) -  -  + +- [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) diff --git a/windows/keep-secure/monitor-the-central-access-policies-associated-with-files-and-folders.md b/windows/keep-secure/monitor-the-central-access-policies-associated-with-files-and-folders.md index 3aff0a5708..74e926c90b 100644 --- a/windows/keep-secure/monitor-the-central-access-policies-associated-with-files-and-folders.md +++ b/windows/keep-secure/monitor-the-central-access-policies-associated-with-files-and-folders.md @@ -2,53 +2,67 @@ title: Monitor the central access policies associated with files and folders (Windows 10) description: This topic for the IT professional describes how to monitor changes to the central access policies that are associated with files and folders when you are using advanced security auditing options to monitor dynamic access control objects. ms.assetid: 2ea8fc23-b3ac-432f-87b0-6a16506e8eed -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Monitor the central access policies associated with files and folders + **Applies to** - Windows 10 + This topic for the IT professional describes how to monitor changes to the central access policies that are associated with files and folders when you are using advanced security auditing options to monitor dynamic access control objects. + This security audit policy and the event that it records are generated when the central access policy that is associated with a file or folder is changed. This security audit policy is useful when an administrator wants to monitor potential changes on some, but not all, files and folders on a file server. + For info about monitoring potential central access policy changes for an entire file server, see [Monitor the central access policies that apply on a file server](monitor-the-central-access-policies-that-apply-on-a-file-server.md). + Use the following procedures to configure settings to monitor central access policies that are associated with files. These procedures assume that you have configured and deployed Dynamic Access Control in your network. For more information about how to configure and deploy Dynamic Access Control, see [Dynamic Access Control: Scenario Overview](http://technet.microsoft.com/library/hh831717.aspx). -**Note**   -Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. + +>**Note:**  Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.   **To configure settings to monitor central access policies associated with files or folders** + 1. Sign in to your domain controller by using domain administrator credentials. 2. In Server Manager, point to **Tools**, and then click **Group Policy Management**. 3. In the console tree, right-click the flexible access Group Policy Object, and then click **Edit**. 4. Double-click **Computer Configuration**, double-click **Security Settings**, double-click **Advanced Audit Policy Configuration**, double-click **Policy Change**, and then double-click **Audit Authorization Policy Change**. 5. Select the **Configure the following audit events** check box, select the **Success** check box (and the **Failure** check box, if desired), and then click **OK**. 6. Enable auditing for a file or folder as described in the following procedure. + **To enable auditing for a file or folder** + 1. Sign in as a member of the local administrators group on the computer that contains the files or folders that you want to audit. 2. Right-click the file or folder, click **Properties**, and then click the **Security** tab. 3. Click **Advanced**, click the **Auditing** tab, and then click **Continue**. + If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. + 4. Click **Add**, click **Select a principal**, type a user name or group name in the format **contoso\\user1**, and then click **OK**. 5. In the **Auditing Entry for** dialog box, select the permissions that you want to audit, such as **Full Control** or **Delete**. 6. Click **OK** four times to complete the configuration of the object SACL. 7. Open a File Explorer window and select or create a file or folder to audit. 8. Open an elevated command prompt, and run the following command: - **gpupdate /force** + + `gpupdate /force` + After you configure settings to monitor changes to the central access policies that are associated with files and folders, verify that the changes are being monitored. + **To verify that changes to central access policies associated with files and folders are monitored** + 1. Sign in as a member of the local administrators group on the computer that contains the files or folders that you want to audit. 2. Open a File Explorer window and select the file or folder that you configured for auditing in the previous procedure. 3. Right-click the file or folder, click **Properties**, click the **Security** tab, and then click **Advanced**. 4. Click the **Central Policy** tab, click **Change**, and select a different central access policy (if one is available) or select **No Central Access Policy**, and then click **OK** twice. - **Note**   - You must select a setting that is different than your original setting to generate the audit event. + >**Note:**  You must select a setting that is different than your original setting to generate the audit event.   5. In Server Manager, click **Tools**, and then click **Event Viewer**. 6. Expand **Windows Logs**, and then click **Security**. 7. Look for event 4913, which is generated when the central access policy that is associated with a file or folder is changed. This event includes the security identifiers (SIDs) of the old and new central access policies. + ### Related resource -[Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) -  -  + +- [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) diff --git a/windows/keep-secure/monitor-the-central-access-policies-that-apply-on-a-file-server.md b/windows/keep-secure/monitor-the-central-access-policies-that-apply-on-a-file-server.md index 54838b32b6..4e21c32c36 100644 --- a/windows/keep-secure/monitor-the-central-access-policies-that-apply-on-a-file-server.md +++ b/windows/keep-secure/monitor-the-central-access-policies-that-apply-on-a-file-server.md @@ -2,28 +2,37 @@ title: Monitor the central access policies that apply on a file server (Windows 10) description: This topic for the IT professional describes how to monitor changes to the central access policies that apply to a file server when using advanced security auditing options to monitor dynamic access control objects. ms.assetid: 126b051e-c20d-41f1-b42f-6cff24dcf20c -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Monitor the central access policies that apply on a file server + **Applies to** - Windows 10 + This topic for the IT professional describes how to monitor changes to the central access policies that apply to a file server when using advanced security auditing options to monitor dynamic access control objects. Central access policies are created on a domain controller and then applied to file servers through Group Policy management. + Use the following procedures to configure and verify security auditing settings that are used to monitor changes to the set of central access policies on a file server. The following procedures assume that you have configured and deployed dynamic access control, including central access policies, and claims in your network. If you have not yet deployed dynamic access control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](http://technet.microsoft.com/library/hh846167.aspx). + **To configure settings to monitor changes to central access policies** + 1. Sign in to your domain controller by using domain administrator credentials. 2. In Server Manager, point to **Tools**, and then click **Group Policy Management**. 3. In the console tree, right-click the flexible access Group Policy Object, and then click **Edit**. 4. Double-click **Computer Configuration**, double-click **Security Settings**, double-click **Advanced Audit Policy Configuration**, double-click **Policy Change**, and then double-click **Other Policy Change Events**. - **Note**   - This policy setting monitors policy changes that might not be captured otherwise, such as central access policy changes or trusted platform module configuration changes. + + >**Note:**  This policy setting monitors policy changes that might not be captured otherwise, such as central access policy changes or trusted platform module configuration changes.   5. Select the **Configure the following audit events** check box, select the **Success** check box (and the **Failure** check box, if desired), and then click **OK**. + After you modify the central access policies on the domain controller, verify that the changes have been applied to the file server and that the proper events are logged. + **To verify changes to the central access policies** + 1. Sign in to your domain controller by using domain administrator credentials. 2. Open the Group Policy Management Console. 3. Right-click **Default domain policy**, and then click **Edit**. @@ -32,13 +41,13 @@ After you modify the central access policies on the domain controller, verify th 6. In the wizard that appears, follow the instructions to add a new central access policy (CAP), and then click **OK**. 7. Use local administrator credentials to sign in to the server that hosts resources that are subject to the central access policies you changed. 8. Press the Windows key + R, then type **cmd** to open a Command Prompt window. - **Note**   - If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. + + >**Note:**  If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click **Yes**.   9. Type **gpupdate /force**, and press ENTER. 10. In Server Manager, click **Tools**, and then click **Event Viewer**. 11. Expand **Windows Logs**, and then click **Security**. Verify that event 4819 appears in the security log. + ## Related resource -[Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) -  -  + +- [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) diff --git a/windows/keep-secure/monitor-the-resource-attributes-on-files-and-folders.md b/windows/keep-secure/monitor-the-resource-attributes-on-files-and-folders.md index 8c4c23bf12..5849cc955c 100644 --- a/windows/keep-secure/monitor-the-resource-attributes-on-files-and-folders.md +++ b/windows/keep-secure/monitor-the-resource-attributes-on-files-and-folders.md @@ -2,42 +2,54 @@ title: Monitor the resource attributes on files and folders (Windows 10) description: This topic for the IT professional describes how to monitor attempts to change settings to the resource attributes on files when you are using advanced security auditing options to monitor dynamic access control objects. ms.assetid: 4944097b-320f-44c7-88ed-bf55946a358b -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Monitor the resource attributes on files and folders + **Applies to** - Windows 10 + This topic for the IT professional describes how to monitor attempts to change settings to the resource attributes on files when you are using advanced security auditing options to monitor dynamic access control objects. + If your organization has a carefully thought out authorization configuration for resources, changes to these resource attributes can create potential security risks. Examples include: + - Changing files that have been marked as high business value to low business value. - Changing the Retention attribute of files that have been marked for retention. - Changing the Department attribute of files that are marked as belonging to a particular department. + Use the following procedures to configure settings to monitor changes to resource attributes on files and folders. These procedures assume that have configured and deployed central access policies in your network. For more information about how to configure and deploy central access policies, see [Dynamic Access Control: Scenario Overview](http://technet.microsoft.com/library/hh831717.aspx) . -**Note**   -Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. + +>**Note:**  Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.   **To monitor changes to resource attributes on files** + 1. Sign in to your domain controller by using domain administrator credentials. 2. In Server Manager, point to **Tools**, and then click **Group Policy Management**. 3. In the console tree, right-click the flexible access Group Policy Object, and then click **Edit**. 4. Double-click **Computer Configuration**, double-click **Security Settings**, double-click **Advanced Audit Policy Configuration**, double-click **Policy Change**, and then double-click **Audit Authorization Policy Change**. 5. Select the **Configure the following audit events** check box, select the **Success** and **Failure** check boxes, and then click **OK**. + After you configure settings to monitor resource attributes on files, verify that the changes are being monitored. + **To verify that changes to resource attributes on files are monitored** + 1. Use administrator credentials to sign in to the server that hosts the resource you want to monitor. 2. From an elevated command prompt, type **gpupdate /force**, and then press ENTER. 3. Attempt to change resource properties on one or more files and folders. 4. In Server Manager, click **Tools**, and then click **Event Viewer**. 5. Expand **Windows Logs**, and then click **Security**. 6. Depending on which resource attributes you attempted to change, you should look for the following events: + - Event 4911, which tracks changes to file attributes - Event 4913, which tracks changes to central access policies + Key information to look for includes the name and account domain of the principal attempting to change the resource attribute, the object that the principal is attempting to modify, and information about the changes that are being attempted. + ### Related resource -[Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) -  -  + +- [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) diff --git a/windows/keep-secure/monitor-the-use-of-removable-storage-devices.md b/windows/keep-secure/monitor-the-use-of-removable-storage-devices.md index b465dfccb6..7665d0dddc 100644 --- a/windows/keep-secure/monitor-the-use-of-removable-storage-devices.md +++ b/windows/keep-secure/monitor-the-use-of-removable-storage-devices.md @@ -2,22 +2,28 @@ title: Monitor the use of removable storage devices (Windows 10) description: This topic for the IT professional describes how to monitor attempts to use removable storage devices to access network resources. It describes how to use advanced security auditing options to monitor dynamic access control objects. ms.assetid: b0a9e4a5-b7ff-41c6-96ff-0228d4ba5da8 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Monitor the use of removable storage devices + **Applies to** - Windows 10 + This topic for the IT professional describes how to monitor attempts to use removable storage devices to access network resources. It describes how to use advanced security auditing options to monitor dynamic access control objects. + If you configure this policy setting, an audit event is generated each time a user attempts to copy, move, or save a resource to a removable storage device. + Use the following procedures to monitor the use of removable storage devices and to verify that the devices are being monitored. -**Note**   -Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. + +>**Note:**  Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.   **To configure settings to monitor removable storage devices** + 1. Sign in to your domain controller by using domain administrator credentials. 2. In Server Manager, point to **Tools**, and then click **Group Policy Management**. 3. In the console tree, right-click the flexible access Group Policy Object on the domain controller, and then click **Edit**. @@ -25,22 +31,25 @@ Your server might function differently based on the version and edition of the o 5. Select the **Configure the following audit events** check box, select the **Success** check box (and the **Failure** check box, if desired), and then click **OK**. 6. If you selected the **Failure** check box, double-click **Audit Handle Manipulation**, select the **Configure the following audit events check box**, and then select **Failure**. 7. Click **OK**, and then close the Group Policy Management Editor. + After you configure the settings to monitor removable storage devices, use the following procedure to verify that the settings are active. + **To verify that removable storage devices are monitored** + 1. Sign in to the computer that hosts the resources that you want to monitor. Press the Windows key + R, and then type **cmd** to open a Command Prompt window. - **Note**   - If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. + + >**Note:**  If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click **Yes**.   2. Type **gpupdate /force**, and press ENTER. 3. Connect a removable storage device to the targeted computer and attempt to copy a file that is protected with the Removable Storage Audit policy. 4. In Server Manager, click **Tools**, and then click **Event Viewer**. 5. Expand **Windows Logs**, and then click **Security**. 6. Look for event 4663, which logs successful attempts to write to or read from a removable storage device. Failures will log event 4656. Both events include **Task Category = Removable Storage device**. + Key information to look for includes the name and account domain of the user who attempted to access the file, the object that the user is attempting to access, resource attributes of the resource, and the type of access that was attempted. - **Note**   - We do not recommend that you enable this category on a file server that hosts file shares on a removable storage device. When Removable Storage Auditing is configured, any attempt to access the removable storage device will generate an audit event. + + >**Note:**  We do not recommend that you enable this category on a file server that hosts file shares on a removable storage device. When Removable Storage Auditing is configured, any attempt to access the removable storage device will generate an audit event.   ### Related resource -[Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) -  -  + +- [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) diff --git a/windows/keep-secure/monitor-user-and-device-claims-during-sign-in.md b/windows/keep-secure/monitor-user-and-device-claims-during-sign-in.md index 43db7d7f40..f95697b152 100644 --- a/windows/keep-secure/monitor-user-and-device-claims-during-sign-in.md +++ b/windows/keep-secure/monitor-user-and-device-claims-during-sign-in.md @@ -2,36 +2,48 @@ title: Monitor user and device claims during sign-in (Windows 10) description: This topic for the IT professional describes how to monitor user and device claims that are associated with a user’s security token when you are using advanced security auditing options to monitor dynamic access control objects. ms.assetid: 71796ea9-5fe4-4183-8475-805c3c1f319f -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft + --- + # Monitor user and device claims during sign-in + **Applies to** - Windows 10 + This topic for the IT professional describes how to monitor user and device claims that are associated with a user’s security token when you are using advanced security auditing options to monitor dynamic access control objects. + Device claims are associated with the system that is used to access resources that are protected with Dynamic Access Control. User claims are attributes that are associated with a user. User claims and device claims are included in the user’s security token used at sign-on. For example, information about Department, Company, Project, or Security clearances might be included in the token. + Use the following procedures to monitor changes to user claims and device claims in the user’s sign-on token and to verify the changes. These procedures assume that you have configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. If you have not yet deployed Dynamic Access Control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](http://technet.microsoft.com/library/hh846167.aspx). -**Note**   -Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. + +>**Note:**  Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.   **To monitor user and device claims in user logon token** + 1. Sign in to your domain controller by using domain administrator credentials. 2. In Server Manager, point to **Tools**, and then click **Group Policy Management**. 3. In the console tree, right-click the flexible access Group Policy Object, and then click **Edit**. 4. Double-click **Computer Configuration**, click **Security Settings**, expand **Advanced Audit Policy Configuration**, expand **System Audit Policies**, click **Logon/Logoff**, and then double-click **Audit User/Device claims**. 5. Select the **Configure the following audit events** check box, select the **Success** check box (and the **Failure** check box, if desired), and then click **OK**. 6. Close the Group Policy Management Editor. + After you configure settings to monitor user and device claims, verify that the changes are being monitored. + **To verify that user and device claims in user logon token are monitored** + 1. With local administrator credentials, sign in to a file server that is subject to the flexible access Group Policy Object. 2. Open an elevated command prompt, and run the following command: - **gpupdate force** + + `gpupdate force` + 3. From a client computer, connect to a file share on the file server as a user who has access permissions to the file server. 4. On the file server, open Event Viewer, expand **Windows Logs**, and select the **Security** log. Look for event 4626, and confirm that it contains information about user claims and device claims. + ### Related resource -[Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) -  -  + +- [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) diff --git a/windows/keep-secure/network-access-allow-anonymous-sidname-translation.md b/windows/keep-secure/network-access-allow-anonymous-sidname-translation.md index ce3d50eac0..206c76f7fc 100644 --- a/windows/keep-secure/network-access-allow-anonymous-sidname-translation.md +++ b/windows/keep-secure/network-access-allow-anonymous-sidname-translation.md @@ -2,90 +2,96 @@ title: Network access Allow anonymous SID/Name translation (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network access Allow anonymous SID/Name translation security policy setting. ms.assetid: 0144477f-22a6-4d06-b70a-9c9c2196e99e -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network access: Allow anonymous SID/Name translation + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Network access: Allow anonymous SID/Name translation** security policy setting. + ## Reference + This policy setting enables or disables the ability of an anonymous user to request security identifier (SID) attributes for another user. + If this policy setting is enabled, a user might use the well-known Administrators SID to get the real name of the built-in Administrator account, even if the account has been renamed. That person might then use the account name to initiate a brute-force password-guessing attack. + Misuse of this policy setting is a common error that can cause data loss or problems with data access or security. + ### Possible values + - Enabled + An anonymous user can request the SID attribute for another user. An anonymous user with knowledge of an administrator's SID could contact a computer that has this policy enabled and use the SID to get the administrator's name. This setting affects the SID-to-name translation as well as the name-to-SID translation + - Disabled + Prevents an anonymous user from requesting the SID attribute for another user. + - Not defined + ### Best practices + - Set this policy to Disabled. This is the default value on member computers; therefore, it will have no impact on them. The default value for domain controllers is Enabled. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Note defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Enabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Note defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings| Disabled| +| Client Computer Effective Default Settings | Disabled|   ### Operating system version differences + The default value of this setting has changed between operating systems as follows: + - The default on domain controllers running Windows Server 2003 R2 or earlier was set to Enabled. - The default on domain controllers running Windows Server 2008 and later is set to Disabled. + ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Group Policy + Modifying this setting may affect compatibility with client computers, services, and applications. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + If this policy setting is enabled, a user with local access could use the well-known Administrator's SID to learn the real name of the built-in Administrator account, even if it has been renamed. That person could then use the account name to initiate a password-guessing attack. + ### Countermeasure + Disable the **Network access: Allow anonymous SID/Name translation** setting. + ### Potential impact + Disabled is the default configuration for this policy setting on member devices; therefore, it has no impact on them. The default configuration for domain controllers is Enabled. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md b/windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md index 95f97f704f..7de439ad10 100644 --- a/windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md +++ b/windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md @@ -2,85 +2,86 @@ title: Network access Do not allow anonymous enumeration of SAM accounts and shares (Windows 10) description: Describes the best practices, location, values, and security considerations for the Network access Do not allow anonymous enumeration of SAM accounts and shares security policy setting. ms.assetid: 3686788d-4cc7-4222-9163-cbc7c3362d73 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network access: Do not allow anonymous enumeration of SAM accounts and shares + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Network access: Do not allow anonymous enumeration of SAM accounts and shares** security policy setting. + ## Reference + This policy setting determines which additional permissions will be assigned for anonymous connections to the device. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to give access to users in a trusted domain that does not maintain a reciprocal trust. However, even with this policy setting enabled, anonymous users will have access to resources with permissions that explicitly include the built-in group, ANONYMOUS LOGON. + This policy setting has no impact on domain controllers. Misuse of this policy setting is a common error that can cause data loss or problems with data access or security. + ### Possible values + - Enabled + - Disabled + No additional permissions can be assigned by the administrator for anonymous connections to the device. Anonymous connections will rely on default permissions. However, an unauthorized user could anonymously list account names and use the information to attempt to guess passwords or perform social-engineering attacks. + - Not defined + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Policy conflicts + Even with this policy setting enabled, anonymous users will have access to resources with permissions that explicitly include the built-in group, ANONYMOUS LOGON (on systems earlier than Windows Server 2008 and Windows Vista). + ### Group Policy + This policy has no impact on domain controllers. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords or perform social-engineering attacks. + ### Countermeasure + Enable the **Network access: Do not allow anonymous enumeration of SAM accounts and shares** setting. + ### Potential impact + It is impossible to grant access to users of another domain across a one-way trust because administrators in the trusting domain are unable to enumerate lists of accounts in the other domain. Users who access file and print servers anonymously are unable to list the shared network resources on those servers; the users must be authenticated before they can view the lists of shared folders and printers. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md b/windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md index 2324359e3a..1a8d592782 100644 --- a/windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md +++ b/windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md @@ -2,85 +2,88 @@ title: Network access Do not allow anonymous enumeration of SAM accounts (Windows 10) description: Describes the best practices, location, values, and security considerations for the Network access Do not allow anonymous enumeration of SAM accounts security policy setting. ms.assetid: 6ee25b33-ad43-4097-b031-7be680f64c7c -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft + --- + # Network access: Do not allow anonymous enumeration of SAM accounts + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Network access: Do not allow anonymous enumeration of SAM accounts** security policy setting. + ## Reference + This policy setting determines which additional permissions will be assigned for anonymous connections to the device. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to give access to users in a trusted domain that does not maintain a reciprocal trust. + This policy setting has no impact on domain controllers. + Misuse of this policy setting is a common error that can cause data loss or problems with data access or security. + ### Possible values + - Enabled + - Disabled + No additional permissions can be assigned by the administrator for anonymous connections to the device. Anonymous connections will rely on default permissions. + - Not defined + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Enabled

DC Effective Default Settings

Enabled

Member Server Effective Default Settings

Enabled

Client Computer Effective Default Settings

Enabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Enabled| +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings| Enabled| +| Client Computer Effective Default Settings | Enabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Policy conflicts + Even with this policy setting enabled, anonymous users will have access to resources with permissions that explicitly include the built-in group, ANONYMOUS LOGON (on systems earlier than Windows Server 2008 and Windows Vista). + ### Group Policy + This policy has no impact on domain controllers. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + An unauthorized user could anonymously list account names and use the information to perform social engineering attacks or attempt to guess passwords. Social engineering attackers try to deceive users in some way to obtain passwords or some form of security information. + ### Countermeasure + Enable the **Network access: Do not allow anonymous enumeration of SAM accounts** setting. + ### Potential impact + It is impossible to grant access to users of another domain across a one-way trust because administrators in the trusting domain are unable to enumerate lists of accounts in the other domain. Users who access file and print servers anonymously are unable to list the shared network resources on those servers; the users must be authenticated before they can view the lists of shared folders and printers. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md b/windows/keep-secure/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md index 16fa1842da..a60b14af97 100644 --- a/windows/keep-secure/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md +++ b/windows/keep-secure/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md @@ -2,91 +2,95 @@ title: Network access Do not allow storage of passwords and credentials for network authentication (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network access Do not allow storage of passwords and credentials for network authentication security policy setting. ms.assetid: b9b64360-36ea-40fa-b795-2d6558c46563 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network access: Do not allow storage of passwords and credentials for network authentication + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Network access: Do not allow storage of passwords and credentials for network authentication** security policy setting. + ## Reference + This security setting determines whether Credential Manager saves passwords and credentials for later use when it gains domain authentication. + ### Possible values + - Enabled + Credential Manager does not store passwords and credentials on the device + - Disabled + Credential Manager will store passwords and credentials on this computer for later use for domain authentication. + - Not defined + ### Best practices + It is a recommended practice to disable the ability of the Windows operating system to cache credentials on any device where credentials are not needed. Evaluate your servers and workstations to determine the requirements. Cached credentials are designed primarily to be used on laptops that require domain credentials when disconnected from the domain. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or Group Policy Object (GPO)Default value

Default domain policy

Disabled

Default domain controller policy

Disabled

Stand-alone server default settings

Disabled

Domain controller effective default settings

Not defined

Member server effective default settings

Not defined

Effective GPO default settings on client computers

Not defined

+ +| Server type or Group Policy Object (GPO) | Default value | +| - | - | +| Default domain policy| Disabled| +| Default domain controller policy| Disabled| +| Stand-alone server default settings | Disabled| +| Domain controller effective default settings| Not defined| +| Member server effective default settings | Not defined| +| Effective GPO default settings on client computers | Not defined|   ### Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + A restart of the device is required before this policy will be effective when changes to this policy are saved locally or distributed through Group Policy. + ### Group Policy + This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Passwords that are cached can be accessed by the user when logged on to the device. Although this information may sound obvious, a problem can arise if the user unknowingly runs malicious software that reads the passwords and forwards them to another, unauthorized user. -**Note**   -The chances of success for this exploit and others that involve malicious software are reduced significantly for organizations that effectively implement and manage an enterprise antivirus solution combined with sensible software restriction policies. + +>**Note:**  The chances of success for this exploit and others that involve malicious software are reduced significantly for organizations that effectively implement and manage an enterprise antivirus solution combined with sensible software restriction policies.   Regardless of what encryption algorithm is used to encrypt the password verifier, a password verifier can be overwritten so that an attacker can authenticate as the user to whom the verifier belongs. Therefore, the administrator's password may be overwritten. This procedure requires physical access to the device. Utilities exist that can help overwrite the cached verifier. By using one of these utilities, an attacker can authenticate by using the overwritten value. + Overwriting the administrator's password does not help the attacker access data that is encrypted by using that password. Also, overwriting the password does not help the attacker access any Encrypting File System (EFS) data that belongs to other users on that device. Overwriting the password does not help an attacker replace the verifier, because the base keying material is incorrect. Therefore, data that is encrypted by using Encrypting File System or by using the Data Protection API (DPAPI) will not decrypt. + ### Countermeasure + Enable the **Network access: Do not allow storage of passwords and credentials for network authentication** setting. + To limit the number of changed domain credentials that are stored on the computer, set the **cachedlogonscount** registry entry. By default, the operating system caches the verifier for each unique user's ten most recent valid logons. This value can be set to any value between 0 and 50. By default, all versions of the Windows operating system remember 10 cached logons, except Windows Server 2008 and later, which are set at 25. + When you try to log on to a domain from a Windows-based client device, and a domain controller is unavailable, you do not receive an error message. Therefore, you may not notice that you logged on with cached domain credentials. You can set a notification of logon that uses cached domain credentials with the ReportDC registry entry. + ### Potential impact + Users are forced to type passwords whenever they log on to their Microsoft Account or other network resources that are not accessible to their domain account. This policy setting should have no impact on users who access network resources that are configured to allow access with their Active Directory–based domain account. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-access-let-everyone-permissions-apply-to-anonymous-users.md b/windows/keep-secure/network-access-let-everyone-permissions-apply-to-anonymous-users.md index 84c96fe8a5..02f1530efb 100644 --- a/windows/keep-secure/network-access-let-everyone-permissions-apply-to-anonymous-users.md +++ b/windows/keep-secure/network-access-let-everyone-permissions-apply-to-anonymous-users.md @@ -2,83 +2,83 @@ title: Network access Let Everyone permissions apply to anonymous users (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network access Let Everyone permissions apply to anonymous users security policy setting. ms.assetid: cdbc5159-9173-497e-b46b-7325f4256353 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network access: Let Everyone permissions apply to anonymous users + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Network access: Let Everyone permissions apply to anonymous users** security policy setting. + ## Reference + This policy setting determines what additional permissions are granted for anonymous connections to the device. If you enable this policy setting, anonymous users can enumerate the names of domain accounts and shared folders and perform certain other activities. This capability is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. + By default, the token that is created for anonymous connections does not include the Everyone SID. Therefore, permissions that are assigned to the Everyone group do not apply to anonymous users. + ### Possible values + - Enabled + The Everyone SID is added to the token that is created for anonymous connections, and anonymous users can access any resource for which the Everyone group has been assigned permissions. + - Disabled + The Everyone SID is removed from the token that is created for anonymous connections. + - Not defined + ### Best practices + - Set this policy to **Disabled**. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Polices\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords, perform social engineering attacks, or launch DoS attacks. + ### Countermeasure + Disable the **Network access: Let Everyone permissions apply to anonymous users** setting. + ### Potential impact + None. This is the default configuration. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-access-named-pipes-that-can-be-accessed-anonymously.md b/windows/keep-secure/network-access-named-pipes-that-can-be-accessed-anonymously.md index 3046386e99..68f545297d 100644 --- a/windows/keep-secure/network-access-named-pipes-that-can-be-accessed-anonymously.md +++ b/windows/keep-secure/network-access-named-pipes-that-can-be-accessed-anonymously.md @@ -2,129 +2,91 @@ title: Network access Named Pipes that can be accessed anonymously (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network access Named Pipes that can be accessed anonymously security policy setting. ms.assetid: 8897d2a4-813e-4d2b-8518-fcee71e1cf2c -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network access: Named Pipes that can be accessed anonymously + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Network access: Named Pipes that can be accessed anonymously** security policy setting. + ## Reference + This policy setting determines which communication sessions, or pipes, have attributes and permissions that allow anonymous access. + Restricting access over named pipes such as COMNAP and LOCATOR helps prevent unauthorized access to the network. + ### Possible values + - User-defined list of shared folders - Not defined + ### Best practices + - Set this policy to a null value; that is, enable the policy setting, but do not enter named pipes in the text box. This will disable null session access over named pipes, and applications that rely on this feature or on unauthenticated access to named pipes will no longer function. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Netlogon, samr, lsarpc

Stand-Alone Server Default Settings

Null

DC Effective Default Settings

Netlogon, samr, lsarpc

Member Server Effective Default Settings

Not defined

Client Computer Effective Default Settings

Not defined

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined | +| Default Domain Controller Policy | Netlogon, samr, lsarpc| +| Stand-Alone Server Default Settings | Null| +| DC Effective Default Settings | Netlogon, samr, lsarpc| +| Member Server Effective Default Settings | Not defined| +| Client Computer Effective Default Settings | Not defined|   ## Policy management + This section describes different features and tools available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Group Policy + For this policy setting to take effect, you must also enable the [Network access: Restrict anonymous access to Named Pipes and Shares](network-access-restrict-anonymous-access-to-named-pipes-and-shares.md) setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + You can restrict access over named pipes such as COMNAP and LOCATOR to help prevent unauthorized access to the network. The following list describes available named pipes and their purpose. These pipes were granted anonymous access in earlier versions of Windows and some legacy applications may still use them. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Named pipePurpose

COMNAP

SNABase named pipe. Systems network Architecture (SNA) is a collection of network protocols that were originally developed for IBM mainframe computers.

COMNODE

SNA Server named pipe.

SQL\QUERY

Default named pipe for SQL Server.

SPOOLSS

Named pipe for the Print Spooler service.

EPMAPPER

End Point Mapper named pipe.

LOCATOR

Remote Procedure Call Locator service named pipe.

TrlWks

Distributed Link Tracking Client named pipe.

TrkSvr

Distributed Link Tracking Server named pipe.

+ +| Named pipe | Purpose | +| - | - | +| COMNAP | SNABase named pipe. Systems network Architecture (SNA) is a collection of network protocols that were originally developed for IBM mainframe computers.| +| COMNODE| SNA Server named pipe.| +| SQL\QUERY | Default named pipe for SQL Server.| +| SPOOLSS | Named pipe for the Print Spooler service.| +| EPMAPPER | End Point Mapper named pipe.| +| LOCATOR | Remote Procedure Call Locator service named pipe.| +| TrlWks | Distributed Link Tracking Client named pipe.| +| TrkSvr | Distributed Link Tracking Server named pipe.|   ### Countermeasure + Configure the **Network access: Named Pipes that can be accessed anonymously** setting to a null value (enable the setting but do not specify named pipes in the text box). + ### Potential impact + This configuration disables null-session access over named pipes, and applications that rely on this feature or on unauthenticated access to named pipes no longer function. This may break trust between Windows Server 2003 domains in a mixed mode environment. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-access-remotely-accessible-registry-paths-and-subpaths.md b/windows/keep-secure/network-access-remotely-accessible-registry-paths-and-subpaths.md index c4154f266c..3dc22f67e2 100644 --- a/windows/keep-secure/network-access-remotely-accessible-registry-paths-and-subpaths.md +++ b/windows/keep-secure/network-access-remotely-accessible-registry-paths-and-subpaths.md @@ -2,69 +2,57 @@ title: Network access Remotely accessible registry paths and subpaths (Windows 10) description: Describes the best practices, location, values, and security considerations for the Network access Remotely accessible registry paths and subpaths security policy setting. ms.assetid: 3fcbbf70-a002-4f85-8e86-8dabad21928e -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network access: Remotely accessible registry paths and subpaths + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Network access: Remotely accessible registry paths and subpaths** security policy setting. + ## Reference + This policy setting determines which registry paths and subpaths are accessible when an application or process references the WinReg key to determine access permissions. -The registry is a database for device configuration information, much of which is sensitive. A malicious user can use it to facilitate unauthorized activities. The chance of this happening is reduced by the fact that the default ACLs that are assigned throughout the registry are fairly restrictive, and they help protect it from access by unauthorized users. + +The registry is a database for device configuration information, much of which is sensitive. A malicious user can use it to facilitate unauthorized activities. The chance of this happening is reduced by the fact that the default ACLs that are assigned throughout the registry are fairly restrictive, +and they help protect it from access by unauthorized users. + To allow remote access, you must also enable the Remote Registry service. + ### Possible values + - User-defined list of paths - Not Defined + ### Best practices + - Set this policy to a null value; that is, enable the policy setting, but do not enter any paths in the text box. Remote management tools, such as the Microsoft Baseline Security Analyzer and Configuration Manager, require remote access to the registry. Removing the default registry paths from the list of accessible paths might cause these and other management tools to fail. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

See the following registry key combination

DC Effective Default Settings

See the following registry key combination

Member Server Effective Default Settings

See the following registry key combination

Client Computer Effective Default Settings

See the following registry key combination

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | See the following registry key combination| +| DC Effective Default Settings | See the following registry key combination| +| Member Server Effective Default Settings | See the following registry key combination| +| Client Computer Effective Default Settings | See the following registry key combination|   The combination of all the following registry keys apply to the previous settings: + 1. System\\CurrentControlSet\\Control\\Print\\Printers 2. System\\CurrentControlSet\\Services\\Eventlog 3. Software\\Microsoft\\OLAP Server @@ -76,22 +64,33 @@ The combination of all the following registry keys apply to the previous setting 9. System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration 10. Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib 11. System\\CurrentControlSet\\Services\\SysmonLog + ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + The registry contains sensitive device configuration information that could be used by an attacker to facilitate unauthorized activities. The fact that the default ACLs that are assigned throughout the registry are fairly restrictive and help to protect the registry from access by unauthorized users reduces the risk of such an attack. + ### Countermeasure + Configure the **Network access: Remotely accessible registry paths and sub-paths** setting to a null value (enable the setting but do not enter any paths in the text box). + ### Potential impact + Remote management tools such as MBSA and Configuration Manager require remote access to the registry to properly monitor and manage those computers. If you remove the default registry paths from the list of accessible ones, such remote management tools could fail. -**Note**   -If you want to allow remote access, you must also enable the Remote Registry service. + +>**Note:**  If you want to allow remote access, you must also enable the Remote Registry service.   ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-access-remotely-accessible-registry-paths.md b/windows/keep-secure/network-access-remotely-accessible-registry-paths.md index 33f15de3de..88c2340130 100644 --- a/windows/keep-secure/network-access-remotely-accessible-registry-paths.md +++ b/windows/keep-secure/network-access-remotely-accessible-registry-paths.md @@ -2,88 +2,86 @@ title: Network access Remotely accessible registry paths (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network access Remotely accessible registry paths security policy setting. ms.assetid: 977f86ea-864f-4f1b-9756-22220efce0bd -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network access: Remotely accessible registry paths + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Network access: Remotely accessible registry paths** security policy setting. + ## Reference + This policy setting determines which registry paths are accessible when an application or process references the WinReg key to determine access permissions. + The registry is a database for device configuration information, much of which is sensitive. A malicious user can use the registry to facilitate unauthorized activities. To reduce the risk of this happening, suitable access control lists (ACLs) are assigned throughout the registry to help protect it from access by unauthorized users. + To allow remote access, you must also enable the Remote Registry service. + ### Possible values + - User-defined list of paths - Not Defined + ### Best practices + - Set this policy to a null value; that is, enable the policy setting but do not enter any paths in the text box. Remote management tools, such as the Microsoft Baseline Security Analyzer and Configuration Manager, require remote access to the registry. Removing the default registry paths from the list of accessible paths might cause these and other management tools to fail. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

See the following registry key combination

DC Effective Default Settings

See the following registry key combination

Member Server Effective Default Settings

See the following registry key combination

Client Computer Effective Default Settings

See the following registry key combination

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | See the following registry key combination| +| DC Effective Default Settings | See the following registry key combination| +| Member Server Effective Default Settings | See the following registry key combination| +| Client Computer Effective Default Settings | See the following registry key combination|   The combination of all the following registry keys apply to the previous settings: + 1. System\\CurrentControlSet\\Control\\ProductOptions 2. System\\CurrentControlSet\\Control\\Server Applications 3. Software\\Microsoft\\Windows NT\\CurrentVersion + ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + An attacker could use information in the registry to facilitate unauthorized activities. To reduce the risk of such an attack, suitable ACLs are assigned throughout the registry to help protect it from access by unauthorized users. + ### Countermeasure + Configure the **Network access: Remotely accessible registry paths** setting to a null value (enable the setting, but do not enter any paths in the text box). + ### Potential impact + Remote management tools such as the Microsoft Baseline Security Analyzer (MBSA) and Configuration Manager require remote access to the registry to properly monitor and manage those computers. If you remove the default registry paths from the list of accessible ones, such remote management tools could fail. -**Note**   -If you want to allow remote access, you must also enable the Remote Registry service. + +>**Note:**  If you want to allow remote access, you must also enable the Remote Registry service.   ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md b/windows/keep-secure/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md index ab84cb8711..75a2e71242 100644 --- a/windows/keep-secure/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md +++ b/windows/keep-secure/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md @@ -2,81 +2,78 @@ title: Network access Restrict anonymous access to Named Pipes and Shares (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network access Restrict anonymous access to Named Pipes and Shares security policy setting. ms.assetid: e66cd708-7322-4d49-9b57-1bf8ec7a4c10 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network access: Restrict anonymous access to Named Pipes and Shares + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Network access: Restrict anonymous access to Named Pipes and Shares** security policy setting. + ## Reference -This policy setting enables or disables the restriction of anonymous access to only those shared folders and pipes that are named in the **Network access: Named pipes that can be accessed anonymously** and [Network access: Shares that can be accessed anonymously](network-access-shares-that-can-be-accessed-anonymously.md) settings. The setting controls null session access to shared folders on your computers by adding RestrictNullSessAccess with the value 1 in the registry key **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters**. This registry value toggles null session shared folders on or off to control whether the Server service restricts unauthenticated clients' access to named resources. + +This policy setting enables or disables the restriction of anonymous access to only those shared folders and pipes that are named in the **Network access: Named pipes that can be accessed anonymously** and [Network access: Shares that can be accessed anonymously](network-access-shares-that-can-be-accessed-anonymously.md) settings. The setting controls null session access to shared folders on your computers by adding RestrictNullSessAccess with the value 1 in the registry key +**HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters**. This registry value toggles null session shared folders on or off to control whether the Server service restricts unauthenticated clients' access to named resources. + Null sessions are a weakness that can be exploited through the various shared folders on the devices in your environment. + ### Possible values + - Enabled - Disabled - Not defined + ### Best practices + - Set this policy to Enabled. Enabling this policy setting restricts null session access to unauthenticated users to all server pipes and shared folders except those listed in the **NullSessionPipes** and **NullSessionShares** registry entries. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Enabled

DC Effective Default Settings

Enabled

Member Server Effective Default Settings

Enabled

Client Computer Effective Default Settings

Enabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Enabled| +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings | Enabled| +| Client Computer Effective Default Settings| Enabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Null sessions are a weakness that can be exploited through shared folders (including the default shared folders) on devices in your environment. + ### Countermeasure + Enable the **Network access: Restrict anonymous access to Named Pipes and Shares** setting. + ### Potential impact + You can enable this policy setting to restrict null-session access for unauthenticated users to all server pipes and shared folders except those that are listed in the NullSessionPipes and NullSessionShares entries. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-access-shares-that-can-be-accessed-anonymously.md b/windows/keep-secure/network-access-shares-that-can-be-accessed-anonymously.md index 604898a019..4f53f77bdc 100644 --- a/windows/keep-secure/network-access-shares-that-can-be-accessed-anonymously.md +++ b/windows/keep-secure/network-access-shares-that-can-be-accessed-anonymously.md @@ -2,79 +2,74 @@ title: Network access Shares that can be accessed anonymously (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network access Shares that can be accessed anonymously security policy setting. ms.assetid: f3e4b919-8279-4972-b415-5f815e2f0a1a -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network access: Shares that can be accessed anonymously + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Network access: Shares that can be accessed anonymously** security policy setting. + ## Reference + This policy setting determines which shared folders can be accessed by anonymous users. + ### Possible values + - User-defined list of shared folders - Not Defined + ### Best practices + - Set this policy to a null value. There should be little impact because this is the default value. All users will have to be authenticated before they can access shared resources on the server. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Not defined

DC Effective Default Settings

Not defined

Member Server Effective Default Settings

Not defined

Client Computer Effective Default Settings

Not defined

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Not defined| +| DC Effective Default Settings | Not defined| +| Member Server Effective Default Settings | Not defined| +| Client Computer Effective Default Settings | Not defined|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Any shared folders that are listed can be accessed by any network user, which could lead to the exposure or corruption of sensitive data. + ### Countermeasure + Configure the **Network access: Shares that can be accessed anonymously** setting to a null value. + ### Potential impact + There should be little impact because this is the default configuration. Only authenticated users have access to shared resources on the server. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-access-sharing-and-security-model-for-local-accounts.md b/windows/keep-secure/network-access-sharing-and-security-model-for-local-accounts.md index c1f32eb9c3..aab32aedb6 100644 --- a/windows/keep-secure/network-access-sharing-and-security-model-for-local-accounts.md +++ b/windows/keep-secure/network-access-sharing-and-security-model-for-local-accounts.md @@ -2,88 +2,85 @@ title: Network access Sharing and security model for local accounts (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network access Sharing and security model for local accounts security policy setting. ms.assetid: 0b3d703c-ea27-488f-8f59-b345af75b994 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network access: Sharing and security model for local accounts + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Network access: Sharing and security model for local accounts** security policy setting. + ## Reference + This policy setting determines how network logons that use local accounts are authenticated. If you configure this policy setting to Classic, network logons that use local account credentials authenticate with those credentials. If you configure this policy setting to Guest only, network logons that use local accounts are automatically mapped to the Guest account. The Classic model provides precise control over access to resources, and it enables you to grant different types of access to different users for the same resource. Conversely, the Guest only model treats all users equally, and they all receive the same level of access to a given resource, which can be either Read Only or Modify. -**Note**   -This policy setting does not affect network logons that use domain accounts. Nor does this policy setting affect interactive logons that are performed remotely through services such as Telnet or Remote Desktop Services. + +>**Note:**  This policy setting does not affect network logons that use domain accounts. Nor does this policy setting affect interactive logons that are performed remotely through services such as Telnet or Remote Desktop Services. When the device is not joined to a domain, this policy setting also tailors the **Sharing** and **Security** tabs in Windows Explorer to correspond to the sharing and security model that is being used.   When the value of this policy setting is **Guest only - local users authenticate as Guest**, any user who can access your device over the network does so with Guest user rights. This means that they will probably be unable to write to shared folders. Although this does increase security, it makes it impossible for authorized users to access shared resources on those systems. When the value is **Classic - local users authenticate as themselves**, local accounts must be password-protected; otherwise, anyone can use those user accounts to access shared system resources. + ### Possible values + - Classic - Local users authenticate as themselves - Guest only - Local users authenticate as Guest - Not defined + ### Best practices + 1. For network servers, set this policy to **Classic - local users authenticate as themselves**. 2. On end-user systems, set this policy to **Guest only - local users authenticate as Guest**. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Classic (local users authenticate as themselves)

DC Effective Default Settings

Classic (local users authenticate as themselves)

Member Server Effective Default Settings

Classic (local users authenticate as themselves)

Client Computer Effective Default Settings

Classic (local users authenticate as themselves)

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Classic (local users authenticate as themselves)| +| DC Effective Default Settings | Classic (local users authenticate as themselves)| +| Member Server Effective Default Settings | Classic (local users authenticate as themselves)| +| Client Computer Effective Default Settings | Classic (local users authenticate as themselves)|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Group Policy + This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + With the Guest only model, any user who can authenticate to your device over the network does so with Guest privileges, which probably means that they do not have Write access to shared resources on that device. Although this restriction does increase security, it makes it more difficult for authorized users to access shared resources on those computers because ACLs on those resources must include access control entries (ACEs) for the Guest account. With the Classic model, local accounts should be password protected. Otherwise, if Guest access is enabled, anyone can use those user accounts to access shared system resources. + ### Countermeasure + For network servers, configure the **Network access: Sharing and security model for local accounts setting** to **Classic – local users authenticate as themselves**. On end-user computers, configure this policy setting to **Guest only – local users authenticate as guest**. + ### Potential impact + None. This is the default configuration. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-list-manager-policies.md b/windows/keep-secure/network-list-manager-policies.md index 931739dc93..1488ba7052 100644 --- a/windows/keep-secure/network-list-manager-policies.md +++ b/windows/keep-secure/network-list-manager-policies.md @@ -2,50 +2,75 @@ title: Network List Manager policies (Windows 10) description: Network List Manager policies are security settings that you can use to configure different aspects of how networks are listed and displayed on one device or on many devices. ms.assetid: bd8109d4-b07c-4beb-a9a6-affae2ba2fda -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network List Manager policies + **Applies to** - Windows 10 + Network List Manager policies are security settings that you can use to configure different aspects of how networks are listed and displayed on one device or on many devices. + To configure Network List Manager Policies for one device, you can use the Microsoft Management Console (MMC) with the Group Policy Object Editor snap-in, and edit the local computer policy. The Network List Manager Policies are located at the following path in Group Policy Object Editor: **Computer Configuration | Windows Settings | Security Settings | Network List Manager Policies** + To configure Network List Manager Policies for many computers, such as for all of the Domain Computers in an Active Directory domain, follow Group Policy documentation to learn how to edit the policies for the object that you require. The path to the Network List Manager Policies is the same as the path listed above. + ### Policy settings for Network List Manager Policies + The following policy settings are provided for Network List Manager Policies. These policy settings are located in the details pane of the Group Policy Object Editor, in **Network Name**. + ### Unidentified Networks -This policy setting allows you to configure the **Network Location**, including the location type and the user permissions, for networks that Windows cannot identify due to a network issue or a lack of identifiable characters in the network information received by the operating system from the network. A network location identifies the type of network that a computer is connected to and automatically sets the appropriate firewall settings for that location. You can configure the following items for this policy setting: + +This policy setting allows you to configure the **Network Location**, including the location type and the user permissions, for networks that Windows cannot identify due to a network issue or a lack of identifiable characters in the network information received by the operating system from the +network. A network location identifies the type of network that a computer is connected to and automatically sets the appropriate firewall settings for that location. You can configure the following items for this policy setting: + - **Location type**. For this item, the following options are available: + - **Not configured**. If you select this option, this policy setting does not apply a location type to unidentified network connections. - **Private**. If you select this option, this policy setting applies a location type of Private to unidentified network connections. A private network, such as a home or work network, is a location type that assumes that you trust the other computers on the network. Do not select this item if there is a possibility that an active, unidentified network is in a public place. + - **Public**. If you select this option, this policy setting applies a location type of Public to unidentified network connections. A public network, such as a wireless network at an airport or coffee shop, is a location type that assumes that you do not trust the other computers on the network. + - **User permissions**. For this item, the following options are available: + - **Not configured**. If you select this option, this policy setting does not specify whether users can change the location for unidentified network connections. - **User can change location**. If you select this option, this policy setting allows users to change an unidentified network connection location from Private to Public or from Public to Private. - **User cannot change location**. If you select this option, this policy setting does not allow users to change the location of an unidentified network connection. + ### Identifying Networks + This policy setting allows you to configure the **Network Location** for networks that are in a temporary state while Windows works to identify the network and location type. A network location identifies the type of network that a computer is connected to and automatically sets the appropriate firewall settings for that location. You can configure the following items for this policy setting: + - **Location type**. For this item, the following options are available: + - **Not configured**. If you select this option, this policy setting does not apply a location type to network connections that are in the process of being identified by Windows. - **Private**. If you select this option, this policy setting applies a location type of Private to network connections that are in the process of being identified. A private network, such as a home or work network, is a location type that assumes that you trust the other devices on the network. Do not select this item if there is a possibility that an active, unidentified network is in a public place. - **Public**. If you select this option, this policy setting applies a location type of Public to network connections that are in the process of being identified by Windows. A public network, such as a wireless network at an airport or coffee shop, is a location type that assumes that you do not trust the other devices on the network. + ### All Networks + This policy setting allows you to specify the **User Permissions** that control whether users can change the network name, location, or icon, for all networks to which the user connects. You can configure the following items for this policy setting: + - **Network name**. For this item, the following options are available: + - **Not configured**. If you select this option, this policy setting does not specify whether users can change the network name for all network connections. - **User can change name**. If you select this option, users can change the network name for all networks to which they connect. - **User cannot change name**. If you select this option, users cannot change the network name for any networks to which they connect. + - **Network location**. For this item, the following options are available: + - **Not configured**. If you select this option, this policy setting does not specify whether users can change the location for all network connections. - **User can change location**. If you select this option, this policy setting allows users to change all network locations from Private to Public or from Public to Private. - **User cannot change location**. If you select this option, this policy setting does not allow users to change the location for any networks to which they connect. + - **Network icon**. For this item, the following options are available: + - **Not configured**. If you select this option, this policy setting does not specify whether users can change the network icon for all network connections. - **User can change icon**. If you select this option, this policy setting allows users to change the network icon for all networks to which the user connects. - **User cannot change icon**. If you select this option, this policy setting does not allow users to change the network icon for any networks to which the user connects. -  -  diff --git a/windows/keep-secure/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md b/windows/keep-secure/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md index 532768f78b..0c3458656e 100644 --- a/windows/keep-secure/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md +++ b/windows/keep-secure/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md @@ -2,115 +2,87 @@ title: Network security Allow Local System to use computer identity for NTLM (Windows 10) description: Describes the location, values, policy management, and security considerations for the Network security Allow Local System to use computer identity for NTLM security policy setting. ms.assetid: c46a658d-b7a4-4139-b7ea-b9268c240053 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network security: Allow Local System to use computer identity for NTLM + **Applies to** - Windows 10 + Describes the location, values, policy management, and security considerations for the **Network security: Allow Local System to use computer identity for NTLM** security policy setting. + ## Reference + When services connect to devices that are running versions of the Windows operating system earlier than Windows Vista or Windows Server 2008, services that run as Local System and use SPNEGO (Negotiate) that revert to NTLM will authenticate anonymously. In Windows Server 2008 R2 and Windows 7 and later, if a service connects to a computer running Windows Server 2008 or Windows Vista, the system service uses the computer identity. + When a service connects with the device identity, signing and encryption are supported to provide data protection. (When a service connects anonymously, a system-generated session key is created, which provides no protection, but it allows applications to sign and encrypt data without errors. Anonymous authentication uses a NULL session, which is a session with a server in which no user authentication is performed; and therefore, anonymous access is allowed.) + ### Possible values - ----- - - - - - - - - - - - - - - - - - - - - - - - - -
SettingWindows Server 2008 and Windows VistaAt least Windows Server 2008 R2 and Windows 7

Enabled

Services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error.

Services running as Local System that use Negotiate will use the computer identity. This is the default behavior.

Disabled

Services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously. This is the default behavior.

Services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously.

Neither

Services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously.

Services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error.

+ +| Setting | Windows Server 2008 and Windows Vista | At least Windows Server 2008 R2 and Windows 7 | +| - | - | +| Enabled | Services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error.| Services running as Local System that use Negotiate will use the computer identity. This is the default behavior. | +| Disabled| Services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously. This is the default behavior.| Services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously.| +|Neither|Services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously. | Services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error.|   ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or Group Policy object (GPO)Default value

Default domain policy

Not defined

Default domain controller policy

Not defined

Stand-alone server default settings

Not defined

Domain controller effective default settings

Not applicable

Member server effective default settings

Not applicable

Effective GPO default settings on client computers

Not defined

+ +| Server type or Group Policy object (GPO) | Default value | +| - | - | +| Default domain policy| Not defined| +| Default domain controller policy | Not defined| +| Stand-alone server default settings | Not defined| +| Domain controller effective default settings | Not applicable| +| Member server effective default settings | Not applicable| +| Effective GPO default settings on client computers | Not defined|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Policy conflict considerations + The policy [Network security: Allow LocalSystem NULL session fallback](network-security-allow-localsystem-null-session-fallback.md), if enabled, will allow NTLM or Kerberos authentication to be used when a system service attempts authentication. This will increase the success of interoperability at the expense of security. + The anonymous authentication behavior is different for Windows Server 2008 and Windows Vista than later versions of Windows. Configuring and applying this policy setting on those systems might not produce the same results. + ### Group Policy + This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + When a service connects to computers running versions of Windows earlier than Windows Vista or Windows Server 2008, services that run as Local System and use SPNEGO (Negotiate) that revert to NTLM will use NULL session. In Windows Server 2008 R2 and Windows 7 and later, if a service connects to a computer running Windows Server 2008 or Windows Vista, the system service uses the computer identity. + When a service connects with the computer identity, signing and encryption are supported to provide data protection. When a service connects with a NULL session, a system-generated session key is created, which provides no protection, but it allows applications to sign and encrypt data without errors. + ### Countermeasure + You can configure the **Network security: Allow Local System to use computer identity for NTLM** security policy setting to allow Local System services that use Negotiate to use the computer identity when reverting to NTLM authentication. + ### Potential impact + If you do not configure this policy setting on Windows Server 2008 and Windows Vista, services running as Local System that use the default credentials will use the NULL session and revert to NTLM authentication for Windows operating systems earlier than Windows Vista or Windows Server 2008. Beginning with Windows Server 2008 R2 and Windows 7, the system allows Local System services that use Negotiate to use the computer identity when reverting to NTLM authentication. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-security-allow-localsystem-null-session-fallback.md b/windows/keep-secure/network-security-allow-localsystem-null-session-fallback.md index 393c0a9382..405f149efa 100644 --- a/windows/keep-secure/network-security-allow-localsystem-null-session-fallback.md +++ b/windows/keep-secure/network-security-allow-localsystem-null-session-fallback.md @@ -2,78 +2,75 @@ title: Network security Allow LocalSystem NULL session fallback (Windows 10) description: Describes the best practices, location, values, and security considerations for the Network security Allow LocalSystem NULL session fallback security policy setting. ms.assetid: 5b72edaa-bec7-4572-b6f0-648fc38f5395 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network security: Allow LocalSystem NULL session fallback + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Network security: Allow LocalSystem NULL session fallback** security policy setting. + ## Reference -This policy affects session security during the authentication process between devices running Windows Server 2008 R2 and Windows 7 and later and those devices running earlier versions of the Windows operating system. For computers running Windows Server 2008 R2 and Windows 7 and later, services running as Local System require a service principal name (SPN) to generate the session key. However, if [Network security: Allow Local System to use computer identity for NTLM](network-security-allow-local-system-to-use-computer-identity-for-ntlm.md) is set to disabled, services running as Local System will fall back to using NULL session authentication when they transmit data to servers running versions of Windows earlier than Windows Vista or Windows Server 2008. NULL session does not establish a unique session key for each authentication; and thus, it cannot provide integrity or confidentiality protection. The setting **Network security: Allow LocalSystem NULL session fallback** determines whether services that request the use of session security are allowed to perform signature or encryption functions with a well-known key for application compatibility. + +This policy affects session security during the authentication process between devices running Windows Server 2008 R2 and Windows 7 and later and those devices running earlier versions of the Windows operating system. For computers running Windows Server 2008 R2 and Windows 7 and later, services running as Local System require a service principal name (SPN) to generate the session key. However, if [Network security: Allow Local System to use computer identity for NTLM](network-security-allow-local-system-to-use-computer-identity-for-ntlm.md) is set to disabled, services running as Local +System will fall back to using NULL session authentication when they transmit data to servers running versions of Windows earlier than Windows Vista or Windows Server 2008. NULL session does not establish a unique session key for each authentication; and thus, it cannot provide integrity or confidentiality protection. The setting **Network security: Allow LocalSystem NULL session fallback** determines whether services that request the use of session security are allowed to perform signature or encryption functions with a well-known key for application compatibility. + ### Possible values + - **Enabled** + When a service running as Local System connects with a NULL session, a system-generated session key is created, which provides no protection but allows applications to sign and encrypt data without errors. This increases application compatibility, but it degrades the level of security. + - **Disabled** - When a service running as Local System connects with a NULL session, session security will be unavailable. Calls seeking encryption or signing will fail. This setting is more secure, but at the risk of degrading application incompatibility. Calls that are using the device identity instead of a NULL session will still have full use of session security. + + When a service running as Local System connects with a NULL session, session security will be unavailable. Calls seeking encryption or signing will fail. This setting is more secure, but at the risk of degrading application incompatibility. Calls that are using the device identity instead of a + NULL session will still have full use of session security. + - Not defined. When this policy is not defined, the default takes effect. This is Enabled for versions of the Windows operating system earlier than Windows Server 2008 R2 and Windows 7, and it is Disabled otherwise. + ### Best practices + When services connect with the device identity, signing and encryption are supported to provide data protection. When services connect with a NULL session, this level of data protection is not provided. However, you will need to evaluate your environment to determine the Windows operating system versions that you support. If this policy is enabled, some services may not be able to authenticate. + This policy applies to Windows Server 2008 and Windows Vista (SP1 and later). When your environment no longer requires support for Windows NT 4, this policy should be disabled. By default, it is disabled in Windows 7 and Windows Server 2008 R2 and later. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or Group Policy Object (GPO)Default value

Default domain policy

Not defined

Default domain controller policy

Not defined

Stand-alone server default settings

Not defined

Domain controller effective default settings

Not applicable

Member server effective default settings

Not applicable

Effective GPO default settings on client computers

Not applicable

+ +| Server type or Group Policy Object (GPO) | Default value | +| - | - | +| Default domain policy| Not defined| +| Default domain controller policy | Not defined| +| Stand-alone server default settings | Not defined| +| Domain controller effective default settings | Not applicable| +| Member server effective default settings | Not applicable | +| Effective GPO default settings on client computers | Not applicable|   ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + If this setting is Enabled, when a service connects with a NULL session, a system-generated session key is created, which provides no protection but allows applications to sign and encrypt data without errors. Data that is intended to be protected might be exposed. + ### Countermeasure + You can configure the computer to use the computer identity for Local System with the policy **Network security: Allow Local System to use computer identity for NTLM**. If that is not possible, this policy can be used to prevent data from being exposed in transit if it was protected with a well-known key. + ### Potential impact + If you enable this policy, services that use NULL session with Local System could fail to authenticate because they will be prohibited from using signing and encryption. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/keep-secure/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md index a5ffb6243d..fe460ccefd 100644 --- a/windows/keep-secure/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md +++ b/windows/keep-secure/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md @@ -2,83 +2,79 @@ title: Network security Allow PKU2U authentication requests to this computer to use online identities (Windows 10) description: Describes the best practices, location, and values for the Network Security Allow PKU2U authentication requests to this computer to use online identities security policy setting. ms.assetid: e04a854e-d94d-4306-9fb3-56e9bd7bb926 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network security: Allow PKU2U authentication requests to this computer to use online identities + **Applies to** - Windows 10 + Describes the best practices, location, and values for the **Network Security: Allow PKU2U authentication requests to this computer to use online identities** security policy setting. + ## Reference + Starting with Windows Server 2008 R2 and Windows 7, the Negotiate Security Support Provider (SSP) supports an extension SSP, Negoexts.dll. This extension SSP is treated as an authentication protocol by the Windows operating system, and it supports SSPs from Microsoft, including PKU2U. You can also develop or add other SSPs. + When devices are configured to accept authentication requests by using online IDs, Negoexts.dll calls the PKU2U SSP on the computer that is used to log on. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer computers. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation. It associates the user's certificate to a security token, and then the logon process completes. -**Note**   -The ability to link online IDs can be performed by anyone with an account that has standard user’s credentials through **Credential Manager**. + +>**Note:**  The ability to link online IDs can be performed by anyone with an account that has standard user’s credentials through **Credential Manager**.   This policy is not configured by default on domain-joined devices. This would disallow the online identities to be able to authenticate to the domain-joined computers in Windows 7 and later. + ### Possible values + - **Enabled** + This will allow authentication to successfully complete between the two (or more) computers that have established a peer relationship through the use on online IDs. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer devices. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation. It associates the user's certificate to a security token, and then the logon process completes. + - **Disabled** + This will prevent online IDs from being used to authenticate the user to another computer in a peer-to-peer relationship. + - Not set. Not configuring this policy prevents online IDs from being used to authenticate the user. This is the default on domain-joined devices + ### Best practices + Within a domain, domain accounts should be used for authentication. Set this policy to **Disabled** or do not configure this policy to exclude online identities from being used to authenticate. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or Group Policy Object (GPO)Default value

Default domain policy

Not defined

Default domain controller policy

Not defined

Stand-alone server default settings

Not defined

Domain controller effective default settings

Disabled

Member server effective default settings

Disabled

Effective GPO default settings on client computers

Disabled

+ +| Server type or Group Policy Object (GPO) | Default value | +| - | - | +| Default domain policy| Not defined| +| Default domain controller policy | Not defined| +| Stand-alone server default settings | Not defined| +| Domain controller effective default settings | Disabled| +| Member server effective default settings | Disabled| +| Effective GPO default settings on client computers | Disabled|   ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Enabling this policy setting allows a user’s account on one computer to be associated with an online identity, such as Microsoft Account, so that account can log on to a peer device (if the peer device is likewise configured) without the use of a Windows logon account (domain or local). Although this is beneficial for workgroups or home groups, using this feature in a domain-joined environment might circumvent your established security policies. + ### Countermeasure + Set this policy to Disabled or do not configure this security policy for domain-joined devices. + ### Potential impact + If you do not set or disable this policy, the PKU2U protocol will not be used to authenticate between peer devices, which forces users to follow domain defined access control policies. If you enable this policy, you will allow your users to authenticate by using local certificates between systems that are not part of a domain that uses PKU2U. This will allow users to share resources between devices + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-security-configure-encryption-types-allowed-for-kerberos.md b/windows/keep-secure/network-security-configure-encryption-types-allowed-for-kerberos.md index 6fa8240e2e..bcbe56a0ef 100644 --- a/windows/keep-secure/network-security-configure-encryption-types-allowed-for-kerberos.md +++ b/windows/keep-secure/network-security-configure-encryption-types-allowed-for-kerberos.md @@ -2,128 +2,89 @@ title: Network security Configure encryption types allowed for Kerberos Win7 only (Windows 10) description: Describes the best practices, location, values and security considerations for the Network security Configure encryption types allowed for Kerberos Win7 only security policy setting. ms.assetid: 303d32cc-415b-44ba-96c0-133934046ece -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network security: Configure encryption types allowed for Kerberos Win7 only + **Applies to** - Windows 10 + Describes the best practices, location, values and security considerations for the **Network security: Configure encryption types allowed for Kerberos Win7 only** security policy setting. + ## Reference + This policy setting allows you to set the encryption types that the Kerberos protocol is allowed to use. If it is not selected, the encryption type will not be allowed. This setting might affect compatibility with client computers or services and applications. Multiple selections are permitted. + For more information, see [article 977321](http://support.microsoft.com/kb/977321) in the Microsoft Knowledge Base. + The following table lists and explains the allowed encryption types. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Encryption typeDescription and version support

DES_CBC_CRC

Data Encryption Standard with Cipher Block Chaining using the Cyclic Redundancy Check function

-

Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7 and Windows Server 2008 R2 operating systems do not support DES by default.

DES_CBC_MD5

Data Encryption Standard with Cipher Block Chaining using the Message-Digest algorithm 5 checksum function

-

Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7 and Windows Server 2008 R2 operating systems do not support DES by default.

RC4_HMAC_MD5

Rivest Cipher 4 with Hashed Message Authentication Code using the Message-Digest algorithm 5 checksum function

-

Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

AES128_HMAC_SHA1

Advanced Encryption Standard in 128 bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1).

-

Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

AES256_HMAC_SHA1

Advanced Encryption Standard in 256 bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1).

-

Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

Future encryption types

Reserved by Microsoft for additional encryption types that might be implemented.

+ +| Encryption type | Description and version support | +| - | - | +| DES_CBC_CRC | Data Encryption Standard with Cipher Block Chaining using the Cyclic Redundancy Check function
Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7 and Windows Server 2008 R2 operating systems do not support DES| by default. +| DES_CBC_MD5| Data Encryption Standard with Cipher Block Chaining using the Message-Digest algorithm 5 checksum function
Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7 and Windows Server 2008 R2 operating systems do not support DES by default. | +| RC4_HMAC_MD5| Rivest Cipher 4 with Hashed Message Authentication Code using the Message-Digest algorithm 5 checksum function
Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.| +| AES128_HMAC_SHA1| Advanced Encryption Standard in 128 bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1).
Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. | +| AES256_HMAC_SHA1| Advanced Encryption Standard in 256 bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1).
Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. | +| Future encryption types| Reserved by Microsoft for additional encryption types that might be implemented.|   ### Possible values + + The encryption type options include: + - DES\_CBC\_CRC - DES\_CBC\_MD5 - RC4\_HMAC\_MD5 - AES128\_HMAC\_SHA1 - AES256\_HMAC\_SHA1 - Future encryption types + As of the release of Windows 7 and Windows Server 2008 R2, this is reserved by Microsoft for additional encryption types that might be implemented. + ### Best practices + You must analyze your environment to determine which encryption types will be supported and then select those that meet that evaluation. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or Group Policy Object (GPO)Default value

Default domain policy

Not defined

Default domain controller policy

Not defined

Stand-alone server default settings

Not defined

Domain controller effective default settings

None of these encryption types that are available in this policy are allowed.

Member server effective default settings

None of these encryption types that are available in this policy are allowed.

Effective GPO default settings on client computers

None of these encryption types that are available in this policy are allowed.

+| Server type or Group Policy Object (GPO) | Default value | +| - | - | +| Default domain policy| Not defined| +| Default domain controller policy| Not defined| +| Stand-alone server default settings | Not defined| +| Domain controller effective default settings | None of these encryption types that are available in this policy are allowed.| +| Member server effective default settings | None of these encryption types that are available in this policy are allowed.| +| Effective GPO default settings on client computers | None of these encryption types that are available in this policy are allowed.|   ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability -Windows Server 2008 R2 and Windows 7 do not support the DES cryptographic suites because stronger ones are available. To enable Kerberos interoperability with non-Windows versions of the Kerberos protocol, these suites can be enabled. However, doing so might open attack vectors on computers running Windows Server 2008 R2 and Windows 7. You can also disable DES for your computers running Windows Vista and Windows Server 2008. + +Windows Server 2008 R2 and Windows 7 do not support the DES cryptographic suites because stronger ones are available. To enable Kerberos interoperability with non-Windows versions of the Kerberos protocol, these suites can be enabled. However, doing so might open attack vectors on computers running +Windows Server 2008 R2 and Windows 7. You can also disable DES for your computers running Windows Vista and Windows Server 2008. + ### Countermeasure + Do not configure this policy. This will force the computers running Windows Server 2008 R2 and Windows 7 to use the AES or RC4 cryptographic suites. + ### Potential impact + If you do not select any of the encryption types, computers running Windows Server 2008 R2 and Windows 7 might have Kerberos authentication failures when connecting with computers running non-Windows versions of the Kerberos protocol. + If you do select any encryption type, you will lower the effectiveness of encryption for Kerberos authentication but you will improve interoperability with computers running older versions of Windows. Contemporary non-Windows implementations of the Kerberos protocol support RC4 and AES 128-bit and AES 256-bit encryption. Most implementations, including the MIT Kerberos protocol and the Windows Kerberos protocol, are deprecating DES encryption. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md b/windows/keep-secure/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md index 97a0897fcf..11984a8b59 100644 --- a/windows/keep-secure/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md +++ b/windows/keep-secure/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md @@ -2,82 +2,78 @@ title: Network security Do not store LAN Manager hash value on next password change (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network security Do not store LAN Manager hash value on next password change security policy setting. ms.assetid: 6452b268-e5ba-4889-9d38-db28f919af51 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network security: Do not store LAN Manager hash value on next password change + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Network security: Do not store LAN Manager hash value on next password change** security policy setting. + ## Reference + This policy setting determines whether LAN Manager is prevented from storing hash values for the new password the next time the password is changed. Hash values are a representation of the password after the encryption algorithm is applied that corresponds to the format that is specified by the algorithm. To decrypt the hash value, the encryption algorithm must be determined and then reversed. The LAN Manager hash is relatively weak and prone to attack compared to the cryptographically stronger NTLM hash. Because the LM hash is stored on the local device in the security database, the passwords can be compromised if the security database, Security Accounts Manager (SAM), is attacked. + By attacking the SAM file, attackers can potentially gain access to user names and password hashes. Attackers can use a password-cracking tool to determine what the password is. After they have access to this information, they can use it to gain access to resources on your network by impersonating users. Enabling this policy setting will not prevent these types of attacks, but it will make them much more difficult. + ### Possible values + - Enabled - Disabled - Not defined + ### Best practices + 1. Set **Network security: Do not store LAN Manager hash value on next password change** to **Enabled**. 2. Require all users to set new passwords the next time they log on to the domain so that LAN Manager hashes are removed. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Enabled

DC Effective Default Settings

Enabled

Member Server Effective Default Settings

Enabled

Client Computer Effective Default Settings

Enabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Enabled| +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings|Enabled| +| Client Computer Effective Default Settings | Enabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + The SAM file can be targeted by attackers who seek access to user names and password hashes. Such attacks use special tools to discover passwords, which can then be used to impersonate users and gain access to resources on your network. These types of attacks are not prevented by enabling this policy setting because LAN Manager hashes are much weaker than NTLM hashes, but it is much more difficult for these attacks to succeed. + ### Countermeasure + Enable the **Network security: Do not store LAN Manager hash value on next password change** setting. Require all users to set new passwords the next time they log on to the domain so that LAN Manager hashes are removed. + ### Potential impact + Some non-Microsoft applications might not be able to connect to the system. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-security-force-logoff-when-logon-hours-expire.md b/windows/keep-secure/network-security-force-logoff-when-logon-hours-expire.md index 410ead1171..a302a70695 100644 --- a/windows/keep-secure/network-security-force-logoff-when-logon-hours-expire.md +++ b/windows/keep-secure/network-security-force-logoff-when-logon-hours-expire.md @@ -2,83 +2,83 @@ title: Network security Force logoff when logon hours expire (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network security Force logoff when logon hours expire security policy setting. ms.assetid: 64d5dde4-58e4-4217-b2c4-73bd554ec926 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network security: Force logoff when logon hours expire + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Network security: Force logoff when logon hours expire** security policy setting. + ## Reference + This security setting determines whether to disconnect users who are connected to the local device outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. + This policy setting does not apply to administrator accounts, but it behaves as an account policy. For domain accounts, there can be only one account policy. The account policy must be defined in the Default Domain Policy, and it is enforced by the domain controllers that make up the domain. A domain controller always pulls the account policy from the Default Domain Policy Group Policy Object (GPO), even if there is a different account policy that is applied to the organizational unit that contains the domain controller. By default, workstations and servers that are joined to a domain (for example, member devices) also receive the same account policy for their local accounts. However, local account policies for member devices can be different from the domain account policy by defining an account policy for the organizational unit that contains the member devices. Kerberos settings are not applied to member devices. + ### Possible values + - Enabled + When enabled, this policy causes client sessions with the SMB server to be forcibly disconnected when the client's logon hours expire. + - Disabled + When disabled, this policy allows for the continuation of an established client session after the client's logon hours have expired. + - Not defined + ### Best practices + - Set **Network security: Force logoff when logon hours expire** to Enabled. SMB sessions will be terminated on member servers when a user's logon time expires, and the user will be unable to log on to the system until their next scheduled access time begins. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Disabled

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Disabled| +| Default Domain Controller Policy| Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + If you disable this policy setting, users can remain connected to the computer outside of their allotted logon hours. + ### Countermeasure + Enable the **Network security: Force logoff when logon hours expire** setting. This policy setting does not apply to administrator accounts. + ### Potential impact + When a user's logon time expires, SMB sessions terminate. The user cannot log on to the device until the next scheduled access time commences. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-security-lan-manager-authentication-level.md b/windows/keep-secure/network-security-lan-manager-authentication-level.md index 1b3103d943..3ae2b1240e 100644 --- a/windows/keep-secure/network-security-lan-manager-authentication-level.md +++ b/windows/keep-secure/network-security-lan-manager-authentication-level.md @@ -2,25 +2,34 @@ title: Network security LAN Manager authentication level (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network security LAN Manager authentication level security policy setting. ms.assetid: bbe1a98c-420a-41e7-9d3c-3a2fe0f1843e -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network security: LAN Manager authentication level + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Network security: LAN Manager authentication level** security policy setting. + ## Reference + This policy setting determines which challenge or response authentication protocol is used for network logons. LAN Manager (LM) includes client computer and server software from Microsoft that allows users to link personal devices together on a single network. Network capabilities include transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, the Kerberos protocol is the default authentication protocol. However, if the Kerberos protocol is not negotiated for some reason, Active Directory uses LM, NTLM, or NTLM version 2 (NTLMv2). + LAN Manager authentication includes the LM, NTLM, and NTLMv2 variants, and it is the protocol that is used to authenticate all client devices running the Windows operating system when they perform the following operations: + - Join a domain - Authenticate between Active Directory forests - Authenticate to domains based on earlier versions of the Windows operating system - Authenticate to computers that do not run Windows operating systems, beginning with Windows 2000 - Authenticate to computers that are not in the domain + ### Possible values + - Send LM & NTLM responses - Send LM & NTLM - use NTLMv2 session security if negotiated - Send NTLM responses only @@ -28,114 +37,68 @@ LAN Manager authentication includes the LM, NTLM, and NTLMv2 variants, and it is - Send NTLMv2 responses only. Refuse LM - Send NTLMv2 responses only. Refuse LM & NTLM - Not Defined -The **Network security: LAN Manager authentication level** setting determines which challenge/response authentication protocol is used for network logons. This choice affects the authentication protocol level that clients use, the session security level that the computers negotiate, and the authentication level that servers accept. The following table identifies the policy settings, describes the setting, and identifies the security level used in the corresponding registry setting if you choose to use the registry to control this setting instead of the policy setting. - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
SettingDescriptionRegistry security level

Send LM & NTLM responses

Client devices use LM and NTLM authentication, and they never use NTLMv2 session security. Domain controllers accept LM, NTLM, and NTLMv2 authentication.

0

Send LM & NTLM – use NTLMv2 session security if negotiated

Client devices use LM and NTLM authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.

1

Send NTLM response only

Client devices use NTLMv1 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.

2

Send NTLMv2 response only

Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.

3

Send NTLMv2 response only. Refuse LM

Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers refuse to accept LM authentication, and they will accept only NTLM and NTLMv2 authentication.

4

Send NTLMv2 response only. Refuse LM & NTLM

Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers refuse to accept LM and NTLM authentication, and they will accept only NTLMv2 authentication.

5

+ +The **Network security: LAN Manager authentication level** setting determines which challenge/response authentication protocol is used for network logons. This choice affects the authentication protocol level that clients use, the session security level that the computers negotiate, and the +authentication level that servers accept. The following table identifies the policy settings, describes the setting, and identifies the security level used in the corresponding registry setting if you choose to use the registry to control this setting instead of the policy setting. + +| Setting | Description | Registry security level | +| - | - | - | +| Send LM & NTLM responses | Client devices use LM and NTLM authentication, and they never use NTLMv2 session security. Domain controllers accept LM, NTLM, and NTLMv2 authentication.| 0| +| Send LM & NTLM – use NTLMv2 session security if negotiated | Client devices use LM and NTLM authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.| 1| +| Send NTLM response only| Client devices use NTLMv1 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.| 2| +| Send NTLMv2 response only | Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.| 3| +| Send NTLMv2 response only. Refuse LM | Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers refuse to accept LM authentication, and they will accept only NTLM and NTLMv2 authentication.| 4| +| Send NTLMv2 response only. Refuse LM & NTLM | Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers refuse to accept LM and NTLM authentication, and they will accept only NTLMv2 authentication.| 5|   ### Best practices + - Best practices are dependent on your specific security and authentication requirements. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Send NTLMv2 response only

DC Effective Default Settings

Send NTLMv2 response only

Member Server Effective Default Settings

Send NTLMv2 response only

Client Computer Effective Default Settings

Not defined

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Send NTLMv2 response only| +| DC Effective Default Settings | Send NTLMv2 response only| +| Member Server Effective Default Settings | Send NTLMv2 response only| +| Client Computer Effective Default Settings | Not defined|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Group Policy + Modifying this setting may affect compatibility with client devices, services, and applications. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + In Windows 7 and Windows Vista, this setting is undefined. In Windows Server 2008 R2 and later, this setting is configured to **Send NTLMv2 responses only**. + ### Countermeasure + Configure the **Network security: LAN Manager Authentication Level** setting to **Send NTLMv2 responses only**. Microsoft and a number of independent organizations strongly recommend this level of authentication when all client computers support NTLMv2. + ### Potential impact + Client devices that do not support NTLMv2 authentication cannot authenticate in the domain and access domain resources by using LM and NTLM. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-security-ldap-client-signing-requirements.md b/windows/keep-secure/network-security-ldap-client-signing-requirements.md index 533858f613..158b64ed3c 100644 --- a/windows/keep-secure/network-security-ldap-client-signing-requirements.md +++ b/windows/keep-secure/network-security-ldap-client-signing-requirements.md @@ -2,87 +2,86 @@ title: Network security LDAP client signing requirements (Windows 10) description: This security policy reference topic for the IT professional describes the best practices, location, values, policy management and security considerations for this policy setting. ms.assetid: 38b35489-eb5b-4035-bc87-df63de50509c -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network security: LDAP client signing requirements + **Applies to** - Windows 10 + This security policy reference topic for the IT professional describes the best practices, location, values, policy management and security considerations for this policy setting. This information applies to computers running at least the Windows Server 2008 operating system. + ## Reference + This policy setting determines the level of data signing that is requested on behalf of client devices that issue LDAP BIND requests. The levels of data signing are described in the following list: + - **None**. The LDAP BIND request is issued with the caller-specified options. - **Negotiate signing**. If Transport Layer Security/Secure Sockets Layer (TLS/SSL) has not been started, the LDAP BIND request is initiated with the LDAP data signing option set in addition to the caller-specified options. If TLS/SSL has been started, the LDAP BIND request is initiated with the caller-specified options. - **Require signing**. This level is the same as **Negotiate signing**. However, if the LDAP server's intermediate saslBindInProgress response does not indicate that LDAP traffic signing is required, the caller is returned a message that the LDAP BIND command request failed. + Misuse of this policy setting is a common error that can cause data loss or problems with data access or security. + ### Possible values + - None - Negotiate signing - Require signature - Not Defined + ### Best practices + - Set **Domain controller: LDAP server signing requirements** to **Require signature**. If you set the server to require LDAP signatures, you must also set the client devices to do so. Not setting the client devices will prevent client computers from communicating with the server. This can cause many features to fail, including user authentication, Group Policy, and logon scripts. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Negotiate signing

DC Effective Default Settings

Negotiate signing

Member Server Effective Default Settings

Negotiate signing

Client Computer Effective Default Settings

Negotiate signing

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Negotiate signing| +| DC Effective Default Settings | Negotiate signing| +| Member Server Effective Default Settings | Negotiate signing| +| Client Computer Effective Default Settings | Negotiate signing|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Group Policy + Modifying this setting may affect compatibility with client devices, services, and applications. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder captures the packets between the client computer and server, modifies them, and then forwards them to the server. For an LDAP server, this susceptibility means that an attacker could cause a server to make decisions that are based on false or altered data from the LDAP queries. To lower this risk in your network, you can implement strong physical security measures to protect the network infrastructure. Also, you can make all types of man-in-the-middle attacks extremely difficult if you require digital signatures on all network packets by means of IPsec authentication headers. + ### Countermeasure + Configure the **Network security: LDAP server signing requirements** setting to **Require signature**. + ### Potential impact + If you configure the server to require LDAP signatures, you must also configure the client computers. If you do not configure the client devices, they cannot communicate with the server, which could cause many features to fail, including user authentication, Group Policy, and logon scripts. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md b/windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md index 1fcbb6bbc4..b9a0e71329 100644 --- a/windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md +++ b/windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md @@ -2,83 +2,83 @@ title: Network security Minimum session security for NTLM SSP based (including secure RPC) clients (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network security Minimum session security for NTLM SSP based (including secure RPC) clients security policy setting. ms.assetid: 89903de8-23d0-4e0f-9bef-c00cb7aebf00 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network security: Minimum session security for NTLM SSP based (including secure RPC) clients + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Network security: Minimum session security for NTLM SSP based (including secure RPC) clients** security policy setting. + ## Reference + This policy setting allows a client device to require the negotiation of 128-bit encryption or NTLMv2 session security. These values are dependent on the **Network security: LAN Manager Authentication Level policy** setting value. + ### Possible values + - Require NTLMv2 session security + The connection fails if strong encryption (128-bit) is not negotiated. + - Require 128-bit encryption + The connection fails if the NTLMv2 protocol is not negotiated. + ### Best practices + Practices in setting this policy are dependent on your security requirements. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Require 128-bit encryption

DC Effective Default Settings

Require 128-bit encryption

Member Server Effective Default Settings

Require 128-bit encryption

Client Computer Effective Default Settings

Require 128-bit encryption

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy| Not defined| +| Stand-Alone Server Default Settings | Require 128-bit encryption| +| DC Effective Default Settings | Require 128-bit encryption| +| Member Server Effective Default Settings | Require 128-bit encryption| +| Client Computer Effective Default Settings | Require 128-bit encryption|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Policy conflicts + The settings for this security policy are dependent on the **Network security: LAN Manager Authentication Level policy** setting value. For info about this policy, see [Network security: LAN Manager authentication level](network-security-lan-manager-authentication-level.md). + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Network traffic that uses the NTLM Security Support Provider (NTLM SSP) could be exposed such that an attacker who has gained access to the network can create man-in-the-middle attacks. + ### Countermeasure + Enable all options that are available for the **Network security: Minimum session security for NTLM SSP based (including secure RPC) clients policy** setting. + ### Potential impact + Client devices that enforce these settings cannot communicate with older servers that do not support them. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md b/windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md index 581c58aa2d..752b9c97c1 100644 --- a/windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md +++ b/windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md @@ -2,83 +2,81 @@ title: Network security Minimum session security for NTLM SSP based (including secure RPC) servers (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network security Minimum session security for NTLM SSP based (including secure RPC) servers security policy setting. ms.assetid: c6a60c1b-bc8d-4d02-9481-f847a411b4fc -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network security: Minimum session security for NTLM SSP based (including secure RPC) servers + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Network security: Minimum session security for NTLM SSP based (including secure RPC) servers** security policy setting. + ## Reference + This policy setting allows a client device to require the negotiation of 128-bit encryption or NTLMv2 session security. These values are dependent on the [Network security: LAN Manager authentication level](network-security-lan-manager-authentication-level.md) policy setting value. + Setting all of these values for this policy setting will help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by a malicious user who has gained access to the same network. That is, these settings help protect against man-in-the-middle attacks. + ### Possible values + - Require 128-bit encryption. The connection fails if strong encryption (128-bit) is not negotiated. - Require NTLMv2 session security. The connection fails if the NTLMv2 protocol is not negotiated. - Not Defined. + ### Best practices + - Enable all values that are available for this security policy. Legacy client devices that do not support these policy settings will be unable to communicate with the server. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Require 128-bit encryption

DC Effective Default Settings

Require 128-bit encryption

Member Server Effective Default Settings

Require 128-bit encryption

Client Computer Effective Default Settings

Require 128-bit encryption

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy| Not defined| +| Stand-Alone Server Default Settings | Require 128-bit encryption| +| DC Effective Default Settings | Require 128-bit encryption| +| Member Server Effective Default Settings | Require 128-bit encryption| +| Client Computer Effective Default Settings | Require 128-bit encryption|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Policy dependencies + The settings for this security policy are dependent on the [Network security: LAN Manager authentication level](network-security-lan-manager-authentication-level.md) setting value. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Network traffic that uses the NTLM Security Support Provider (NTLM SSP) could be exposed such that an attacker who has gained access to the network can create man-in-the-middle attacks. + ### Countermeasure + Enable all options that are available for the **Network security: Minimum session security for NTLM SSP based (including secure RPC) servers** policy setting. + ### Potential impact + Older client devices that do not support these security settings cannot communicate with the computer on which this policy is set. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md b/windows/keep-secure/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md index 64151c9c05..74c9b41100 100644 --- a/windows/keep-secure/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md +++ b/windows/keep-secure/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md @@ -2,91 +2,101 @@ title: Network security Restrict NTLM Add remote server exceptions for NTLM authentication (Windows 10) description: Describes the best practices, location, values, management aspects, and security considerations for the Network security Restrict NTLM Add remote server exceptions for NTLM authentication security policy setting. ms.assetid: 9b017399-0a54-4580-bfae-614c2beda3a1 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication + **Applies to** - Windows 10 + Describes the best practices, location, values, management aspects, and security considerations for the **Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication** security policy setting. + ## Reference + The **Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication** policy setting allows you to create an exception list of remote servers to which client devices are allowed to use NTLM authentication if the [Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md) policy setting is configured. + If you configure this policy setting, you can define a list of remote servers to which client devices are allowed to use NTLM authentication. + If you do not configure this policy setting, no exceptions will be applied, and if [Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md) is enabled, NTLM authentication attempts from the client devices will fail. + List the NetBIOS server names that are used by the applications as the naming format, one per line. To ensure exceptions, the names that are used by all applications need to be in the list. A single asterisk (\*) can be used anywhere in the string as a wildcard character. + ### Possible values + - User-defined list of remote servers + When you enter a list of remote servers to which clients are allowed to use NTLM authentication, the policy is defined and enabled. + - Not defined + If you do not configure this policy setting by defining a list of servers, the policy is undefined and no exceptions will be applied. + ### Best practices + 1. First enforce the [Network Security: Restrict NTLM: Audit incoming NTLM traffic](network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md) or [Network Security: Restrict NTLM: Audit NTLM authentication in this domain](network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md) policy setting and then review the operational event log to understand which servers are involved in these authentication attempts so you can decide which servers to exempt. + 2. After you have set the server exception list, enforce the [Network Security: Restrict NTLM: Audit incoming NTLM traffic](network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md) or [Network Security: Restrict NTLM: Audit NTLM authentication in this domain](network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md) policy setting and then review the operational event log again before setting the policies to block NTLM traffic. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default domain policy

Not defined

Default domain controller policy

Not defined

Stand-alone server default settings

Not defined

Domain controller effective default settings

Not defined

Member server effective default settings

Not defined

Client computer effective default settings

Not defined

+ +| Server type or GPO | Default value | +| - | - | +| Default domain policy| Not defined| +| Default domain controller policy | Not defined| +| Stand-alone server default settings | Not defined| +| Domain controller effective default settings | Not defined| +| Member server effective default settings | Not defined| +| Client computer effective default settings| Not defined|   ## Policy management + This section describes the features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Group Policy + Setting and deploying this policy through Group Policy takes precedence over the setting on the local device. If the Group Policy setting is set to **Not Configured**, local settings will apply. + ### Auditing + View the operational event log to see if your server exception list is functioning as intended. Audit and block events are recorded on this device in the operational event log located in **Applications and Services Log\\Microsoft\\Windows\\NTLM**. + There are no security audit policies that can be configured to view output from this policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability -When it has been determined that the NTLM authentication protocol should not be used from a client device to any remote servers because you are required to use a more secure protocol such as Kerberos, there might be some client applications that still use NTLM. If so, and you set [Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md) to any of the deny options, those applications will fail because the outbound NTLM authentication traffic from the client computer will be blocked. + +When it has been determined that the NTLM authentication protocol should not be used from a client device to any remote servers because you are required to use a more secure protocol such as Kerberos, there might be some client applications that still use NTLM. If so, and you set [Network Security: +Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md) to any of the deny options, those applications will fail because the outbound NTLM authentication traffic from the client computer will be blocked. + If you define an exception list of servers to which client devices are allowed to use NTLM authentication, then NTLM authentication traffic will continue to flow between those client applications and servers. The servers then are vulnerable to any malicious attack that takes advantage of security weaknesses in NTLM. + ### Countermeasure -When you use [Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md) in audit-only mode, you can determine by reviewing which client applications are making NTLM authentication requests to the remote servers in your environment. When assessed, you will have to determine on a case-by-case basis if NTLM authentication still minimally meets your security requirements. If not, the client application has to be upgraded to use something other than NTLM authentication. + +When you use [Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md) in audit-only mode, you can determine by reviewing which client applications are making NTLM authentication requests to the remote +servers in your environment. When assessed, you will have to determine on a case-by-case basis if NTLM authentication still minimally meets your security requirements. If not, the client application has to be upgraded to use something other than NTLM authentication. + ### Potential impact + Defining a list of servers for this policy setting will enable NTLM authentication traffic from the client application that uses those servers, and this might result in a security vulnerability. + If this list is not defined and [Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md) is enabled, then client applications that use NTLM will fail to authenticate to those servers that they have previously used. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md b/windows/keep-secure/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md index a9dd8ee023..e16e7c0ff3 100644 --- a/windows/keep-secure/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md +++ b/windows/keep-secure/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md @@ -2,91 +2,101 @@ title: Network security Restrict NTLM Add server exceptions in this domain (Windows 10) description: Describes the best practices, location, values, management aspects, and security considerations for the Network security Restrict NTLM Add server exceptions in this domain security policy setting. ms.assetid: 2f981b68-6aa7-4dd9-b53d-d88551277cc0 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network security: Restrict NTLM: Add server exceptions in this domain + **Applies to** - Windows 10 + Describes the best practices, location, values, management aspects, and security considerations for the **Network security: Restrict NTLM: Add server exceptions in this domain** security policy setting. + ## Reference + The **Network security: Restrict NTLM: Add server exceptions in this domain** policy setting allows you to create an exception list of servers in this domain to which client device are allowed to use NTLM pass-through authentication if any of the deny options are set in the [Network Security: Restrict NTLM: NTLM authentication in this domain](network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md) policy setting. + If you configure this policy setting, you can define a list of servers in this domain to which client devices are allowed to use NTLM authentication. + If you do not configure this policy setting, no exceptions will be applied, and if **Network Security: Restrict NTLM: NTLM authentication in this domain** is enabled, all NTLM authentication attempts in the domain will fail. + List the NetBIOS server names as the naming format, one per line. A single asterisk (\*) can be used anywhere in the string as a wildcard character. + ### Possible values + - User-defined list of servers + When you enter a list of servers in this domain to which clients are allowed to use NTLM authentication, the policy is defined and enabled. + - Not defined + If you do not configure this policy setting by defining a list of servers, the policy is undefined and no exceptions will be applied. + ### Best practices + 1. First enforce the **Network Security: Restrict NTLM: Audit NTLM authentication in this domain** policy setting, and then review the operational event log to understand what domain controllers are involved in these authentication attempts so you can decide which servers to exempt. 2. After you have set the server exception list, enforce the **Network Security: Restrict NTLM: Audit NTLM authentication in this domain** policy setting, and then review the operational event log again before setting the policies to block NTLM traffic. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default domain policy

Not defined

Default domain controller policy

Not defined

Stand-alone server default settings

Not defined

Domain controller effective default settings

Not defined

Member server effective default settings

Not defined

Client computer effective default settings

Not defined

+ +| Server type or GPO | Default value | +| - | - | +| Default domain policy| Not defined | +| Default domain controller policy | Not defined| +| Stand-alone server default settings | Not defined| +| Domain controller effective default settings | Not defined| +| Member server effective default settings | Not defined| +| Client computer effective default settings | Not defined|   ## Policy management + This section describes different features and tools available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a restart when saved locally or distributed through Group Policy. + ### Group Policy + Setting and deploying this policy via Group Policy takes precedence over the setting on the local device. If the Group Policy is set to **Not Configured**, local settings will apply. + ### Auditing + View the operational event log to see if your server exception list is functioning as intended. Audit and block events are recorded on this computer in the operational event log located in **Applications and Services Log\\Microsoft\\Windows\\NTLM**. + There are no security audit policies that can be configured to view output from this policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability -When it has been determined that the NTLM authentication protocol should not be used within a domain because you are required to use a more secure protocol such as Kerberos, there might be some NTLM authentication traffic that is still present in the domain. If so, and you set Network Security: [Network Security: Restrict NTLM: NTLM authentication in this domain](network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md) to any of the deny options, any NTLM authentication request will fail because the pass-through member server will block the NTLM request. -If you define an exception list of servers in this domain to which client computers are allowed to use NTLM pass-through authentication, then NTLM authentication traffic will continue to flow between those servers, which make them vulnerable to any malicious attack that takes advantage of security weaknesses in NTLM. + +When it has been determined that the NTLM authentication protocol should not be used within a domain because you are required to use a more secure protocol such as Kerberos, there might be some NTLM authentication traffic that is still present in the domain. If so, and you set Network Security: +[Network Security: Restrict NTLM: NTLM authentication in this domain](network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md) to any of the deny options, any NTLM authentication request will fail because the pass-through member server will block the NTLM request. + +If you define an exception list of servers in this domain to which client computers are allowed to use NTLM pass-through authentication, then NTLM authentication traffic will continue to flow between those servers, which make them vulnerable to any malicious attack that takes advantage of security +weaknesses in NTLM. + ### Countermeasure -When you use **Network Security: Restrict NTLM: NTLM authentication in this domain** in audit-only mode, you can determine by reviewing which client applications are making NTLM authentication requests to the pass-through authentication servers. When assessed, you will have to determine on a case-by-case basis if NTLM authentication still minimally meets your security requirements. + +When you use **Network Security: Restrict NTLM: NTLM authentication in this domain** in audit-only mode, you can determine by reviewing which client applications are making NTLM authentication requests to the pass-through authentication servers. When assessed, you will have to determine on a +case-by-case basis if NTLM authentication still minimally meets your security requirements. + ### Potential impact + Defining a list of servers for this policy setting will enable NTLM authentication traffic between those servers might result in a security vulnerability. + If this list is not defined and **Network Security: Restrict NTLM: NTLM authentication in this domain** is enabled, then NTLM authentication will fail on those pass-through servers in the domain that they have previously used + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md b/windows/keep-secure/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md index 1f01809e6d..f5b4bd4032 100644 --- a/windows/keep-secure/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md +++ b/windows/keep-secure/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md @@ -2,93 +2,104 @@ title: Network security Restrict NTLM Audit incoming NTLM traffic (Windows 10) description: Describes the best practices, location, values, management aspects, and security considerations for the Network Security Restrict NTLM Audit incoming NTLM traffic security policy setting. ms.assetid: 37e380c2-22e1-44cd-9993-e12815b845cf -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network security: Restrict NTLM: Audit incoming NTLM traffic + **Applies to** - Windows 10 + Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: Audit incoming NTLM traffic** security policy setting. + ## Reference + The **Network Security: Restrict NTLM: Audit incoming NTLM traffic** policy setting allows you to audit incoming NTLM traffic. + When this audit policy is enabled within Group Policy, it is enforced on any server where that Group Policy is distributed. The events will be recorded in the operational event log located in **Applications and Services Log\\Microsoft\\Windows\\NTLM**. Using an audit event collection system can help you collect the events for analysis more efficiently. + When you enable this policy on a server, only authentication traffic to that server will be logged. -When you enable this audit policy, it functions in the same way as the [Network Security: Restrict NTLM: Incoming NTLM traffic](network-security-restrict-ntlm-incoming-ntlm-traffic.md) policy, but it does not actually block any traffic. Therefore, you can use it effectively to understand the authentication traffic in your environment, and when you are ready to block that traffic, you can enable the Network Security: Restrict NTLM: Incoming NTLM traffic policy setting and select **Deny all accounts** or **Deny all domain accounts**. + +When you enable this audit policy, it functions in the same way as the [Network Security: Restrict NTLM: Incoming NTLM traffic](network-security-restrict-ntlm-incoming-ntlm-traffic.md) policy, but it does not actually block any traffic. Therefore, you can use it effectively to understand the +authentication traffic in your environment, and when you are ready to block that traffic, you can enable the Network Security: Restrict NTLM: Incoming NTLM traffic policy setting and select **Deny all accounts** or **Deny all domain accounts**. + ### Possible values + - Disable + The server on which this policy is set will not log events for incoming NTLM traffic. + - Enable auditing for domain accounts + The server on which this policy is set will log events for NTLM pass-through authentication requests only for accounts in the domain that would be blocked when the [Network Security: Restrict NTLM: Incoming NTLM traffic](network-security-restrict-ntlm-incoming-ntlm-traffic.md) policy setting is set to **Deny all domain accounts**. + - Enable auditing for all accounts + The server on which this policy is set will log events for all NTLM authentication requests that would be blocked when the [Network Security: Restrict NTLM: Incoming NTLM traffic](network-security-restrict-ntlm-incoming-ntlm-traffic.md) policy setting is set to **Deny all accounts**. + - Not defined + This is the same as **Disable**, and it results in no auditing of NTLM traffic. + ### Best practices + Depending on your environment and the duration of your testing, monitor the log size regularly. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default domain policy

Not defined

Default domain controller policy

Not defined

Stand-alone server default settings

Not defined

Domain controller effective default settings

Not defined

Member server effective default settings

Not defined

Client computer effective default settings

Not defined

+ +| Server type or GPO | Default value | +| - | - | +| Default domain policy| Not defined| +| Default domain controller policy | Not defined| +| Stand-alone server default settings | Not defined| +| Domain controller effective default settings | Not defined| +| Member server effective default settings | Not defined| +| Client computer effective default settings | Not defined|   ## Policy management + This section describes different features and tools available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a restart when saved locally or distributed through Group Policy. + ### Group Policy + Setting and deploying this policy using Group Policy takes precedence over the setting on the local device. If the Group Policy is set to **Not Configured**, local settings will apply. + ### Auditing + View the operational event log to see if this policy is functioning as intended. Audit and block events are recorded on this computer in the operational event log located in **Applications and Services Log\\Microsoft\\Windows\\NTLM**. Using an audit event collection system can help you collect the events for analysis more efficiently. + There are no security audit event policies that can be configured to view output from this policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + NTLM and NTLMv2 authentication is vulnerable to a variety of malicious attacks, including SMB relay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the Kerberos version 5 protocol, or different authentication mechanisms, such as smart cards. + ### Vulnerability + Enabling this policy setting will reveal through logging which servers and client computers within your network or domain handle NTLM traffic. The identity of these devices can be used in malicious ways if NTLM authentication traffic is compromised. The policy setting does not prevent or mitigate any vulnerability because it is for audit purposes only. + ### Countermeasure + Restrict access to the log files when this policy setting is enabled in your production environment. + ### Potential impact + If you do not enable or configure this policy setting, no NTLM authentication traffic information will be logged. If you do enable this policy setting, only auditing functions will occur; no security enhancements will be implemented. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md b/windows/keep-secure/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md index 6f7df9f011..c4254e5036 100644 --- a/windows/keep-secure/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md +++ b/windows/keep-secure/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md @@ -2,92 +2,101 @@ title: Network security Restrict NTLM Audit NTLM authentication in this domain (Windows 10) description: Describes the best practices, location, values, management aspects, and security considerations for the Network Security Restrict NTLM Audit NTLM authentication in this domain security policy setting. ms.assetid: 33183ef9-53b5-4258-8605-73dc46335e6e -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network security: Restrict NTLM: Audit NTLM authentication in this domain + **Applies to** - Windows 10 + Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: Audit NTLM authentication in this domain** security policy setting. + ## Reference + The **Network Security: Restrict NTLM: Audit NTLM authentication in this domain** policy setting allows you to audit on the domain controller NTLM authentication in that domain. + When you enable this policy setting on the domain controller, only authentication traffic to that domain controller will be logged. + When you enable this audit policy, it functions in the same way as the **Network Security: Restrict NTLM: NTLM authentication in this domain** policy setting, but it does not actually block any traffic. Therefore, you can use it effectively to understand the authentication traffic to your domain controllers and when you are ready to block that traffic, you can enable the **Network Security: Restrict NTLM: NTLM authentication in this domain** policy setting and select **Deny for domain accounts to domain servers**, **Deny for domain servers**, or **Deny for domain accounts**. + ### Possible values + - **Disable** + The domain controller on which this policy is set will not log events for incoming NTLM traffic. + - **Enable for domain accounts to domain servers** + The domain controller on which this policy is set will log events for NTLM authentication logon attempts for accounts in the domain to domain servers when NTLM authentication would be denied because the **Network security: Restrict NTLM: NTLM authentication in this domain** policy setting is set to **Deny for domain accounts to domain servers**. + - **Enable for domain accounts** + The domain controller will log events for NTLM authentication logon attempts that use domain accounts when NTLM authentication would be denied because the **Network security: Restrict NTLM: NTLM authentication in this domain** policy setting is set to **Deny for domain accounts**. + - Not defined + This is the same as **Disable** and results in no auditing of NTLM traffic. + ### Best practices + Depending on your environment and the duration of your testing, monitor the operational event log size regularly. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default domain policy

Not defined

Default domain controller policy

Not defined

Stand-alone server default settings

Not defined

Domain controller effective default settings

Not defined

Member server effective default settings

Not defined

Client computer effective default settings

Not defined

+ +| Server type or GPO | Default value | +| - | - | +| Default domain policy| Not defined| +| Default domain controller policy | Not defined| +| Stand-alone server default settings | Not defined| +| Domain controller effective default settings | Not defined| +| Member server effective default settings | Not defined| +| Client computer effective default settings | Not defined|   ## Policy management + This section describes different features and tools available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a restart when saved locally or distributed through Group Policy. + ### Group Policy + Setting and deploying this policy using Group Policy takes precedence over the setting on the local device. If the Group Policy is set to **Not Configured**, local settings will apply. + ### Auditing + View the operational event log to see if this policy is functioning as intended. Audit and block events are recorded on this computer in the operational event log located in **Applications and Services Log\\Microsoft\\Windows\\NTLM**. Using an audit event collection system can help you collect the events for analysis more efficiently. + There are no security audit event policies that can be configured to view output from this policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. -NTLM and NTLMv2 authentication is vulnerable to a variety of malicious attacks, including SMB replay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the Kerberos version 5 protocol, or different authentication mechanisms, such as smart cards. + +NTLM and NTLMv2 authentication is vulnerable to a variety of malicious attacks, including SMB replay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the +Kerberos version 5 protocol, or different authentication mechanisms, such as smart cards. + ### Vulnerability + Enabling this policy setting will reveal through logging which devices within your network or domain handle NTLM traffic. The identity of these devices can be used in malicious ways if NTLM authentication traffic is compromised. The policy setting does not prevent or mitigate any vulnerability because it is for audit purposes only. ### Countermeasure + Restrict access to the log files when this policy setting is enabled in your production environment. + ### Potential impact + If you do not enable or configure this policy setting, no NTLM authentication traffic information will be logged. If you do enable this policy setting, only auditing functions will occur; no security enhancements will be implemented. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-security-restrict-ntlm-incoming-ntlm-traffic.md b/windows/keep-secure/network-security-restrict-ntlm-incoming-ntlm-traffic.md index 500af92295..fba51b1a73 100644 --- a/windows/keep-secure/network-security-restrict-ntlm-incoming-ntlm-traffic.md +++ b/windows/keep-secure/network-security-restrict-ntlm-incoming-ntlm-traffic.md @@ -2,90 +2,99 @@ title: Network security Restrict NTLM Incoming NTLM traffic (Windows 10) description: Describes the best practices, location, values, management aspects, and security considerations for the Network Security Restrict NTLM Incoming NTLM traffic security policy setting. ms.assetid: c0eff7d3-ed59-4004-908a-2205295fefb8 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network security: Restrict NTLM: Incoming NTLM traffic + **Applies to** - Windows 10 + Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: Incoming NTLM traffic** security policy setting. + ## Reference + The **Network Security: Restrict NTLM: Incoming NTLM traffic** policy setting allows you to deny or allow incoming NTLM traffic from client computers, other member servers, or a domain controller. + ### Possible values + - **Allow all** + The server will allow all NTLM authentication requests. + - **Deny all domain accounts** + The server will deny NTLM authentication requests for domain logon, return an NTLM blocked error message to the client device, and log the error, but the server will allow local account logon. + + - **Deny all accounts** + The server will deny NTLM authentication requests from all incoming traffic (whether domain account logon or local account logon), return an NTLM blocked error message to the client device, and log the error. + - Not defined + This is the same as **Allow all**, and the server will allow all NTLM authentication requests. + ### Best practices + If you select **Deny all domain accounts** or **Deny all accounts**, incoming NTLM traffic to the member server will be restricted. It is better to set the **Network Security: Restrict NTLM: Audit Incoming NTLM traffic** policy setting and then review the Operational log to understand what authentication attempts are made to the member servers, and subsequently what client applications are using NTLM. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default domain policy

Not defined

Default domain controller policy

Not defined

Stand-alone server default settings

Not defined

Domain controller effective default settings

Not defined

Member server effective default settings

Not defined

Client computer effective default settings

Not defined

+ +| Server type or GPO | Default value | +| - | - | +| Default domain policy| Not defined| +| Default domain controller policy | Not defined | +| Stand-alone server default settings | Not defined| +| Domain controller effective default settings | Not defined| +| Member server effective default settings | Not defined| +| Client computer effective default settings | Not defined|   ## Policy management + This section describes different features and tools available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a restart when saved locally or distributed through Group Policy. + ### Group Policy + Setting and deploying this policy using Group Policy takes precedence over the setting on the local device. If the Group Policy is set to **Not Configured**, local settings will apply. + ### Auditing + View the operational event log to see if this policy is functioning as intended. Audit and block events are recorded on this computer in the operational event log located in **Applications and Services Log\\Microsoft\\Windows\\NTLM**. + There are no Security Audit Event policies that can be configured to view event output from this policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + NTLM and NTLMv2 authentication is vulnerable to a variety of malicious attacks, including SMB replay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the Kerberos version 5 protocol, or different authentication mechanisms, such as smart cards. + ### Vulnerability + Malicious attacks on NTLM authentication traffic that result in a compromised server can occur only if the server handles NTLM requests. If those requests are denied, brute force attacks on NTLM are eliminated. + ### Countermeasure + When it has been determined that the NTLM authentication protocol should not be used within a network because you are required to use a more secure protocol such as Kerberos, you can select one of several options that this security policy setting offers to restrict NTLM usage. + ### Potential impact -If you configure this policy setting, numerous NTLM authentication requests could fail within your network, which could degrade productivity. Before implementing this change through this policy setting, set **Network security: Restrict NTLM: Audit Incoming NTLM traffic** to the same option so that you can review the log for the potential impact, perform an analysis of servers, and create an exception list of servers to exclude from this policy setting [Network security: Restrict NTLM: Add server exceptions in this domain](network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md). + +If you configure this policy setting, numerous NTLM authentication requests could fail within your network, which could degrade productivity. Before implementing this change through this policy setting, set **Network security: Restrict NTLM: Audit Incoming NTLM traffic** to the same option so that +you can review the log for the potential impact, perform an analysis of servers, and create an exception list of servers to exclude from this policy setting [Network security: Restrict NTLM: Add server exceptions in this domain](network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md). + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md b/windows/keep-secure/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md index 27500c1d95..407c4b9976 100644 --- a/windows/keep-secure/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md +++ b/windows/keep-secure/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md @@ -2,95 +2,108 @@ title: Network security Restrict NTLM NTLM authentication in this domain (Windows 10) description: Describes the best practices, location, values, management aspects, and security considerations for the Network Security Restrict NTLM NTLM authentication in this domain security policy setting. ms.assetid: 4c7884e9-cc11-4402-96b6-89c77dc908f8 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network security: Restrict NTLM: NTLM authentication in this domain + **Applies to** - Windows 10 + Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: NTLM authentication in this domain** security policy setting. + ## Reference + The **Network Security: Restrict NTLM: NTLM authentication in this domain** policy setting allows you to deny or allow NTLM authentication within a domain from this domain controller. This policy setting does not affect interactive logon to this domain controller. + ### Possible values + - **Disable** + The domain controller will allow all NTLM pass-through authentication requests within the domain. + - **Deny for domain accounts to domain servers** + The domain controller will deny all NTLM authentication logon attempts using accounts from this domain to all servers in the domain. The NTLM authentication attempts will be blocked and will return an NTLM blocked error unless the server name is on the exception list in the **Network security: Restrict NTLM: Add server exceptions in this domain** policy setting. + NTLM can be used if the users are connecting to other domains. This depends on if any Restrict NTLM policies have been set on those domains. + - **Deny for domain accounts** + Only the domain controller will deny all NTLM authentication logon attempts from domain accounts and will return an NTLM blocked error unless the server name is on the exception list in the **Network security: Restrict NTLM: Add server exceptions in this domain** policy setting. + - **Deny for domain servers** + The domain controller will deny NTLM authentication requests to all servers in the domain and will return an NTLM blocked error unless the server name is on the exception list in the **Network security: Restrict NTLM: Add server exceptions in this domain** policy setting. Servers that are not joined to the domain will not be affected if this policy setting is configured. + - **Deny all** + The domain controller will deny all NTLM pass-through authentication requests from its servers and for its accounts and return an NTLM blocked error unless the server name is on the exception list in the **Network security: Restrict NTLM: Add server exceptions in this domain** policy setting. + - Not defined + The domain controller will allow all NTLM authentication requests in the domain where the policy is deployed. + ### Best practices + If you select any of the deny options, incoming NTLM traffic to the domain will be restricted. First, set the **Network Security: Restrict NTLM: Audit NTLM authentication in this domain** policy setting, and then review the Operational log to understand what authentication attempts are made to the member servers. You can then add those member server names to a server exception list by using the [Network security: Restrict NTLM: Add server exceptions in this domain](network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md) policy setting. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default domain policy

Not configured

Default domain controller policy

Not configured

Stand-alone server default settings

Not configured

Domain controller effective default settings

Not configured

Member server effective default settings

Not configured

Client computer effective default settings

Not configured

+ +| Server type or GPO | Default value | +| - | - | +| Default domain policy| Not configured| +| Default domain controller policy | Not configured| +| Stand-alone server default settings | Not configured| +| Domain controller effective default settings | Not configured| +| Member server effective default settings | Not configured | +| Client computer effective default settings | Not configured|   ## Policy management + This section describes different features and tools available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a restart when saved locally or distributed through Group Policy. + ### Group Policy + Setting and deploying this policy using Group Policy takes precedence over the setting on the local device. If the Group Policy is set to **Not Configured**, local settings will apply. + ### Auditing + View the operational event log to see if this policy is functioning as intended. Audit and block events are recorded on this computer in the operational event log located in **Applications and Services Log\\Microsoft\\Windows\\NTLM**. + There are no security audit event policies that can be configured to view output from this policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + NTLM and NTLMv2 authentication is vulnerable to a variety of malicious attacks, including SMB replay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the Kerberos version 5 protocol, or different authentication mechanisms, such as smart cards. + ### Vulnerability + Malicious attacks on NTLM authentication traffic resulting in a compromised server or domain controller can occur only if the server or domain controller handles NTLM requests. If those requests are denied, this attack vector is eliminated. + ### Countermeasure -When it has been determined that the NTLM authentication protocol should not be used within a network because you are required to use a more secure protocol such as the Kerberos protocol, then you can select one of several options that this security policy setting offers to restrict NTLM usage within the domain. + +When it has been determined that the NTLM authentication protocol should not be used within a network because you are required to use a more secure protocol such as the Kerberos protocol, then you can select one of several options that this security policy setting offers to restrict NTLM usage +within the domain. + ### Potential impact + If you configure this policy setting, numerous NTLM authentication requests could fail within the domain, which could degrade productivity. Before implementing this change through this policy setting, set **Network security: Restrict NTLM: Audit NTLM authentication in this domain** to the same option so that you can review the log for the potential impact, perform an analysis of servers, and create an exception list of servers to exclude from this policy setting by using [Network security: Restrict NTLM: Add server exceptions in this domain](network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md). + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md b/windows/keep-secure/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md index b73aff9db6..896cdbadc1 100644 --- a/windows/keep-secure/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md +++ b/windows/keep-secure/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md @@ -2,93 +2,100 @@ title: Network security Restrict NTLM Outgoing NTLM traffic to remote servers (Windows 10) description: Describes the best practices, location, values, management aspects, and security considerations for the Network Security Restrict NTLM Outgoing NTLM traffic to remote servers security policy setting. ms.assetid: 63437a90-764b-4f06-aed8-a4a26cf81bd1 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers + **Applies to** - Windows 10 + Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers** security policy setting. + ## Reference + The **Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers** policy setting allows you to deny or audit outgoing NTLM traffic from a computer running Windows 7, Windows Server 2008, or later to any remote server running the Windows operating system. -**Warning**   -Modifying this policy setting may affect compatibility with client computers, services, and applications. + +>**Warning:**  Modifying this policy setting may affect compatibility with client computers, services, and applications.   ### Possible values + - **Allow all** + The device can authenticate identities to a remote server by using NTLM authentication because no restrictions exist. + - **Audit all** + The device that sends the NTLM authentication request to a remote server logs an event for each request. This allows you to identify those servers that receive NTLM authentication requests from the client device + - **Deny all** + The device cannot authenticate any identities to a remote server by using NTLM authentication. You can use the [Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication](network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md) policy setting to define a list of remote servers to which client devices are allowed to use NTLM authentication while denying others. This setting will also log an event on the device that is making the authentication request. + - Not defined + This is the same as **Allow all**, and the device will allow all NTLM authentication requests when the policy is deployed. + ### Best practices + If you select **Deny all**, the client device cannot authenticate identities to a remote server by using NTLM authentication. First, select **Audit all** and then review the operational event log to understand which servers are involved in these authentication attempts. You can then add those server names to a server exception list by using the [Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication](network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md) policy setting. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default domain policy

Not defined

Default domain controller policy

Not defined

Stand-alone server default settings

Not defined

Domain controller effective default settings

Not defined

Member server effective default settings

Not defined

Client computer effective default settings

Not defined

+ +| Server type or GPO | Default value | +| - | - | +| Default domain policy| Not defined| +| Default domain controller policy | Not defined| +| Stand-alone server default settings | Not defined| +| Domain controller effective default settings | Not defined| +| Member server effective default settings | Not defined| +| Client computer effective default settings | Not defined|   ## Policy management + This section describes different features and tools available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a restart when saved locally or distributed through Group Policy. + ### Group Policy + Setting and deploying this policy using Group Policy takes precedence over the setting on the local device. If the Group Policy is set to **Not Configured**, local settings will apply. + ### Auditing + View the operational event log to see if this policy is functioning as intended. Audit and block events are recorded on this computer in the operational event log located in **Applications and Services Log\\Microsoft\\Windows\\NTLM**. + There are no security audit event policies that can be configured to view event output from this policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + NTLM and NTLMv2 authentication is vulnerable to a variety of malicious attacks, including SMB replay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the Kerberos version 5 protocol, or different authentication mechanisms, such as smart cards. + ### Vulnerability + Malicious attacks on NTLM authentication traffic that result in a compromised server or domain controller can occur only if the server or domain controller handles NTLM requests. If those requests are denied, this attack vector is eliminated. + ### Countermeasure + When it has been determined that the NTLM authentication protocol should not be used within a network because you are required to use a more secure protocol such as Kerberos, then you can select from several options to restrict NTLM usage to servers. + ### Potential impact -If you configure this policy setting to deny all requests, numerous NTLM authentication requests to remote servers could fail, which could degrade productivity. Before implementing this restriction through this policy setting, select **Audit all** so that you can review the log for the potential impact, perform an analysis of servers, and create an exception list of servers to exclude from this policy setting by using [Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication](network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md). + +If you configure this policy setting to deny all requests, numerous NTLM authentication requests to remote servers could fail, which could degrade productivity. Before implementing this restriction through this policy setting, select **Audit all** so that you can review the log for the potential impact, perform an analysis of servers, and create an exception list of servers to exclude from this policy setting by using [Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication](network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md) +. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md b/windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md index baf6178433..eaaa736c69 100644 --- a/windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md @@ -3,9 +3,10 @@ title: Onboard endpoints and set up the Windows Defender ATP user access description: Set up user access in Azure Active Directory and use Group Policy, SCCM, or do manual registry changes to onboard endpoints to the service. keywords: onboarding, windows defender advanced threat protection onboarding, windows atp onboarding, sccm, group policy search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: iaanw --- diff --git a/windows/keep-secure/optimize-applocker-performance.md b/windows/keep-secure/optimize-applocker-performance.md index f8eb1d4d8e..ff8f099f2d 100644 --- a/windows/keep-secure/optimize-applocker-performance.md +++ b/windows/keep-secure/optimize-applocker-performance.md @@ -2,22 +2,31 @@ title: Optimize AppLocker performance (Windows 10) description: This topic for IT professionals describes how to optimize AppLocker policy enforcement. ms.assetid: a20efa20-bc98-40fe-bd81-28ec4905e0f6 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Optimize AppLocker performance + **Applies to** - Windows 10 + This topic for IT professionals describes how to optimize AppLocker policy enforcement. + ## Optimization of Group Policy + AppLocker policies can be implemented by organization unit (OU) using Group Policy. If so, your Group Policy infrastructure should be optimized and retested for performance when AppLocker policies are added to existing Group Policy Objects (GPOs) or new GPOs are created, as you do with adding any policies to your GPOs. + For more info, see the [Optimizing Group Policy Performance](http://go.microsoft.com/fwlink/p/?LinkId=163238) article in TechNet Magazine. + ### AppLocker rule limitations -The more rules per GPO, the longer AppLocker requires for evaluation. There is no set limitation on the number of rules per GPO, but the number of rules that can fit into a 100 MB GPO varies based on the complexity of the rule, such as the number of file hashes included in a single file hash condition. + +The more rules per GPO, the longer AppLocker requires for evaluation. There is no set limitation on the number of rules per GPO, but the number of rules that can fit into a 100 MB GPO varies based on the complexity of the rule, such as the number of file hashes included in a single file hash +condition. + ### Using the DLL rule collection + When the DLL rule collection is enabled, AppLocker must check each DLL that an application loads. The more DLLs, the longer AppLocker requires to complete the evaluation. -  -  diff --git a/windows/keep-secure/overview-create-edp-policy.md b/windows/keep-secure/overview-create-edp-policy.md index 24e6c6a647..0ca5b7cbd1 100644 --- a/windows/keep-secure/overview-create-edp-policy.md +++ b/windows/keep-secure/overview-create-edp-policy.md @@ -2,9 +2,10 @@ title: Create an enterprise data protection (EDP) policy (Windows 10) description: Microsoft Intune and System Center Configuration Manager (version 1511 or later) helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. ms.assetid: d2059e74-94bd-4e54-ab59-1a7b9b52bdc6 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library +ms.pagetype: security author: eross-msft --- diff --git a/windows/keep-secure/packaged-apps-and-packaged-app-installer-rules-in-applocker.md b/windows/keep-secure/packaged-apps-and-packaged-app-installer-rules-in-applocker.md index 64303436c2..b17006c05a 100644 --- a/windows/keep-secure/packaged-apps-and-packaged-app-installer-rules-in-applocker.md +++ b/windows/keep-secure/packaged-apps-and-packaged-app-installer-rules-in-applocker.md @@ -2,26 +2,32 @@ title: Packaged apps and packaged app installer rules in AppLocker (Windows 10) description: This topic explains the AppLocker rule collection for packaged app installers and packaged apps. ms.assetid: 8fd44d08-a0c2-4c5b-a91f-5cb9989f971d -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Packaged apps and packaged app installer rules in AppLocker + **Applies to** - Windows 10 + This topic explains the AppLocker rule collection for packaged app installers and packaged apps. + Universal Windows apps can be installed through the Windows Store or can be sideloaded using the Windows PowerShell cmdlets. Universal Windows apps can be installed by a standard user unlike some Classic Windows applications that sometimes require administrative privileges for installation. Typically, an app consists of multiple components – the installer used to install the app and one or more exes, dlls or scripts. With Classic Windows applications, not all those components always share common attributes such as the publisher name, product name and product version. Therefore, AppLocker has to control each of these components separately through different rule collections – exe, dll, script and Windows Installers. In contrast, all the components of a Universal Windows app share the same attributes: Publisher name, Package name and Package version. It is therefore possible to control an entire app with a single rule. + AppLocker enforces rules for Universal Windows apps separately from Classic Windows applications. A single AppLocker rule for a Universal Windows app can control both the installation and the running of an app. Because all Universal Windows apps are signed, AppLocker supports only publisher rules for Universal Windows apps. A publisher rule for a Universal Windows app is based on the following attributes of the app: + - Publisher name - Package name - Package version + In summary, including AppLocker rules for Universal Windows apps in your policy design provides: + - The ability to control the installation and running of the app - The ability to control all the components of the app with a single rule rather than controlling individual binaries within the app - The ability to create application control policies that survive app updates - Management of Universal Windows apps through Group Policy. -  -  diff --git a/windows/keep-secure/passport-event-300.md b/windows/keep-secure/passport-event-300.md index dfcc826405..9a7c694ae0 100644 --- a/windows/keep-secure/passport-event-300.md +++ b/windows/keep-secure/passport-event-300.md @@ -2,18 +2,22 @@ title: Event ID 300 - Passport successfully created (Windows 10) description: This event is created when a Microsoft Passport for Enterprise is successfully created and registered with Azure Active Directory (Azure AD). ms.assetid: 0DD59E75-1C5F-4CC6-BB0E-71C83884FF04 -ms.pagetype: security -keywords: ["ngc"] -ms.prod: W10 +keywords: ngc +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: jdeckerMS --- + # Event ID 300 - Passport successfully created + **Applies to** - Windows 10 - Windows 10 Mobile + This event is created when a Microsoft Passport for Enterprise is successfully created and registered with Azure Active Directory (Azure AD). Applications or services can trigger actions on this event. For example, a certificate provisioning service can listen to this event and trigger a certificate request. + ## Event details | | | |--------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| @@ -21,16 +25,18 @@ This event is created when a Microsoft Passport for Enterprise is successfully c | **ID:** | 300 | | **Source:** | Microsoft Azure Device Registration Service | | **Version:** | 10 | -| **Message:** | The NGC key was successfully registered. Key ID: {4476694e-8e3b-4ef8-8487-be21f95e6f07}. UPN:test@contoso.com. Attestation: ATT\_SOFT. Client request ID: . Server request ID: db2da6bd-3d70-4b9b-b26b-444f669902da. Server response: {"kid":"4476694e-8e3b-4ef8-8487-be21f95e6f07","upn":"test@contoso.com"} | +| **Message:** | The NGC key was successfully registered. Key ID: {4476694e-8e3b-4ef8-8487-be21f95e6f07}. UPN:test@contoso.com. Attestation: ATT\_SOFT. Client request ID: . Server request ID: db2da6bd-3d70-4b9b-b26b-444f669902da. +Server response: {"kid":"4476694e-8e3b-4ef8-8487-be21f95e6f07","upn":"test@contoso.com"} |   ## Resolve + This is a normal condition. No further action is required. + ## Related topics -[Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md) -[Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md) -[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) -[Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md) -[Microsoft Passport and password changes](microsoft-passport-and-password-changes.md) -[Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) -  -  + +- [Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md) +- [Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md) +- [Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) +- [Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md) +- [Microsoft Passport and password changes](microsoft-passport-and-password-changes.md) +- [Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) diff --git a/windows/keep-secure/password-must-meet-complexity-requirements.md b/windows/keep-secure/password-must-meet-complexity-requirements.md index fba24e4fb4..d51142a117 100644 --- a/windows/keep-secure/password-must-meet-complexity-requirements.md +++ b/windows/keep-secure/password-must-meet-complexity-requirements.md @@ -2,94 +2,98 @@ title: Password must meet complexity requirements (Windows 10) description: Describes the best practices, location, values, and security considerations for the Password must meet complexity requirements security policy setting. ms.assetid: 94482ae3-9dda-42df-9782-2f66196e6afe -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Password must meet complexity requirements + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Password must meet complexity requirements** security policy setting. + ## Reference + The **Passwords must meet complexity requirements** policy setting determines whether passwords must meet a series of guidelines that are considered important for a strong password. Enabling this policy setting requires passwords to meet the following requirements: + 1. Passwords may not contain the user's samAccountName (Account Name) value or entire displayName (Full Name value). Both checks are not case sensitive. + The samAccountName is checked in its entirety only to determine whether it is part of the password. If the samAccountName is less than three characters long, this check is skipped. The displayName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the displayName is split and all parsed sections (tokens) are confirmed to not be included in the password. Tokens that are less than three characters are ignored, and substrings of the tokens are not checked. For example, the name "Erin M. Hagens" is split into three tokens: "Erin", "M", and "Hagens". Because the second token is only one character long, it is ignored. Therefore, this user could not have a password that included either "erin" or "hagens" as a substring anywhere in the password. + 2. The password contains characters from three of the following categories: + - Uppercase letters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters) - Lowercase letters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters) - Base 10 digits (0 through 9) - Non-alphanumeric characters (special characters) (for example, !, $, \#, %) - Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages. + Complexity requirements are enforced when passwords are changed or created. + The rules that are included in the Windows Server password complexity requirements are part of Passfilt.dll, and they cannot be directly modified. + Enabling the default Passfilt.dll may cause some additional Help Desk calls for locked-out accounts because users might not be used to having passwords that contain characters other than those found in the alphabet. However, this policy setting is liberal enough that all users should be able to abide by the requirements with a minor learning curve. + Additional settings that can be included in a custom Passfilt.dll are the use of non–upper-row characters. Upper-row characters are those that are typed by holding down the SHIFT key and typing any of the digits from 1 through 10. + ### Possible values + - Enabled - Disabled - Not defined + ### Best practices + Set **Passwords must meet complexity requirements** to Enabled. This policy setting, combined with a minimum password length of 8, ensures that there are at least 218,340,105,584,896 different possibilities for a single password. This makes a brute force attack difficult, but still not impossible. + The use of ALT key character combinations can greatly enhance the complexity of a password. However, requiring all users in an organization to adhere to such stringent password requirements can result in unhappy users and an extremely busy Help Desk. Consider implementing a requirement in your organization to use ALT characters in the range from 0128 through 0159 as part of all administrator passwords. (ALT characters outside of this range can represent standard alphanumeric characters that do not add additional complexity to the password.) + Passwords that contain only alphanumeric characters are easy to compromise by using publicly available tools. To prevent this, passwords should contain additional characters and meet complexity requirements. + ### Location + **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy** + ### Default values + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or Group Policy Object (GPO)Default value

Default domain policy

Enabled

Default domain controller policy

Enabled

Stand-alone server default settings

Disabled

Domain controller effective default settings

Enabled

Member server effective default settings

Enabled

Effective GPO default settings on client computers

Disabled

+ +| Server type or Group Policy Object (GPO) | Default value | +| - | - | +| Default domain policy| Enabled| +| Default domain controller policy| Enabled| +| Stand-alone server default settings | Disabled| +| Domain controller effective default settings | Enabled| +| Member server effective default settings | Enabled| +| Effective GPO default settings on client computers | Disabled|   ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Passwords that contain only alphanumeric characters are extremely easy to discover with several publicly available tools. + ### Countermeasure + Configure the **Passwords must meet complexity requirements** policy setting to Enabled and advise users to use a variety of characters in their passwords. + When combined with a [Minimum password length](minimum-password-length.md) of 8, this policy setting ensures that the number of different possibilities for a single password is so great that it is difficult (but not impossible) for a brute force attack to succeed. (If the Minimum password length policy setting is increased, the average amount of time necessary for a successful attack also increases.) + ### Potential impact + If the default password complexity configuration is retained, additional Help Desk calls for locked-out accounts could occur because users might not be accustomed to passwords that contain non-alphabetical characters, or they might have problems entering passwords that contain accented characters or symbols on keyboards with different layouts. However, all users should be able to comply with the complexity requirement with minimal difficulty. + If your organization has more stringent security requirements, you can create a custom version of the Passfilt.dll file that allows the use of arbitrarily complex password strength rules. For example, a custom password filter might require the use of non-upper-row symbols. (Upper-row symbols are those that require you to press and hold the SHIFT key and then press any of the digits between 1 and 0.) A custom password filter might also perform a dictionary check to verify that the proposed password does not contain common dictionary words or fragments. + The use of ALT key character combinations can greatly enhance the complexity of a password. However, such stringent password requirements can result in additional Help Desk requests. Alternatively, your organization could consider a requirement for all administrator passwords to use ALT characters in the 0128–0159 range. (ALT characters outside of this range can represent standard alphanumeric characters that would not add additional complexity to the password.) + ## Related topics -[Password Policy](password-policy.md) -  -  + +- [Password Policy](password-policy.md) diff --git a/windows/keep-secure/password-policy.md b/windows/keep-secure/password-policy.md index 4d1c366110..4198fac995 100644 --- a/windows/keep-secure/password-policy.md +++ b/windows/keep-secure/password-policy.md @@ -2,66 +2,51 @@ title: Password Policy (Windows 10) description: An overview of password policies for Windows and links to information for each policy setting. ms.assetid: aec1220d-a875-4575-9050-f02f9c54a3b6 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Password Policy + **Applies to** - Windows 10 + An overview of password policies for Windows and links to information for each policy setting. + In many operating systems, the most common method to authenticate a user's identity is to use a secret passphrase or password. A secure network environment requires all users to use strong passwords, which have at least eight characters and include a combination of letters, numbers, and symbols. These passwords help prevent the compromise of user accounts and administrative accounts by unauthorized users who use manual methods or automated tools to guess weak passwords. Strong passwords that are changed regularly reduce the likelihood of a successful password attack. + Introduced in Windows Server 2008 R2 and Windows Server 2008, Windows supports fine-grained password policies. This feature provides organizations with a way to define different password and account lockout policies for different sets of users in a domain. Fine-grained password policies apply only to user objects (or inetOrgPerson objects if they are used instead of user objects) and global security groups. + To apply a fine-grained password policy to users of an OU, you can use a shadow group. A shadow group is a global security group that is logically mapped to an OU to enforce a fine-grained password policy. You add users of the OU as members of the newly created shadow group and then apply the fine-grained password policy to this shadow group. You can create additional shadow groups for other OUs as needed. If you move a user from one OU to another, you must update the membership of the corresponding shadow groups. + Fine-grained password policies include attributes for all the settings that can be defined in the default domain policy (except Kerberos settings) in addition to account lockout settings. When you specify a fine-grained password policy, you must specify all of these settings. By default, only members of the Domain Admins group can set fine-grained password policies. However, you can also delegate the ability to set these policies to other users. The domain must be running at least Windows Server 2008 R2 or Windows Server 2008 to use fine-grained password policies. Fine-grained password policies cannot be applied to an organizational unit (OU) directly. + You can enforce the use of strong passwords through an appropriate password policy. There are password policy settings that control the complexity and lifetime of passwords, such as the **Passwords must meet complexity requirements** policy setting. + You can configure the password policy settings in the following location by using the Group Policy Management Console: + **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy** + If individual groups require distinct password policies, these groups should be separated into another domain or forest, based on additional requirements. + The following topics provide a discussion of password policy implementation and best practices considerations, policy location, default values for the server type or GPO, relevant differences in operating system versions, security considerations (including the possible vulnerabilities of each setting), countermeasures that you can take, and the potential impact for each setting. + ## In this section - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TopicDescription

[Enforce password history](enforce-password-history.md)

Describes the best practices, location, values, policy management, and security considerations for the Enforce password history security policy setting.

[Maximum password age](maximum-password-age.md)

Describes the best practices, location, values, policy management, and security considerations for the Maximum password age security policy setting.

[Minimum password age](minimum-password-age.md)

Describes the best practices, location, values, policy management, and security considerations for the Minimum password age security policy setting.

[Minimum password length](minimum-password-length.md)

Describes the best practices, location, values, policy management, and security considerations for the Minimum password length security policy setting.

[Password must meet complexity requirements](password-must-meet-complexity-requirements.md)

Describes the best practices, location, values, and security considerations for the Password must meet complexity requirements security policy setting.

[Store passwords using reversible encryption](store-passwords-using-reversible-encryption.md)

Describes the best practices, location, values, and security considerations for the Store passwords using reversible encryption security policy setting.

+ +| Topic | Description | +| - | - | +| [Enforce password history](enforce-password-history.md)| Describes the best practices, location, values, policy management, and security considerations for the **Enforce password history** security policy setting.| +| [Maximum password age](maximum-password-age.md) | Describes the best practices, location, values, policy management, and security considerations for the **Maximum password age** security policy setting.| +| [Minimum password age](minimum-password-age.md) | Describes the best practices, location, values, policy management, and security considerations for the **Minimum password age** security policy setting.| +| [Minimum password length](minimum-password-length.md) | Describes the best practices, location, values, policy management, and security considerations for the **Minimum password length** security policy setting.| +| [Password must meet complexity requirements](password-must-meet-complexity-requirements.md) | Describes the best practices, location, values, and security considerations for the **Password must meet complexity requirements** security policy setting.| +| [Store passwords using reversible encryption](store-passwords-using-reversible-encryption.md) | Describes the best practices, location, values, and security considerations for the **Store passwords using reversible encryption** security policy setting.|   ## Related topics -[Configure security policy settings](how-to-configure-security-policy-settings.md) + +- [Configure security policy settings](how-to-configure-security-policy-settings.md)     diff --git a/windows/keep-secure/perform-volume-maintenance-tasks.md b/windows/keep-secure/perform-volume-maintenance-tasks.md index 8080674711..dae56942a1 100644 --- a/windows/keep-secure/perform-volume-maintenance-tasks.md +++ b/windows/keep-secure/perform-volume-maintenance-tasks.md @@ -2,89 +2,91 @@ title: Perform volume maintenance tasks (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Perform volume maintenance tasks security policy setting. ms.assetid: b6990813-3898-43e2-8221-c9c06d893244 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Perform volume maintenance tasks + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Perform volume maintenance tasks** security policy setting. + ## Reference + This policy setting determines which users can perform volume or disk management tasks, such as defragmenting an existing volume, creating or removing volumes, and running the Disk Cleanup tool. + Use caution when assigning this user right. Users with this user right can explore disks and extend files in to memory that contains other data. When the extended files are opened, the user might be able to read and modify the acquired data. + Constant: SeManageVolumePrivilege + ### Possible values + - User-defined list of accounts - Not Defined + ### Best practices + - Ensure that only the local Administrators group is assigned the **Perform volume maintenance tasks** user right. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default this setting is Administrators on domain controllers and on stand-alone servers. + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Administrators

Stand-Alone Server Default Settings

Administrators

DC Effective Default Settings

Administrators

Member Server Effective Default Settings

Administrators

Client Computer Effective Default Settings

Administrators

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Administrators| +| Stand-Alone Server Default Settings | Administrators| +| DC Effective Default Settings | Administrators| +| Member Server Effective Default Settings | Administrators| +| Client Computer Effective Default Settings | Administrators|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the device is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + A user who is assigned the **Perform volume maintenance tasks** user right could delete a volume, which could result in the loss of data or a denial-of- service condition. Also, disk maintenance tasks can be used to modify data on the disk, such as user rights assignments that might lead to escalation of privileges. + ### Countermeasure + Ensure that only the local Administrators group is assigned the **Perform volume maintenance tasks** user right. + ### Potential impact + None. Restricting the **Perform volume maintenance tasks** user right to the local Administrators group is the default configuration. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/plan-for-applocker-policy-management.md b/windows/keep-secure/plan-for-applocker-policy-management.md index d7b423cdb3..96d65e5c32 100644 --- a/windows/keep-secure/plan-for-applocker-policy-management.md +++ b/windows/keep-secure/plan-for-applocker-policy-management.md @@ -2,71 +2,112 @@ title: Plan for AppLocker policy management (Windows 10) description: This topic for describes the decisions you need to make to establish the processes for managing and maintaining AppLocker policies. ms.assetid: dccc196f-6ae0-4ae4-853a-a3312b18751b -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Plan for AppLocker policy management + **Applies to** - Windows 10 + This topic for describes the decisions you need to make to establish the processes for managing and maintaining AppLocker policies. + ## Policy management + Before you begin the deployment process, consider how the AppLocker rules will be managed. Developing a process for managing AppLocker rules helps assure that AppLocker continues to effectively control how applications are allowed to run in your organization. + ### Application and user support policy + Developing a process for managing AppLocker rules helps assure that AppLocker continues to effectively control how applications are allowed to run in your organization. Considerations include: + - What type of end-user support is provided for blocked applications? - How are new rules added to the policy? - How are existing rules updated? - Are events forwarded for review? + **Help desk support** + If your organization has an established help desk support department in place, consider the following when deploying AppLocker policies: + - What documentation does your support department require for new policy deployments? - What are the critical processes in each business group both in work flow and timing that will be affected by application control policies and how could they affect your support department's workload? - Who are the contacts in the support department? - How will the support department resolve application control issues between the end user and those who maintain the AppLocker rules? + **End-user support** + Because AppLocker is preventing unapproved apps from running, it is important that your organization carefully plan how to provide end-user support. Considerations include: + - Do you want to use an intranet site as a first line of support for users who have tried to run a blocked app? - How do you want to support exceptions to the policy? Will you allow users to run a script to temporarily allow access to a blocked app? + **Using an intranet site** + AppLocker can be configured to display the default message but with a custom URL. You can use this URL to redirect users to a support site that contains information about why the user received the error and which applications are allowed. If you do not display a custom URL for the message when an app is blocked, the default URL is used. + The following image shows an example of the error message for a blocked app. You can use the **Set a support web link** policy setting to customize the **More information** link. + ![applocker blocked application error message](images/blockedappmsg.gif) + For steps to display a custom URL for the message, see [Display a custom URL message when users try to run a blocked app](display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md). + **AppLocker event management** -Each time that a process requests permission to run, AppLocker creates an event in the AppLocker event log. The event details which file tried to run, the attributes of that file, the user that initiated the request, and the rule GUID that was used to make the AppLocker execution decision. The AppLocker event log is located in the following path: **Applications and Services Logs\\Microsoft\\Windows\\AppLocker**. The AppLocker log includes three logs: + +Each time that a process requests permission to run, AppLocker creates an event in the AppLocker event log. The event details which file tried to run, the attributes of that file, the user that initiated the request, and the rule GUID that was used to make the AppLocker execution decision. The +AppLocker event log is located in the following path: **Applications and Services Logs\\Microsoft\\Windows\\AppLocker**. The AppLocker log includes three logs: + 1. **EXE and DLL**. Contains events for all files affected by the executable and DLL rule collections (.exe, .com, .dll, and .ocx). 2. **MSI and Script**. Contains events for all files affected by the Windows Installer and script rule collections (.msi, .msp, .ps1, .bat, .cmd, .vbs, and .js). 3. **Packaged app-Deployment** or **Packaged app-Execution**, contains events for all Universal Windows apps affected by the packaged app and packed app installer rule collection (.appx). + Collecting these events in a central location can help you maintain your AppLocker policy and troubleshoot rule configuration problems. Event collection technologies such as those available in Windows allow administrators to subscribe to specific event channels and have the events from source computers aggregated into a forwarded event log on a Windows Server operating system collector. For more info about setting up an event subscription, see [Configure Computers to Collect and Forward Events](http://go.microsoft.com/fwlink/p/?LinkId=145012). + ### Policy maintenance + As new apps are deployed or existing apps are updated by the software publisher, you will need to make revisions to your rule collections to ensure that the policy is current. + You can edit an AppLocker policy by adding, changing, or removing rules. However, you cannot specify a version for the policy by importing additional rules. To ensure version control when modifying an AppLocker policy, use Group Policy management software that allows you to create versions of Group Policy Objects (GPOs). An example of this type of software is the Advanced Group Policy Management feature from the Microsoft Desktop Optimization Pack. For more info about Advanced Group Policy Management, see [Advanced Group Policy Management Overview](http://go.microsoft.com/fwlink/p/?LinkId=145013) (http://go.microsoft.com/fwlink/p/?LinkId=145013). -**Caution**   -You should not edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can create unexpected behavior. + +>**Caution:**  You should not edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can create unexpected behavior.   **New version of a supported app** + When a new version of an app is deployed in the organization, you need to determine whether to continue to support the previous version of that app. To add the new version, you might only need to create a new rule for each file that is associated with the app. If you are using publisher conditions and the version is not specified, then the existing rule or rules might be sufficient to allow the updated file to run. You must ensure, however, that the updated app has not altered the file names or added files to support new functionality. If so, then you must modify the existing rules or create new rules. To continue to reuse a publisher-based rule without a specific file version, you must also ensure that the file's digital signature is still identical to the previous version—the publisher, product name, and file name (if configured in your rule) must all match for the rule to be correctly applied. + To determine whether a file has been modified during an app update, review the publisher's release details provided with the update package. You can also review the publisher's web page to retrieve this information. Each file can also be inspected to determine the version. + For files that are allowed or denied with file hash conditions, you must retrieve the new file hash. To add support for a new version and maintain support for the older version, you can either create a new file hash rule for the new version or edit the existing rule and add the new file hash to the list of conditions. + For files with path conditions, you should verify that the installation path has not changed from what is stated in the rule. If the path has changed, you need to update the rule before installing the new version of the app + **Recently deployed app** + To support a new app, you must add one or more rules to the existing AppLocker policy. + **App is no longer supported** + If your organization has determined that it will no longer support an application that has AppLocker rules associated with it, the easiest way to prevent users from running the app is to delete these rules. + **App is blocked but should be allowed** + A file could be blocked for three reasons: + - The most common reason is that no rule exists to allow the app to run. - There may be an existing rule that was created for the file that is too restrictive. - A deny rule, which cannot be overridden, is explicitly blocking the file. + Before editing the rule collection, first determine what rule is preventing the file from running. You can troubleshoot the problem by using the **Test-AppLockerPolicy** Windows PowerShell cmdlet. For more info about troubleshooting an AppLocker policy, see [Testing and Updating an AppLocker Policy](http://go.microsoft.com/fwlink/p/?LinkId=160269) (http://go.microsoft.com/fwlink/p/?LinkId=160269). + ## Next steps + After deciding how your organization will manage your AppLocker policy, record your findings. + - **End-user support policy.** Document the process that you will use for handling calls from users who have attempted to run a blocked app, and ensure that support personnel have clear escalation steps so that the administrator can update the AppLocker policy, if necessary. - **Event processing.** Document whether events will be collected in a central location called a store, how that store will be archived, and whether the events will be processed for analysis. - **Policy maintenance.** Detail how rules will be added to the policy and in which GPO the rules are defined. + For information and steps how to document your processes, see [Document your application control management processes](document-your-application-control-management-processes.md). -  -  diff --git a/windows/keep-secure/planning-and-deploying-advanced-security-audit-policies.md b/windows/keep-secure/planning-and-deploying-advanced-security-audit-policies.md index 8a2a90eb1f..1fa912d181 100644 --- a/windows/keep-secure/planning-and-deploying-advanced-security-audit-policies.md +++ b/windows/keep-secure/planning-and-deploying-advanced-security-audit-policies.md @@ -2,290 +2,283 @@ title: Planning and deploying advanced security audit policies (Windows 10) description: This topic for the IT professional explains the options that security policy planners must consider and the tasks they must complete to deploy an effective security audit policy in a network that includes advanced security audit policies. ms.assetid: 7428e1db-aba8-407b-a39e-509671e5a442 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Planning and deploying advanced security audit policies + **Applies to** - Windows 10 -This topic for the IT professional explains the options that security policy planners must consider and the tasks they must complete to deploy an effective security audit policy in a network that includes advanced security audit policies. + +This topic for the IT professional explains the options that security policy planners must consider and the tasks they must complete to deploy an effective security audit policy in a network that includes advanced security audit +policies. + Organizations invest a large portion of their information technology budgets on security applications and services, such as antimalware software, firewalls, and encryption. But no matter how much security hardware or software you deploy, how tightly you control the rights of users, or how carefully you configure security permissions on your data, you should not consider the job complete unless you have a well-defined, timely auditing strategy to track the effectiveness of your defenses and identify attempts to circumvent them. + To be well defined and timely, an auditing strategy must provide useful tracking data for an organization's most important resources, critical behaviors, and potential risks. In a growing number of organizations, it must also provide absolute proof that IT operations comply with corporate and regulatory requirements. + Unfortunately, no organization has unlimited resources to monitor every resource and activity on a network. If you do not plan well, you will likely have gaps in your auditing strategy. However, if you try to audit every resource and activity, you may find yourself with far too much monitoring data, including thousands of benign audit entries that an analyst needs to sift through to identify the narrow set of entries that warrant closer examination. This could cause delays or even prevent auditors from identifying suspicious activity. Thus, too much monitoring can leave an organization as vulnerable as not enough monitoring. + Here are some features that can help you focus your effort: + - **Advanced audit policy settings**. You can apply and manage detailed audit policy settings through Group Policy. - **"Reason for access" auditing**. You can specify and identify the permissions that were used to generate a particular object access security event. - **Global object access auditing**. You can define system access control lists (SACLs) for an entire computer file system or registry. + To deploy these features and plan an effective security auditing strategy, you need to: + - Identify your most critical resources and the most important activities that need to be tracked. - Identify the audit settings that can be used to track these activities. - Assess the advantages and potential costs associated with each. - Test these settings to validate your choices. - Develop plans for deploying and managing your audit policy. + ## About this guide + This document will guide you through the steps needed to plan a security auditing policy that uses Windows auditing features. This policy must identify and address vital business needs, including: + - Network reliability - Regulatory requirements - Protection of the organization's data and intellectual property - Users, including employees, contractors, partners, and customers - Client computers and applications - Servers and the applications and services running on those servers + The audit policy also must identify processes for managing audit data after it has been logged, including: + - Collecting, evaluating, and reviewing audit data - Storing and (if required) disposing of audit data + By carefully planning, designing, testing, and deploying a solution based on your organization's business requirements, you can provide the standardized functionality, security, and management control that your organization needs. + ## Understanding the security audit policy design process + The process of designing and deploying a Windows security audit policy involves the following tasks, which are described in greater detail throughout this document: + - [Identifying your Windows security audit policy deployment goals](#bkmk-1) + This section helps define the business objectives that will guide your Windows security audit policy. It also helps you define the resources, users, and computers that will be the focus of your security auditing. + - [Mapping the security audit policy to groups of users, computers, and resources in your organization](#bkmk-2) + This section explains how to integrate security audit policy settings with domain Group Policy settings for different groups of users, computers, and resources. In addition, if your network includes multiple versions of Windows client and server operating systems, it also explains when to use basic audit policy settings and when to use advanced security audit policy settings. + - [Mapping your security auditing goals to a security audit policy configuration](#bkmk-3) + This section explains the categories of Windows security auditing settings that are available. It also identifies individual Windows security auditing policy settings that can be of particular value to address auditing scenarios. + - [Planning for security audit monitoring and management](#bkmk-4) + This section helps you plan to collect, analyze, and store Windows audit data. Depending on the number of computers and types of activity that you want to audit, Windows event logs can fill up quickly. In addition, this section explains how auditors can access and aggregate event data from multiple servers and desktop computers. It also explains how to address storage requirements, including how much audit data to store and how it must be stored. + - [Deploying the security audit policy](#bkmk-5) + This section provides recommendations and guidelines for the effective deployment of a Windows security audit policy. Configuring and deploying Windows audit policy settings in a test lab environment can help you confirm that the settings you have selected will produce the type of audit data you need. However, only a carefully staged pilot and incremental deployments based on your domain and organizational unit (OU) structure will enable you to confirm that the audit data you generate can be monitored and that it meets your organization's audit needs. + ## Identifying your Windows security audit policy deployment goals + A security audit policy must support and be a critical and integrated aspect of an organization's overall security design and framework. + Every organization has a unique set of data and network assets (such as customer and financial data and trade secrets), physical resources (such as desktop computers, portable computers, and servers), and users (which can include various internal groups such as finance and marketing, and external groups such as partners, customers, and anonymous users on the website). Not all of these assets, resources, and users justify the cost of an audit. Your task is to identify which assets, resources, and users provide the strongest justification for the focus of a security audit. + To create your Windows security audit plan, begin by identifying: + - The overall network environment, including the domains, OUs, and security groups. - The resources on the network, the users of those resources, and how those resources are being used. - Regulatory requirements. + ### Network environment + An organization's domain and OU structure provide a fundamental starting point for thinking about how to apply a security audit policy because it likely provides a foundation of Group Policy Objects (GPOs) and logical grouping of resources and activities that you can use to apply the audit settings that you choose. It is also likely that certain portions of your domain and OU structure already provide logical groups of users, resources, and activities that justify the time and resources needed to audit them. For information about how to integrate a security audit policy with your domain and OU structure, see [Mapping security audit policy to groups of users, computers, and resources in your organization](#bkmk-2) later in this document. + In addition to your domain model, you should also find out whether your organization creates and maintains a systematic threat model. A good threat model can help you identify threats to key components in your infrastructure, so you can define and apply audit settings that enhance the organization's ability to identify and counter those threats. -**Important**   -Including auditing within your organization's security plan also makes it possible to budget your resources on the areas where auditing can achieve the most positive results. + +>**Important:**  Including auditing within your organization's security plan also makes it possible to budget your resources on the areas where auditing can achieve the most positive results.   For additional details about how to complete each of these steps and how to prepare a detailed threat model, download the [IT Infrastructure Threat Modeling Guide](http://go.microsoft.com/fwlink/p/?LinkId=163432). + ### Data and resources + For data and resource auditing, you need to identify the most important types of data and resources (such as patient records, accounting data, or marketing plans) that can benefit from the closer monitoring that Windows auditing can provide. Some of these data resources might already be monitored through auditing features in products such as Microsoft SQL Server and Exchange Server. If so, you may want to consider how Windows auditing features can enhance the existing audit strategy. As with the domain and OU structure discussed previously, security auditing should focus on your most critical resources. You also must consider how much audit data you will be able to manage. + You can record if these resources have high business impact, medium business impact, or low business impact, the cost to the organization if these data resources are accessed by unauthorized users, and the risk that this access can pose to the organization. The type of access by users (such as Read, Modify, or Copy) can also pose different levels of risk to an organization. + Increasingly, data access and use is governed by regulations, and a breach can result in severe penalties and a loss in credibility for the organization. If regulatory compliance plays a role in how you manage your data, be sure to also document this information. + The following table provides an example of a resource analysis for an organization. - ------- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Resource classWhere storedOrganizational unitBusiness impactSecurity or regulatory requirements

Payroll data

Corp-Finance-1

Accounting: Read/Write on Corp-Finance-1

-

Departmental Payroll Managers: Write only on Corp-Finance-1

High

Financial integrity and employee privacy

Patient medical records

MedRec-2

Doctors and Nurses: Read/Write on Med/Rec-2

-

Lab Assistants: Write only on MedRec-2

-

Accounting: Read only on MedRec-2

High

Strict legal and regulatory standards

Consumer health information

Web-Ext-1

Public Relations Web Content Creators: Read/Write on Web-Ext-1

-

Public: Read only on Web-Ext-1

Low

Public education and corporate image

+ +| Resource class | Where stored | Organizational unit | Business impact | Security or regulatory requirements | +| - | - | - | - | - | +| Payroll data| Corp-Finance-1| Accounting: Read/Write on Corp-Finance-1
Departmental Payroll Managers: Write only on Corp-Finance-1| High| Financial integrity and employee privacy| +| Patient medical records| MedRec-2| Doctors and Nurses: Read/Write on Med/Rec-2
Lab Assistants: Write only on MedRec-2
Accounting: Read only on MedRec-2| High| Strict legal and regulatory standards| +| Consumer health information| Web-Ext-1| Public Relations Web Content Creators: Read/Write on Web-Ext-1
Public: Read only on Web-Ext-1| Low| Public education and corporate image|   ### Users + Many organizations find it useful to classify the types of users they have and base permissions on this classification. This same classification can help you identify which user activities should be the subject of security auditing and the amount of audit data they will generate. + Organizations can create distinctions based on the type of rights and permissions needed by users to perform their jobs. For example, under the classification Administrators, larger organizations might assign local administrator responsibilities for a single computer, for specific applications such as Exchange Server or SQL Server, or for an entire domain. Under Users, permissions and Group Policy settings can apply to as many as all users in an organization or as few as a subset of the employees in a given department. + Also, if your organization is subject to regulatory requirements, user activities such as accessing medical records or financial data may need to be audited to verify that you are complying with these requirements. + To effectively audit user activity, begin by listing the different types of users in your organization and the types of data they need access to—in addition to the data they should not have access to. + Also, if external users can access any of your organization's data, be sure to identify them, including if they belong to a business partner, customer, or general user, the data they have access to, and the permissions they have to access that data. + The following table illustrates an analysis of users on a network. Although our example contains a single column titled "Possible auditing considerations," you may want to create additional columns to differentiate between different types of network activity, such as logon hours and permission use. - ----- - - - - - - - - - - - - - - - - - - - - - - - - -
GroupsDataPossible auditing considerations

Account administrators

User accounts and security groups

Account administrators have full privileges to create new user accounts, reset passwords, and modify security group memberships. We need a mechanism to monitor these changes.

Members of the Finance OU

Financial records

Users in Finance have Read/Write access to critical financial records, but no ability to change permissions on these resources. These financial records are subject to government regulatory compliance requirements.

External partners

Project Z

Employees of partner organizations have Read/Write access to certain project data and servers relating to Project Z, but not to other servers or data on the network.

+ +| Groups | Data | Possible auditing considerations | +| - | - | - | +| Account administrators| User accounts and security groups| Account administrators have full privileges to create new user accounts, reset passwords, and modify security group memberships. We need a mechanism to monitor these changes. | +| Members of the Finance OU| Financial records| Users in Finance have Read/Write access to critical financial records, but no ability to change permissions on these resources. These financial records are subject to government regulatory compliance requirements. | +| External partners | Project Z| Employees of partner organizations have Read/Write access to certain project data and servers relating to Project Z, but not to other servers or data on the network.|   ### Computers + Security and auditing requirements and audit event volume can vary considerably for different types of computers in an organization. These requirements can be based on: + - If the computers are servers, desktop computers, or portable computers. - The important applications the computers run, such as Exchange Server, SQL Server, or Forefront Identity Manager. - **Note**   - If the server applications (including Exchange Server and SQL Server) have audit settings. For more information about auditing in Exchange Server, see the [Exchange 2010 Security Guide](http://go.microsoft.com/fwlink/p/?linkid=128052). For more information about auditing in SQL Server 2008, see [Auditing (Database Engine)](http://go.microsoft.com/fwlink/p/?LinkId=163434). For SQL Server 2012, see [SQL Server Audit (Database Engine)](http://technet.microsoft.com/library/cc280386.aspx). + + >**Note:**  If the server applications (including Exchange Server and SQL Server) have audit settings. For more information about auditing in Exchange Server, see the [Exchange 2010 Security Guide](http://go.microsoft.com/fwlink/p/?linkid=128052). For more information about auditing in SQL Server 2008, see [Auditing (Database Engine)](http://go.microsoft.com/fwlink/p/?LinkId=163434). For SQL Server 2012, see [SQL Server Audit (Database Engine)](http://technet.microsoft.com/library/cc280386.aspx).   - The operating system versions. - **Note**   - The operating system version determines which auditing options are available and the volume of audit event data. + + >**Note:**  The operating system version determines which auditing options are available and the volume of audit event data.   - The business value of the data. + For example, a web server that is accessed by external users requires different audit settings than a root certification authority (CA) that is never exposed to the public Internet or even to regular users on the organization's network. + The following table illustrates an analysis of computers in an organization. - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Type of computer and applicationsOperating system versionWhere located

Servers hosting Exchange Server

Windows Server 2008 R2

ExchangeSrv OU

File servers

Windows Server 2012

Separate resource OUs by department and (in some cases) by location

Portable computers

Windows Vista and Windows 7

Separate portable computer OUs by department and (in some cases) by location

Web servers

Windows Server 2008 R2

WebSrv OU

+ +| Type of computer and applications | Operating system version | Where located | +| - | - | - | +| Servers hosting Exchange Server| Windows Server 2008 R2| ExchangeSrv OU| +| File servers | Windows Server 2012| Separate resource OUs by department and (in some cases) by location| +| Portable computers | Windows Vista and Windows 7| Separate portable computer OUs by department and (in some cases) by location| +| Web servers | Windows Server 2008 R2 | WebSrv OU|   ### Regulatory requirements + Many industries and locales have strict and specific requirements for network operations and how resources are protected. In the health care and financial industries, for example, there are strict guidelines for who has access to records and how they are used. Many countries have strict privacy rules. To identify regulatory requirements, work with your organization's legal department and other departments responsible for these requirements. Then consider the security configuration and auditing options that can be used to comply with and verify compliance with these regulations. + For more info, see the [System Center Process Pack for IT GRC](http://technet.microsoft.com/library/dd206732.aspx). + ## Mapping the security audit policy to groups of users, computers, and resources in your organization -By using Group Policy, you can apply your security audit policy to defined groups of users, computers, and resources. To map a security auditing policy to these defined groups in your organization, you should understand the following considerations for using Group Policy to apply security audit policy settings: + +By using Group Policy, you can apply your security audit policy to defined groups of users, computers, and resources. To map a security auditing policy to these defined groups in your organization, you should understand the +following considerations for using Group Policy to apply security audit policy settings: + - The policy settings you identify can be applied by using one or more GPOs. To create and edit a GPO, use the Group Policy Management Console (GPMC). By using the GPMC to link a GPO to selected Active Directory sites, domains, and OUs, you apply the policy settings in the GPO to the users and computers in those Active Directory objects. An OU is the lowest-level Active Directory container to which you can assign Group Policy settings. - For every policy setting that you select, you need to decide whether it should be enforced across the organization, or whether it should apply only to selected users or computers. You can then combine these audit policy settings into GPOs and link them to the appropriate Active Directory containers. - By default, options set in GPOs that are linked to higher levels of Active Directory sites, domains, and OUs are inherited by all OUs at lower levels. However, a GPO that is linked at a lower level can overwrite inherited policies. + For example, you might use a domain GPO to assign an organization-wide group of audit settings, but want a certain OU to get a defined group of additional settings. To accomplish this, you can link a second GPO to that specific lower-level OU. Therefore, a logon audit setting that is applied at the OU level will override a conflicting logon audit setting that is applied at the domain level (unless you have taken special steps to apply Group Policy loopback processing). + - Audit policies are computer policies. Therefore, they must be applied through GPOs that are applied to computer OUs, not to user OUs. However, in most cases you can apply audit settings for only specified resources and groups of users by configuring SACLs on the relevant objects. This enables auditing for a security group that contains only the users you specify. + For example, you could configure a SACL for a folder called Payroll Data on Accounting Server 1. This can audit attempts by members of the Payroll Processors OU to delete objects from this folder. The **Object Access\\Audit File System** audit policy setting applies to Accounting Server 1, but because it requires a corresponding resource SACL, only actions by members of the Payroll Processors OU on the Payroll Data folder generates audit events. + - Advanced security audit policy settings were introduced in Windows Server 2008 R2 or Windows 7 and can be applied to those operating systems and later. These advanced audit polices can only be applied by using Group Policy. - **Important**   - Whether you apply advanced audit policies by using Group Policy or by using logon scripts, do not use both the basic audit policy settings under **Local Policies\\Audit Policy** and the advanced settings under **Security Settings\\Advanced Audit Policy Configuration**. Using both basic and advanced audit policy settings can cause unexpected results in audit reporting. + + >**Important:**  Whether you apply advanced audit policies by using Group Policy or by using logon scripts, do not use both the basic audit policy settings under **Local Policies\\Audit Policy** and the advanced settings under **Security Settings\\Advanced Audit Policy Configuration**. Using both basic and advanced audit policy settings can cause unexpected results in audit reporting. + If you use **Advanced Audit Policy Configuration** settings or use logon scripts to apply advanced audit policies, be sure to enable the **Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings** policy setting under **Local Policies\\Security Options**. This will prevent conflicts between similar settings by forcing basic security auditing to be ignored.   + The following are examples of how audit policies can be applied to an organization's OU structure: + - Apply data activity settings to an OU that contains file servers. If your organization has servers that contain particularly sensitive data, consider putting them in a separate OU so that you can configure and apply a more precise audit policy to these servers. - Apply user activity audit policies to an OU that contains all computers in the organization. If your organization places users in OUs based on the department they work in, consider configuring and applying more detailed security permissions on critical resources that are accessed by employees who work in more sensitive areas, such as network administrators or the legal department. - Apply network and system activity audit policies to OUs that contain the organization's most critical servers, such as domain controllers, CAs, email servers, or database servers. + ## Mapping your security auditing goals to a security audit policy configuration + After you identify your security auditing goals, you can begin to map them to a security audit policy configuration. This audit policy configuration must address your most critical security auditing goals, but it also must address your organization's constraints, such as the number of computers that need to be monitored, the number of activities that you want to audit, the number of audit events that your desired audit configuration will generate, and the number of administrators available to analyze and act upon audit data. + To create your audit policy configuration, you need to: + 1. Explore all of the audit policy settings that can be used to address your needs. 2. Choose the audit settings that will most effectively address the audit requirements identified in the previous section. 3. Confirm that the settings you choose are compatible with the operating systems running on the computers that you want to monitor. 4. Decide which configuration options (Success, Failure, or both Success and Failure) you want to use for the audit settings. 5. Deploy the audit settings in a lab or test environment to verify that they meet your desired results in terms of volume, supportability, and comprehensiveness. Then deploy the audit settings in a pilot production environment to ensure that your estimates of how much audit data your audit plan will generate are realistic and that you can manage this data. + ### Exploring audit policy options + Security audit policy settings in the supported versions of Windows can be viewed and configured in the following locations: + - **Security Settings\\Local Policies\\Audit Policy**. - **Security Settings\\Local Policies\\Security Options**. - **Security Settings\\Advanced Audit Policy Configuration**. For more information, see [Advanced security audit policy settings](advanced-security-audit-policy-settings.md). + ### Choosing audit settings to use + Depending on your goals, different sets of audit settings may be of particular value to you. For example, some settings under **Security Settings\\Advanced Audit Policy Configuration** can be used to monitor the following types of activity: + - Data and resources - Users - Network -**Important**   -Settings that are described in the Reference might also provide valuable information about activity audited by another setting. For example, the settings used to monitor user activity and network activity have obvious relevance to protecting your data resources. Likewise, attempts to compromise data resources have huge implications for overall network status, and potentially for how well you are managing the activities of users on the network. + +>**Important:**  Settings that are described in the Reference might also provide valuable information about activity audited by another setting. For example, the settings used to monitor user activity and network activity have obvious relevance to protecting your data resources. Likewise, attempts to compromise data resources have huge implications for overall network status, and potentially for how well you are managing the activities of users on the network.   ### Data and resource activity -For many organizations, compromising the organization's data resources can cause tremendous financial losses, in addition to lost prestige and legal liability. If your organization has critical data resources that need to be protected against any breach, the following settings can provide extremely valuable monitoring and forensic data: + +For many organizations, compromising the organization's data resources can cause tremendous financial losses, in addition to lost prestige and legal liability. If your organization has critical data resources that need to be +protected against any breach, the following settings can provide extremely valuable monitoring and forensic data: + - Object Access\\[Audit File Share](audit-file-share.md). This policy setting allows you to track what content was accessed, the source (IP address and port) of the request, and the user account that was used for the access. The volume of event data generated by this setting will vary depending on the number of client computers that attempt to access the file share. On a file server or domain controller, volume may be high due to SYSVOL access by client computers for policy processing. If you do not need to record routine access by client computers that have permissions on the file share, you may want to log audit events only for failed attempts to access the file share. - Object Access\\[Audit File System](audit-file-system.md). This policy setting determines whether the operating system audits user attempts to access file system objects. Audit events are only generated for objects (such as files and folders) that have configured SACLs, and only if the type of access requested (such as Write, Read, or Modify) and the account that is making the request match the settings in the SACL. + If success auditing is enabled, an audit entry is generated each time any account successfully accesses a file system object that has a matching SACL. If failure auditing is enabled, an audit entry is generated each time any user unsuccessfully attempts to access a file system object that has a matching SACL. The amount of audit data generated by the **Audit File System** policy setting can vary considerably, depending on the number of objects that have been configured to be monitored. - **Note**   - To audit user attempts to access all file system objects on a computer, use the Global Object Access Auditing settings [Registry (Global Object Access Auditing)](registry-global-object-access-auditing.md) or [File System (Global Object Access Auditing)](file-system-global-object-access-auditing.md). + + >**Note:**  To audit user attempts to access all file system objects on a computer, use the Global Object Access Auditing settings [Registry (Global Object Access Auditing)](registry-global-object-access-auditing.md) or [File System (Global Object Access Auditing)](file-system-global-object-access-auditing.md).   - Object Access\\[Audit Handle Manipulation](audit-handle-manipulation.md). This policy setting determines whether the operating system generates audit events when a handle to an object is opened or closed. Only objects with configured SACLs generate these events, and only if the attempted handle operation matches the SACL. + Event volume can be high, depending on how SACLs are configured. When used together with the **Audit File System** or **Audit Registry** policy settings, the **Audit Handle Manipulation** policy setting can provide an administrator with useful "reason for access" audit data that details the precise permissions on which the audit event is based. For example, if a file is configured as a Read-only resource but a user attempts to save changes to the file, the audit event will log not only the event, but also the permissions that were used (or attempted to be used) to save the file changes. + - **Global Object Access Auditing**. A growing number of organizations are using security auditing to comply with regulatory requirements that govern data security and privacy. But demonstrating that strict controls are being enforced can be extremely difficult. To address this issue, the supported versions of Windows include two **Global Object Access Auditing** policy settings, one for the registry and one for the file system. When you configure these settings, they apply a global system access control SACL on all objects of that class on a system, which cannot be overridden or circumvented. - **Important**   - The **Global Object Access Auditing** policy settings must be configured and applied in conjunction with the **Audit File System** and **Audit Registry** audit policy settings in the **Object Access** category. + >**Important:**  The **Global Object Access Auditing** policy settings must be configured and applied in conjunction with the **Audit File System** and **Audit Registry** audit policy settings in the **Object Access** category.   ### User activity + The settings in the previous section relate to activity involving the files, folders, and network shares that are stored on a network, and the settings in this section focus on the users, including employees, partners, and customers, who may try to access those resources. + In the majority of cases, these attempts will be legitimate and a network needs to make vital data readily available to legitimate users. However in other cases, employees, partners, and others may attempt to access resources that they have no legitimate reason to access. Security auditing can be used to track a wide variety of user activities on a particular computer to diagnose and resolve problems for legitimate users and identify and address illegitimate activities. The following are a few important settings that you should evaluate to track user activity on your network: + - Account Logon\\[Audit Credential Validation](audit-credential-validation.md). This is an extremely important policy setting because it enables you to track every successful and unsuccessful attempt to present credentials for a user logon. In particular, a pattern of unsuccessful attempts may indicate that a user or application is using credentials that are no longer valid, or attempting to use a variety of credentials in succession in hope that one of these attempts will eventually be successful. These events occur on the computer that is authoritative for the credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative. - Detailed Tracking\\[Audit Process Creation](audit-process-creation.md) and Detailed Tracking\\[Audit Process Termination](audit-process-termination.md). These policy settings can enable you to monitor the applications that a user opens and closes on a computer. - DS Access\\[Audit Directory Service Access](audit-directory-service-access.md) and DS Access\\[Audit Directory Service Changes](audit-directory-service-changes.md). These policy settings provide a detailed audit trail of attempts to access create, modify, delete, move, or undelete objects in Active Directory Domain Services (AD DS). Only domain administrators have permissions to modify AD DS objects, so it is extremely important to identify malicious attempts to modify these objects. In addition, although domain administrators should be among an organization's most trusted employees, the use of **Audit Directory Service Access** and **Audit Directory Service Changes** settings allow you to monitor and verify that only approved changes are made to AD DS. These audit events are logged only on domain controllers. - Logon/Logoff\\[Audit Account Lockout](audit-account-lockout.md). Another common security scenario occurs when a user attempts to log on with an account that has been locked out. It is important to identify these events and to determine whether the attempt to use an account that has been locked out is malicious. - Logon/Logoff\\[Audit Logoff](audit-logoff.md) and Logon/Logoff\\[Audit Logon](audit-logon.md). Logon and logoff events are essential to tracking user activity and detecting potential attacks. Logon events are related to the creation of logon sessions, and they occur on the computer that was accessed. For an interactive logon, events are generated on the computer that was logged on to. For network logon, such as accessing a shared resource, events are generated on the computer that hosts the resource that was accessed. Logoff events are generated when logon sessions are terminated. - **Note**   - There is no failure event for logoff activity because failed logoffs (such as when a system abruptly shuts down) do not generate an audit record. Logoff events are not 100 percent reliable. For example, the computer can be turned off without a proper logoff and shutdown, and a logoff event is not generated. + + >**Note:**  There is no failure event for logoff activity because failed logoffs (such as when a system abruptly shuts down) do not generate an audit record. Logoff events are not 100 percent reliable. For example, the computer can be turned off without a proper logoff and shutdown, and a logoff event is not generated.   - Logon/Logoff\\[Audit Special Logon](audit-special-logon.md). A special logon has administrator-equivalent rights and can be used to elevate a process to a higher level. It is recommended to track these types of logons. For more information about this feature, see [article 947223](http://go.microsoft.com/fwlink/p/?linkid=120183) in the Microsoft Knowledge Base. - Object Access\\[Audit Certification Services](audit-certification-services.md). This policy setting allows you to track and monitor a wide variety of activities on a computer that hosts Active Directory Certificate Services (AD CS) role services to ensure that only authorized users are performing or attempting to perform these tasks, and that only authorized or desired tasks are being performed. - Object Access\\[Audit File System](audit-file-system.md) and Object Access\\[Audit File Share](audit-file-share.md). These policy settings are described in the previous section. - Object Access\\[Audit Handle Manipulation](audit-handle-manipulation.md). This policy setting and its role in providing "reason for access" audit data is described in the previous section. - Object Access\\[Audit Registry](audit-registry.md). Monitoring for changes to the registry is one of the most critical means that an administrator has to ensure malicious users do not make changes to essential computer settings. Audit events are only generated for objects that have configured SACLs, and only if the type of access that is requested (such as Write, Read, or Modify) and the account making the request match the settings in the SACL. - **Important**   - On critical systems where all attempts to change registry settings need to be tracked, you can combine the **Audit Registry** policy setting with the **Global Object Access Auditing** policy settings to ensure that all attempts to modify registry settings on a computer are tracked. + + >**Important:**  On critical systems where all attempts to change registry settings need to be tracked, you can combine the **Audit Registry** policy setting with the **Global Object Access Auditing** policy settings to ensure that all attempts to modify registry settings on a computer are tracked.   - Object Access\\[Audit SAM](audit-sam.md). The Security Accounts Manager (SAM) is a database that is present on computers running Windows that stores user accounts and security descriptors for users on the local computer. Changes to user and group objects are tracked by the **Account Management** audit category. However, user accounts with the proper user rights could potentially alter the files where the account and password information is stored in the system, bypassing any **Account Management** events. - Privilege Use\\[Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md). **Privilege Use** policy settings and audit events allow you to track the use of certain rights on one or more systems. If you configure this policy setting, an audit event is generated when sensitive rights requests are made. + ### Network activity + The following network activity policy settings allow you to monitor security-related issues that are not necessarily covered in the data or user activity categories, but that can be equally important for network status and protection. + - **Account Management**. The policy settings in this category can be used to track attempts to create, delete, or modify user or computer accounts, security groups, or distribution groups. Monitoring these activities complements the monitoring strategies you select in the user activity and data activity sections. - Account Logon\\[Audit Kerberos Authentication Service](audit-kerberos-authentication-service.md) and Account Logon\\[Audit Kerberos Service Ticket Operations](audit-kerberos-service-ticket-operations.md). Audit policy settings in the **Account Logon** category monitor activities that relate to the use of domain account credentials. These policy settings complement the policy settings in the **Logon/Logoff** category. The **Audit Kerberos Authentication Service** policy setting allows you to monitor the status of and potential threats to the Kerberos service. The Audit **Kerberos Service Ticket Operations** policy setting allows you to monitor the use of Kerberos service tickets. - **Note**   - **Account Logon** policy settings apply only to specific domain account activities, regardless of the computer that is accessed, whereas **Logon/Logoff** policy settings apply to the computer that hosts the resources being accessed. + + >**Note:**  **Account Logon** policy settings apply only to specific domain account activities, regardless of the computer that is accessed, whereas **Logon/Logoff** policy settings apply to the computer that hosts the resources being accessed.   - Account Logon\\[Audit Other Account Logon Events](audit-other-account-logon-events.md). This policy setting can be used to track a number of different network activities, including attempts to create Remote Desktop connections, wired network connections, and wireless connections. - **DS Access**. Policy settings in this category allow you to monitor the AD DS role services, which provide account data, validate logons, maintain network access permissions, and provide other services that are critical to the secure and proper functioning of a network. Therefore, auditing the rights to access and modify the configuration of a domain controller can help an organization maintain a secure and reliable network. In addition, one of the key tasks performed by AD DS is the replication of data between domain controllers. @@ -295,41 +288,65 @@ The following network activity policy settings allow you to monitor security-rel - Policy Change\\[Audit Audit Policy Change](audit-audit-policy-change.md). This policy setting allows you to monitor changes to the audit policy. If malicious users obtain domain administrator credentials, they can temporarily disable essential security audit policy settings so that their other activities on the network cannot be detected. - Policy Change\\[Audit Filtering Platform Policy Change](audit-filtering-platform-policy-change.md). This policy setting can be used to monitor a large variety of changes to an organization's IPsec policies. - Policy Change\\[Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md). This policy setting determines if the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe), which is used by Windows Firewall. Changes to firewall rules are important for understanding the security state of the computer and how well it is protected against network attacks. + ### Confirm operating system version compatibility + Not all versions of Windows support advanced audit policy settings or the use of Group Policy to apply and manage these settings. For more info, see [Which editions of Windows support advanced audit policy configuration](which-editions-of-windows-support-advanced-audit-policy-configuration.md). + The audit policy settings under **Local Policies\\Audit Policy** overlap with audit policy settings under **Security Settings\\Advanced Audit Policy Configuration**. However, the advanced audit policy categories and subcategories make it possible to focus your auditing efforts on the most critical activities while reducing the amount of audit data that is less important to your organization. + For example, **Local Policies\\Audit Policy** contains a single setting called [Audit account logon events](http://technet.microsoft.com/library/cc787176.aspx). When this setting is configured, it generates at least 10 types of audit events. + In comparison, the Account Logon category under **Security Settings\\Advanced Audit Policy Configuration** provides the following advanced settings, which allow you to focus your auditing: + - Credential Validation - Kerberos Authentication Service - Kerberos Service Ticket Operations - Other Account Logon Events + These settings allow you to exercise much tighter control over which activities or events generate event data. Some activities and events will be more important to your organization, so define the scope of your security audit policy as narrowly as possible. + ### Success, failure, or both + Whichever event settings you include in your plan, you also have to decide whether you want to log an event when the activity fails, when an activity succeeds, or both successes and failures. This is an important question, and the answer will be based on the criticality of the event and the implications of the decision on event volume. + For example, on a file server that is accessed frequently by legitimate users, you may be interested in logging an event only when an unsuccessful attempt to access data takes place, because this could be evidence of an unauthorized or malicious user. And in this instance, logging successful attempts to access the server would quickly fill the event log with benign events. + On the other hand, if the file share has extremely sensitive and valuable information, such as trade secrets, you may want to log every access attempt, whether successful or unsuccessful, so that you have an audit trail of every user who accessed the resource. + ## Planning for security audit monitoring and management + Networks can contain hundreds of servers running critical services or storing critical data, all of which need to be monitored. The number of client computers on the network can easily range into the tens or even hundreds of thousands. This may not be an issue if the ratio of servers or client computers per administrator is low. Even if an administrator who is responsible for auditing security and performance issues has relatively few computers to monitor, you need to decide how an administrator will obtain event data to review. Following are some options for obtaining the event data. + - Will you keep event data on a local computer until an administrator logs on to review this data? If so, then the administrator needs to have physical or remote access to the Event Viewer on each client computer or server, and the remote access and firewall settings on each client computer or server need to be configured to enable this access. In addition, you need to decide how often an administrator can visit each computer, and adjust the size of the audit log so that critical information is not deleted if the log reaches its maximum capacity. - Will you collect event data so that it can be reviewed from a central console? If so, there are a number of computer management products, such as the Audit Collection Services in Operations Manager 2007 and 2012, which can be used to collect and filter event data. Presumably this solution enables a single administrator to review larger amounts of data than using the local storage option. But in some cases, this can make it more difficult to detect clusters of related events that can occur on a single computer. + In addition, whether you choose to leave audit data on an individual computer or consolidate it at a central location, you need to decide how large the log file should be and what should happen when the log reaches its maximum size. To configure these options, open Event Viewer, expand **Windows Logs**, right-click **Security**, and click **Properties**. You can configure the following properties: + - **Overwrite events as needed (oldest events first)**. This is the default option, which is an acceptable solution in most situations. - **Archive the log when full, do not overwrite events**. This option can be used when all log data needs to be saved, but it also suggests that you may not be reviewing audit data frequently enough. - **Do not overwrite events (Clear logs manually)**. This option stops the collection of audit data when the log file reaches its maximum size. Older data is retained at the expense of the most recent audit events. Use this option only if you do not want to lose any audit data, do not want to create an archive of the event log, and are committed to reviewing data before the maximum log size is reached. -You can also configure the audit log size and other key management options by using Group Policy settings. You can configure the event log settings in the following locations within the GPMC: **Computer Configuration\\Administrative Templates\\Windows Components\\Event Log Service\\Security**. These options include: + +You can also configure the audit log size and other key management options by using Group Policy settings. You can configure the event log settings in the following locations within the GPMC: **Computer +Configuration\\Administrative Templates\\Windows Components\\Event Log Service\\Security**. These options include: + - **Maximum Log Size (KB)**. This policy setting specifies the maximum size of the log files. The user interfaces in the Local Group Policy Editor and Event Viewer allow you to enter values as large as 2 TB. If this setting is not configured, event logs have a default maximum size of 20 megabytes. + - **Log Access**. This policy setting determines which user accounts have access to log files and what usage rights are granted. - **Retain old events**. This policy setting controls event log behavior when the log file reaches its maximum size. When this policy setting is enabled and a log file reaches its maximum size, new events are not written to the log and are lost. When this policy setting is disabled and a log file reaches its maximum size, new events overwrite old events. - **Backup log automatically when full**. This policy setting controls event log behavior when the log file reaches its maximum size and takes effect only if the **Retain old events** policy setting is enabled. If you enable these policy settings, the event log file is automatically closed and renamed when it is full. A new file is then started. If you disable or do not configure this policy setting and the **Retain old events** policy setting is enabled, new events are discarded and the old events are retained. + In addition, a growing number of organizations are being required to store archived log files for a number of years. You should consult with regulatory compliance officers in your organization to determine whether such guidelines apply to your organization. For more information, see the [IT Compliance Management Guide](http://go.microsoft.com/fwlink/p/?LinkId=163435). + ## Deploying the security audit policy + Before deploying the audit policy in a production environment, it is critical that you determine the effects of the policy settings that you have configured. The first step in assessing your audit policy deployment is to create a test environment in a lab and use it to simulate the various use scenarios that you have identified to confirm that the audit settings you have selected are configured correctly and generate the type of results you intend. + However, unless you are able to run fairly realistic simulations of network usage patterns, a lab setup cannot provide you with accurate information about the volume of audit data that the audit policy settings you selected will generate and how effective your plan for monitoring audit data will be. To provide this type of information, you need to conduct one or more pilot deployments. These pilot deployments could involve: + - A single OU that contains critical data servers or an OU that contains all desktop computers in a specified location. - A limited set of security audit policy settings, such as **Logon/Logoff** and **Account Logon**. - A combination of limited OUs and audit policy settings—for example, targeting servers in only the Accounting OU with **Object Access** policy settings. + After you have successfully completed one or more limited deployments, you should confirm that the audit data that is collected is manageable with your management tools and administrators. When you have confirmed that the pilot deployment is effective, you need to confirm that you have the necessary tools and staff to expand the deployment to include additional OUs and sets of audit policy settings until the production deployment is complete. -  -  diff --git a/windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md b/windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md index b5dae385ac..4eaf0224ec 100644 --- a/windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md @@ -3,9 +3,10 @@ title: Windows Defender Advanced Threat Protection portal overview description: Use the Windows Defender ATP portal to monitor your enterprise network and assist in responding to alerts to potential advanced persistent threat (APT) activity or data breaches. keywords: Windows Defender ATP portal, portal, cybersecurity threat intelligence, dashboard, alerts queue, machines view, preferences setup, client onboarding, advanced attacks search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: DulceMV --- diff --git a/windows/keep-secure/prepare-people-to-use-microsoft-passport.md b/windows/keep-secure/prepare-people-to-use-microsoft-passport.md index 74cebb3914..d377aafd3e 100644 --- a/windows/keep-secure/prepare-people-to-use-microsoft-passport.md +++ b/windows/keep-secure/prepare-people-to-use-microsoft-passport.md @@ -3,7 +3,7 @@ title: Prepare people to use Microsoft Passport (Windows 10) description: When you set a policy to require Microsoft Passport in the workplace, you will want to prepare people in your organization. ms.assetid: 5270B416-CE31-4DD9-862D-6C22A2AE508B keywords: identity, PIN, biometric, Hello -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/keep-secure/prepare-your-organization-for-bitlocker-planning-and-policies.md index 56db3e6526..c30af5a4c1 100644 --- a/windows/keep-secure/prepare-your-organization-for-bitlocker-planning-and-policies.md +++ b/windows/keep-secure/prepare-your-organization-for-bitlocker-planning-and-policies.md @@ -2,17 +2,22 @@ title: Prepare your organization for BitLocker Planning and policies (Windows 10) description: This topic for the IT professional explains how can you plan your BitLocker deployment. ms.assetid: 6e3593b5-4e8a-40ac-808a-3fdbc948059d -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Prepare your organization for BitLocker: Planning and policies + **Applies to** - Windows 10 + This topic for the IT professional explains how can you plan your BitLocker deployment. + When you design your BitLocker deployment strategy, define the appropriate policies and configuration requirements based on the business requirements of your organization. The following topics will help you collect information that you can use to frame your decision-making process about deploying and managing BitLocker systems. + - [Audit your environment](#bkmk-audit) - [Encryption keys and authentication](#bkk-encrypt) - [TPM hardware configurations](#bkmk-tpmconfigurations) @@ -23,244 +28,203 @@ When you design your BitLocker deployment strategy, define the appropriate polic - [Active Directory Domain Services considerations](#bkmk-addscons) - [FIPS support for recovery password protector](#bkmk-fipssupport) - [BitLocker Group Policy settings](bitlocker-group-policy-settings.md) + ## Audit your environment + To plan your enterprise deployment of BitLocker, you must first understand your current environment. Conduct an informal audit to define your current policies, procedures, and hardware environment. Begin by reviewing your existing corporate security policies as they relate to disk encryption software. If your organization is not currently using disk encryption software, none of these policies will exist. If you are using disk encryption software, then you might need to modify your organization's policies to address the capabilities of BitLocker. + Use the following questions to help you document your organization's current disk encryption security policies: + 1. Are there policies to address which computers will use BitLocker and which computers will not use BitLocker? 2. What policies exist to control recovery password and recovery key storage? 3. What are the policies for validating the identity of users that need to perform BitLocker recovery? 4. What policies exist to control who in the organization has access to recovery data? 5. What policies exist to control computer decommissioning or retirement? + ## Encryption keys and authentication + BitLocker helps prevent unauthorized access to data on lost or stolen computers by: + - Encrypting the entire Windows operating system volume on the hard disk. - Verifying the boot process integrity. + The trusted platform module (TPM)is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the system was offline. + In addition, BitLocker offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable USB device, such as a flash drive, that contains a startup key. These additional security measures provide multifactor authentication and assurance that the computer will not start or resume from hibernation until the correct PIN or startup key is presented. + On computers that do not have a TPM version 1.2 or higher, you can still use BitLocker to encrypt the Windows operating system volume. However, this implementation will require the user to insert a USB startup key to start the computer or resume from hibernation, and does not provide the pre-startup system integrity verification offered by BitLocker working with a TPM. + **BitLocker key protectors** - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Key protectorDescription

TPM

A hardware device used to help establish a secure root-of-trust. BitLocker only supports TPM version 1.2 or higher.

PIN

A user-entered numeric key protector that can only be used in addition to the TPM.

Enhanced PIN

A user-entered alphanumeric key protector that can only be used in addition to the TPM.

Startup key

An encryption key that can be stored on most removable media. This key protector can be used alone on non-TPM computers, or in conjunction with a TPM for added security.

Recovery password

A 48-digit number used to unlock a volume when it is in recovery mode. Numbers can often be typed on a regular keyboard, if the numbers on the normal keyboard are not responding you can always use the function keys (F1-F10) to input the numbers.

Recovery key

An encryption key stored on removable media that can be used for recovering data encrypted on a BitLocker volume.

+ +| Key protector | Description | +| - | - | +| TPM | A hardware device used to help establish a secure root-of-trust. BitLocker only supports TPM version 1.2 or higher.| +| PIN | A user-entered numeric key protector that can only be used in addition to the TPM.| +| Enhanced PIN | A user-entered alphanumeric key protector that can only be used in addition to the TPM.| +| Startup key | An encryption key that can be stored on most removable media. This key protector can be used alone on non-TPM computers, or in conjunction with a TPM for added security.| +| Recovery password | A 48-digit number used to unlock a volume when it is in recovery mode. Numbers can often be typed on a regular keyboard, if the numbers on the normal keyboard are not responding you can always use the function keys (F1-F10) to input the numbers.| +| Recovery key| An encryption key stored on removable media that can be used for recovering data encrypted on a BitLocker volume.|   **BitLocker authentication methods** - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Authentication methodRequires user interactionDescription

TPM only

No

TPM validates early boot components.

TPM + PIN

Yes

TPM validates early boot components. The user must enter the correct PIN before the start-up process can continue, and before the drive can be unlocked. The TPM will enter lockout if the incorrect PIN is entered repeatedly to protect the PIN from brute force attacks. The number of repeated attempts that will trigger a lockout is variable.

TPM + Network key

No

The TPM successfully validates early boot components, and a valid encrypted network key has been provided from the WDS server. This authentication method provides automatic unlock of operating system volumes at system reboot while still maintaining multifactor authentication.

TPM + startup key

Yes

The TPM successfully validates early boot components, and a USB flash drive containing the startup key has been inserted.

Startup key only

Yes

The user is prompted to insert the USB flash drive that holds the recovery key and/or startup key and reboot the computer.

+ +| Authentication method | Requires user interaction | Description | +| - | - | - | +| TPM only| No| TPM validates early boot components.| +| TPM + PIN | Yes| TPM validates early boot components. The user must enter the correct PIN before the start-up process can continue, and before the drive can be unlocked. The TPM will enter lockout if the incorrect PIN is entered repeatedly to protect the PIN from brute force attacks. The number of repeated attempts that will trigger a lockout is variable.| +| TPM + Network key | No | The TPM successfully validates early boot components, and a valid encrypted network key has been provided from the WDS server. This authentication method provides automatic unlock of operating system volumes at system reboot while still maintaining multifactor authentication. | +| TPM + startup key| Yes| The TPM successfully validates early boot components, and a USB flash drive containing the startup key has been inserted.| +| Startup key only | Yes| The user is prompted to insert the USB flash drive that holds the recovery key and/or startup key and reboot the computer.|   **Will you support computers without TPM version 1.2 or higher?** + Determine whether you will support computers that do not have a TPM version 1.2 or higher in your environment. If you choose to support BitLocker on this type of computer, a user must use a USB startup key to boot the system. This requires additional support processes similar to multifactor authentication. + **What areas of your organization need a baseline level of data protection?** + The TPM-only authentication method will provide the most transparent user experience for organizations that need a baseline level of data protection to meet security policies. It has the lowest total cost of ownership. TPM-only might also be more appropriate for computers that are unattended or that must reboot unattended. + However, TPM-only authentication method offers the lowest level of data protection. This authentication method protects against attacks that modify early boot components, but the level of protection can be affected by potential weaknesses in hardware or in the early boot components. BitLocker’s multifactor authentication methods significantly increase the overall level of data protection. + **What areas of your organization need a more secure level of data protection?** + If there are areas of your organization where data residing on user computers is considered highly-sensitive, consider the best practice of deploying BitLocker with multifactor authentication on those systems. Requiring the user to input a PIN significantly increases the level of protection for the system. You can also use BitLocker Network Unlock to allow these computers to automatically unlock when connected to a trusted wired network that can provide the Network Unlock key. + **What multifactor authentication method does your organization prefer?** + The protection differences provided by multifactor authentication methods cannot be easily quantified. Consider each authentication method's impact on Helpdesk support, user education, user productivity, and automated systems management processes. + ## TPM hardware configurations + In your deployment plan, identify what TPM-based hardware platforms will be supported. Document the hardware models from an OEM of your choice, so that their configurations can be tested and supported. TPM hardware requires special consideration during all aspects of planning and deployment. + ### TPM states of existence + For each of the TPM states of existence, the TPM can transition into another state (for example, moving from disabled to enabled). The states are not exclusive. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
StateDescription

Enabled

Most features of the TPM are available.

-

The TPM may be enabled and disabled multiple times within a boot period, if ownership is taken.

Disabled

The TPM restricts most operations. Exceptions include the ability to report TPM capabilities, extend and reset Platform Configuration Register (PCR) functions, and to perform hashing and basic initialization.

-

The TPM may be enabled and disabled multiple times within a boot period.

Activated

Most features of the TPM are available. The TPM may be activated and deactivated only through physical presence which requires a reboot.

Deactivated

Similar to disabled, with the exception that ownership can be taken while deactivated and enabled. The TPM may be activated and deactivated only through physical presence which requires a reboot.

Owned

Most features of the TPM are available. The TPM has an endorsement key and storage root key, and the owner knows information about owner authorization data.

Un-owned

The TPM does not have a storage root key and may or may not have an endorsement key.

+ +| State | Description | +| - | - | +| Enabled| Most features of the TPM are available.
The TPM may be enabled and disabled multiple times within a boot period, if ownership is taken.| +| Disabled | The TPM restricts most operations. Exceptions include the ability to report TPM capabilities, extend and reset Platform Configuration Register (PCR) functions, and to perform hashing and basic initialization.
The TPM may be enabled and disabled multiple times within a boot period.| +| Activated| Most features of the TPM are available. The TPM may be activated and deactivated only through physical presence which requires a reboot.| +| Deactivated| Similar to disabled, with the exception that ownership can be taken while deactivated and enabled. The TPM may be activated and deactivated only through physical presence which requires a reboot.| +| Owned| Most features of the TPM are available. The TPM has an endorsement key and storage root key, and the owner knows information about owner authorization data.| +| Un-owned| The TPM does not have a storage root key and may or may not have an endorsement key.|   -**Important**   -BitLocker cannot use the TPM until it is in the following state: enabled, activated, and owned. When the TPM is in this state and only when it is in this state, all operations are available. +>**Important:**  BitLocker cannot use the TPM until it is in the following state: enabled, activated, and owned. When the TPM is in this state and only when it is in this state, all operations are available.   The state of the TPM exists independent of the computer’s operating system. Once the TPM is enabled, activated, and owned, the state of the TPM is preserved if the operating system is reinstalled. + ### Endorsement keys + For a TPM to be usable by BitLocker, it must contain an endorsement key, which is an RSA key pair. The private half of the key pair is held inside the TPM and is never revealed or accessible outside the TPM. If the TPM does not contain an endorsement key, BitLocker will force the TPM to generate one automatically as part of BitLocker setup. + An endorsement key can be created at various points in the TPM’s lifecycle, but needs to be created only once for the lifetime of the TPM. If an endorsement key does not exist for the TPM, it must be created before TPM ownership can be taken. + For more information about the TPM and the TCG, see the Trusted Computing Group: Trusted Platform Module (TPM) Specifications (). + ## Non-TPM hardware configurations + Devices that do not include a TPM can still be protected by drive encryption. Windows To Go workspaces can be BitLocker protected using a startup password and PCs without a TPM can use a startup key. + Use the following questions to identify issues that might affect your deployment in a non-TPM configuration: + - Are password complexity rules in place? - Do you have budget for USB flash drives for each of these computers? - Do your existing non-TPM devices support USB devices at boot time? + Test your individual hardware platforms with the BitLocker system check option while you are enabling BitLocker. The system check will ensure that BitLocker can read the recovery information from a USB device and encryption keys correctly before it encrypts the volume. CD and DVD drives cannot act as a block storage device and cannot be used to store the BitLocker recovery material. + ## Disk configuration considerations + To function correctly, BitLocker requires a specific disk configuration. BitLocker requires two partitions that meet the following requirements: + - The operating system partition contains the operating system and its support files; it must be formatted with the NTFS file system - The system partition (or boot partition) contains the files that are needed to load Windows after the BIOS or UEFI firware has prepared the system hardware. BitLocker is not enabled on this partition. For BitLocker to work, the system partition must not be encrypted and must be on a different partition than the operating system. On UEFI platforms the system partition must be formatted with the FAT 32 file system. On BIOS platforms the system partition must be formatted with the NTFS file system. It should be at least 350 MB in size + Windows setup will automatically configure the disk drives of your computer to support BitLocker encryption. + Windows Recovery Environment (Windows RE) is an extensible recovery platform that is based on Windows Pre-installation Environment (Windows PE). When the computer fails to start, Windows automatically transitions into this environment, and the Startup Repair tool in Windows RE automates the diagnosis and repair of an unbootable Windows installation. Windows RE also contains the drivers and tools that are needed to unlock a volume protected by BitLocker by providing a recovery key or recovery password. To use Windows RE in conjunction with BitLocker, the Windows RE boot image must reside on a volume that is not protected by BitLocker. + Windows RE can also be used from boot media other than the local hard disk. If you choose not to install Windows RE on the local hard disk of BitLocker-enabled computers, you can use alternate boot methods, such as Windows Deployment Services, CD-ROM, or USB flash drive, for recovery. + ## BitLocker provisioning + In Windows Vista and Windows 7, BitLocker was provisioned post installation for system and data volumes through either the manage-bde command line interface or the Control Panel user interface. With newer operating systems, BitLocker can be easily provisioned before the operating system is installed. Preprovisioning requires that the computer have a TPM. + To check the BitLocker status of a particular volume, administrators can look at the status of the drive in the BitLocker control panel applet or Windows Explorer. A status of "Waiting For Activation" with a yellow exclamation icon means that the drive was preprovisioned for BitLocker. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume is not protected and needs to have a secure key added to the volume before the drive is considered fully protected. Administrators can use the control panel options, manage-bde tool or WMI APIs to add an appropriate key protector and the volume status will be updated. + When using the control panel options, administrators can choose to **Turn on BitLocker** and follow the steps in the wizard to add a protector, such as a PIN for an operating system volume (or a password if no TPM exists), or a password or smart card protector to a data volume. Then the drive security window is presented prior to changing the volume status. + Administrators can enable BitLocker prior to operating system deployment from the Windows Pre-installation Environment (WinPE). This is done with a randomly generated clear key protector applied to the formatted volume and encrypting the volume prior to running the Windows setup process. If the encryption uses the Used Disk Space Only option this step takes only a few seconds and so incorporates well into regular deployment processes. + ## Used Disk Space Only encryption + The BitLocker Setup wizard provides administrators the ability to choose the Used Disk Space Only or Full encryption method when enabling BitLocker for a volume. Administrators can use the new BitLocker Group Policy setting to enforce either Used Disk Space Only or Full disk encryption. + Launching the BitLocker Setup wizard prompts for the authentication method to be used (password and smart card are available for data volumes). Once the method is chosen and the recovery key is saved, you are asked to choose the drive encryption type, either Used Disk Space Only or Full drive encryption. + Used Disk Space Only means that only the portion of the drive that contains data will be encrypted, unused space will remain unencrypted. This causes the encryption process to be much faster, especially for new PCs and data drives. When BitLocker is enabled with this method as data is added to the drive the portion of the drive used will be encrypted, so there is never unencrypted data stored on the drive. + Full drive encryption means that the entire drive will be encrypted, regardless of whether data is stored on it or not. This is useful for drives that have been repurposed and may contain data remnants from their previous use. + ## Active Directory Domain Services considerations + BitLocker integrates with Active Directory Domain Services (AD DS) to provide centralized key management. By default, no recovery information is backed up to Active Directory. Administrators can configure Group Policy settings to enable backup of BitLocker or TPM recovery information. Before configuring these settings verify that access permissions have been granted to perform the backup. + By default, domain administrators are the only users that will have access to BitLocker recovery information. When you plan your support process, define what parts of your organization need access to BitLocker recovery information. Use this information to define how the appropriate rights will be delegated in your AD DS environment. + It is a best practice to require backup of recovery information for both the TPM and BitLocker to AD DS. You can implement this practice by configuring the Group Policy settings below for your BitLocker-protected computers. - ---- - - - - - - - - - - - - - - - - -
BitLocker Group Policy settingConfiguration

BitLocker Drive Encryption: Turn on BitLocker backup to Active Directory Domain Services

Require BitLocker backup to AD DS (Passwords and key packages)

Trusted Platform Module Services: Turn on TPM backup to Active Directory Domain Services

Require TPM backup to AD DS

+ +| BitLocker Group Policy setting | Configuration | +| - | - | +| BitLocker Drive Encryption: Turn on BitLocker backup to Active Directory Domain Services| Require BitLocker backup to AD DS (Passwords and key packages)| +| Trusted Platform Module Services: Turn on TPM backup to Active Directory Domain Services | Require TPM backup to AD DS|   The following recovery data will be saved for each computer object: + - **Recovery password** + A 48-digit recovery password used to recover a BitLocker-protected volume. Users enter this password to unlock a volume when BitLocker enters recovery mode. + - **Key package data** + With this key package and the recovery password, you will be able decrypt portions of a BitLocker-protected volume if the disk is severely damaged. Each key package will only work with the volume it was created on, which can be identified by the corresponding volume ID. + - **TPM owner authorization password hash** + When ownership of the TPM is taken a hash of the ownership password can be taken and stored in AD DS. This information can then be used to reset ownership of the TPM. + Starting in Windows 8, a change to how the TPM owner authorization value is stored in AD DS was implemented in the AD DS schema. The TPM owner authorization value is now stored in a separate object which is linked to the Computer object. This value was stored as a property in the Computer object itself for the default Windows Server 2008 R2 and later schemas. + To take advantage of this integration, you must upgrade your domain controllers to Windows Server 2012 or extend the Active Directory schema and configure BitLocker-specific Group Policy objects. -**Note**   -The account that you use to update the Active Directory schema must be a member of the Schema Admins group. + +>**Note:**  The account that you use to update the Active Directory schema must be a member of the Schema Admins group.   Windows Server 2012 domain controllers have the default schema to backup TPM owner authorization information in the separate object. If you are not upgrading your domain controller to Windows Server 2012 you need to extend the schema to support this change. + **To support Windows 8 and later computers that are managed by a Windows Server 2003 or Windows 2008 domain controller** + There are two schema extensions that you can copy down and add to your AD DS schema: + - **TpmSchemaExtension.ldf** + This schema extension brings parity with the Windows Server 2012 schema. With this change, the TPM owner authorization information is stored in a separate TPM object linked to the corresponding computer object. Only the Computer object that has created the TPM object can update it. This means that any subsequent updates to the TPM objects will not succeed in dual boot scenarios or scenarios where the computer is reimaged resulting in a new AD computer object being created. To support such scenarios, an update to the schema was created. + - **TpmSchemaExtensionACLChanges.ldf** + This schema update modifies the ACLs on the TPM object to be less restrictive so that any subsequent operating system which takes ownership of the computer object can update the owner authorization value in AD DS. However, this is less secure as any computer in the domain can now update the OwnerAuth of the TPM object (although it cannot read the OwnerAuth) and DOS attacks can be made from within the enterprise. The recommended mitigation in such a scenario is to do regular backup of TPM objects and enable auditing to track changes for these objects. + To download the schema extensions, see [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md). + If you have a Windows Server 2012 domain controller in your environment, the schema extensions are already in place and do not need to be updated. -**Caution**   -To configure Group Policy objects to backup TPM and BitLocker information in AD DS at least one of the domain controllers in your forest must be running at least Windows Server 2008 R2. + +>**Caution:**  To configure Group Policy objects to backup TPM and BitLocker information in AD DS at least one of the domain controllers in your forest must be running at least Windows Server 2008 R2. If Active Directory backup of the TPM owner authorization value is enabled in an environment without the required schema extensions, the TPM provisioning will fail and the TPM will remain in a Not Ready state for computers running Windows 8 and later.   **Setting the correct permissions in AD DS** + To initialize the TPM successfully so that you can turn on BitLocker requires that the correct permissions for the SELF account in be set in AD DS for the **ms-TPMOwnerInformation** attribute. The following steps detail setting these permissions as required by BitLocker: + 1. Open **Active Directory Users and Computers**. 2. Select the organizational unit (OU) which contains the computer accounts that will have BitLocker turned on. 3. Right-click the OU and click **Delegate Control** to open the **Delegation of Control** wizard. @@ -270,26 +234,32 @@ To initialize the TPM successfully so that you can turn on BitLocker requires th 7. On the **Active Directory Object Type** page, choose **Only the following objects in the folder** and then check **Computer Objects** and then click **Next**. 8. On the **Permissions** page, for **Show these permissions**, check **General**, **Property-specific**, and **Creation/deletion of specific child objects**. Scroll down the **Permissions** list and check both **Write msTPM-OwnerInformation** and **Write msTPM-TpmInformationForComputer** then click **Next**. 9. Click **Finish** to apply the permissions settings. + ## FIPS support for recovery password protector + Functionality introduced in Windows Server 2012 R2 and Windows 8.1, allows BitLocker to be fully functional in FIPS mode. -**Note**   -The United States Federal Information Processing Standard (FIPS) defines security and interoperability requirements for computer systems that are used by the U.S. federal government. The FIPS 140 standard defines approved cryptographic algorithms. The FIPS 140 standard also sets forth requirements for key generation and for key management. The National Institute of Standards and Technology (NIST) uses the Cryptographic Module Validation Program (CMVP) to determine whether a particular implementation of a cryptographic algorithm is compliant with the FIPS 140 standard. An implementation of a cryptographic algorithm is considered FIPS 140-compliant only if it has been submitted for and has passed NIST validation. An algorithm that has not been submitted cannot be considered FIPS-compliant even if the implementation produces identical data as a validated implementation of the same algorithm.  + +>**Note:**  The United States Federal Information Processing Standard (FIPS) defines security and interoperability requirements for computer systems that are used by the U.S. federal government. The FIPS 140 standard defines approved cryptographic algorithms. The FIPS 140 standard also sets forth requirements for key generation and for key management. The National Institute of Standards and Technology (NIST) uses the Cryptographic Module Validation Program (CMVP) to determine whether a particular implementation of a cryptographic algorithm is compliant with the FIPS 140 standard. An implementation of a cryptographic algorithm is considered FIPS 140-compliant only if it has been submitted for and has passed NIST validation. An algorithm that has not been submitted cannot be considered FIPS-compliant even if the implementation produces identical data as a validated implementation of the same algorithm.    Prior to these supported versions of Windows, when Windows was in FIPS mode, BitLocker prevented the creation or use of recovery passwords and instead forced the user to use recovery keys. For more information about these issues, see the support article [kb947249](http://support.microsoft.com/kb/947249). + But on computers running these supported systems with BitLocker enabled: + - FIPS-compliant recovery password protectors can be created when Windows is in FIPS mode. These protectors use the FIPS 140 NIST SP800-132 algorithm. - Recovery passwords created in FIPS mode on Windows 8.1 can be distinguished from recovery passwords created on other systems. - Recovery unlock using the FIPS-compliant algorithm based recovery password protector work in all cases that currently work for recovery passwords. - When FIPS-compliant recovery passwords unlock volumes, the volume is unlocked to allow read/write access even while in FIPS mode. - FIPS-compliant recovery password protectors can be exported and stored in AD a while in FIPS mode. + The BitLocker Group Policy settings for recovery passwords work the same for all Windows versions that support BitLocker, whether in FIPs mode or not. + However, you cannot use recovery passwords generated on a system in FIPS mode for systems earlier than Windows Server 2012 R2 and Windows 8.1. Recovery passwords created on Windows Server 2012 R2 and Windows 8.1 are incompatible with BitLocker on operating systems prior to Windows Server 2012 R2 and Windows 8.1; so recovery keys should be used instead. + ## More information -[Trusted Platform Module](trusted-platform-module-overview.md) -[TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md) -[BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md) -[BitLocker](bitlocker-overview.md) -[BitLocker Group Policy settings](bitlocker-group-policy-settings.md) -[BitLocker basic deployment](bitlocker-basic-deployment.md) -  -  + +- [Trusted Platform Module](trusted-platform-module-overview.md) +- [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md) +- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md) +- [BitLocker](bitlocker-overview.md) +- [BitLocker Group Policy settings](bitlocker-group-policy-settings.md) +- [BitLocker basic deployment](bitlocker-basic-deployment.md) diff --git a/windows/keep-secure/profile-single-process.md b/windows/keep-secure/profile-single-process.md index bcdfcfa6c0..0dce3bdffe 100644 --- a/windows/keep-secure/profile-single-process.md +++ b/windows/keep-secure/profile-single-process.md @@ -2,89 +2,90 @@ title: Profile single process (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Profile single process security policy setting. ms.assetid: c0963de4-4f5e-430e-bfcd-dfd68e66a075 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Profile single process + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Profile single process** security policy setting. + ## Reference + This policy setting determines which users can view a sample performance of an application process. Typically, you do not need this user right to use the performance reporting tools included in the operating system. However, you do need this user right if the system’s monitor components are configured to collect data through Windows Management Instrumentation (WMI). + Constant: SeProfileSingleProcessPrivilege + ### Possible values + - User-defined list of accounts - Administrators - Not Defined + ### Best practices + - This right should not be granted to individual users. It should be granted only for trusted applications that monitor other programs. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default this setting is Administrators on domain controllers and on stand-alone servers. + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Administrators

Stand-Alone Server Default Settings

Administrators

Domain Controller Effective Default Settings

Administrators

Member Server Effective Default Settings

Administrators

Client Computer Effective Default Settings

Administrators

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Administrators| +| Stand-Alone Server Default Settings | Administrators| +| Domain Controller Effective Default Settings | Administrators| +| Member Server Effective Default Settings | Administrators| +| Client Computer Effective Default Settings| Administrators|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the device is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + The **Profile single process** user right presents a moderate vulnerability. Attackers with this user right could monitor a computer's performance to help identify critical processes that they might want to attack directly. Attackers may be able to determine what processes run on the computer so that they could identify countermeasures that they may need to avoid, such as anti-virus software or an intrusion-detection system. They could also identify other users who are logged on to a computer. + ### Countermeasure + Ensure that only the local Administrators group is assigned the **Profile single process** user right. + ### Potential impact + If you remove the **Profile single process** user right from the Power Users group or other accounts, you could limit the abilities of users who are assigned to specific administrative roles in your environment. You should ensure that delegated tasks are not negatively affected. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/profile-system-performance.md b/windows/keep-secure/profile-system-performance.md index c35951cd49..d7b5f3b8fc 100644 --- a/windows/keep-secure/profile-system-performance.md +++ b/windows/keep-secure/profile-system-performance.md @@ -2,90 +2,92 @@ title: Profile system performance (Windows 10) description: This security policy reference topic for the IT professional describes the best practices, location, values, policy management, and security considerations for the Profile system performance security policy setting. ms.assetid: ffabc3c5-9206-4105-94ea-84f597a54b2e -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Profile system performance + **Applies to** - Windows 10 + This security policy reference topic for the IT professional describes the best practices, location, values, policy management, and security considerations for the **Profile system performance** security policy setting. + ## Reference + This security setting determines which users can use Windows performance monitoring tools to monitor the performance of system processes. + Constant: SeSystemProfilePrivilege + ### Possible values + - User-defined list of accounts - Administrators - Not defined + ### Best practices + - Ensure that only the local Administrators group is assigned the **Profile system performance** user right. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default this setting is Administrators on domain controllers and on stand-alone servers. + The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Administrators

Stand-Alone Server Default Settings

Administrators

Domain Controller Effective Default Settings

Administrators

Member Server Effective Default Settings

Administrators

Client Computer Effective Default Settings

Administrators

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Administrators| +| Stand-Alone Server Default Settings | Administrators| +| Domain Controller Effective Default Settings | Administrators| +| Member Server Effective Default Settings | Administrators| +| Client Computer Effective Default Settings | Administrators|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the device is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + Depending on your version of Windows and your environment, you might need to add this user right to the Local System account or the Local Service account if you encounter access errors when you use the Administrators account. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + The **Profile system performance** user right poses a moderate vulnerability. Attackers with this user right could monitor a computer's performance to help identify critical processes that they might want to attack directly. Attackers might also be able to determine what processes are active on the computer so that they could identify countermeasures to avoid, such as anti-virus software or an intrusion detection system. + ### Countermeasure + Ensure that only the local Administrators group is assigned the **Profile system performance** user right. + ### Potential impact + None. Restricting the **Profile system performance** user right to the local Administrators group is the default configuration. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/protect-bitlocker-from-pre-boot-attacks.md b/windows/keep-secure/protect-bitlocker-from-pre-boot-attacks.md index 8edf687f07..197d906dd6 100644 --- a/windows/keep-secure/protect-bitlocker-from-pre-boot-attacks.md +++ b/windows/keep-secure/protect-bitlocker-from-pre-boot-attacks.md @@ -2,27 +2,41 @@ title: Protect BitLocker from pre-boot attacks (Windows 10) description: This detailed guide will help you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a device’s configuration. ms.assetid: 24d19988-fc79-4c45-b392-b39cba4ec86b -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Protect BitLocker from pre-boot attacks + + **Applies to** - Windows 10 + This detailed guide will help you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a device’s configuration. -BitLocker uses encryption to protect the data on your drive, but BitLocker security is only effective when the encryption key is protected. Many users have relied on pre-boot authentication to protect the operating system’s integrity, disk encryption solution (for example, encryption keys), and the PC’s data from offline attacks. With pre-boot authentication, users must provide some form of credential before unlocking encrypted volumes and starting Windows. Typically, they authenticate themselves using a PIN or a USB flash drive as a key. + +BitLocker uses encryption to protect the data on your drive, but BitLocker security is only effective when the encryption key is protected. Many users have relied on pre-boot authentication to protect the operating system’s integrity, disk encryption solution (for example, encryption keys), and the PC’s data from offline attacks. With pre-boot authentication, users must provide some form of credential before unlocking encrypted volumes and starting +Windows. Typically, they authenticate themselves using a PIN or a USB flash drive as a key. + Full-volume encryption using BitLocker Drive Encryption is vital for protecting data and system integrity on devices running the Windows 10, Windows 8.1, Windows 8, or Windows 7 operating system. It is equally important to protect the BitLocker encryption key. On Windows 7 devices, sufficiently protecting that key often required pre-boot authentication, which many users find inconvenient and complicates device management. + Pre-boot authentication provides excellent startup security, but it inconveniences users and increases IT management costs. Every time the PC is unattended, the device must be set to hibernate (in other words, shut down and powered off); when the computer restarts, users must authenticate before the encrypted volumes are unlocked. This requirement increases restart times and prevents users from accessing remote PCs until they can physically access the computer to authenticate, making pre-boot authentication unacceptable in the modern IT world, where users expect their devices to turn on instantly and IT requires PCs to be constantly connected to the network. + If users lose their USB key or forget their PIN, they can’t access their PC without a recovery key. With a properly configured infrastructure, the organization’s support will be able to provide the recovery key, but doing so increases support costs, and users might lose hours of productive work time. + Starting with Windows 8, Secure Boot and Windows Trusted Boot startup process ensures operating system integrity, allowing Windows to start automatically while minimizing the risk of malicious startup tools and rootkits. In addition, many modern devices are fundamentally physically resistant to sophisticated attacks against the computer’s memory, and now Windows authenticates the user before making devices that may represent a threat to the device and encryption keys available for use. + ## In this topic + The sections that follow help you understand which PCs still need pre-boot authentication and which can meet your security requirements without the inconvenience of it. + - [Types of attacks for volume encryption keys](types-of-attacks-for-volume-encryption-keys.md) - [BitLocker countermeasures](bitlocker-countermeasures.md) - [Choose the right BitLocker countermeasure](choose-the-right-bitlocker-countermeasure.md) + ## See also + - [BitLocker overview](bitlocker-overview.md)     diff --git a/windows/keep-secure/protect-enterprise-data-using-edp.md b/windows/keep-secure/protect-enterprise-data-using-edp.md index d647af4367..e3da331f91 100644 --- a/windows/keep-secure/protect-enterprise-data-using-edp.md +++ b/windows/keep-secure/protect-enterprise-data-using-edp.md @@ -2,10 +2,11 @@ title: Protect your enterprise data using enterprise data protection (EDP) (Windows 10) description: With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. ms.assetid: 6cca0119-5954-4757-b2bc-e0ea4d2c7032 -keywords: ["EDP", "Enterprise Data Protection"] -ms.prod: W10 +keywords: EDP, Enterprise Data Protection +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library +ms.pagetype: security author: eross-msft --- diff --git a/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md index bc3658f201..61313be105 100644 --- a/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md +++ b/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md @@ -2,232 +2,331 @@ title: Control the health of Windows 10-based devices (Windows 10) description: This article details an end-to-end solution that helps you protect high-value assets by enforcing, controlling, and reporting the health of Windows 10-based devices. ms.assetid: 45DB1C41-C35D-43C9-A274-3AD5F31FE873 -ms.pagetype: security; devices -keywords: ["security", "BYOD", "malware", "device health attestation", "mobile"] -ms.prod: W10 +keywords: security, BYOD, malware, device health attestation, mobile +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +ms.pagetype: security, devices author: arnaudjumelet + --- + # Control the health of Windows 10-based devices + **Applies to** + - Windows 10 + This article details an end-to-end solution that helps you protect high-value assets by enforcing, controlling, and reporting the health of Windows 10-based devices. + ## Introduction + In Bring Your Own Device (BYOD) scenarios, employees bring commercially available devices to access both work-related resources and their personal data. Users want to use the device of their choice to access the organization’s applications, data, and resources not only from the internal network but also from anywhere. This phenomenon is also known as the consumerization of IT. + Users want to have the best productivity experience when accessing corporate applications and working on organization data from their devices. That means they will not tolerate being prompted to enter their work credentials each time they access an application or a file server. From a security perspective, it also means that users will manipulate corporate credentials and corporate data on unmanaged devices. + With the increased use of BYOD, there will be more unmanaged and potentially unhealthy systems accessing corporate services, internal resources, and cloud apps. + Even managed devices can be compromised and become harmful. Organizations need to detect when security has been breached and react as early as possible in order to protect high-value assets. + As Microsoft moves forward, security investments are increasingly focused on security preventive defenses and also on detection and response capabilities. + Windows 10 is an important component of an end-to-end security solution that focuses not only on the implementation of security preventive defenses, but adds device health attestation capabilities to the overall security strategy. + ## Description of a robust end-to-end security solution + Today’s computing threat landscape is increasing at a speed never encountered before. The sophistication of criminal attacks is growing, and there is no doubt that malware now targets both consumers and professionals in all industries. + During recent years, one particular category of threat has become prevalent: advanced persistent threats (APTs). The term APT is commonly used to describe any attack that seems to target individual organizations on an on-going basis. In fact, this type of attack typically involves determined adversaries who may use any methods or techniques necessary. + With the BYOD phenomena, a poorly maintained device represents a target of choice. For an attacker, it’s an easy way to breach the security network perimeter, gain access to, and then steal high-value assets. + The attackers target individuals, not specifically because of who they are, but because of who they work for. An infected device will bring malware into an organization, even if the organization has hardened the perimeter of networks or has invested in its defensive posture. A defensive strategy is not sufficient against these threats. + ### A different approach + Rather than the traditional focus on the prevention of compromise, an effective security strategy assumes that determined adversaries will successfully breach any defenses. It means that it’s necessary to shift focus away from preventative security controls to detection of, and response to, security issues. The implementation of the risk management strategy, therefore, balances investment in prevention, detection, and response. + Because mobile devices are increasingly being used to access corporate information, some way to evaluate device security or health is required. This section describes how to provision device health assessment in such a way that high-value assets can be protected from unhealthy devices. + Devices that are used to access corporate resources must be trusted. An efficient end-to-end security approach is able to evaluate device health and use the current security state when granting access to a high-value asset. + ![figure 1](images/hva-fig1-endtoend1.png) + A robust design needs to establish the user’s identity, strengthen the authentication method if needed, and learn behavior like the network location the user regularly connects from. Also, a modern approach must be able to release sensitive content only if user devices are determined to be healthy and secure. + The following figure shows a solution built to assess device health from the cloud. The device authenticates the user through a connection to an identity provider in the cloud. If the managed asset contains highly confidential information, the conditional access engine of the identity provider may elect to verify the security compliance of the mobile device before access is granted. The user’s device is able to prove its health status that can be sent at any time or when mobile device management (MDM) requests it. + ![figure 2](images/hva-fig2-assessfromcloud2.png) + Windows devices can be protected from low-level rootkits and bootkits by using low-level hardware technologies such as Unified Extensible Firmware Interface (UEFI) Secure Boot. + Secure Boot is a firmware validation process that helps prevent rootkit attacks; it is part of the UEFI specification. The intent of UEFI is to define a standard way for the operating system to communicate with modern hardware, which can perform faster and with more efficient input/output (I/O) functions than older, software interrupt-driven BIOS systems. + A device health attestation module can communicate measured boot data that is protected by a Trusted Platform Module (TPM) to a remote service. After the device successfully boots, boot process measurement data is sent to a trusted cloud service (Health Attestation Service) using a more secure and tamper-resistant communication channel. + Remote health attestation service performs a series of checks on the measurements. It validates security related data points, including boot state (Secure Boot, Debug Mode, and so on), and the state of components that manage security (BitLocker, Device Guard, and so on). It then conveys the health state of the device by sending a health encrypted blob back to the device. + An MDM solution typically applies configuration policies and deploys software to devices. MDM defines the security baseline and knows the level of compliance of the device with regular checks to see what software is installed and what configuration is enforced, as well as determining the health status of the device. + An MDM solution asks the device to send device health information and forward the health encrypted blob to the remote health attestation service. The remote health attestation service verifies device health data, checks that MDM is communicating to the same device, and then issues a device health report back to the MDM solution. + An MDM solution evaluates the health assertions and, depending on the health rules belonging to the organization, can decide if the device is healthy. If the device is healthy and compliant, MDM passes that information to the identity provider so the organization’s access control policy can be invoked to grant access. + Access to content is then authorized to the appropriate level of trust for whatever the health status and other conditional elements indicate. + Depending on the requirements and the sensitivity of the managed asset, device health status can be combined with user identity information when processing an access request. Access to content is then authorized to the appropriate level of trust. The Conditional Access engine may be structured to allow additional verification as needed by the sensitivity of the managed asset. For example, if access to high-value data is requested, additional security authentication may need to be established by querying the user to answer a phone call before access is granted. + ### Microsoft’s security investments in Windows 10 + In Windows 10, there are three pillars of investments: + - **Secure identities.** Microsoft is part of the FIDO Alliance which aims to provide an interoperable method of secure authentication by moving away from the use of passwords for authentication, both on the local system as well as for services like on-premises resources and cloud resources. - **Information protection.** Microsoft is making investments to allow organizations to have better control over who has access to important data and what they can do with that data. With Windows 10, organizations can take advantage of policies that specify which applications are considered to be corporate applications and can be trusted to access secure data. - **Threat resistance.** Microsoft is helping organizations to better secure enterprise assets against the threats of malware and attacks by using security defenses relying on hardware. + ### Protect, control, and report on the security status of Windows 10-based devices + This section is an overview that describes different parts of the end-to-end security solution that helps protect high-value assets and information from attackers and malware. + ![figure 3](images/hva-fig3-endtoendoverview3.png) - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NumberPart of the solutionDescription

1

Windows 10-based device

The first time a Windows 10-based device is powered on, the out-of-box experience (OOBE) screen is displayed. During setup, the device can be automatically registered into Azure Active Directory (AD) and enrolled in MDM.

-

A Windows 10-based device with TPM 2.0 can report health status at any time by using the Health Attestation Service available with all editions of Windows 10.

2

Identity provider

Azure AD contains users, registered devices, and registered application of organization’s tenant. A device always belongs to a user and a user can have multiple devices. A device is represented as an object with different attributes like the compliance status of the device. A trusted MDM can update the compliance status.

-

Azure AD is more than a repository. Azure AD is able to authenticate users and devices and can also authorize access to managed resources. Azure AD has a conditional access control engine that leverages the identity of the user, the location of the device and also the compliance status of the device when making a trusted access decision.

3

Mobile device management

Windows 10 has MDM support that enables the device to be managed out-of-box without deploying any agent.

-

MDM can be Microsoft Intune or any third-party MDM solution that is compatible with Windows 10.

4

Remote health attestation

The Health Attestation Service is a trusted cloud service operated by Microsoft that performs a series of health checks and reports to MDM what Windows 10 security features are enabled on the device.

-

Security verification includes boot state (WinPE, Safe Mode, Debug/test modes) and components that manage security and integrity of runtime operations (BitLocker, Device Guard).

5

Enterprise managed asset

Enterprise managed asset is the resource to protect.

-

For example, the asset can be Office 365, other cloud apps, on-premises web resources published by Azure AD, or even VPN access.

+ +| Number | Part of the solution | Description | +| - | - | - | +| **1** | Windows 10-based device | The first time a Windows 10-based device is powered on, the out-of-box experience (OOBE) screen is displayed. During setup, the device can be automatically registered into Azure Active Directory (AD) and enrolled in MDM.
A Windows 10-based device with TPM 2.0 can report health status at any time by using the Health Attestation Service available with all editions of Windows 10.| +| **2** | Identity provider | Azure AD contains users, registered devices, and registered application of organization’s tenant. A device always belongs to a user and a user can have multiple devices. A device is represented as an object with different attributes like the compliance status of the device. A trusted MDM can update the compliance status.
Azure AD is more than a repository. Azure AD is able to authenticate users and devices and can also authorize access to managed resources. Azure AD has a conditional access control engine that leverages the identity of the user, the location of the device and also the compliance status of the device when making a trusted access decision.| +| **3**|Mobile device management| Windows 10 has MDM support that enables the device to be managed out-of-box without deploying any agent.
MDM can be Microsoft Intune or any third-party MDM solution that is compatible with Windows 10.| +| **4** | Remote health attestation | The Health Attestation Service is a trusted cloud service operated by Microsoft that performs a series of health checks and reports to MDM what Windows 10 security features are enabled on the device.
Security verification includes boot state (WinPE, Safe Mode, Debug/test modes) and components that manage security and integrity of runtime operations (BitLocker, Device Guard).| +| **5** | Enterprise managed asset | Enterprise managed asset is the resource to protect.
For example, the asset can be Office 365, other cloud apps, on-premises web resources published by Azure AD, or even VPN access.|   The combination of Windows 10-based devices, identity provider, MDM, and remote health attestation creates a robust end-to-end-solution that provides validation of health and compliance of devices that access high-value assets. + ## Protect devices and enterprise credentials against threats + This section describes what Windows 10 offers in terms of security defenses and what control can be measured and reported to. + ### Windows 10 hardware-based security defenses + The most aggressive forms of malware try to insert themselves into the boot process as early as possible so that they can take control of the operating system early and prevent protection mechanisms and antimalware software from working. This type of malicious code is often called a rootkit or bootkit. The best way to avoid having to deal with low-level malware is to secure the boot process so that the device is protected from the very start. Windows 10 supports multiple layers of boot protection. Some of these features are available only if specific types of hardware are installed. For more information, see the [Hardware requirements](#hardware-req) section. + ![figure 4](images/hva-fig4-hardware.png) + Windows 10 supports features to help prevent sophisticated low-level malware like rootkits and bootkits from loading during the startup process: + - **Trusted Platform Module.** A Trusted Platform Module (TPM) is a hardware component that provides unique security features. + Windows 10 leverages security characteristics of a TPM for measuring boot integrity sequence (and based on that, unlocking automatically BitLocker protected drives), for protecting credentials or for health attestation. + A TPM implements controls that meet the specification described by the Trusted Computing Group (TCG). At the time of this writing, there are two versions of TPM specification produced by TCG that are not compatible with each other: + - The first TPM specification, version 1.2, was published in February 2005 by the TCG and standardized under ISO / IEC 11889 standard. - The latest TPM specification, referred to as TPM 2.0, was released in April 2014 and has been approved by the ISO/IEC Joint Technical Committee (JTC) as ISO/IEC 11889:2015. + Windows 10 uses the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Microsoft Passport, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=733948). + Windows 10 recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent and modern security features, Windows 10 supports only TPM 2.0. TPM 2.0 is required for device health attestation. + TPM 2.0 provides a major revision to the capabilities over TPM 1.2: + - Update crypto strength to meet modern security needs + - Support for SHA-256 for PCRs - Support for HMAC command + - Cryptographic algorithms flexibility to support government needs + - TPM 1.2 is severely restricted in terms of what algorithms it can support - TPM 2.0 can support arbitrary algorithms with minor updates to the TCG specification documents + - Consistency across implementations + - The TPM 1.2 specification allows vendors wide latitude when choosing implementation details - TPM 2.0 standardizes much of this behavior + - **Secure Boot.** Devices with UEFI firmware can be configured to load only trusted operating system bootloaders. Secure Boot does not require a TPM. + The most basic protection is the Secure Boot feature, which is a standard part of the UEFI 2.2+ architecture. On a PC with conventional BIOS, anyone who can take control of the boot process can boot by using an alternative OS loader, and potentially gain access to system resources. When Secure Boot is enabled, you can boot using only an OS loader that’s signed using a certificate stored in the UEFI Secure Boot DB. Naturally, the Microsoft certificate used to digitally sign the Windows 10 OS loaders are in that store, which allows UEFI to validate the certificate as part of its security policy. Secure Boot must be enabled by default on all computers that are certified for Windows 10 under the Windows Hardware Compatibility Program. + Secure Boot is a UEFI firmware-based feature, which allows for the signing and verification of critical boot files and drivers at boot time. Secure Boot checks signature values of the Windows Boot Manager, BCD store, Windows OS loader file, and other boot critical DLLs at boot time before the system is allowed to fully boot into a usable operating system by using policies that are defined by the OEM at build time. Secure Boot prevents many types of boot-based rootkit, malware, and other security-related attacks against the Windows platform. Secure Boot protects the operating system boot process whether booting from local hard disk, USB, PXE, or DVD, or into full Windows or Windows Recovery Environment (RE). Secure Boot protects the boot environment of a Windows 10 installation by verifying the signatures of the critical boot components to confirm malicious activity did not compromise them. Secure Boot protection ends after the Windows kernel file (ntoskrnl.exe) has been loaded. - **Note**   - Secure Boot protects the platform until the Windows kernel is loaded. Then protections like ELAM take over. + + >**Note:**  Secure Boot protects the platform until the Windows kernel is loaded. Then protections like ELAM take over.   - **Secure Boot configuration policy.** Extends Secure Boot functionality to critical Windows 10 configuration. + Examples of protected configuration information include protecting Disable Execute bit (NX option) or ensuring that the test signing policy (code integrity) cannot be enabled. This ensures that the binaries and configuration of the computer can be trusted after the boot process has completed. Secure Boot configuration policy does this with UEFI policy. These signatures for these policies are signed in the same way that operating system binaries are signed for use with Secure Boot. + The Secure Boot configuration policy must be signed by a private key that corresponds to one of the public keys stored in the Key Exchange Key (KEK) list. The Microsoft Certificate Authority (CA) will be present in the KEK list of all Windows certified Secure Boot systems. By default, a policy signed by the Microsoft KEK shall be work on all Secure Boot systems. BootMgr must verify the signature against the KEK list before applying a signed policy. With Windows 10, the default Secure Boot configuration policy is embedded in bootmgr. + The bootloader verifies the digital signature of the Windows 10 kernel before loading it. The Windows 10 kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, startup files, and the ELAM component. This step is important and protects the rest of the boot process by verifying that all Windows boot components have integrity and can be trusted. + - **Early Launch Antimalware (ELAM).** ELAM tests all drivers before they load and prevents unapproved drivers from loading. + Traditional antimalware apps don’t start until after the boot drivers have been loaded, which gives a rootkit that is disguised as a driver the opportunity to work. ELAM is a Windows mechanism introduced in a previous version of Windows that allows antimalware software to run very early in the boot sequence. Thus, the antimalware component is the first third-party component to run and control the initialization of other boot drivers until the Windows operating system is operational. When the system is started with a complete runtime environment (network access, storage, and so on), then a full-featured antimalware is loaded. + ELAM can load a Microsoft or non-Microsoft antimalware driver before all non-Microsoft boot drivers and applications, thus continuing the chain of trust established by Secure Boot and Trusted Boot. Because the operating system hasn’t started yet, and because Windows needs to boot as quickly as possible, ELAM has a simple task: Examine every boot driver and determine whether it is on the list of trusted drivers. If it’s not trusted, Windows won’t load it. - **Note**   - Windows Defender, Microsoft's antimalware included by default in Windows 10, supports ELAM; it can be replaced with a third-party antimalware compatible solution. The name of the Windows Defender ELAM driver is WdBoot.sys. Windows Defender in Windows 10 uses its ELAM driver to roll back any malicious changes made to the Windows Defender driver at the next reboot. This prevents kernel mode malware making lasting changes to Windows Defender’s mini-filter driver before shutdown or reboot. + + >**Note:**  Windows Defender, Microsoft's antimalware included by default in Windows 10, supports ELAM; it can be replaced with a third-party antimalware compatible solution. The name of the Windows Defender ELAM driver is WdBoot.sys. Windows Defender in Windows 10 uses its ELAM driver to roll back any malicious changes made to the Windows Defender driver at the next reboot. This prevents kernel mode malware making lasting changes to Windows Defender’s mini-filter driver before shutdown or reboot.   The ELAM signed driver is loaded before any other third-party drivers or applications, which allows the antimalware software to detect and block any attempts to tamper with the boot process by trying to load unsigned or untrusted code. + The ELAM driver is a small driver with a small policy database that has a very narrow scope, focused on drivers that are loaded early at system launch. The policy database is stored in a registry hive that is also measured to the TPM, to record the operational parameters of the ELAM driver. An ELAM driver must be signed by Microsoft and the associated certificate must contain the complementary EKU (1.3.6.1.4.1.311.61.4.1). - **Virtualization-based security (Hyper-V + Secure Kernel).** Virtualization-based security is a completely new enforced security boundary that allows you to protect critical parts of Windows 10. + Virtualization-based security isolates sensitive code like Kernel Mode Code Integrity or sensitive corporate domain credentials from the rest of the Windows operating system. For more information, refer to the [Virtualization-based security](#virtual) section. + - **Hyper-V Code Integrity (HVCI).** Hyper-V Code Integrity is a feature of Device Guard that ensures only drivers, executables, and DLLs that comply with the Device Guard Code Integrity policy are allowed to run. + When enabled and configured, Windows 10 can start the Hyper-V virtualization-based security services, including Hyper-V Code Integrity (HVCI). HVCI helps protect the system core (kernel), privileged drivers, and system defenses, like antimalware solutions, by preventing malware from running early in the boot process, or after startup. + HVCI uses virtualization-based security to isolate Code Integrity, the only way kernel memory can become executable is through a Code Integrity verification. This means that kernel memory pages can never be Writable and Executable (W+X) and executable code cannot be directly modified. - **Note**   - Device Guard devices that run Kernel Mode Code Integrity with virtualization-based security must have compatible drivers. For additional information, please read the [Driver compatibility with Device Guard in Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=691612) blog post. + + >**Note:**  Device Guard devices that run Kernel Mode Code Integrity with virtualization-based security must have compatible drivers. For additional information, please read the [Driver compatibility with Device Guard in Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=691612) blog post.   The Device Guard Code Integrity feature lets organizations control what code is trusted to run into the Windows kernel and what applications are approved to run in user mode. It’s configurable by using a policy. Device Guard Code Integrity policy is a binary file that Microsoft recommends you sign. The signing of the Code Integrity policy aids in the protection against a malicious user with Administrator privileges trying to modify or remove the current Code Integrity policy. + - **Credential Guard.** Credential Guard protects corporate credentials with hardware-based credential isolation. + In Windows 10, Credential Guard aims to protect domain corporate credentials from theft and reuse by malware. With Credential Guard, Windows 10 implemented an architectural change that fundamentally prevents the current forms of the pass-the-hash (PtH) attack. + This is accomplished by leveraging Hyper-V and the new virtualization-based security feature to create a protected container where trusted code and secrets are isolated from the Windows kernel. That means that even if the Windows kernel is compromised an attacker has no way to read and extract the data required to initiate a PtH attack. Credential Guard prevents this because the memory where secrets are stored is no longer accessible from the regular OS, even in kernel mode - the hypervisor controls who can access the memory. + - **Health attestation.** The device’s firmware logs the boot process, and Windows 10 can send it to a trusted server that can check and assess the device’s health. + Windows 10 takes measurements of the UEFI firmware and each of the Windows and antimalware components are made as they load during the boot process. Additionally, they are taken and measured sequentially, not all at once. When these measurements are complete, their values are digitally signed and stored securely in the TPM and cannot be changed unless the system is reset. + For more information, see [Secured Boot and Measured Boot: Hardening Early Boot Components Against Malware](http://go.microsoft.com/fwlink/p/?LinkId=733950). + During each subsequent boot, the same components are measured, which allows comparison of the measurements against an expected baseline. For additional security, the values measured by the TPM can be signed and transmitted to a remote server, which can then perform the comparison. This process, called *remote device health attestation*, allows the server to verify health status of the Windows device. + Health attestation requires the presence of TPM 2.0. On Windows 10, TPM 2.0 also requires UEFI firmware. + Although Secure Boot is a proactive form of protection, health attestation is a reactive form of boot protection. Health attestation ships disabled in Windows and is enabled by an antimalware or an MDM vendor. Unlike Secure Boot, health attestation will not stop the boot process and enter remediation when a measurement does not work. But with conditional access control, health attestation will help to prevent access to high-value assets. + ### Virtualization-based security + Virtualization-based security provides a new trust boundary for Windows 10. leverages Hyper-V hypervisor technology to enhance platform security. Virtualization-based security provides a secure execution environment to run specific Windows trusted code (trustlet) and to protect sensitive data. + Virtualization-based security helps to protect against a compromised kernel or a malicious user with Administrator privileges. Note that virtualization-based security is not trying to protect against a physical attacker. + The following Windows 10 services are protected with virtualization-based security: + - **Credential Guard** (LSA Credential Isolation): prevents pass-the-hash attacks and enterprise credential theft that happens by reading and dumping the content of lsass memory - **Device Guard** (Hyper-V Code Integrity): Device Guard uses the new virtualization-based security in Windows 10 to isolate the Code Integrity service from the Windows kernel itself, which lets the service use signatures defined by your enterprise-controlled policy to help determine what is trustworthy. In effect, the Code Integrity service runs alongside the kernel in a Windows hypervisor-protected container. - **Other isolated services**: for example, on Windows Server Technical Preview 2016, there is the vTPM feature that allows you to have encrypted virtual machines (VMs) on servers. -**Note**   -Virtualization-based security is only available with Windows 10 Enterprise. Virtualization-based security requires devices with UEFI (2.3.1 or higher) with Secure Boot enabled, x64 processor with Virtualization Extensions and SLAT enabled. IOMMU, TPM 2.0. and support for Secure Memory overwritten are optional, but recommended. + +>**Note:**  Virtualization-based security is only available with Windows 10 Enterprise. Virtualization-based security requires devices with UEFI (2.3.1 or higher) with Secure Boot enabled, x64 processor with Virtualization Extensions and SLAT enabled. IOMMU, TPM 2.0. and support for Secure Memory overwritten are optional, but recommended.   + The schema below is a high-level view of Windows 10 with virtualization-based security. + ![figure 5](images/hva-fig5-virtualbasedsecurity.png) + ### Credential Guard -In Windows 10, when Credential Guard is enabled, Local Security Authority Subsystem Service (lsass.exe) runs sensitive code in an Isolated user mode to help protect data from malware that may be running in the normal user mode. This helps ensure that protected data is not stolen and reused on remote machines, which mitigates many PtH-style attacks. + +In Windows 10, when Credential Guard is enabled, Local Security Authority Subsystem Service (lsass.exe) runs sensitive code in an Isolated user mode to help protect data from malware that may be running in the normal user mode. This helps ensure that protected data is not stolen and reused on +remote machines, which mitigates many PtH-style attacks. + Credential Guard helps protect credentials by encrypting them with either a per-boot or persistent key: + - **The per-boot key** is used for any in-memory credentials that do not require persistence. An example of such a credential would be a ticket-granting ticket (TGT) session key. This key is negotiated with a Key Distribution Center (KDC) every time authentication occurs and is protected with a per-boot key. - **The persistent key**, or some derivative, is used to help protect items that are stored and reloaded after a reboot. Such protection is intended for long-term storage, and must be protected with a consistent key. -Credential Guard is activated by a registry key and then enabled by using an UEFI variable. This is done to protect against remote modifications of the configuration. The use of a UEFI variable implies that physical access is required to change the configuration. When lsass.exe detects that credential isolation is enabled, it then spawns LsaIso.exe as an isolated process, which ensures that it runs within isolated user mode. The startup of LsaIso.exe is performed before initialization of a security support provider, which ensures that the secure mode support routines are ready before any authentication begins. +Credential Guard is activated by a registry key and then enabled by using an UEFI variable. This is done to protect against remote modifications of the configuration. The use of a UEFI variable implies that physical access is required to change the configuration. When lsass.exe detects that +credential isolation is enabled, it then spawns LsaIso.exe as an isolated process, which ensures that it runs within isolated user mode. The startup of LsaIso.exe is performed before initialization of a security support provider, which ensures that the secure mode support routines are ready before any authentication begins. + ### Device Guard + Device Guard is a new feature of Windows 10 Enterprise that allows organizations to lock down a device to help protect it from running untrusted software. In this configuration, the only applications allowed to run are those that are trusted by the organization. + The trust decision to execute code is performed by using Hyper-V Code Integrity, which runs in virtualization-based security, a Hyper-V protected container that runs alongside regular Windows. + Hyper-V Code Integrity is a feature that validates the integrity of a driver or system file each time it is loaded into memory. Code integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with Administrator privileges. On x64-based versions of Windows 10 kernel-mode drivers must be digitally signed. -**Note**   -Independently of activation of Device Guard Policy, [Windows 10 by default raises the bar for what runs in the kernel](http://go.microsoft.com/fwlink/p/?LinkId=691613). Windows 10 drivers must be signed by Microsoft, and more specifically, by the WHQL (Windows Hardware Quality Labs) portal. Additionally, starting in October 2015, the WHQL portal will only accept driver submissions, including both kernel and user mode driver submissions, that have a valid Extended Validation (“EV”) Code Signing Certificate. + +>**Note:**  Independently of activation of Device Guard Policy, [Windows 10 by default raises the bar for what runs in the kernel](http://go.microsoft.com/fwlink/p/?LinkId=691613). Windows 10 drivers must be signed by Microsoft, and more specifically, by the WHQL (Windows Hardware Quality Labs) portal. Additionally, starting in October 2015, the WHQL portal will only accept driver submissions, including both kernel and user mode driver submissions, that have a valid Extended Validation (“EV”) Code Signing Certificate.   With Device Guard in Windows 10, organizations are now able to define their own Code Integrity policy for use on x64 systems running Windows 10 Enterprise. Organizations have the ability to configure the policy that determines what is trusted to run. These include drivers and system files, as well as traditional desktop applications and scripts. The system is then locked down to only run applications that the organization trusts. + Device Guard is a built-in feature of Windows 10 Enterprise that prevents the execution of unwanted code and applications. Device Guard can be configured using two rule actions - allow and deny: + - **Allow** limits execution of applications to an allowed list of code or trusted publisher and blocks everything else. - **Deny** completes the allow trusted publisher approach by blocking the execution of a specific application. + At the time of this writing, and according to Microsoft’s latest research, more than 90 percent of malware is unsigned completely. So implementing a basic Device Guard policy can simply and effectively help block the vast majority of malware. In fact, Device Guard has the potential to go further, and can also help block signed malware. + Device Guard needs to be planned and configured to be truly effective. It is not just a protection that is enabled or disabled. Device Guard is a combination of hardware security features and software security features that, when configured together, can lock down a computer to help ensure the most secure and resistant system possible. + There are three different parts that make up the Device Guard solution in Windows 10: + - The first part is a base **set of hardware security features** introduced with the previous version of Windows. TPM for hardware cryptographic operations and UEFI with modern firmware, along with Secure Boot, allows you to control what the device is running when the systems start. - After the hardware security feature, there is the code integrity engine. In Windows 10, **Code Integrity is now fully configurable** and now resides in Isolated user mode, a part of the memory that is protected by virtualization-based security. - The last part of Device Guard is **manageability**. Code Integrity configuration is exposed through specific Group Policy Objects, PowerShell cmdlets, and MDM configuration service providers (CSPs). + For more information on how to deploy Device Guard in an enterprise, see the [Device Guard deployment guide](device-guard-deployment-guide.md). + ### Device Guard scenarios + As previously described, Device Guard is a powerful way to lock down systems. Device Guard is not intended to be used broadly and it may not always be applicable, but there are some high-interest scenarios. -Device Guard is useful and applicable on fixed workloads systems like cash registers, kiosk machines, Secure Admin Workstations (SAWs), or well managed desktops. Device Guard is highly relevant on systems that have very well-defined software that are expected to run and don’t change too frequently. It could also help protect Information Workers (IWs) beyond just SAWs, as long as what they need to run is known and the set of applications is not going to change on a daily basis. + +Device Guard is useful and applicable on fixed workloads systems like cash registers, kiosk machines, Secure Admin Workstations (SAWs), or well managed desktops. Device Guard is highly relevant on systems that have very well-defined software that are expected to run and don’t change too frequently. +It could also help protect Information Workers (IWs) beyond just SAWs, as long as what they need to run is known and the set of applications is not going to change on a daily basis. + SAWs are computers that are built to help significantly reduce the risk of compromise from malware, phishing attacks, bogus websites, and PtH attacks, among other security risks. Although SAWs can’t be considered a “silver bullet” security solution to these attacks, these types of clients are helpful as part of a layered, defense-in-depth approach to security. + To protect high-value assets, SAWs are used to make secure connections to those assets. + Similarly, on corporate fully-managed workstations, where applications are installed by using a distribution tool like System Center Configuration Manager, Intune, or any third-party device management, then Device Guard is very applicable. In that type of scenario, the organization has a good idea of the software that an average user is running. + It could be challenging to use Device Guard on corporate, lightly-managed workstations where the user is typically allowed to install software on their own. When an organization offers great flexibility, it’s quite difficult to run Device Guard in enforcement mode. Nevertheless, Device Guard can be run in Audit mode, and in that case, the event log will contain a record of any binaries that violated the Device Guard policy. When Device Guard is used in Audit mode, organizations can get rich data about drivers and applications that users install and run. + Before you can benefit from the protection included in Device Guard, Code Integrity policy must be created by using tools provided by Microsoft, but the policy can be deployed with common management tools, like Group Policy. The Code Integrity policy is a binary-encoded XML document that includes configuration settings for both the User and Kernel-modes of Windows 10, along with restrictions on Windows 10 script hosts. Device Guard Code Integrity policy restricts what code can run on a device. -**Note**   -Device Guard policy can be signed in Windows 10, which adds additional protection against administrative users changing or removing this policy. + +>**Note:**  Device Guard policy can be signed in Windows 10, which adds additional protection against administrative users changing or removing this policy.   Signed Device Guard policy offers stronger protection against a malicious local administrator trying to defeat Device Guard. -When the policy is signed, the GUID of the policy is stored in a UEFI pre-OS secure variable which offers tampering protection. The only way to update the Device Guard policy subsequently is to provide a new version of the policy signed by the same signer or from a signer specified as part of the Device Guard policy into the UpdateSigner section. + +When the policy is signed, the GUID of the policy is stored in a UEFI pre-OS secure variable which offers tampering protection. The only way to update the Device Guard policy subsequently is to provide a new version of the policy signed by the same signer or from a signer specified as part of the +Device Guard policy into the UpdateSigner section. + ### The importance of signing applications + On computers with Device Guard, Microsoft proposes to move from a world where unsigned apps can be run without restriction to a world where only signed and trusted code is allowed to run on Windows 10. -With Windows 10, organizations will make line-of-business (LOB) apps available to members of the organization through the Windows Store infrastructure. More specifically, LOB apps will be available in a private store within the public Windows Store. Windows Store signs and distributes Universal Windows apps and Classic Windows apps. All apps downloaded from the Windows Store are signed. + +With Windows 10, organizations will make line-of-business (LOB) apps available to members of the organization through the Windows Store infrastructure. More specifically, LOB apps will be available in a private store within the public Windows Store. Windows Store signs and distributes Universal +Windows apps and Classic Windows apps. All apps downloaded from the Windows Store are signed. + In organizations today, the vast majority of LOB applications are unsigned. Code signing is frequently viewed as a tough problem to solve for a variety of reasons, like the lack of code signing expertise. Even if code signing is a best practice, a lot of internal applications are not signed. + Windows 10 includes tools that allow IT pros to take applications that have been already packaged and run them through a process to create additional signatures that can be distributed along with existing applications. + ### Why are antimalware and device management solutions still necessary? + Although allow-list mechanisms are extremely efficient at ensuring that only trusted applications can be run, they cannot prevent the compromise of a trusted (but vulnerable) application by malicious content designed to exploit a known vulnerability. Device Guard doesn’t protect against user mode malicious code run by exploiting vulnerabilities. + Vulnerabilities are weaknesses in software that could allow an attacker to compromise the integrity, availability, or confidentiality of the device. Some of the worst vulnerabilities allow attackers to exploit the compromised device by causing it to run malicious code without the user’s knowledge. + It’s common to see attackers distributing specially crafted content in an attempt to exploit known vulnerabilities in user mode software like web browsers (and their plug-ins), Java virtual machines, PDF readers, or document editors. As of today, 90 percent of discovered vulnerabilities affect user mode applications compared to the operating system and kernel mode drivers that host them. + To combat these threats, patching is the single most effective control, with antimalware software forming complementary layers of defense. + Most application software has no facility for updating itself, so even if the software vendor publishes an update that fixes the vulnerability, the user may not know that the update is available or how to obtain it, and therefore remains vulnerable to attack. Organizations still need to manage devices and to patch vulnerabilities. + MDM solutions are becoming prevalent as a light-weight device management technology. Windows 10 extends the management capabilities that have become available for MDMs. One key feature Microsoft has added to Windows 10 is the ability for MDMs to acquire a strong statement of device health from managed and registered devices. + ### Device health attestation + Device health attestation leverages the TPM 2.0 to provide cryptographically strong and verifiable measurements of the chain of software used to boot the device. + For Windows 10-based devices, Microsoft introduces a new public API that will allow MDM software to access a remote attestation service called Windows Health Attestation Service. A health attestation result, in addition with other elements, can be used to allow or deny access to networks, apps, or services, based on whether devices prove to be healthy. + For more information on device health attestation, see the [Detect an unhealthy Windows 10-based device](#detect-unhealthy) section. + ### Hardware requirements + The following table details the hardware requirements for both virtualization-based security services and the health attestation feature. For more information, see [Minimum hardware requirements](http://go.microsoft.com/fwlink/p/?LinkId=733951). + @@ -274,33 +373,57 @@ The following table details the hardware requirements for both virtualization-ba
  This section presented information about several closely related controls in Windows 10. The multi-layer defenses and in-depth approach helps to eradicate low-level malware during boot sequence. Virtualization-based security is a fundamental operating system architecture change that adds a new security boundary. Device Guard and Credential Guard respectively help to block untrusted code and protect corporate domain credentials from theft and reuse. This section also briefly discussed the importance of managing devices and patching vulnerabilities. All these technologies can be used to harden and lock down devices while limiting the risk of attackers compromising them. + ## Detect an unhealthy Windows 10-based device + As of today, many organizations only consider devices to be compliant with company policy after they’ve passed a variety of checks that show, for example, that the operating system is in the correct state, properly configured, and has security protection enabled. Unfortunately, with today’s systems, this form of reporting is not entirely reliable because malware can spoof a software statement about system health. A rootkit, or a similar low-level exploit, can report a false healthy state to traditional compliance tools. + The biggest challenge with rootkits is that they can be undetectable to the client. Because they start before antimalware, and they have system-level privileges, they can completely disguise themselves while continuing to access system resources. As a result, traditional computers infected with rootkits appear to be healthy, even with antimalware running. + As previously discussed, the health attestation feature of Windows 10 uses the TPM 2.0 hardware component to securely record a measurement of every boot-related component, including firmware, Windows 10 kernel, and even early boot drivers. Because, health attestation leverages the hardware-based security capabilities of TPM, the log of all boot measured components remains out of the reach of any malware. + By attesting a trusted boot state, devices can prove that they are not running low-level malware that could spoof later compliance checks. TPM-based health attestation provides a reliable anchor of trust for assets that contain high-value data. + ### What is the concept of device health? + To understand the concept of device health, it’s important to know traditional measures that IT pros have taken to prevent the breach of malware. Malware control technologies are highly focused on the prevention of installation and distribution. + However, the use of traditional malware prevention technologies like antimalware or patching solutions brings a new set of issues for IT pros: the ability to monitor and control the compliance of devices accessing organization’s resources. + The definition of device compliance will vary based on an organization’s installed antimalware, device configuration settings, patch management baseline, and other security requirements. But health of the device is part of the overall device compliance policy. + The health of the device is not binary and depends on the organization’s security implementation. The Health Attestation Service provides information back to the MDM on which security features are enabled during the boot of the device by leveraging trustworthy hardware TPM. + But health attestation only provides information, which is why an MDM solution is needed to take and enforce a decision. + ### Remote device health attestation + In Windows 10, health attestation refers to a feature where Measured Boot data generated during the boot process is sent to a remote device health attestation service operated by Microsoft. + This is the most secure approach available for Windows 10-based devices to detect when security defenses are down. During the boot process, the TCG log and PCRs values are sent to a remote Microsoft cloud service. Logs are then checked by the Health Attestation Service to determine what changes have occurred on the device. + A relying party like an MDM can inspect the report generated by the remote health attestation service. -**Note**   -To use the health attestation feature of Windows 10, the device must be equipped with a discrete or firmware TPM 2.0. There is no restriction on any particular edition of Windows 10. + +>**Note:**  To use the health attestation feature of Windows 10, the device must be equipped with a discrete or firmware TPM 2.0. There is no restriction on any particular edition of Windows 10.   Windows 10 supports health attestation scenarios by allowing applications access to the underlying health attestation configuration service provider (CSP) so that applications can request a health attestation token. The measurement of the boot sequence can be checked at any time locally by an antimalware or an MDM agent. + Remote device health attestation combined with an MDM provides a hardware-rooted method for reporting the current security status and detecting any changes, without having to trust the software running on the system. + In the case where malicious code is running on the device, the use of a remote server is required. If a rootkit is present on the device, the antimalware is no longer reliable, and its behavior can be hijacked by a malicious code running early in the startup sequence. That's why it's important to use Secure Boot and Device Guard, to control which code is loaded during the boot sequence. + The antimalware software can search to determine whether the boot sequence contains any signs of malware, such as a rootkit. It can also send the TCG log and the PCRs to a remote health attestation server to provide a separation between the measurement component and the verification component. + Health attestation logs the measurements in various TPM Platform Configuration Registers (PCRs) and TCG logs during the boot process. + ![figure 6](images/hva-fig6-logs.png) + When starting a device equipped with a TPM, a measurement of different components is performed. This includes firmware, UEFI drivers, CPU microcode, and also all the Windows 10 drivers whose type is Boot Start. The raw measurements are stored in the TPM PCR registers while the details of all events (executable path, authority certification, and so on) are available in the TCG log. + ![figure 7](images/hva-fig7-measurement.png) + The health attestation process works as follows: + 1. Hardware boot components are measured. 2. Operating system boot components are measured. 3. If Device Guard is enabled, current Device Guard policy is measured. @@ -309,90 +432,138 @@ The health attestation process works as follows: 6. Boot start drivers are measured. 7. MDM server through the MDM agent issues a health check command by leveraging the Health Attestation CSP. 8. Boot measurements are validated by the Health Attestation Service -**Note**   -By default, the last 100 system boot logs and all associated resume logs are archived in the %SystemRoot%\\logs\\measuredboot folder. + +>**Note:**  By default, the last 100 system boot logs and all associated resume logs are archived in the %SystemRoot%\\logs\\measuredboot folder. The number of retained logs may be set with the registry **REG\_DWORD** value **PlatformLogRetention** under the **HKLM\\SYSTEM\\CurrentControlSet\\Services\\TPM** key. A value of **0** will turn off log archival and a value of **0xffffffff** will keep all logs.   The following process describes how health boot measurements are sent to the health attestation service: + 1. The client (a Windows 10-based device with a TPM 2.0) initiates the request with the remote device health attestation service. Because the health attestation server is expected to be a Microsoft cloud service, the URI is already pre-provisioned in the client. 2. The client then sends the TCG log, the AIK signed data (PCR values, boot counter) and the AIK certificate information. 3. The remote device heath attestation service then: + 1. Verifies that the AIK certificate is issued by a known and trusted CA and the certificate is valid and not revoked. 2. Verifies that the signature on the PCR quotes is correct and consistent with the TCG log value. 3. Parses the properties in the TCG log. 4. Issues the device health token that contains the health information, the AIK information, and the boot counter information. The health token also contains valid issuance time. The device health token is encrypted and signed, that means that the information is protected and only accessible to issuing health attestation service. + 4. The client stores the health encrypted blob in its local store. The device health token contains device health status, a device ID (the Windows AIK), and the boot counter. + ![figure 8](images/hva-fig8a-healthattest8a.png) + ### Device health attestation components + The device health attestation solution involves different components that are TPM, Health Attestation CSP, and the Windows Health Attestation Service. Those components are described in this section. + ### Trusted Platform Module + *It’s all about TPM 2.0 and endorsement certificates.* This section describes how PCRs (that contain system configuration data), endorsement key (EK) (that act as an identity card for TPM), SRK (that protect keys) and AIKs (that can report platform state) are used for health attestation reporting. + In a simplified manner, the TPM is a passive component with limited resources. It can calculate random numbers, RSA keys, decrypt short data, store hashes taken when booting the device. + A TPM incorporates in a single component: + - A RSA 2048-bit key generator - A random number generator - Nonvolatile memory for storing EK, SRK, and AIK keys - A cryptographic engine to encrypt, decrypt, and sign - Volatile memory for storing the PCRs and RSA keys + ### Endorsement key + The TPM has an embedded unique cryptographic key called the endorsement key. The TPM endorsement key is a pair of asymmetric keys (RSA size 2048 bits). + The endorsement key public key is generally used for sending securely sensitive parameters, such as when taking possession of the TPM that contains the defining hash of the owner password. The EK private key is used when creating secondary keys like AIKs. + The endorsement key acts as an identity card for the TPM. For more information, see [Understand the TPM endorsement key](http://go.microsoft.com/fwlink/p/?LinkId=733952). + The endorsement key is often accompanied by one or two digital certificates: + - One certificate is produced by the TPM manufacturer and is called the **endorsement certificate**. The endorsement certificate is used to prove the authenticity of the TPM (for example, that it’s a real TPM manufactured by a specific chip maker) to local processes, applications, or cloud services. The endorsement certificate is created during manufacturing or the first time the TPM is initialized by communicating with an online service. - The other certificate is produced by the platform builder and is called the **platform certificate** to indicate that a specific TPM is integrated with a certain device. For certain devices that use firmware-based TPM produced by Intel or Qualcomm, the endorsement certificate is created when the TPM is initialized during the OOBE of Windows 10. -**Note**   -Secure Boot protects the platform until the Windows kernel is loaded. Then protections like Trusted Boot, Hyper-V Code Integrity and ELAM take over. A device that uses Intel TPM or Qualcomm TPM gets a signed certificate online from the manufacturer that has created the chip and then stores the signed certificate in TPM storage. For the operation to succeed, if you are filtering Internet access from your client devices, you must authorize the following URLs: + +>**Note:**  Secure Boot protects the platform until the Windows kernel is loaded. Then protections like Trusted Boot, Hyper-V Code Integrity and ELAM take over. A device that uses Intel TPM or Qualcomm TPM gets a signed certificate online from the manufacturer that has created the chip and then stores the signed certificate in TPM storage. For the operation to succeed, if you are filtering Internet access from your client devices, you must authorize the following URLs: + - For Intel firmware TPM: **https://ekop.intel.com/ekcertservice** - For Qualcomm firmware TPM: **https://ekcert.spserv.microsoft.com/**   ### Attestation Identity Keys + Because the endorsement certificate is unique for each device and does not change, the usage of it may present privacy concerns because it's theoretically possible to track a specific device. To avoid this privacy problem, Windows 10 issues a derived attestation anchor based on the endorsement certificate. This intermediate key, which can be attested to an endorsement key, is the Attestation Identity Key (AIK) and the corresponding certificate is called the AIK certificate. This AIK certificate is issued by a Microsoft cloud service. -**Note**   -Before the device can report its health using the TPM 2.0 attestation functions, an AIK certificate must be provisioned in conjunction with a third-party service like the Microsoft Cloud CA service. After it is provisioned, the AIK private key can be used to report platform configuration. Windows 10 creates a signature over the platform log state (and a monotonic counter value) at each boot by using the AIK. + +>**Note:**  Before the device can report its health using the TPM 2.0 attestation functions, an AIK certificate must be provisioned in conjunction with a third-party service like the Microsoft Cloud CA service. After it is provisioned, the AIK private key can be used to report platform configuration. Windows 10 creates a signature over the platform log state (and a monotonic counter value) at each boot by using the AIK.   The AIK is an asymmetric (public/private) key pair that is used as a substitute for the EK as an identity for the TPM for privacy purposes. The private portion of an AIK is never revealed or used outside the TPM and can only be used inside the TPM for a limited set of operations. Furthermore, it can only be used for signing, and only for limited, TPM-defined operations. -Windows 10 creates AIKs protected by the TPM, if available, that are 2048-bit RSA signing keys. Microsoft is hosting a cloud service called Microsoft Cloud CA to establish cryptographically that it is communicating with a real TPM and that the TPM possesses the presented AIK. After the Microsoft Cloud CA service has established these facts, it will issue an AIK certificate to the Windows 10-based device. + +Windows 10 creates AIKs protected by the TPM, if available, that are 2048-bit RSA signing keys. Microsoft is hosting a cloud service called Microsoft Cloud CA to establish cryptographically that it is communicating with a real TPM and that the TPM possesses the presented AIK. After the Microsoft +Cloud CA service has established these facts, it will issue an AIK certificate to the Windows 10-based device. + Many existing devices that will upgrade to Windows 10 will not have a TPM, or the TPM will not contain an endorsement certificate. **To accommodate those devices, Windows 10 allows the issuance of AIK certificates without the presence of an endorsement certificate.** Such AIK certificates are not issued by Microsoft Cloud CA. Note that this is not as trustworthy as an endorsement certificate that is burned into the device during manufacturing, but it will provide compatibility for advanced scenarios like Microsoft Passport without TPM. + In the issued AIK certificate, a special OID is added to attest that endorsement certificate was used during the attestation process. This information can be leveraged by a relying party to decide whether to reject devices that are attested using AIK certificates without an endorsement certificate or accept them. Another scenario can be to not allow access to high-value assets from devices that are attested by an AIK certificate that is not backed by an endorsement certificate. + ### Storage root key + The storage root key (SRK) is also an asymmetric key pair (RSA with a minimum of 2048 bits length). The SRK has a major role and is used to protect TPM keys, so that these keys cannot be used without the TPM. The SRK key is created when the ownership of the TPM is taken. + ### Platform Configuration Registers + The TPM contains a set of registers that are designed to provide a cryptographic representation of the software and state of the system that booted. These registers are called Platform Configuration Registers (PCRs). + The measurement of the boot sequence is based on the PCR and TCG log. To establish a static root of trust, when the device is starting, the device must be able to measure the firmware code before execution. In this case, the Core Root of Trust for Measurement (CRTM) is executed from the boot, calculates the hash of the firmware, then stores it by expanding the register PCR\[0\] and transfers execution to the firmware. + PCRs are set to zero when the platform is booted, and it is the job of the firmware that boots the platform to measure components in the boot chain and to record the measurements in the PCRs. Typically, boot components take the hash of the next component that is to be run and record the measurements in the PCRs. The initial component that starts the measurement chain is implicitly trusted. This is the CRTM. Platform manufacturers are required to have a secure update process for the CRTM or not permit updates to it. The PCRs record a cumulative hash of the components that have been measured. + The value of a PCR on its own is hard to interpret (it is just a hash value), but platforms typically keep a log with details of what has been measured, and the PCRs merely ensure that the log has not been tampered with. The logs are referred as a TCG log. Each time a register PCR is extended, an entry is added to the TCG log. Thus, throughout the boot process, a trace of the executable code and configuration data is created in the TCG log. + ### TPM provisioning + For the TPM of a Windows 10-based device to be usable, it must first be provisioned. The process of provisioning differs somewhat based on TPM versions, but, when successful, it results in the TPM being usable and the owner authorization data (ownerAuth) for the TPM being stored locally on the registry. + When the TPM is provisioned, Windows 10 will first attempt to determine the EK and locally stored **ownerAuth** values by looking in the registry at the following location: **HKLM\\SYSTEM\\CurrentControlSet\\Services\\TPM\\WMI\\Endorsement** + During the provisioning process, the device may need to be restarted. + Note that the **Get-TpmEndorsementKeyInfo PowerShell** cmdlet can be used with administrative privilege to get information about the endorsement key and certificates of the TPM. -If the TPM ownership is not known but the EK exists, the client library will provision the TPM and will store the resulting **ownerAuth** value into the registry if the policy allows it will store the SRK public portion at the following location: **HKLM\\SYSTEM\\CurrentControlSet\\Services\\TPM\\WMI\\Admin\\SRKPub** + +If the TPM ownership is not known but the EK exists, the client library will provision the TPM and will store the resulting **ownerAuth** value into the registry if the policy allows it will store the SRK public portion at the following location: +**HKLM\\SYSTEM\\CurrentControlSet\\Services\\TPM\\WMI\\Admin\\SRKPub** + As part of the provisioning process, Windows 10 will create an AIK with the TPM. When this operation is performed, the resulting AIK public portion is stored in the registry at the following location: **HKLM\\SYSTEM\\CurrentControlSet\\Services\\TPM\\WMI\\WindowsAIKPub** -**Note**   -For provisioning AIK certificates and filtering Internet access, you must authorize the following wildcard URL: **https://\*.microsoftaik.azure.net** + +>**Note:**  For provisioning AIK certificates and filtering Internet access, you must authorize the following wildcard URL: **https://\*.microsoftaik.azure.net**   ### Windows 10 Health Attestation CSP + Windows 10 contains a configuration service provider (CSP) specialized for interacting with the health attestation feature. A CSP is a component that plugs into the Windows MDM client and provides a published protocol for how MDM servers can configure settings and manage Windows-based devices. The management protocol is represented as a tree structure that can be specified as URIs with functions to perform on the URIs such as “get”, “set”, “delete”, and so on. + The following is a list of functions performed by the Windows 10 Health Attestation CSP: + - Collects data that is used to verify a device’s health status - Forwards the data to the Health Attestation Service - Provisions the Health Attestation Certificate that it receives from the Health Attestation Service - Upon request, forwards the Health Attestation Certificate (received from the Health Attestation Service) and related runtime information to the MDM server for verification + During a health attestation session, the Health Attestation CSP forwards the TCG logs and PCRs values that are measured during the boot, by using a secure communication channel to the Health Attestation Service. + When an MDM server validates that a device has attested to the Health Attestation Service, it will be given a set of statements and claims about how that device booted, with the assurance that the device did not reboot between the time that it attested its health and the time that the MDM server validated it. + ### Windows Health Attestation Service + The role of Windows Health Attestation Service is essentially to evaluate a set of health data (TCG log and PCR values), make a series of detections (based on available health data) and generate encrypted health blob or produce report to MDM servers. -**Note**   -Both device and MDM servers must have access to **has.spserv.microsoft.com** using the TCP protocol on port 443 (HTTPS). + +>**Note:**  Both device and MDM servers must have access to **has.spserv.microsoft.com** using the TCP protocol on port 443 (HTTPS).   Checking that a TPM attestation and the associated log are valid takes several steps: + 1. First, the server must check that the reports are signed by **trustworthy AIKs**. This might be done by checking that the public part of the AIK is listed in a database of assets, or perhaps that a certificate has been checked. 2. After the key has been checked, the signed attestation (a quote structure) should be checked to see whether it is a **valid signature over PCR values**. 3. Next the logs should be checked to ensure that they match the PCR values reported. 4. Finally, the logs themselves should be examined by an MDM solution to see whether they represent **known or valid security configurations**. For example, a simple check might be to see whether the measured early OS components are known to be good, that the ELAM driver is as expected, and that the ELAM driver policy file is up to date. If all of these checks succeed, an attestation statement can be issued that later can be used to determine whether or not the client should be granted access to a resource. + The Health Attestation Service provides the following information to an MDM solution about the health of the device: + - Secure Boot enablement - Boot and kernel debug enablement - BitLocker enablement @@ -401,8 +572,11 @@ The Health Attestation Service provides the following information to an MDM solu - ELAM loaded - Safe Mode boot, DEP enablement, test signing enablement - Device TPM has been provisioned with a trusted endorsement certificate + For completeness of the measurements, see [Health Attestation CSP](http://go.microsoft.com/fwlink/p/?LinkId=733949). + The following table presents some key items that can be reported back to MDM depending on the type of Windows 10-based device. + @@ -446,90 +620,139 @@ The following table presents some key items that can be reported back to MDM dep
  ### Leverage MDM and the Health Attestation Service + To make device health relevant, the MDM solution evaluates the device health report and is configured to the organization’s device health requirements. + A solution that leverages MDM and the Health Attestation Service consists of three main parts: + 1. A device with health attestation enabled. This will usually be done as a part of enrollment with an MDM provider (health attestation will be disabled by default). 2. After this is enabled, and every boot thereafter, the device will send health measurements to the Health Attestation Service hosted by Microsoft, and it will receive a health attestation blob in return. 3. At any point after this, an MDM server can request the health attestation blob from the device and ask Health Attestation Service to decrypt the content and validate that it’s been attested. + ![figure 9](images/hva-fig8-evaldevicehealth8.png) + Interaction between a Windows 10-based device, the Health Attestation Service, and MDM can be performed as follows: + 1. The client initiates a session with the MDM server. The URI for the MDM server would be part of the client app that initiates the request. The MDM server at this time could request the health attestation data by using the appropriate CSP URI. 2. The MDM server specifies a nonce along with the request. 3. The client then sends the AIK quoted nonce + the boot counter and the health blob information. This health blob is encrypted with a Health Attestation Service public key that only the Health Attestation Service can decrypt. 4. The MDM server: + 1. Verifies that the nonce is as expected. 2. Passes the quoted data, the nonce and the encrypted health blob to the Health Attestation Service server. + 5. The Health Attestation Service: + 1. Decrypts the health blob. 2. Verifies that the boot counter in the quote is correct using the AIK in the health blob and matches the value in the health blob. 3. Verifies that the nonce matches in the quote and the one that is passed from MDM. 4. Because the boot counter and the nonce are quoted with the AIK from the health blob, it also proves that the device is the same one as the one for which the health blob has been generated. 5. Sends data back to the MDM server including health parameters, freshness, and so on. -**Note**   -The MDM server (relying party) never performs the quote or boot counter validation itself. It gets the quoted data and the health blob (which is encrypted) and sends the data to the Health Attestation Service for validation. This way, the AIK is never visible to the MDM, which thereby addresses privacy concerns. + +>**Note:**  The MDM server (relying party) never performs the quote or boot counter validation itself. It gets the quoted data and the health blob (which is encrypted) and sends the data to the Health Attestation Service for validation. This way, the AIK is never visible to the MDM, which thereby addresses privacy concerns.   Setting the requirements for device compliance is the first step to ensure that registered devices that do not meet health and compliance requirements are detected, tracked, and have actions enforced by the MDM solution. -Devices that attempt to connect to resources must have their health evaluated so that unhealthy and noncompliant devices can be detected and reported. To be fully efficient, an end-to-end security solution must impose a consequence for unhealthy devices like refusing access to high-value assets. That is the purpose of conditional access control, which is detailed in the next section. + +Devices that attempt to connect to resources must have their health evaluated so that unhealthy and noncompliant devices can be detected and reported. To be fully efficient, an end-to-end security solution must impose a consequence for unhealthy devices like refusing access to high-value assets. +That is the purpose of conditional access control, which is detailed in the next section. + ## Control the security of a Windows 10-based device before access is granted + Today’s access control technology, in most cases, focuses on ensuring that the right people get access to the right resources. If users can authenticate, they get access to resources using a device that the organization’s IT staff and systems know very little about. Perhaps there is some check such as ensuring that a device is encrypted before giving access to email, but what if the device is infected with malware? + The remote device health attestation process uses measured boot data to verify the health status of the device. The health of the device is then available for an MDM solution like Intune. -**Note**   -For the latest information on Intune and Windows 10 features support, see the [Microsoft Intune blog](http://go.microsoft.com/fwlink/p/?LinkId=691614) and [What's new in Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkId=733956). + +>**Note:**  For the latest information on Intune and Windows 10 features support, see the [Microsoft Intune blog](http://go.microsoft.com/fwlink/p/?LinkId=691614) and [What's new in Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkId=733956).   The figure below shows how the Health Attestation Service is expected to work with Microsoft’s cloud-based Intune MDM service. + ![figure 10](images/hva-fig9-intune.png) -An MDM solution can then leverage health state statements and take them to the next level by coupling with client policies that will enable conditional access to be granted based on the device’s ability to prove that it’s malware free, its antimalware system is functional and up to date, the firewall is running, and the devices patch state is compliant. + +An MDM solution can then leverage health state statements and take them to the next level by coupling with client policies that will enable conditional access to be granted based on the device’s ability to prove that it’s malware free, its antimalware system is functional and up to date, the +firewall is running, and the devices patch state is compliant. + Finally, resources can be protected by denying access to endpoints that are unable to prove they’re healthy. This feature is much needed for BYOD devices that need to access organizational resources. + ### Built-in support of MDM in Windows 10 + Windows 10 has an MDM client that ships as part of the operating system. This enables MDM servers to manage Windows 10-based devices without requiring a separate agent. + ### Third-party MDM server support + Third-party MDM servers can manage Windows 10 by using the MDM protocol. The built-in management client is able to communicate with a compatible server that supports the OMA-DM protocol to perform enterprise management tasks. For additional information, see [Azure Active Directory integration with MDM](http://go.microsoft.com/fwlink/p/?LinkId=733954). -**Note**   -MDM servers do not need to create or download a client to manage Windows 10. For more information, see [Mobile device management](http://go.microsoft.com/fwlink/p/?LinkId=733955). + +>**Note:**  MDM servers do not need to create or download a client to manage Windows 10. For more information, see [Mobile device management](http://go.microsoft.com/fwlink/p/?LinkId=733955).   The third-party MDM server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 10 users. + ### Management of Windows Defender by third-party MDM + This management infrastructure makes it possible for IT pros to use MDM-capable products like Intune, to manage health attestation, Device Guard, or Windows Defender on Windows 10-based devices, including BYODs that aren’t domain joined. IT pros will be able to manage and configure all of the actions and settings they are familiar with customizing by using Intune with Intune Endpoint Protection on down-level operating systems. Admins that currently only manage domain joined devices through Group Policy will find it easy to transition to managing Windows 10-based devices by using MDM because many of the settings and actions are shared across both mechanisms. + For more information on how to manage Windows 10 security and system settings with an MDM solution, see [Custom URI settings for Windows 10 devices](http://go.microsoft.com/fwlink/p/?LinkId=733953). + ### Conditional access control + On most platforms, the Azure Active Directory (Azure AD) device registration happens automatically during enrollment. The device states are written by the MDM solution into Azure AD, and then read by Office 365 (or by any authorized Windows app that interacts with Azure AD) the next time the client tries to access an Office 365 compatible workload. + If the device is not registered, the user will get a message with instructions on how to register (also known as enrolling). If the device is not compliant, the user will get a different message that redirects them to the MDM web portal where they can get more information on the compliance problem and how to resolve it. + **Azure AD** authenticates the user and the device, **MDM** manages the compliance and conditional access policies, and the **Health Attestation Service** reports about the health of the device in an attested way. + ![figure 11](images/hva-fig10-conditionalaccesscontrol.png) + ### Office 365 conditional access control -Azure AD enforces conditional access policies to secure access to Office 365 services. A tenant admin can create a conditional access policy that blocks a user on a non-compliant device from accessing an Office 365 service. The user must conform to the company’s device policies before access can be granted to the service. Alternately, the admin can also create a policy that requires users to just enroll their devices to gain access to an Office 365 service. Policies may be applied to all users of an organization, or limited to a few target groups and enhanced over time to include additional target groups. + +Azure AD enforces conditional access policies to secure access to Office 365 services. A tenant admin can create a conditional access policy that blocks a user on a non-compliant device from accessing an Office 365 service. The user must conform to the company’s device policies before access can be granted to the service. Alternately, the admin can also create a policy that requires users to just enroll their devices to gain access to an Office 365 service. Policies may be applied to all users of an organization, or limited to a few target groups and enhanced over time to include additional +target groups. + When a user requests access to an Office 365 service from a supported device platform, Azure AD authenticates the user and device from which the user launches the request; and grants access to the service only when the user conforms to the policy set for the service. Users that do not have their device enrolled are given remediation instructions on how to enroll and become compliant to access corporate Office 365 services. + When a user enrolls, the device is registered with Azure AD, and enrolled with a compatible MDM solution like Intune. -**Note**   -Microsoft is working with third-party MDM ISVs to support automated MDM enrollment and policy based access checks. Steps to turn on auto-MDM enrollment with Azure AD and Intune are explained in the [Windows 10, Azure AD And Microsoft Intune: Automatic MDM Enrollment Powered By The Cloud!](http://go.microsoft.com/fwlink/p/?LinkId=691615) blog post. + +>**Note**  Microsoft is working with third-party MDM ISVs to support automated MDM enrollment and policy based access checks. Steps to turn on auto-MDM enrollment with Azure AD and Intune are explained in the [Windows 10, Azure AD And Microsoft Intune: Automatic MDM Enrollment Powered By The Cloud!](http://go.microsoft.com/fwlink/p/?LinkId=691615) blog post.   When a user enrolls a device successfully, the device becomes trusted. Azure AD provides single-sign-on to access company applications and enforces conditional access policy to grant access to a service not only the first time the user requests access, but every time the user requests to renew access. + The user will be denied access to services when sign-in credentials are changed, a device is lost/stolen, or the compliance policy is not met at the time of request for renewal. + Depending on the type of email application that employees use to access Exchange online, the path to establish secured access to email can be slightly different. However, the key components: Azure AD, Office 365/Exchange Online, and Intune, are the same. The IT experience and end-user experience also are similar. + ![figure 12](images/hva-fig11-office365.png) + Clients that attempt to access Office 365 will be evaluated for the following properties: + - Is the device managed by an MDM? - Is the device registered with Azure AD? - Is the device compliant? + To get to a compliant state, the Windows 10-based device needs to: + - Enroll with an MDM solution. - Register with Azure AD. - Be compliant with the device policies set by the MDM solution. -**Note**   -At the present time, conditional access policies are selectively enforced on users on iOS and Android devices. For more information, see the [Azure AD, Microsoft Intune and Windows 10 – Using the cloud to modernize enterprise mobility!](http://go.microsoft.com/fwlink/p/?LinkId=691616) blog post. + +>**Note:**  At the present time, conditional access policies are selectively enforced on users on iOS and Android devices. For more information, see the [Azure AD, Microsoft Intune and Windows 10 – Using the cloud to modernize enterprise mobility!](http://go.microsoft.com/fwlink/p/?LinkId=691616) blog post.   ### Cloud and on-premises apps conditional access control + Conditional access control is a powerful policy evaluation engine built into Azure AD. It gives IT pros an easy way to create access rules beyond Office 365 that evaluate the context of a user's logon to make real-time decisions about which applications they should be allowed to access. + IT pros can configure conditional access control policies for cloud SaaS applications secured by Azure AD and even on-premises applications. Access rules in Azure AD leverage the conditional access engine to check device health and compliance state reported by a compatible MDM solution like Intune in order to determine whether to allow access. + For more information about conditional access, see [Azure Conditional Access Preview for SaaS Apps.](http://go.microsoft.com/fwlink/p/?LinkId=524807) -**Note**   -Conditional access control is an Azure AD Premium feature that's also available with EMS. If you don't have an Azure AD Premium subscription, you can get a trial from the [Microsoft Azure](http://go.microsoft.com/fwlink/p/?LinkId=691617) site. + +>**Note:**  Conditional access control is an Azure AD Premium feature that's also available with EMS. If you don't have an Azure AD Premium subscription, you can get a trial from the [Microsoft Azure](http://go.microsoft.com/fwlink/p/?LinkId=691617) site.   For on-premises applications there are two options to enable conditional access control based on a device's compliance state: + - For on-premises applications that are published through the Azure AD Application Proxy, you can configure conditional access control policies as you would for cloud applications. For more details, see the [Azure AD Conditional Access preview updated: Now supports On-Premises and Custom LOB apps](http://go.microsoft.com/fwlink/p/?LinkId=691618) blog post. - Additionally, Azure AD Connect will sync device compliance information from Azure AD to on-premises AD. ADFS on Windows Server Technical Preview 2016 will support conditional access control based on a device's compliance state. IT pros will configure conditional access control policies in ADFS that use the device's compliance state reported by a compatible MDM solution to secure on-premises applications. + ![figure 13](images/hva-fig12-conditionalaccess12.png) + The following process describes how Azure AD conditional access works: + 1. User has already enrolled with MDM through Workplace Access/Azure AD join which registers device with Azure AD. 2. When the device boots or resumes from hibernate, a task “Tpm-HASCertRetr” is triggered to request in background a health attestation blob. Device sends TPM boot measurements to the Health Attestation Service. 3. Health Attestation Service validates device state and issues an encrypted blob to the device based on the health state with details on failed checks (if any). @@ -544,34 +767,59 @@ The following process describes how Azure AD conditional access works: 12. Access gated by compliance claim in Azure AD. 13. If the device is compliant and the user is authorized, an access token is generated. 14. User can access the corporate managed asset. + For more information about Azure AD join, see the [Azure AD & Windows 10: Better Together for Work or School](http://go.microsoft.com/fwlink/p/?LinkId=691619) white paper. + Conditional access control is a topic that many organizations and IT pros may not know as well as they should. The different attributes that describe a user, a device, compliance, and context of access are very powerful when used with a conditional access engine. Conditional access control is an essential step that helps organizations secure their environment. + ## Takeaways and summary + The following list contains high-level key take-aways to improve the security posture of any organization. However, the few take-aways presented in this section should not be interpreted as an exhaustive list of security best practices. + - **Understand that no solution is 100 percent secure** + If determined adversaries with malicious intent gain physical access to the device, they could eventually break through its security layers and control it. + - **Use health attestation with an MDM solution** + Devices that attempt to connect to high-value assets must have their health evaluated so that unhealthy and noncompliant devices can be detected, reported, and eventually blocked. + - **Use Credential Guard** + Credential Guard is a feature that greatly helps protect corporate domain credentials from pass-the-hash attacks. + - **Use Device Guard** + Device Guard is a real advance in security and an effective way to help protect against malware. The new Device Guard feature in Windows 10 blocks untrusted apps (apps not authorized by your organization). + - **Sign Device Guard policy** + Signed Device Guard policy helps protect against a user with administrator privileges trying to defeat the current policy. When a policy is signed, the only way to modify Device Guard subsequently is to provide a new version of the policy signed by the same signer or from a signer specify as part of the Device Guard policy. + - **Use virtualization-based security** + When you have Kernel Mode Code Integrity protected by virtualization-based security, the code integrity rules are still enforced even if a vulnerability allows unauthorized kernel mode memory access. Keep in mind that Device Guard devices that run Kernel Code Integrity with virtualization-based security must have compatible drivers. + - **Start to deploy Device Guard with Audit mode** + Deploy Device Guard policy to targeted computers and devices in Audit mode. Monitor the Code Integrity event log that indicates a program or a driver would have been blocked if Device Guard was configured in Enforcement mode. Adjust Device Guard rules until a high level of confidence has been reached. After the testing phase has been completed, Device Guard policy can be switched to Enforcement mode. + - **Build an isolated reference machine when deploying Device Guard** + Because the corporate network can contain malware, you should start to configure a reference environment that is isolated from your main corporate network. After that, you can create a code integrity policy that includes the trusted applications you want to run on your protected devices. + - **Use AppLocker when it makes sense** + Although AppLocker is not considered a new Device Guard feature, it complements Device Guard functionality for some scenarios like being able to deny a specific Universal Windows apps for a specific user or a group of users. + - **Lock down firmware and configuration** + After Windows 10 is installed, lock down firmware boot options access. This prevents a user with physical access from modifying UEFI settings, disabling Secure Boot, or booting other operating systems. Also, in order to protect against an administrator trying to disable Device Guard, add a rule in the current Device Guard policy that will deny and block execution of the **C:\\Windows\\System32\\SecConfig.efi** tool. + Health attestation is a key feature of Windows 10 that includes client and cloud components to control access to high-value assets based on a user and their device’s identity and compliance with corporate governance policy. Organizations can choose to detect and report unhealthy devices, or to configure health enforcement rules based on their needs. Health attestation provides an end-to-end security model and integration points, which vendors and software developers can use to build and integrate a customized solution. + ## Related topics -[Protect derived domain credentials with Credential Guard](credential-guard.md) -[Device Guard deployment guide](device-guard-deployment-guide.md) -[Trusted Platform Module technology overview](http://go.microsoft.com/fwlink/p/?LinkId=733957) -  -  + +- [Protect derived domain credentials with Credential Guard](credential-guard.md) +- [Device Guard deployment guide](device-guard-deployment-guide.md) +- [Trusted Platform Module technology overview](http://go.microsoft.com/fwlink/p/?LinkId=733957) diff --git a/windows/keep-secure/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/keep-secure/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index a1a5ed3f34..aaf71600b1 100644 --- a/windows/keep-secure/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md +++ b/windows/keep-secure/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md @@ -2,112 +2,163 @@ title: Protecting cluster shared volumes and storage area networks with BitLocker (Windows 10) description: This topic for IT pros describes how to protect CSVs and SANs with BitLocker. ms.assetid: ecd25a10-42c7-4d31-8a7e-ea52c8ebc092 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Protecting cluster shared volumes and storage area networks with BitLocker + **Applies to** - Windows 10 + This topic for IT pros describes how to protect CSVs and SANs with BitLocker. + BitLocker can protect both physical disk resources and cluster shared volumes version 2.0 (CSV2.0). BitLocker on clustered volumes allows for an additional layer of protection for administrators wishing to protect sensitive, highly available data. By adding additional protectors to the clustered volume, administrators can also add an additional barrier of security to resources within an organization by allowing only certain user accounts access to unlock the BitLocker volume. + ## Configuring BitLocker on Cluster Shared Volumes + ### Using BitLocker with Clustered Volumes + BitLocker on volumes within a cluster are managed based on how the cluster service "views" the volume to be protected. The volume can be a physical disk resource such as a logical unit number (LUN) on a storage area network (SAN) or network attached storage (NAS). -**Important**   -SANs used with BitLocker must have obtained Windows Hardware Certification. For more info, see [Windows Hardware Lab Kit](https://msdn.microsoft.com/library/windows/hardware/dn930814.aspx). + +>**Important**  SANs used with BitLocker must have obtained Windows Hardware Certification. For more info, see [Windows Hardware Lab Kit](https://msdn.microsoft.com/library/windows/hardware/dn930814.aspx).   -Alternatively, the volume can be a cluster-shared volume, a shared namespace, within the cluster. Windows Server 2012 expanded the CSV architecture, now known as CSV2.0, to enable support for BitLocker. When using BitLocker with volumes designated for a cluster, the volume will need to turn on BitLocker before its addition to the storage pool within cluster or put the resource into maintenance mode before BitLocker operations will complete. +Alternatively, the volume can be a cluster-shared volume, a shared namespace, within the cluster. Windows Server 2012 expanded the CSV architecture, now known as CSV2.0, to enable support for BitLocker. When using BitLocker with volumes designated for a cluster, the volume will need to turn on +BitLocker before its addition to the storage pool within cluster or put the resource into maintenance mode before BitLocker operations will complete. + Windows PowerShell or the manage-bde command line interface is the preferred method to manage BitLocker on CSV2.0 volumes. This is recommended over the BitLocker Control Panel item because CSV2.0 volumes are mount points. Mount points are an NTFS object that is used to provide an entry point to other volumes. Mount points do not require the use of a drive letter. Volumes that lack drive letters do not appear in the BitLocker Control Panel item. Additionally, the new Active Directory-based protector option required for cluster disk resource or CSV2.0 resources is not available in the Control Panel item. -**Note**   -Mount points can be used to support remote mount points on SMB based network shares. This type of share is not supported for BitLocker encryption. + +>**Note:**  Mount points can be used to support remote mount points on SMB based network shares. This type of share is not supported for BitLocker encryption.   -For thinly provisioned storage, such as a Dynamic Virtual Hard Disk (VHD), BitLocker runs in Used Disk Space Only encryption mode. You cannot use the **manage-bde –WipeFreeSpace** command to transition the volume to full-volume encryption on these types of volumes. This occurs because Full Encryption requires an end marker for the volume and dynamically expanding VHDs do not have a static end of volume marker. +For thinly provisioned storage, such as a Dynamic Virtual Hard Disk (VHD), BitLocker runs in Used Disk Space Only encryption mode. You cannot use the **manage-bde –WipeFreeSpace** command to transition the volume to full-volume encryption on these types of volumes. This occurs because Full +Encryption requires an end marker for the volume and dynamically expanding VHDs do not have a static end of volume marker. + ### Active Directory-based protector + You can also use an Active Directory Domain Services (AD DS) protector for protecting clustered volumes held within your AD DS infrastructure. The **ADAccountOrGroup** protector is a domain security identifier (SID)-based protector that can be bound to a user account, machine account or group. When an unlock request is made for a protected volume, the BitLocker service interrupts the request and uses the BitLocker protect/unprotect APIs to unlock or deny the request. BitLocker will unlock protected volumes without user intervention by attempting protectors in the following order: + 1. Clear key 2. Driver-based auto-unlock key 3. ADAccountOrGroup protector + 1. Service context protector 2. User protector + 4. Registry-based auto-unlock key -**Note**   -A Windows Server 2012 or later domain controller is required for this feature to work properly. + +>**Note:**  A Windows Server 2012 or later domain controller is required for this feature to work properly.   ### Turning on BitLocker before adding disks to a cluster using Windows PowerShell + BitLocker encryption is available for disks before or after addition to a cluster storage pool. The advantage of encrypting volumes prior to adding them to a cluster is that the disk resource does not require suspending the resource to complete the operation. To turn on BitLocker for a disk before adding it to a cluster, do the following: + 1. Install the BitLocker Drive Encryption feature if it is not already installed. 2. Ensure the disk is formatted NTFS and has a drive letter assigned to it. 3. Enable BitLocker on the volume using your choice of protector. A password protector is used in the Windows PowerShell script example below. + ``` syntax Enable-BitLocker E: -PasswordProtector -Password $pw ``` + 4. Identify the name of the cluster with Windows PowerShell. + ``` syntax Get-Cluster + ``` 5. Add an **ADAccountOrGroup**protector to the volume using the cluster name using a command such as: + ``` syntax Add-BitLockerProtector E: -ADAccountOrGroupProtector -ADAccountOrGroup CLUSTER$ ``` - **Warning**   - You must add an **ADAccountOrGroup** protector using the cluster CNO for a BitLocker enabled volume to either be shared in a Cluster Shared Volume or to failover properly in a traditional failover cluster. + + >**Warning:**  You must add an **ADAccountOrGroup** protector using the cluster CNO for a BitLocker enabled volume to either be shared in a Cluster Shared Volume or to failover properly in a traditional failover cluster.   6. Repeat steps 1-6 for each disk in the cluster. 7. Add the volume(s) to the cluster. + ### Turning on BitLocker for a clustered disk using Windows PowerShell + When the cluster service owns a disk resource already, it needs to be set into maintenance mode before BitLocker can be enabled. Use the following steps for turning BitLocker on for a clustered disk: + 1. Install the BitLocker Drive Encryption feature if it is not already installed. 2. Check the status of the cluster disk using Windows PowerShell. + ``` syntax Get-ClusterResource "Cluster Disk 1" ``` + 3. Put the physical disk resource into maintenance mode using Windows PowerShell. + ``` syntax Get-ClusterResource "Cluster Disk 1" | Suspend-ClusterResource ``` + 4. Enable BitLocker on the volume using your choice of protector. A password protector is used in the example below. + ``` syntax Enable-BitLocker E: -PasswordProtector -Password $pw ``` + 5. Identify the name of the cluster with Windows PowerShell + ``` syntax Get-Cluster ``` + 6. Add an **ADAccountOrGroup** protector with the Cluster Name Object (CNO) to the volume using a command such as: + ``` syntax Add-BitLockerProtector E: -ADAccountOrGroupProtector -ADAccountOrGroup CLUSTER$ + ``` - **Warning**   - You must add an **ADAccountOrGroup** protector using the cluster CNO for a BitLocker enabled volume to either be shared in a Cluster Shared Volume or to failover properly in a traditional failover cluster. + >**Warning:**  You must add an **ADAccountOrGroup** protector using the cluster CNO for a BitLocker enabled volume to either be shared in a Cluster Shared Volume or to failover properly in a traditional failover cluster.   7. Repeat steps 1-6 for each disk in the cluster. 8. Add the volume(s) to the cluster + ### Adding BitLocker encrypted volumes to a cluster using manage-bde + You can also use manage-bde to enable BitLocker on clustered volumes. The steps needed to add a physical disk resource or CSV2.0 volume to an existing cluster includes the following: + 1. Verify the BitLocker Drive Encryption feature is installed on the computer. 2. Ensure new storage is formatted as NTFS. 3. Encrypt the volume, add a recovery key and add the cluster administrator as a protector key using the manage-bde command line interface (see example): + - `Manage-bde -on -used -RP -sid domain\CNO$ -sync` + 1. BitLocker will check to see if the disk is already part of a cluster. If it is, administrators will encounter a hard block. Otherwise, the encryption will continue. 2. Using the -sync parameter is optional. Using it ensures the command waits until the encryption for the volume is completed before releasing the volume for use in the cluster storage pool. + 4. Open the Failover Cluster Manager snap-in or cluster PowerShell cmdlets to enable the disk to be clustered + - Once the disk is clustered it can also be enabled for CSV. + 5. During the resource online operation, cluster will check to see if the disk is BitLocker encrypted. + 1. If the volume is not BitLocker enabled, traditional cluster online operations occur. 2. If the volume is BitLocker enabled, the following check occurs: + - If volume is **locked**, BitLocker will impersonate the CNO and unlock the volume using the CNO protector. If this operation fails an event will be logged that the volume could not be unlocked and the online operation will fail. + 6. Once the disk is online in the storage pool, it can be added to a CSV by right clicking on the disk resource and choosing "**Add to cluster shared volumes**". CSVs can include both encrypted and unencrypted volumes. To check the status of a particular volume for BitLocker encryption, administrators can utilize the manage-bde -status command with a path to the volume inside the CSV namespace as seen in the example command line below. + ``` syntax manage-bde -status "C:\ClusterStorage\volume1" ``` + ### Physical Disk Resources + Unlike CSV2.0 volumes, physical disk resources can only be accessed by one cluster node at a time. This means that operations such as encrypting, decrypting, locking or unlocking volumes require context to perform. For example, you cannot unlock or decrypt a physical disk resource if you are not administering the cluster node that owns the disk resource because the disk resource is not available. + ### Restrictions on BitLocker actions with cluster volumes + The following table contains information about both Physical Disk Resources (i.e. traditional failover cluster volumes) and Cluster Shared Volumes (CSV) and the actions that are allowed by BitLocker in each situation. + @@ -211,11 +262,12 @@ The following table contains information about both Physical Disk Resources (i.e
  -**Note**   -Although the manage-bde -pause command is Blocked in clusters, the cluster service will automatically resume a paused encryption or decryption from the MDS node +>**Note:**  Although the manage-bde -pause command is Blocked in clusters, the cluster service will automatically resume a paused encryption or decryption from the MDS node   In the case where a physical disk resource experiences a failover event during conversion, the new owning node will detect the conversion is not complete and will complete the conversion process. + ### Other considerations when using BitLocker on CSV2.0 + Some other considerations to take into account for BitLocker on clustered storage include the following: - BitLocker volumes have to be initialized and beginning encryption before they are available to add to a CSV2.0 volume. - If an administrator needs to decrypt a CSV volume, remove the volume from the cluster or put into disk maintenance mode. You can add the CSV back to the cluster while waiting for decryption to complete. @@ -224,5 +276,3 @@ Some other considerations to take into account for BitLocker on clustered storag - If conversion is paused with encryption in progress and a physical disk resource volume is offline from the cluster, the BitLocker driver will automatically resume conversion when the volume is online to the cluster. - If conversion is paused with encryption in progress, while the CSV volume is in maintenance mode, the cluster thread (health check) will automatically resume conversion when moving the volume back from maintenance. - If conversion is paused with encryption in progress, while the disk resource volume is in maintenance mode, the BitLocker driver will automatically resume conversion when the volume is moved back from maintenance mode. -  -  diff --git a/windows/keep-secure/recovery-console-allow-automatic-administrative-logon.md b/windows/keep-secure/recovery-console-allow-automatic-administrative-logon.md index e1f339479c..4ef6ba5277 100644 --- a/windows/keep-secure/recovery-console-allow-automatic-administrative-logon.md +++ b/windows/keep-secure/recovery-console-allow-automatic-administrative-logon.md @@ -2,88 +2,93 @@ title: Recovery console Allow automatic administrative logon (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Recovery console Allow automatic administrative logon security policy setting. ms.assetid: be2498fc-48f4-43f3-ad09-74664e45e596 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Recovery console: Allow automatic administrative logon + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Recovery console: Allow automatic administrative logon** security policy setting. + ## Reference + This policy setting determines whether the built-in Administrator account password must be provided before access to the device is granted. If you enable this setting, the built-in Administrator account is automatically logged on to the computer at the Recovery Console; no password is required. + The Recovery Console can be very useful when troubleshooting and repairing systems that cannot be restarted. However, enabling this policy setting so a user can automatically log on to the console is dangerous. Anyone can walk up to the server, shut it down by disconnecting the power, reboot it, select **Recovery Console** from the **Restart** menu, and then assume full control of the server. + ### Possible values + - Enabled + The built-in Administrator account is automatically logged on to the computer at the Recovery Console; no password is required + - Disabled + Automatic administrative logon is not allowed. + - Not defined + Automatic administrative logon is not allowed. + ### Best practices + - Set **Recovery Console: Allow automatic administrative logon** to **Disabled**. This requires a user to enter a user name and password to access the Recovery Console account. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy| Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Group Policy + Setting and deploying this policy using Group Policy takes precedence over the setting on the local device + ### Policy conflicts + None. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + The Recovery Console can be very useful when you must troubleshoot and repair device that do not start. However, allowing automatic logon to the Recovery Console can make it possible for someone to assume full control of the server. + ### Countermeasure + Disable the **Recovery console: Allow automatic administrative logon** setting. + ### Potential impact + Users must enter a user name and password to access the Recovery Console. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md b/windows/keep-secure/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md index 113bafb66c..d8945335fa 100644 --- a/windows/keep-secure/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md +++ b/windows/keep-secure/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md @@ -2,95 +2,99 @@ title: Recovery console Allow floppy copy and access to all drives and folders (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Recovery console Allow floppy copy and access to all drives and folders security policy setting. ms.assetid: a5b4ac0c-f33d-42b5-a866-72afa7cbd0bd -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Recovery console: Allow floppy copy and access to all drives and folders + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Recovery console: Allow floppy copy and access to all drives and folders** security policy setting. + ## Reference + This policy setting enables or disables the Recovery Console SET command, which allows you to set the following Recovery Console environment variables. + - **AllowWildCards**. Enables wildcard support for some commands, such as the DEL command. - **AllowAllPaths**. Allows access to all files and folders on the device. - **AllowRemovableMedia**. Allows files to be copied to removable media, such as a floppy disk. - **NoCopyPrompt**. Suppresses the prompt that typically displays before an existing file is overwritten. + You might forget to remove removable media, such as CD or floppy disk, with sensitive data or applications that a malicious user could then steal. Or you could accidentally leave a startup disk in the computer after using the Recovery Console. If the device is restarted for any reason and the BIOS has been configured to boot from the removable media before the hard disk drive, the server will start from the removable disk. This causes the server's network services to be unavailable. + ### Possible values + - Enabled - Disabled - Not defined + ### Best practices + - Set **Recovery Console: Allow floppy copy and access to drives and folders** to **Disabled**. Users who have started a server by using the Recovery Console and logged in with the built-in Administrator account will not be able to copy files and folders to a floppy disk. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Group Policy + Setting and deploying this policy using Group Policy takes precedence over the setting on the local device. + ### Policy conflicts + None. + ### Command-line tools + Enabling this security option makes the Recovery Console SET command available, which allows you to set the following Recovery Console environment variables: + - AllowWildCards: Enable wildcard support for some commands (such as the DEL command). - AllowAllPaths: Allow access to all files and folders on the device. - AllowRemovableMedia: Allow files to be copied to removable media, such as a floppy disk. - NoCopyPrompt: Do not prompt when overwriting an existing file. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + An attacker who can cause the system to restart into the Recovery Console could steal sensitive data and leave no audit or access trail. + ### Countermeasure + Disable the **Recovery console: Allow floppy copy and access to drives and folders** setting. + ### Potential impact + Users who have started a server through the Recovery Console and logged in with the built-in Administrator account cannot copy files and folders to a floppy disk. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/refresh-an-applocker-policy.md b/windows/keep-secure/refresh-an-applocker-policy.md index b94e1582a1..719bfb599b 100644 --- a/windows/keep-secure/refresh-an-applocker-policy.md +++ b/windows/keep-secure/refresh-an-applocker-policy.md @@ -2,39 +2,55 @@ title: Refresh an AppLocker policy (Windows 10) description: This topic for IT professionals describes the steps to force an update for an AppLocker policy. ms.assetid: 3f24fcbc-3926-46b9-a1a2-dd036edab8a9 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Refresh an AppLocker policy + **Applies to** - Windows 10 + This topic for IT professionals describes the steps to force an update for an AppLocker policy. + If you update the rule collection on a local computer by using the Local Security Policy snap-in, the policy will take effect immediately. If Group Policy is used to distribute the AppLocker policy and you want to immediately implement the policy, you must manually refresh the policy. The Group Policy refresh might take several minutes, depending upon the number of policies within the Group Policy Object (GPO) and the number of target computers. + To use Group Policy to distribute the AppLocker policy change, you need to retrieve the deployed AppLocker policy first. To prepare for the update and subsequent refresh, see [Edit an AppLocker policy](edit-an-applocker-policy.md) + [Edit an AppLocker policy](edit-an-applocker-policy.md) and [Use the AppLocker Windows PowerShell cmdlets](use-the-applocker-windows-powershell-cmdlets.md). + To complete this procedure, you must have Edit Setting permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission. + **To manually refresh the AppLocker policy by using Group Policy** + 1. From a command prompt, type **gpupdate /force**, and then press ENTER. 2. When the command finishes, close the command prompt window, and then verify that the intended rule behavior is correct. You can do this by checking the AppLocker event logs for events that include "policy applied." -To change a policy on an individual computer, or to implement that policy on other computers, without using Group Policy, you first need to update the rule within the rule collection. For information about updating existing rules, see [Edit AppLocker rules](edit-applocker-rules.md). For information about creating a new rule for an existing policy, see: + +To change a policy on an individual computer, or to implement that policy on other computers, without using Group Policy, you first need to update the rule within the rule collection. For information about updating existing rules, see [Edit AppLocker rules](edit-applocker-rules.md). For information +about creating a new rule for an existing policy, see: - [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md) - [Create a rule that uses a file hash condition](create-a-rule-that-uses-a-file-hash-condition.md) - [Create a rule that uses a path condition](create-a-rule-that-uses-a-path-condition.md) + Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure. + **To refresh the AppLocker policy on the local computer** + - Update the rule collection by using the Local Security Policy console with one of the following procedures: + - [Edit AppLocker rules](edit-applocker-rules.md) - [Delete an AppLocker rule](delete-an-applocker-rule.md) - [Add exceptions for an AppLocker rule](configure-exceptions-for-an-applocker-rule.md) + When finished, the policy is in effect. + To make the same change on another device, you can use any of the following methods: + - From the device that you made the change on, export the AppLocker policy, and then import the policy onto the other device. To do this, use the AppLocker **Export Policy** and **Import Policy** features to copy the rules from the changed computer. - **Caution**   - When importing rules from another computer, all the rules will be applied, not just the one that was updated. Merging policies allows both existing and updated (or new) rules to be applied. + + >**Caution:**  When importing rules from another computer, all the rules will be applied, not just the one that was updated. Merging policies allows both existing and updated (or new) rules to be applied.   - Merge AppLocker policies. For procedures to do this, see [Merge AppLocker policies manually](merge-applocker-policies-manually.md) and [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md). -  -  diff --git a/windows/keep-secure/registry-global-object-access-auditing.md b/windows/keep-secure/registry-global-object-access-auditing.md index cf9eaa2938..b734cec46b 100644 --- a/windows/keep-secure/registry-global-object-access-auditing.md +++ b/windows/keep-secure/registry-global-object-access-auditing.md @@ -2,19 +2,24 @@ title: Registry (Global Object Access Auditing) (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Registry (Global Object Access Auditing), which enables you to configure a global system access control list (SACL) on the registry of a computer. ms.assetid: 953bb1c1-3f76-43be-ba17-4aed2304f578 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Registry (Global Object Access Auditing) + **Applies to** - Windows 10 + This topic for the IT professional describes the Advanced Security Audit policy setting, **Registry (Global Object Access Auditing)**, which enables you to configure a global system access control list (SACL) on the registry of a computer. + If you select the **Configure security** check box on this policy’s property page, you can add a user or group to the global SACL. This enables you to define computer system access control lists (SACLs) per object type for the registry. The specified SACL is then automatically applied to every registry object type. + This policy setting must be used in combination with the **Registry** security policy setting under Object Access. For more info, see [Audit Registry](audit-registry.md). + ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) -  -  + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) diff --git a/windows/keep-secure/remove-computer-from-docking-station.md b/windows/keep-secure/remove-computer-from-docking-station.md index fa16818895..ee3b81a7d3 100644 --- a/windows/keep-secure/remove-computer-from-docking-station.md +++ b/windows/keep-secure/remove-computer-from-docking-station.md @@ -2,93 +2,96 @@ title: Remove computer from docking station (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Remove computer from docking station security policy setting. ms.assetid: 229a385a-a862-4973-899a-413b1b5b6c30 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Remove computer from docking station + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Remove computer from docking station** security policy setting. + ## Reference + This security setting determines whether a user can undock a portable device from its docking station without logging on. This policy setting only affects scenarios that involve a portable computer and its docking station. + If this user right is assigned to the user’s account (or if the user is a member of the assigned group), the user must log on before removing the portable device from its docking station. Otherwise, as a security measure, the user will not be able to log on after the device is removed from the docking station. If this policy is not assigned, the user may remove the portable device from its docking station without logging on, and then have the ability to start and log on to the device afterwards in its undocked state. + Constant: SeUndockPrivilege + ### Possible values + - User-defined list of accounts - Not Defined + ### Best practices + - Assign this user right to only those accounts that are permitted to use the portable device. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + Although this portable device scenario does not normally apply to servers, by default this setting is Administrators on domain controllers and on stand-alone servers. + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Administrators

Stand-Alone Server Default Settings

Administrators

Domain Controller Effective Default Settings

Administrators

Member Server Effective Default Settings

Administrators

Client Computer Effective Default Settings

Administrators

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Administrators| +| Stand-Alone Server Default Settings | Administrators| +| Domain Controller Effective Default Settings | Administrators| +| Member Server Effective Default Settings | Administrators| +| Client Computer Effective Default Settings | Administrators|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the device is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Anyone who has the **Remove computer from docking station** user right can log on and then remove a portable device from its docking station. If this setting is not defined, it has the same effect as if everyone was granted this right. However, the value of implementing this countermeasure is reduced by the following factors: + - If attackers can restart the device, they could remove it from the docking station after the BIOS starts but before the operating system starts. - This setting does not affect servers because they typically are not installed in docking stations. - An attacker could steal the device and the docking station together. - Devices that can be mechanically undocked can be physically removed by the user whether or not they use the Windows undocking functionality. + ### Countermeasure + Ensure that only the local Administrators group and the user account to which the device is allocated are assigned the **Remove computer from docking station** user right. + ### Potential impact + By default, only members of the local Administrators group are granted this right. Other user accounts must be explicitly granted this user right as necessary. If your organization's users are not members of the local Administrators groups on their portable devices, they cannot remove their portable devices from their docking stations if they do not first shut down the device. Therefore, you may want to assign the **Remove computer from docking station** privilege to the local Users group for portable devices. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/replace-a-process-level-token.md b/windows/keep-secure/replace-a-process-level-token.md index 237f74debf..5361f2a589 100644 --- a/windows/keep-secure/replace-a-process-level-token.md +++ b/windows/keep-secure/replace-a-process-level-token.md @@ -2,96 +2,94 @@ title: Replace a process level token (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Replace a process level token security policy setting. ms.assetid: 5add02db-6339-489e-ba21-ccc3ccbe8745 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Replace a process level token + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Replace a process level token** security policy setting. + ## Reference + This policy setting determines which parent processes can replace the access token that is associated with a child process. + Specifically, the **Replace a process level token** setting determines which user accounts can call the CreateProcessAsUser() application programming interface (API) so that one service can start another. An example of a process that uses this user right is Task Scheduler, where the user right is extended to any processes that can be managed by Task Scheduler. + An access token is an object that describes the security context of a process or thread. The information in a token includes the identity and privileges of the user account that is associated with the process or thread. With this user right, every child process that runs on behalf of this user account would have its access token replaced with the process level token. + Constant: SeAssignPrimaryTokenPrivilege + ### Possible values + - User-defined list of accounts - Defaults - Not defined + ### Best practices + - For member servers, ensure that only the Local Service and Network Service accounts have the **Replace a process level token** user right. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default this setting is Network Service and Local Service on domain controllers and on stand-alone servers. + The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Network Service

-

Local Service

Stand-Alone Server Default Settings

Network Service

-

Local Service

Domain Controller Effective Default Settings

Network Service

-

Local Service

Member Server Effective Default Settings

Network Service

-

Local Service

Client Computer Effective Default Settings

Network Service

-

Local Service

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Network Service
Local Service | +| Stand-Alone Server Default Settings | Network Service
Local Service| +| Domain Controller Effective Default Settings | Network Service
Local Service| +| Member Server Effective Default Settings | Network Service
Local Service| +| Client Computer Effective Default Settings | Network Service
Local Service|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the device is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Users with the **Replace a process level token** user right can start processes as another user if they know the user’s credentials. + ### Countermeasure + For member servers, ensure that only the Local Service and Network Service accounts have the **Replace a process level token** user right. + ### Potential impact + On most computers, restricting the **Replace a process level token** user right to the Local Service and the Network Service built-in accounts is the default configuration, and there is no negative impact. However, if you have installed optional components such as ASP.NET or IIS, you may need to assign the **Replace a process level token** user right to additional accounts. For example, IIS requires that the Service, Network Service, and IWAM\_*<ComputerName>* accounts be explicitly granted this user right. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/requirements-for-deploying-applocker-policies.md b/windows/keep-secure/requirements-for-deploying-applocker-policies.md index 996718cd10..e3b6c29aa7 100644 --- a/windows/keep-secure/requirements-for-deploying-applocker-policies.md +++ b/windows/keep-secure/requirements-for-deploying-applocker-policies.md @@ -2,23 +2,30 @@ title: Requirements for deploying AppLocker policies (Windows 10) description: This deployment topic for the IT professional lists the requirements that you need to consider before you deploy AppLocker policies. ms.assetid: 3e55bda2-3cd7-42c7-bad3-c7dfbe193d48 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Requirements for deploying AppLocker policies + **Applies to** - Windows 10 + This deployment topic for the IT professional lists the requirements that you need to consider before you deploy AppLocker policies. + The following requirements must be met or addressed before you deploy your AppLocker policies: - [Deployment plan](#bkmk-reqdepplan) - [Supported operating systems](#bkmk-reqsupportedos) - [Policy distribution mechanism](#bkmk-reqpolicydistmech) - [Event collection and analysis system](#bkmk-reqeventcollectionsystem) + ### Deployment plan + An AppLocker policy deployment plan is the result of investigating which applications are required and necessary in your organization, which apps are optional, and which apps are forbidden. To develop this plan, see [AppLocker Design Guide](applocker-policies-design-guide.md). The following table is an example of the data you need to collect and the decisions you need to make to successfully deploy AppLocker policies on the supported operating systems (as listed in [Requirements to use AppLocker](requirements-to-use-applocker.md). + @@ -116,6 +123,7 @@ An AppLocker policy deployment plan is the result of investigating which applica
  **Event processing policy** + @@ -153,6 +161,7 @@ An AppLocker policy deployment plan is the result of investigating which applica
  **Policy maintenance policy** + @@ -194,15 +203,20 @@ An AppLocker policy deployment plan is the result of investigating which applica
  ### Supported operating systems + AppLocker is supported only on certain operating systems. Some features are not available on all operating systems. For more information, see [Requirements to use AppLocker](requirements-to-use-applocker.md). + ### Policy distribution mechanism + You need a way to distribute the AppLocker policies throughout the targeted business groups. AppLocker uses Group Policy management architecture to effectively distribute application control policies. AppLocker policies can also be configured on individual computers by using the Local Security Policy snap-in. + ### Event collection and analysis system + Event processing is important to understand application usage. You must have a process in place to collect and analyze AppLocker events so that application usage is appropriately restricted and understood. For procedures to monitor AppLocker events, see: - [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md) - [Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md) - [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md) + ## See also -[AppLocker deployment guide](applocker-policies-deployment-guide.md) -  -  + +- [AppLocker deployment guide](applocker-policies-deployment-guide.md) diff --git a/windows/keep-secure/requirements-to-use-applocker.md b/windows/keep-secure/requirements-to-use-applocker.md index db3259ce0a..6389eb2755 100644 --- a/windows/keep-secure/requirements-to-use-applocker.md +++ b/windows/keep-secure/requirements-to-use-applocker.md @@ -2,211 +2,60 @@ title: Requirements to use AppLocker (Windows 10) description: This topic for the IT professional lists software requirements to use AppLocker on the supported Windows operating systems. ms.assetid: dc380535-071e-4794-8f9d-e5d1858156f0 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Requirements to use AppLocker + **Applies to** - Windows 10 + This topic for the IT professional lists software requirements to use AppLocker on the supported Windows operating systems. + ## General requirements + To use AppLocker, you need: + - A device running a supported operating system to create the rules. The computer can be a domain controller. - For Group Policy deployment, at least one device with the Group Policy Management Console (GPMC) or Remote Server Administration Tools (RSAT) installed to host the AppLocker rules. - Devices running a supported operating system to enforce the AppLocker rules that you create. -**Note**   -You can use Software Restriction Policies with AppLocker, but with some limitations. For more info, see [Use AppLocker and Software Restriction Policies in the same domain](use-applocker-and-software-restriction-policies-in-the-same-domain.md). + +>**Note:**  You can use Software Restriction Policies with AppLocker, but with some limitations. For more info, see [Use AppLocker and Software Restriction Policies in the same domain](use-applocker-and-software-restriction-policies-in-the-same-domain.md).   ## Operating system requirements + The following table show the on which operating systems AppLocker features are supported. - ------- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
VersionCan be configuredCan be enforcedAvailable rulesNotes

Windows 10

Yes

Yes

Packaged apps

-

Executable

-

Windows Installer

-

Script

-

DLL

You can use the [AppLocker CSP](http://msdn.microsoft.com/library/windows/hardware/dn920019.aspx) to configure AppLocker policies on any edition of Windows 10. You can only manage AppLocker with Group Policy on devices running Windows 10 Enterprise and Windows Server 2016 Technical Preview.

Windows Server 2012 R2

Yes

Yes

Packaged apps

-

Executable

-

Windows Installer

-

Script

-

DLL

Windows 8.1

Yes

Yes

Packaged apps

-

Executable

-

Windows Installer

-

Script

-

DLL

Only the Enterprise edition supports AppLocker

Windows RT 8.1

No

No

N/A

Windows Server 2012 Standard

Yes

Yes

Packaged apps

-

Executable

-

Windows Installer

-

Script

-

DLL

Windows Server 2012 Datacenter

Yes

Yes

Packaged apps

-

Executable

-

Windows Installer

-

Script

-

DLL

Windows 8 Pro

No

No

N/A

Windows 8 Enterprise

Yes

Yes

Packaged apps

-

Executable

-

Windows Installer

-

Script

-

DLL

Windows RT

No

No

N/A

Windows Server 2008 R2 Standard

Yes

Yes

Executable

-

Windows Installer

-

Script

-

DLL

Packaged app rules will not be enforced.

Windows Server 2008 R2 Enterprise

Yes

Yes

Executable

-

Windows Installer

-

Script

-

DLL

Packaged app rules will not be enforced.

Windows Server 2008 R2 Datacenter

Yes

Yes

Executable

-

Windows Installer

-

Script

-

DLL

Packaged app rules will not be enforced.

Windows Server 2008 R2 for Itanium-Based Systems

Yes

Yes

Executable

-

Windows Installer

-

Script

-

DLL

Packaged app rules will not be enforced.

Windows 7 Ultimate

Yes

Yes

Executable

-

Windows Installer

-

Script

-

DLL

Packaged app rules will not be enforced.

Windows 7 Enterprise

Yes

Yes

Executable

-

Windows Installer

-

Script

-

DLL

Packaged app rules will not be enforced.

Windows 7 Professional

Yes

No

Executable

-

Windows Installer

-

Script

-

DLL

No AppLocker rules are enforced.

+ +| Version | Can be configured | Can be enforced | Available rules | Notes | +| - | - | - | - | - | +| Windows 10| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL| You can use the [AppLocker CSP](http://msdn.microsoft.com/library/windows/hardware/dn920019.aspx) to configure AppLocker policies on any edition of Windows 10. You can only manage AppLocker with Group Policy on devices running Windows 10 Enterprise and Windows Server 2016 Technical Preview. | +| Windows Server 2012 R2| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL| | +| Windows 8.1| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL| Only the Enterprise edition supports AppLocker| +| Windows RT 8.1| No| No| N/A|| +| Windows Server 2012 Standard| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL|| +| Windows Server 2012 Datacenter| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL|| +| Windows 8 Pro| No| No| N/A|| +| Windows 8 Enterprise| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL|| +| Windows RT| No| No| N/A| | +| Windows Server 2008 R2 Standard| Yes| Yes| Executable
Windows Installer
Script
DLL| Packaged app rules will not be enforced.| +| Windows Server 2008 R2 Enterprise|Yes| Yes| Executable
Windows Installer
Script
DLL| Packaged app rules will not be enforced.| +| Windows Server 2008 R2 Datacenter| Yes| Yes| Executable
Windows Installer
Script
DLL| Packaged app rules will not be enforced.| +| Windows Server 2008 R2 for Itanium-Based Systems| Yes| Yes| Executable
Windows Installer
Script
DLL| Packaged app rules will not be enforced.| +| Windows 7 Ultimate| Yes| Yes| Executable
Windows Installer
Script
DLL| Packaged app rules will not be enforced.| +| Windows 7 Enterprise| Yes| Yes| Executable
Windows Installer
Script
DLL| Packaged app rules will not be enforced.| +| Windows 7 Professional| Yes| No| Executable
Windows Installer
Script
DLL| No AppLocker rules are enforced.|   + AppLocker is not supported on versions of the Windows operating system not listed above. Software Restriction Policies can be used with those versions. However, the SRP Basic User feature is not supported on the above operating systems. + ## See also -[Administer AppLocker](administer-applocker.md) -[Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md) -[Optimize AppLocker performance](optimize-applocker-performance.md) -[Use AppLocker and Software Restriction Policies in the same domain](use-applocker-and-software-restriction-policies-in-the-same-domain.md) -[Manage packaged apps with AppLocker](manage-packaged-apps-with-applocker.md) -[AppLocker Design Guide](applocker-policies-design-guide.md) -  -  +- [Administer AppLocker](administer-applocker.md) +- [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md) +- [Optimize AppLocker performance](optimize-applocker-performance.md) +- [Use AppLocker and Software Restriction Policies in the same domain](use-applocker-and-software-restriction-policies-in-the-same-domain.md) +- [Manage packaged apps with AppLocker](manage-packaged-apps-with-applocker.md) +- [AppLocker Design Guide](applocker-policies-design-guide.md) diff --git a/windows/keep-secure/reset-account-lockout-counter-after.md b/windows/keep-secure/reset-account-lockout-counter-after.md index 04fdcce682..d3e6f545ed 100644 --- a/windows/keep-secure/reset-account-lockout-counter-after.md +++ b/windows/keep-secure/reset-account-lockout-counter-after.md @@ -2,76 +2,68 @@ title: Reset account lockout counter after (Windows 10) description: Describes the best practices, location, values, and security considerations for the Reset account lockout counter after security policy setting. ms.assetid: d5ccf6dd-5ba7-44a9-8e0b-c478d8b1442c -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Reset account lockout counter after + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Reset account lockout counter after** security policy setting. + ## Reference + The **Reset account lockout counter after** policy setting determines the number of minutes that must elapse from the time a user fails to log on before the failed logon attempt counter is reset to 0. If [Account lockout threshold](account-lockout-threshold.md) is set to a number greater than zero, this reset time must be less than or equal to the value of [Account lockout duration](account-lockout-duration.md). + A disadvantage to setting this too high is that users lock themselves out for an inconveniently long period if they exceed the account lockout threshold through logon errors. Users may make excessive Help Desk calls. + ### Possible values + - A user-defined number of minutes from 1 through 99,999 - Not defined + ### Best practices + - You need to determine the threat level for your organization and balance that against the cost of your Help Desk support for password resets. Each organization will have specific requirements. + ### Location + **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Account Lockout Policy** + ### Default values + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or Group Policy Object (GPO)Default value

Default domain policy

Not defined

Default domain controller policy

Not defined

Stand-alone server default settings

Not applicable

Domain controller effective default settings

Not defined

Member server effective default settings

Not defined

Client computer effective default settings

Not applicable

+ +| Server type or Group Policy Object (GPO) | Default value | +| - | - | +| Default domain policy| Not defined| +| Default domain controller policy | Not defined| +| Stand-alone server default settings | Not applicable| +| Domain controller effective default settings | Not defined| +| Member server effective default settings | Not defined| +| Client computer effective default settings | Not applicable|   ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Users can accidentally lock themselves out of their accounts if they mistype their password multiple times. + ### Countermeasure + Configure the **Reset account lockout counter after** policy setting to 30. + ### Potential impact + If you do not configure this policy setting or if the value is configured to an interval that is too long, an attacker could attempt to log on to each user's account numerous times and lock out their accounts, a denial-of-service (DoS) attack might succeed, or administrators might have to manually unlock all locked-out accounts. If you configure this policy setting to a reasonable value, users can perform new attempts to log on after a failed logon within a reasonable time, without making brute force attacks feasible at high speeds. Be sure that you notify users of the values that are used for this policy setting so that they wait for the lockout timer to expire before they call the Help Desk. + ## Related topics -[Account Lockout Policy](account-lockout-policy.md) -  -  + +- [Account Lockout Policy](account-lockout-policy.md) diff --git a/windows/keep-secure/restore-files-and-directories.md b/windows/keep-secure/restore-files-and-directories.md index dc9f47c01a..e8bb7e6f85 100644 --- a/windows/keep-secure/restore-files-and-directories.md +++ b/windows/keep-secure/restore-files-and-directories.md @@ -2,102 +2,97 @@ title: Restore files and directories (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Restore files and directories security policy setting. ms.assetid: c673c0fa-6f49-4edd-8c1f-c5e8513f701d -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Restore files and directories + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Restore files and directories** security policy setting. + ## Reference + This security setting determines which users can bypass file, directory, registry, and other persistent object permissions when they restore backed up files and directories, and it determines which users can set valid security principals as the owner of an object. + Granting this user right to an account is similar to granting the account the following permissions to all files and folders on the system: + - **Traverse folder / execute file** - **Write** + Constant: SeRestorePrivilege + ### Possible values + - User-defined list of accounts - Defaults - Not Defined + ### Best practices + - Users with this user right can overwrite registry settings, hide data, and gain ownership of system objects, so only assign this user right to trusted users. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default, this right is granted to the Administrators, Backup Operators, and Server Operators groups on domain controllers, and to the Administrators and Backup Operators groups on stand-alone servers. + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Default Domain Controller Policy

Administrators

-

Backup Operators

-

Server Operators

Stand-Alone Server Default Settings

Administrators

-

Backup Operators

Domain Controller Effective Default Settings

Administrators

-

Backup Operators

-

Server Operators

Member Server Effective Default Settings

Administrators

-

Backup Operators

Client Computer Effective Default Settings

Administrators

-

Backup Operators

+ +| Server type or GPO | Default value | +| - | - | +|Default Domain Policy | | +| Default Domain Controller Policy| Administrators
Backup Operators
Server Operators| +| Stand-Alone Server Default Settings | Administrators
Backup Operators| +| Domain Controller Effective Default Settings | Administrators
Backup Operators
Server Operators| +| Member Server Effective Default Settings | Administrators
Backup Operators| +| Client Computer Effective Default Settings | Administrators
Backup Operators|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the computer is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + An attacker with the **Restore files and directories** user right could restore sensitive data to a computer and overwrite data that is more recent, which could lead to loss of important data, data corruption, or a denial-of-service condition. Attackers could overwrite executable files that are used by legitimate administrators or system services with versions that include malicious software to grant themselves elevated privileges, compromise data, or install programs that provide continued access to the device -**Note**   -Even if the following countermeasure is configured, an attacker could restore data to a computer in a domain that is controlled by the attacker. Therefore, it is critical that organizations carefully protect the media that are used to back up data. + +>**Note:**  Even if the following countermeasure is configured, an attacker could restore data to a computer in a domain that is controlled by the attacker. Therefore, it is critical that organizations carefully protect the media that are used to back up data.   ### Countermeasure + Ensure that only the local Administrators group is assigned the **Restore files and directories** user right unless your organization has clearly defined roles for backup and for restore personnel. + ### Potential impact + If you remove the **Restore files and directories** user right from the Backup Operators group and other accounts, users who are not members of the local Administrators group cannot load data backups. If restoring backups is delegated to a subset of IT staff in your organization, you should verify that this change does not negatively affect the ability of your organization's personnel to do their jobs. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md b/windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md new file mode 100644 index 0000000000..9e6debeb0f --- /dev/null +++ b/windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md @@ -0,0 +1,54 @@ +--- +title: Run a scan from the command line in Windows Defender in Windows 10 (Windows 10) +description: IT professionals can run a scan using the command line in Windows Defender in Windows 10. +keywords: scan, command line, mpcmdrun, defender +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +author: mjcaparas +--- + +# Run a Windows Defender scan from the command line + +**Applies to:** + +- Windows 10 + +IT professionals can use a command-line utility to run a Windows Defender scan. + +The utility is available in _%Program Files%\Windows Defender\MpCmdRun.exe_ + +This utility can be handy when you want to automate the use of Windows Defender. + +**To run a full system scan from the command line** + +1. Click **Start**, type **cmd**, and press **Enter**. +2. Navigate to _%ProgramFiles%\Windows Defender_ and enter the following command, and press **Enter**: + +``` +C:\Program Files\Windows Defender\mpcmdrun.exe -scan -scantype 2 +``` +The full scan will start. When the scan completes, you'll see a message indicating that the scan is finished. + + +The utility also provides other commands that you can run: + +``` +MpCmdRun.exe [command] [-options] +``` + +Command | Description +:---|:--- +\- ? / -h | Displays all available options for the tool +\-Scan [-ScanType #] [-File [-DisableRemediation] [-BootSectorScan]][-Timeout ] | Scans for malicious softare +\-Trace [-Grouping #] [-Level #]| Starts diagnostic tracing +\-GetFiles | Collects support information +\-RemoveDefinitions [-All] | Restores the installed signature definitions to a previous backup copy or to the original default set of signatures +\-AddDynamicSignature [-Path] | Loads a dyanmic signature +\-ListAllDynamicSignature [-Path] | Lists the loaded dynamic signatures +\-RemoveDynamicSignature [-SignatureSetID] | Removes a dynamic signature +\-EnableIntegrityServices | Enables integrity services +\-SubmitSamples | Submit all sample requests \ No newline at end of file diff --git a/windows/keep-secure/run-the-automatically-generate-rules-wizard.md b/windows/keep-secure/run-the-automatically-generate-rules-wizard.md index 105d076374..565f6331da 100644 --- a/windows/keep-secure/run-the-automatically-generate-rules-wizard.md +++ b/windows/keep-secure/run-the-automatically-generate-rules-wizard.md @@ -2,19 +2,26 @@ title: Run the Automatically Generate Rules wizard (Windows 10) description: This topic for IT professionals describes steps to run the wizard to create AppLocker rules on a reference device. ms.assetid: 8cad1e14-d5b2-437c-8f88-70cffd7b3d8e -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Run the Automatically Generate Rules wizard + **Applies to** - Windows 10 + This topic for IT professionals describes steps to run the wizard to create AppLocker rules on a reference device. + AppLocker allows you to automatically generate rules for all files within a folder. It will scan the specified folder and create the condition types that you choose for each file in that folder. + You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local device or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). + **To automatically generate rules** + 1. Open the AppLocker console. 2. Right-click the appropriate rule type for which you want to automatically generate rules. You can automatically generate rules for executable, Windows Installer, script and packaged app rules. 3. Click **Automatically Generate Rules**. @@ -22,15 +29,13 @@ You can perform this task by using the Group Policy Management Console for an Ap 5. Click **Select** to choose the security group in which the default rules should be applied. By default, this is the **Everyone** group. 6. The wizard provides a name in the **Name to identify this set of rules** box based on the name of the folder that you have selected. Accept the provided name or type a different name, and then click **Next**. 7. On the **Rule Preferences** page, choose the conditions that you want the wizard to use while creating rules, and then click **Next**. For more info about rule conditions, see [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md). - **Note**   - The **Reduce the number of rules created by grouping similar files** check box is selected by default. This helps you organize AppLocker rules and reduce the number of rules that you create by performing the following operations for the rule condition that you select: + + >**Note:**  The **Reduce the number of rules created by grouping similar files** check box is selected by default. This helps you organize AppLocker rules and reduce the number of rules that you create by performing the following operations for the rule condition that you select: + - One publisher condition is created for all files that have the same publisher and product name. - One path condition is created for the folder that you select. For example, if you select *C:\\Program Files\\ProgramName\\* and the files in that folder are not signed, the wizard creates a rule for *%programfiles%\\ProgramName\\\**. - One file hash condition is created that contains all of the file hashes. When rule grouping is disabled, the wizard creates a file hash rule for each file.   8. Review the files that were analyzed and the rules that will be automatically created. To make changes, click **Previous** to return to the page where you can change your selections. After reviewing the rules, click **Create**. -**Note**   -If you are running the wizard to create your first rules for a GPO, you will be prompted to create the default rules, which allow critical system files to run, after completing the wizard. You may edit the default rules at any time. If your organization has decided to edit the default rules or create custom rules to allow the Windows system files to run, ensure that you delete the default rules after replacing them with your custom rules. -  -  -  + +>**Note:**  If you are running the wizard to create your first rules for a GPO, you will be prompted to create the default rules, which allow critical system files to run, after completing the wizard. You may edit the default rules at any time. If your organization has decided to edit the default rules or create custom rules to allow the Windows system files to run, ensure that you delete the default rules after replacing them with your custom rules. diff --git a/windows/keep-secure/script-rules-in-applocker.md b/windows/keep-secure/script-rules-in-applocker.md index 5f1570086a..6fd0ec9196 100644 --- a/windows/keep-secure/script-rules-in-applocker.md +++ b/windows/keep-secure/script-rules-in-applocker.md @@ -2,61 +2,35 @@ title: Script rules in AppLocker (Windows 10) description: This topic describes the file formats and available default rules for the script rule collection. ms.assetid: fee24ca4-935a-4c5e-8a92-8cf1d134d35f -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Script rules in AppLocker + **Applies to** - Windows 10 + This topic describes the file formats and available default rules for the script rule collection. + AppLocker defines script rules to include only the following file formats: - .ps1 - .bat - .cmd - .vbs - .js + The following table lists the default rules that are available for the script rule collection. - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
PurposeNameUserRule condition type

Allows members of the local Administrators group to run all scripts

(Default Rule) All scripts

BUILTIN\Administrators

Path: *

Allow all users to run scripts in the Windows folder

(Default Rule) All scripts located in the Windows folder

Everyone

Path: %windir%\*

Allow all users to run scripts in the Program Files folder

(Default Rule) All scripts located in the Program Files folder

Everyone

Path: %programfiles%\*

+ +| Purpose | Name | User | Rule condition type | +| - | - | - | - | +| Allows members of the local Administrators group to run all scripts| (Default Rule) All scripts| BUILTIN\Administrators | Path: *| +| Allow all users to run scripts in the Windows folder| (Default Rule) All scripts located in the Windows folder| Everyone | Path: %windir%\*| +| Allow all users to run scripts in the Program Files folder| (Default Rule) All scripts located in the Program Files folder|Everyone | Path: %programfiles%\*|   ## Related topics -[Understanding AppLocker default rules](understanding-applocker-default-rules.md) -  -  + +- [Understanding AppLocker default rules](understanding-applocker-default-rules.md) diff --git a/windows/keep-secure/secpol-advanced-security-audit-policy-settings.md b/windows/keep-secure/secpol-advanced-security-audit-policy-settings.md index 768c9de4a0..e3f6f2ce53 100644 --- a/windows/keep-secure/secpol-advanced-security-audit-policy-settings.md +++ b/windows/keep-secure/secpol-advanced-security-audit-policy-settings.md @@ -2,22 +2,28 @@ title: Advanced security audit policy settings (Windows 10) description: Provides information about the advanced security audit policy settings that are available in Windows and the audit events that they generate. ms.assetid: 6BF9A642-DBC3-4101-94A3-B2316C553CE3 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Advanced security audit policy settings + **Applies to** - Windows 10 + Provides information about the advanced security audit policy settings that are available in Windows and the audit events that they generate. + The security audit policy settings under **Security Settings\\Advanced Audit Policy Configuration** can help your organization audit compliance with important business-related and security-related rules by tracking precisely defined activities, such as: + - A group administrator has modified settings or data on servers that contain finance information. - An employee within a defined group has accessed an important file. - The correct system access control list (SACL) is applied to every file and folder or registry key on a computer or file share as a verifiable safeguard against undetected access. + You can access these audit policy settings through the Local Security Policy snap-in (secpol.msc) on the local device or by using Group Policy. + These Advanced Audit policy settings allow you to select only the behaviors that you want to monitor. You can exclude audit results for behaviors that are of little or no concern to you, or behaviors that create an excessive number of log entries. In addition, because security audit policies can be applied by using domain Group Policy Objects, audit policy settings can be modified, tested, and deployed to selected users and groups with relative simplicity. + For more info, see [Advanced security audit policies](advanced-security-auditing.md). -  -  diff --git a/windows/keep-secure/security-auditing-overview.md b/windows/keep-secure/security-auditing-overview.md index ee62474c85..cde9b0865f 100644 --- a/windows/keep-secure/security-auditing-overview.md +++ b/windows/keep-secure/security-auditing-overview.md @@ -2,42 +2,31 @@ title: Security auditing (Windows 10) description: Topics in this section are for IT professionals and describes the security auditing features in Windows and how your organization can benefit from using these technologies to enhance the security and manageability of your network. ms.assetid: 2d9b8142-49bd-4a33-b246-3f0c2a5f32d4 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Security auditing + **Applies to** - Windows 10 + Topics in this section are for IT professionals and describes the security auditing features in Windows and how your organization can benefit from using these technologies to enhance the security and manageability of your network. + ## + Security auditing is one of the most powerful tools that you can use to maintain the integrity of your system. As part of your overall security strategy, you should determine the level of auditing that is appropriate for your environment. Auditing should identify attacks (successful or not) that pose a threat to your network, and attacks against resources that you have determined to be valuable in your risk assessment. + For info on the changes that were added in Windows 10, see [Security auditing](../whats-new/security-auditing.md). + ## In this section - ---- - - - - - - - - - - - - - - - - -
TopicDescription

[Basic security audit policies](basic-security-audit-policies.md)

Before you implement auditing, you must decide on an auditing policy. A basic audit policy specifies categories of security-related events that you want to audit. When this version of Windows is first installed, all auditing categories are disabled. By enabling various auditing event categories, you can implement an auditing policy that suits the security needs of your organization.

[Advanced security audit policies](advanced-security-auditing.md)

Advanced security audit policy settings are found in Security Settings\Advanced Audit Policy Configuration\System Audit Policies and appear to overlap with basic security audit policies, but they are recorded and applied differently.

+| Topic | Description | +| - | - | +|[Basic security audit policies](basic-security-audit-policies.md) |Before you implement auditing, you must decide on an auditing policy. A basic audit policy specifies categories of security-related events that you want to audit. When this version of Windows is first installed, all auditing categories are disabled. By enabling various auditing event categories, you can implement an auditing policy that suits the security needs of your organization. | +|[Advanced security audit policies](advanced-security-auditing.md) |Advanced security audit policy settings are found in **Security Settings\Advanced Audit Policy Configuration\System Audit Policies** and appear to overlap with basic security audit policies, but they are recorded and applied differently. |       diff --git a/windows/keep-secure/security-considerations-for-applocker.md b/windows/keep-secure/security-considerations-for-applocker.md index 023305b4f1..f7c0df0eab 100644 --- a/windows/keep-secure/security-considerations-for-applocker.md +++ b/windows/keep-secure/security-considerations-for-applocker.md @@ -2,33 +2,45 @@ title: Security considerations for AppLocker (Windows 10) description: This topic for the IT professional describes the security considerations you need to address when implementing AppLocker. ms.assetid: 354a5abb-7b31-4bea-a442-aa9666117625 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Security considerations for AppLocker + **Applies to** - Windows 10 + This topic for the IT professional describes the security considerations you need to address when implementing AppLocker. -The purpose of AppLocker is to restrict the access to software, and therefore, the data accessed by the software, to a specific group of users or within a defined business group. The following are security considerations for AppLocker: + +The purpose of AppLocker is to restrict the access to software, and therefore, the data accessed by the software, to a specific group of users or within a defined business group. The following are security considerations for +AppLocker: + AppLocker is deployed within an enterprise and administered centrally by those in IT with trusted credentials. This makes its policy creation and deployment conform to similar policy deployment processes and security restrictions. + AppLocker policies are distributed through known processes and by known means within the domain through Group Policy. But AppLocker policies can also be set on individual computers if the person has administrator privileges, and those policies might be contrary to the organization's written security policy. The enforcement settings for local policies are overridden by the same AppLocker policies in a Group Policy Object (GPO). However, because AppLocker rules are additive, a local policy that is not in a GPO will still be evaluated for that computer. + Microsoft does not provide a way to develop any extensions to AppLocker. The interfaces are not public. A user with administrator credentials can automate some AppLocker processes by using Windows PowerShell cmdlets. For info about the Windows PowerShell cmdlets for AppLocker, see the [AppLocker Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/ee460962.aspx). + AppLocker runs in the context of Administrator or LocalSystem, which is the highest privilege set. This security context has the potential of misuse. If a user with administrative credentials makes changes to an AppLocker policy on a local device that is joined to a domain, those changes could be overwritten or disallowed by the GPO that contains the AppLocker rule for the same file (or path) that was changed on the local device. However, because AppLocker rules are additive, a local policy that is not in a GPO will still be evaluated for that computer. If the local computer is not joined to a domain and is not administered by Group Policy, a person with administrative credentials can alter the AppLocker policy. + When securing files in a directory with a rule of the path condition type, whether using the allow or deny action on the rule, it is still necessary and good practice to restrict access to those files by setting the access control lists (ACLs) according to your security policy. + AppLocker does not protect against running 16-bit DOS binaries in the Virtual DOS Machine (NTVDM). This technology allows running legacy DOS and 16-bit Windows programs on computers that are using Intel 80386 or later when there is already another operating system running and controlling the hardware. The result is that 16-bit binaries can still run on Windows Server 2008 R2 and Windows 7 when AppLocker is configured to otherwise block binaries and libraries. If it is a requirement to prevent 16-bit applications from running, you must configure the Deny rule in the executable rule collection for NTVDM.exe. + You cannot use AppLocker (or Software Restriction Policies) to prevent code from running outside the Win32 subsystem. In particular, this applies to the (POSIX) subsystem in Windows NT. If it is a requirement to prevent applications from running in the POSIX subsystem, you must disable the subsystem. + AppLocker can only control VBScript, JScript, .bat files, .cmd files, and Windows PowerShell scripts. It does not control all interpreted code that runs within a host process, for example, Perl scripts and macros. Interpreted code is a form of executable code that runs within a host process. For example, Windows batch files (\*.bat) run within the context of the Windows Command Host (cmd.exe). To control interpreted code by using AppLocker, the host process must call AppLocker before it runs the interpreted code, and then enforce the decision returned by AppLocker. Not all host processes call into AppLocker and, therefore, AppLocker cannot control every kind of interpreted code, such as Microsoft Office macros. -**Important**   -You should configure the appropriate security settings of these host processes if you must allow them to run. For example, configure the security settings in Microsoft Office to ensure that only signed and trusted macros are loaded. + +>**Important:**  You should configure the appropriate security settings of these host processes if you must allow them to run. For example, configure the security settings in Microsoft Office to ensure that only signed and trusted macros are loaded.   AppLocker rules either allow or prevent an application from launching. AppLocker does not control the behavior of applications after they are launched. Applications could contain flags passed to functions that signal AppLocker to circumvent the rules and allow another .exe or .dll to be loaded. In practice, an application that is allowed by AppLocker could use these flags to bypass AppLocker rules and launch child processes. You must thoroughly examine each application before allowing them to run by using AppLocker rules. -**Note**   -Two flags that illustrate this condition are `SANDBOX_INERT`, which can be passed to `CreateRestrictedToken`, and `LOAD_IGNORE_CODE_AUTHZ_LEVEL`, which can be passed to `LoadLibraryEx`. Both of these flags signal AppLocker to circumvent the rules and allow a child .exe or .dll to be loaded. + +>**Note:**  Two flags that illustrate this condition are `SANDBOX_INERT`, which can be passed to `CreateRestrictedToken`, and `LOAD_IGNORE_CODE_AUTHZ_LEVEL`, which can be passed to `LoadLibraryEx`. Both of these flags signal AppLocker to circumvent the rules and allow a child .exe or .dll to be loaded.   ## Related topics -[AppLocker technical reference](applocker-technical-reference.md) -  -  + +- [AppLocker technical reference](applocker-technical-reference.md) diff --git a/windows/keep-secure/security-options.md b/windows/keep-secure/security-options.md index 1e083a249a..2d25a87621 100644 --- a/windows/keep-secure/security-options.md +++ b/windows/keep-secure/security-options.md @@ -2,417 +2,127 @@ title: Security Options (Windows 10) description: Provides an introduction to the settings under Security Options of the local security policies and links to information about each setting. ms.assetid: 405ea253-8116-4e57-b08e-14a8dcdca92b -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Security Options + **Applies to** - Windows 10 + Provides an introduction to the settings under **Security Options** of the local security policies and links to information about each setting. + The **Security Options** contain the following groupings of security policy settings that allow you to configure the behavior of the local computer. Some of these policies can be included in a Group Policy Object and distributed over your organization. + If you edit policy settings locally on a device, you will affect the settings on only that one device. If you configure the settings in a Group Policy Object (GPO), the settings apply to all devices that are subject to that GPO. + For info about setting security policies, see [Configure security policy settings](how-to-configure-security-policy-settings.md). + ## In this section - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TopicDescription

[Accounts: Administrator account status](accounts-administrator-account-status.md)

Describes the best practices, location, values, and security considerations for the Accounts: Administrator account status security policy setting.

[Accounts: Block Microsoft accounts](accounts-block-microsoft-accounts.md)

Describes the best practices, location, values, management, and security considerations for the Accounts: Block Microsoft accounts security policy setting.

[Accounts: Guest account status](accounts-guest-account-status.md)

Describes the best practices, location, values, and security considerations for the Accounts: Guest account status security policy setting.

[Accounts: Limit local account use of blank passwords to console logon only](accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md)

Describes the best practices, location, values, and security considerations for the Accounts: Limit local account use of blank passwords to console logon only security policy setting.

[Accounts: Rename administrator account](accounts-rename-administrator-account.md)

This security policy reference topic for the IT professional describes the best practices, location, values, and security considerations for this policy setting.

[Accounts: Rename guest account](accounts-rename-guest-account.md)

Describes the best practices, location, values, and security considerations for the Accounts: Rename guest account security policy setting.

[Audit: Audit the access of global system objects](audit-audit-the-access-of-global-system-objects.md)

Describes the best practices, location, values, and security considerations for the Audit: Audit the access of global system objects security policy setting.

[Audit: Audit the use of Backup and Restore privilege](audit-audit-the-use-of-backup-and-restore-privilege.md)

Describes the best practices, location, values, and security considerations for the Audit: Audit the use of Backup and Restore privilege security policy setting.

[Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings](audit-force-audit-policy-subcategory-settings-to-override.md)

Describes the best practices, location, values, and security considerations for the Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings security policy setting.

[Audit: Shut down system immediately if unable to log security audits](audit-shut-down-system-immediately-if-unable-to-log-security-audits.md)

Describes the best practices, location, values, management practices, and security considerations for the Audit: Shut down system immediately if unable to log security audits security policy setting.

[DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax](dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md)

Describes the best practices, location, values, and security considerations for the DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax policy setting.

[DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax](dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md)

Describes the best practices, location, values, and security considerations for the DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax security policy setting.

[Devices: Allow undock without having to log on](devices-allow-undock-without-having-to-log-on.md)

Describes the best practices, location, values, and security considerations for the Devices: Allow undock without having to log on security policy setting.

[Devices: Allowed to format and eject removable media](devices-allowed-to-format-and-eject-removable-media.md)

Describes the best practices, location, values, and security considerations for the Devices: Allowed to format and eject removable media security policy setting.

[Devices: Prevent users from installing printer drivers](devices-prevent-users-from-installing-printer-drivers.md)

Describes the best practices, location, values, and security considerations for the Devices: Prevent users from installing printer drivers security policy setting.

[Devices: Restrict CD-ROM access to locally logged-on user only](devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md)

Describes the best practices, location, values, and security considerations for the Devices: Restrict CD-ROM access to locally logged-on user only security policy setting.

[Devices: Restrict floppy access to locally logged-on user only](devices-restrict-floppy-access-to-locally-logged-on-user-only.md)

Describes the best practices, location, values, and security considerations for the Devices: Restrict floppy access to locally logged-on user only security policy setting.

[Domain controller: Allow server operators to schedule tasks](domain-controller-allow-server-operators-to-schedule-tasks.md)

Describes the best practices, location, values, and security considerations for the Domain controller: Allow server operators to schedule tasks security policy setting.

[Domain controller: LDAP server signing requirements](domain-controller-ldap-server-signing-requirements.md)

Describes the best practices, location, values, and security considerations for the Domain controller: LDAP server signing requirements security policy setting.

[Domain controller: Refuse machine account password changes](domain-controller-refuse-machine-account-password-changes.md)

Describes the best practices, location, values, and security considerations for the Domain controller: Refuse machine account password changes security policy setting.

[Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md)

Describes the best practices, location, values, and security considerations for the Domain member: Digitally encrypt or sign secure channel data (always) security policy setting.

[Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md)

Describes the best practices, location, values, and security considerations for the Domain member: Digitally encrypt secure channel data (when possible) security policy setting.

[Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md)

Describes the best practices, location, values, and security considerations for the Domain member: Digitally sign secure channel data (when possible) security policy setting.

[Domain member: Disable machine account password changes](domain-member-disable-machine-account-password-changes.md)

Describes the best practices, location, values, and security considerations for the Domain member: Disable machine account password changes security policy setting.

[Domain member: Maximum machine account password age](domain-member-maximum-machine-account-password-age.md)

Describes the best practices, location, values, and security considerations for the Domain member: Maximum machine account password age security policy setting.

[Domain member: Require strong (Windows 2000 or later) session key](domain-member-require-strong-windows-2000-or-later-session-key.md)

Describes the best practices, location, values, and security considerations for the Domain member: Require strong (Windows 2000 or later) session key security policy setting.

[Interactive logon: Display user information when the session is locked](interactive-logon-display-user-information-when-the-session-is-locked.md)

Describes the best practices, location, values, and security considerations for the Interactive logon: Display user information when the session is locked security policy setting.

[Interactive logon: Do not display last user name](interactive-logon-do-not-display-last-user-name.md)

Describes the best practices, location, values, and security considerations for the Interactive logon: Do not display last user name security policy setting.

[Interactive logon: Do not require CTRL+ALT+DEL](interactive-logon-do-not-require-ctrl-alt-del.md)

Describes the best practices, location, values, and security considerations for the Interactive logon: Do not require CTRL+ALT+DEL security policy setting.

[Interactive logon: Machine account lockout threshold](interactive-logon-machine-account-lockout-threshold.md)

Describes the best practices, location, values, management, and security considerations for the Interactive logon: Machine account lockout threshold security policy setting.

[Interactive logon: Machine inactivity limit](interactive-logon-machine-inactivity-limit.md)

Describes the best practices, location, values, management, and security considerations for the Interactive logon: Machine inactivity limit security policy setting.

[Interactive logon: Message text for users attempting to log on](interactive-logon-message-text-for-users-attempting-to-log-on.md)

Describes the best practices, location, values, management, and security considerations for the Interactive logon: Message text for users attempting to log on security policy setting.

[Interactive logon: Message title for users attempting to log on](interactive-logon-message-title-for-users-attempting-to-log-on.md)

Describes the best practices, location, values, policy management and security considerations for the Interactive logon: Message title for users attempting to log on security policy setting.

[Interactive logon: Number of previous logons to cache (in case domain controller is not available)](interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md)

Describes the best practices, location, values, policy management and security considerations for the Interactive logon: Number of previous logons to cache (in case domain controller is not available) security policy setting.

[Interactive logon: Prompt user to change password before expiration](interactive-logon-prompt-user-to-change-password-before-expiration.md)

Describes the best practices, location, values, policy management and security considerations for the Interactive logon: Prompt user to change password before expiration security policy setting.

[Interactive logon: Require Domain Controller authentication to unlock workstation](interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md)

Describes the best practices, location, values, policy management, and security considerations for the Interactive logon: Require Domain Controller authentication to unlock workstation security policy setting.

[Interactive logon: Require smart card](interactive-logon-require-smart-card.md)

Describes the best practices, location, values, policy management and security considerations for the Interactive logon: Require smart card security policy setting.

[Interactive logon: Smart card removal behavior](interactive-logon-smart-card-removal-behavior.md)

Describes the best practices, location, values, policy management and security considerations for the Interactive logon: Smart card removal behavior security policy setting.

[Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md)

Describes the best practices, location, values, policy management and security considerations for the Microsoft network client: Digitally sign communications (always) security policy setting.

[Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md)

Describes the best practices, location, values, and security considerations for the Microsoft network client: Digitally sign communications (if server agrees) security policy setting.

[Microsoft network client: Send unencrypted password to third-party SMB servers](microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md)

Describes the best practices, location, values, policy management and security considerations for the Microsoft network client: Send unencrypted password to third-party SMB servers security policy setting.

[Microsoft network server: Amount of idle time required before suspending session](microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md)

Describes the best practices, location, values, and security considerations for the Microsoft network server: Amount of idle time required before suspending session security policy setting.

[Microsoft network server: Attempt S4U2Self to obtain claim information](microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md)

Describes the best practices, location, values, management, and security considerations for the Microsoft network server: Attempt S4U2Self to obtain claim information security policy setting.

[Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md)

Describes the best practices, location, values, policy management and security considerations for the Microsoft network server: Digitally sign communications (always) security policy setting.

[Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md)

Describes the best practices, location, values, policy management and security considerations for the Microsoft network server: Digitally sign communications (if client agrees) security policy setting.

[Microsoft network server: Disconnect clients when logon hours expire](microsoft-network-server-disconnect-clients-when-logon-hours-expire.md)

Describes the best practices, location, values, and security considerations for the Microsoft network server: Disconnect clients when logon hours expire security policy setting.

[Microsoft network server: Server SPN target name validation level](microsoft-network-server-server-spn-target-name-validation-level.md)

Describes the best practices, location, and values, policy management and security considerations for the Microsoft network server: Server SPN target name validation level security policy setting.

[Network access: Allow anonymous SID/Name translation](network-access-allow-anonymous-sidname-translation.md)

Describes the best practices, location, values, policy management and security considerations for the Network access: Allow anonymous SID/Name translation security policy setting.

[Network access: Do not allow anonymous enumeration of SAM accounts](network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md)

Describes the best practices, location, values, and security considerations for the Network access: Do not allow anonymous enumeration of SAM accounts security policy setting.

[Network access: Do not allow anonymous enumeration of SAM accounts and shares](network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md)

Describes the best practices, location, values, and security considerations for the Network access: Do not allow anonymous enumeration of SAM accounts and shares security policy setting.

[Network access: Do not allow storage of passwords and credentials for network authentication](network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md)

Describes the best practices, location, values, policy management and security considerations for the Network access: Do not allow storage of passwords and credentials for network authentication security policy setting.

[Network access: Let Everyone permissions apply to anonymous users](network-access-let-everyone-permissions-apply-to-anonymous-users.md)

Describes the best practices, location, values, policy management and security considerations for the Network access: Let Everyone permissions apply to anonymous users security policy setting.

[Network access: Named Pipes that can be accessed anonymously](network-access-named-pipes-that-can-be-accessed-anonymously.md)

Describes the best practices, location, values, policy management and security considerations for the Network access: Named Pipes that can be accessed anonymously security policy setting.

[Network access: Remotely accessible registry paths](network-access-remotely-accessible-registry-paths.md)

Describes the best practices, location, values, policy management and security considerations for the Network access: Remotely accessible registry paths security policy setting.

[Network access: Remotely accessible registry paths and subpaths](network-access-remotely-accessible-registry-paths-and-subpaths.md)

Describes the best practices, location, values, and security considerations for the Network access: Remotely accessible registry paths and subpaths security policy setting.

[Network access: Restrict anonymous access to Named Pipes and Shares](network-access-restrict-anonymous-access-to-named-pipes-and-shares.md)

Describes the best practices, location, values, policy management and security considerations for the Network access: Restrict anonymous access to Named Pipes and Shares security policy setting.

[Network access: Shares that can be accessed anonymously](network-access-shares-that-can-be-accessed-anonymously.md)

Describes the best practices, location, values, policy management and security considerations for the Network access: Shares that can be accessed anonymously security policy setting.

[Network access: Sharing and security model for local accounts](network-access-sharing-and-security-model-for-local-accounts.md)

Describes the best practices, location, values, policy management and security considerations for the Network access: Sharing and security model for local accounts security policy setting.

[Network security: Allow Local System to use computer identity for NTLM](network-security-allow-local-system-to-use-computer-identity-for-ntlm.md)

Describes the location, values, policy management, and security considerations for the Network security: Allow Local System to use computer identity for NTLM security policy setting.

[Network security: Allow LocalSystem NULL session fallback](network-security-allow-localsystem-null-session-fallback.md)

Describes the best practices, location, values, and security considerations for the Network security: Allow LocalSystem NULL session fallback security policy setting.

[Network security: Allow PKU2U authentication requests to this computer to use online identities](network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md)

Describes the best practices, location, and values for the Network Security: Allow PKU2U authentication requests to this computer to use online identities security policy setting.

[Network security: Configure encryption types allowed for Kerberos Win7 only](network-security-configure-encryption-types-allowed-for-kerberos.md)

Describes the best practices, location, values and security considerations for the Network security: Configure encryption types allowed for Kerberos Win7 only security policy setting.

[Network security: Do not store LAN Manager hash value on next password change](network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md)

Describes the best practices, location, values, policy management and security considerations for the Network security: Do not store LAN Manager hash value on next password change security policy setting.

[Network security: Force logoff when logon hours expire](network-security-force-logoff-when-logon-hours-expire.md)

Describes the best practices, location, values, policy management and security considerations for the Network security: Force logoff when logon hours expire security policy setting.

[Network security: LAN Manager authentication level](network-security-lan-manager-authentication-level.md)

Describes the best practices, location, values, policy management and security considerations for the Network security: LAN Manager authentication level security policy setting.

[Network security: LDAP client signing requirements](network-security-ldap-client-signing-requirements.md)

This security policy reference topic for the IT professional describes the best practices, location, values, policy management and security considerations for this policy setting. This information applies to computers running at least the Windows Server 2008 operating system.

[Network security: Minimum session security for NTLM SSP based (including secure RPC) clients](network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md)

Describes the best practices, location, values, policy management and security considerations for the Network security: Minimum session security for NTLM SSP based (including secure RPC) clients security policy setting.

[Network security: Minimum session security for NTLM SSP based (including secure RPC) servers](network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md)

Describes the best practices, location, values, policy management and security considerations for the Network security: Minimum session security for NTLM SSP based (including secure RPC) servers security policy setting.

[Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication](network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md)

Describes the best practices, location, values, management aspects, and security considerations for the Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication security policy setting.

[Network security: Restrict NTLM: Add server exceptions in this domain](network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md)

Describes the best practices, location, values, management aspects, and security considerations for the Network security: Restrict NTLM: Add server exceptions in this domain security policy setting.

[Network security: Restrict NTLM: Audit incoming NTLM traffic](network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md)

Describes the best practices, location, values, management aspects, and security considerations for the Network Security: Restrict NTLM: Audit incoming NTLM traffic security policy setting.

[Network security: Restrict NTLM: Audit NTLM authentication in this domain](network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md)

Describes the best practices, location, values, management aspects, and security considerations for the Network Security: Restrict NTLM: Audit NTLM authentication in this domain security policy setting.

[Network security: Restrict NTLM: Incoming NTLM traffic](network-security-restrict-ntlm-incoming-ntlm-traffic.md)

Describes the best practices, location, values, management aspects, and security considerations for the Network Security: Restrict NTLM: Incoming NTLM traffic security policy setting.

[Network security: Restrict NTLM: NTLM authentication in this domain](network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md)

Describes the best practices, location, values, management aspects, and security considerations for the Network Security: Restrict NTLM: NTLM authentication in this domain security policy setting.

[Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md)

Describes the best practices, location, values, management aspects, and security considerations for the Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers security policy setting.

[Recovery console: Allow automatic administrative logon](recovery-console-allow-automatic-administrative-logon.md)

Describes the best practices, location, values, policy management and security considerations for the Recovery console: Allow automatic administrative logon security policy setting.

[Recovery console: Allow floppy copy and access to all drives and folders](recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md)

Describes the best practices, location, values, policy management and security considerations for the Recovery console: Allow floppy copy and access to all drives and folders security policy setting.

[Shutdown: Allow system to be shut down without having to log on](shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md)

Describes the best practices, location, values, policy management and security considerations for the Shutdown: Allow system to be shut down without having to log on security policy setting.

[Shutdown: Clear virtual memory pagefile](shutdown-clear-virtual-memory-pagefile.md)

Describes the best practices, location, values, policy management and security considerations for the Shutdown: Clear virtual memory pagefile security policy setting.

[System cryptography: Force strong key protection for user keys stored on the computer](system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md)

Describes the best practices, location, values, policy management and security considerations for the System cryptography: Force strong key protection for user keys stored on the computer security policy setting.

[System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md)

This security policy reference topic for the IT professional describes the best practices, location, values, policy management and security considerations for this policy setting.

[System objects: Require case insensitivity for non-Windows subsystems](system-objects-require-case-insensitivity-for-non-windows-subsystems.md)

Describes the best practices, location, values, policy management and security considerations for the System objects: Require case insensitivity for non-Windows subsystems security policy setting.

[System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)](system-objects-strengthen-default-permissions-of-internal-system-objects.md)

Describes the best practices, location, values, policy management and security considerations for the System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) security policy setting.

[System settings: Optional subsystems](system-settings-optional-subsystems.md)

Describes the best practices, location, values, policy management and security considerations for the System settings: Optional subsystems security policy setting.

[System settings: Use certificate rules on Windows executables for Software Restriction Policies](system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md)

Describes the best practices, location, values, policy management and security considerations for the System settings: Use certificate rules on Windows executables for Software Restriction Policies security policy setting.

[User Account Control: Admin Approval Mode for the Built-in Administrator account](user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md)

Describes the best practices, location, values, policy management and security considerations for the User Account Control: Admin Approval Mode for the Built-in Administrator account security policy setting.

[User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop](user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md)

Describes the best practices, location, values, and security considerations for the User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop security policy setting.

[User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md)

Describes the best practices, location, values, policy management and security considerations for the User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode security policy setting.

[User Account Control: Behavior of the elevation prompt for standard users](user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md)

Describes the best practices, location, values, policy management and security considerations for the User Account Control: Behavior of the elevation prompt for standard users security policy setting.

[User Account Control: Detect application installations and prompt for elevation](user-account-control-detect-application-installations-and-prompt-for-elevation.md)

Describes the best practices, location, values, policy management and security considerations for the User Account Control: Detect application installations and prompt for elevation security policy setting.

[User Account Control: Only elevate executables that are signed and validated](user-account-control-only-elevate-executables-that-are-signed-and-validated.md)

Describes the best practices, location, values, policy management and security considerations for the User Account Control: Only elevate executables that are signed and validated security policy setting.

[User Account Control: Only elevate UIAccess applications that are installed in secure locations](user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md)

Describes the best practices, location, values, policy management and security considerations for the User Account Control: Only elevate UIAccess applications that are installed in secure locations security policy setting.

[User Account Control: Run all administrators in Admin Approval Mode](user-account-control-run-all-administrators-in-admin-approval-mode.md)

Describes the best practices, location, values, policy management and security considerations for the User Account Control: Run all administrators in Admin Approval Mode security policy setting.

[User Account Control: Switch to the secure desktop when prompting for elevation](user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md)

Describes the best practices, location, values, policy management and security considerations for the User Account Control: Switch to the secure desktop when prompting for elevation security policy setting.

[User Account Control: Virtualize file and registry write failures to per-user locations](user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md)

Describes the best practices, location, values, policy management and security considerations for the User Account Control: Virtualize file and registry write failures to per-user locations security policy setting.

+ +| Topic | Description | +| - | - | +| [Accounts: Administrator account status](accounts-administrator-account-status.md) | Describes the best practices, location, values, and security considerations for the **Accounts: Administrator account status** security policy setting.| +| [Accounts: Block Microsoft accounts](accounts-block-microsoft-accounts.md) | Describes the best practices, location, values, management, and security considerations for the **Accounts: Block Microsoft accounts** security policy setting.| +| [Accounts: Guest account status](accounts-guest-account-status.md) | Describes the best practices, location, values, and security considerations for the **Accounts: Guest account status** security policy setting.| +| [Accounts: Limit local account use of blank passwords to console logon only](accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md) | Describes the best practices, location, values, and security considerations for the **Accounts: Limit local account use of blank passwords to console logon only** security policy setting. | +| [Accounts: Rename administrator account](accounts-rename-administrator-account.md)| This security policy reference topic for the IT professional describes the best practices, location, values, and security considerations for this policy setting.| +| [Accounts: Rename guest account](accounts-rename-guest-account.md) | Describes the best practices, location, values, and security considerations for the **Accounts: Rename guest account** security policy setting.| +| [Audit: Audit the access of global system objects](audit-audit-the-access-of-global-system-objects.md) | Describes the best practices, location, values, and security considerations for the **Audit: Audit the access of global system objects** security policy setting.| +| [Audit: Audit the use of Backup and Restore privilege](audit-audit-the-use-of-backup-and-restore-privilege.md) | Describes the best practices, location, values, and security considerations for the **Audit: Audit the use of Backup and Restore privilege** security policy setting.| +| [Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings](audit-force-audit-policy-subcategory-settings-to-override.md) | Describes the best practices, location, values, and security considerations for the **Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings** security policy setting. | +| [Audit: Shut down system immediately if unable to log security audits](audit-shut-down-system-immediately-if-unable-to-log-security-audits.md)| Describes the best practices, location, values, management practices, and security considerations for the **Audit: Shut down system immediately if unable to log security audits** security policy setting. | +| [DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax](dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md)| Describes the best practices, location, values, and security considerations for the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** policy setting. | +| [DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax](dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md)| Describes the best practices, location, values, and security considerations for the **DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax** security policy setting. | +| [Devices: Allow undock without having to log on](devices-allow-undock-without-having-to-log-on.md)| Describes the best practices, location, values, and security considerations for the **Devices: Allow undock without having to log on** security policy setting.| +| [Devices: Allowed to format and eject removable media](devices-allowed-to-format-and-eject-removable-media.md) | Describes the best practices, location, values, and security considerations for the **Devices: Allowed to format and eject removable media** security policy setting.| +| [Devices: Prevent users from installing printer drivers](devices-prevent-users-from-installing-printer-drivers.md) | Describes the best practices, location, values, and security considerations for the **Devices: Prevent users from installing printer drivers** security policy setting.| +| [Devices: Restrict CD-ROM access to locally logged-on user only](devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md) | Describes the best practices, location, values, and security considerations for the **Devices: Restrict CD-ROM access to locally logged-on user only** security policy setting. | +| [Devices: Restrict floppy access to locally logged-on user only](devices-restrict-floppy-access-to-locally-logged-on-user-only.md)| Describes the best practices, location, values, and security considerations for the **Devices: Restrict floppy access to locally logged-on user only** security policy setting. | +| [Domain controller: Allow server operators to schedule tasks](domain-controller-allow-server-operators-to-schedule-tasks.md)| Describes the best practices, location, values, and security considerations for the **Domain controller: Allow server operators to schedule tasks** security policy setting. | +| [Domain controller: LDAP server signing requirements](domain-controller-ldap-server-signing-requirements.md)| Describes the best practices, location, values, and security considerations for the **Domain controller: LDAP server signing requirements** security policy setting. | +| [Domain controller: Refuse machine account password changes](domain-controller-refuse-machine-account-password-changes.md) | Describes the best practices, location, values, and security considerations for the **Domain controller: Refuse machine account password changes** security policy setting.| +| [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) | Describes the best practices, location, values, and security considerations for the **Domain member: Digitally encrypt or sign secure channel data (always)** security policy setting. | +| [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md)| Describes the best practices, location, values, and security considerations for the **Domain member: Digitally encrypt secure channel data (when possible)** security policy setting. | +| [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md)| Describes the best practices, location, values, and security considerations for the **Domain member: Digitally sign secure channel data (when possible)** security policy setting.| +| [Domain member: Disable machine account password changes](domain-member-disable-machine-account-password-changes.md)| Describes the best practices, location, values, and security considerations for the **Domain member: Disable machine account password changes** security policy setting. +| [Domain member: Maximum machine account password age](domain-member-maximum-machine-account-password-age.md) |Describes the best practices, location, values, and security considerations for the **Domain member: Maximum machine account password age** security policy setting.| +|[Domain member: Require strong (Windows 2000 or later) session key](domain-member-require-strong-windows-2000-or-later-session-key.md)| Describes the best practices, location, values, and security considerations for the **Domain member: Require strong (Windows 2000 or later) session key** security policy setting. | +| [Interactive logon: Display user information when the session is locked](interactive-logon-display-user-information-when-the-session-is-locked.md)| Describes the best practices, location, values, and security considerations for the **Interactive logon: Display user information when the session is locked** security policy setting. | +| [Interactive logon: Do not display last user name](interactive-logon-do-not-display-last-user-name.md)| Describes the best practices, location, values, and security considerations for the **Interactive logon: Do not display last user name** security policy setting.| +| [Interactive logon: Do not require CTRL+ALT+DEL](interactive-logon-do-not-require-ctrl-alt-del.md)| Describes the best practices, location, values, and security considerations for the **Interactive logon: Do not require CTRL+ALT+DEL** security policy setting.| +| [Interactive logon: Machine account lockout threshold](interactive-logon-machine-account-lockout-threshold.md) | Describes the best practices, location, values, management, and security considerations for the **Interactive logon: Machine account lockout threshold** security policy setting.| +| [Interactive logon: Machine inactivity limit](interactive-logon-machine-inactivity-limit.md)| Describes the best practices, location, values, management, and security considerations for the **Interactive logon: Machine inactivity limit** security policy setting.| +| [Interactive logon: Message text for users attempting to log on](interactive-logon-message-text-for-users-attempting-to-log-on.md) | Describes the best practices, location, values, management, and security considerations for the **Interactive logon: Message text for users attempting to log on** security policy setting. | +| [Interactive logon: Message title for users attempting to log on](interactive-logon-message-title-for-users-attempting-to-log-on.md)| Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Message title for users attempting to log on** security policy setting. | +| [Interactive logon: Number of previous logons to cache (in case domain controller is not available)](interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md)| Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Number of previous logons to cache (in case domain controller is not available)** security policy setting. | +| [Interactive logon: Prompt user to change password before expiration](interactive-logon-prompt-user-to-change-password-before-expiration.md)| Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Prompt user to change password before expiration** security policy setting. | +| [Interactive logon: Require Domain Controller authentication to unlock workstation](interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md)| Describes the best practices, location, values, policy management, and security considerations for the **Interactive logon: Require Domain Controller authentication to unlock workstation** security policy setting. | +| [Interactive logon: Require smart card](interactive-logon-require-smart-card.md) | Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Require smart card** security policy setting.| +| [Interactive logon: Smart card removal behavior](interactive-logon-smart-card-removal-behavior.md) | Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Smart card removal behavior** security policy setting.| +| [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md) | Describes the best practices, location, values, policy management and security considerations for the **Microsoft network client: Digitally sign communications (always)** security policy setting. | +| [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md)| Describes the best practices, location, values, and security considerations for the **Microsoft network client: Digitally sign communications (if server agrees)** security policy setting. | +| [Microsoft network client: Send unencrypted password to third-party SMB servers](microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md)| Describes the best practices, location, values, policy management and security considerations for the **Microsoft network client: Send unencrypted password to third-party SMB servers** security policy setting. | +| [Microsoft network server: Amount of idle time required before suspending session](microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md)| Describes the best practices, location, values, and security considerations for the **Microsoft network server: Amount of idle time required before suspending session** security policy setting. | +| [Microsoft network server: Attempt S4U2Self to obtain claim information](microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md)| Describes the best practices, location, values, management, and security considerations for the **Microsoft network server: Attempt S4U2Self to obtain claim information** security policy setting. | +| [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md)| Describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (always)** security policy setting.| +| [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md)| Describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (if client agrees)** security policy setting. | +| [Microsoft network server: Disconnect clients when logon hours expire](microsoft-network-server-disconnect-clients-when-logon-hours-expire.md)| Describes the best practices, location, values, and security considerations for the **Microsoft network server: Disconnect clients when logon hours expire** security policy setting. | +| [Microsoft network server: Server SPN target name validation level](microsoft-network-server-server-spn-target-name-validation-level.md)| Describes the best practices, location, and values, policy management and security considerations for the **Microsoft network server: Server SPN target name validation level** security policy setting. | +| [Network access: Allow anonymous SID/Name translation](network-access-allow-anonymous-sidname-translation.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Allow anonymous SID/Name translation** security policy setting.| +| [Network access: Do not allow anonymous enumeration of SAM accounts](network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md)| Describes the best practices, location, values, and security considerations for the **Network access: Do not allow anonymous enumeration of SAM accounts** security policy setting. | +| [Network access: Do not allow anonymous enumeration of SAM accounts and shares](network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md)| Describes the best practices, location, values, and security considerations for the **Network access: Do not allow anonymous enumeration of SAM accounts and shares** security policy setting. | +| [Network access: Do not allow storage of passwords and credentials for network authentication](network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Do not allow storage of passwords and credentials for network authentication** security policy setting. | +| [Network access: Let Everyone permissions apply to anonymous users](network-access-let-everyone-permissions-apply-to-anonymous-users.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Let Everyone permissions apply to anonymous users** security policy setting. | +| [Network access: Named Pipes that can be accessed anonymously](network-access-named-pipes-that-can-be-accessed-anonymously.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Named Pipes that can be accessed anonymously** security policy setting. | +| [Network access: Remotely accessible registry paths](network-access-remotely-accessible-registry-paths.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Remotely accessible registry paths** security policy setting.| +| [Network access: Remotely accessible registry paths and subpaths](network-access-remotely-accessible-registry-paths-and-subpaths.md)| Describes the best practices, location, values, and security considerations for the **Network access: Remotely accessible registry paths and subpaths** security policy setting. | +| [Network access: Restrict anonymous access to Named Pipes and Shares](network-access-restrict-anonymous-access-to-named-pipes-and-shares.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Restrict anonymous access to Named Pipes and Shares** security policy setting. | +| [Network access: Shares that can be accessed anonymously](network-access-shares-that-can-be-accessed-anonymously.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Shares that can be accessed anonymously** security policy setting. | +| [Network access: Sharing and security model for local accounts](network-access-sharing-and-security-model-for-local-accounts.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Sharing and security model for local accounts** security policy setting. | +| [Network security: Allow Local System to use computer identity for NTLM](network-security-allow-local-system-to-use-computer-identity-for-ntlm.md)| Describes the location, values, policy management, and security considerations for the **Network security: Allow Local System to use computer identity for NTLM** security policy setting. | +| [Network security: Allow LocalSystem NULL session fallback](network-security-allow-localsystem-null-session-fallback.md)| Describes the best practices, location, values, and security considerations for the **Network security: Allow LocalSystem NULL session fallback** security policy setting.| +| [Network security: Allow PKU2U authentication requests to this computer to use online identities](network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md)| Describes the best practices, location, and values for the **Network Security: Allow PKU2U authentication requests to this computer to use online identities** security policy setting. | +| [Network security: Configure encryption types allowed for Kerberos Win7 only](network-security-configure-encryption-types-allowed-for-kerberos.md)| Describes the best practices, location, values and security considerations for the **Network security: Configure encryption types allowed for Kerberos Win7 only** security policy setting. | +| [Network security: Do not store LAN Manager hash value on next password change](network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md)| Describes the best practices, location, values, policy management and security considerations for the **Network security: Do not store LAN Manager hash value on next password change** security policy setting. | +| [Network security: Force logoff when logon hours expire](network-security-force-logoff-when-logon-hours-expire.md)| Describes the best practices, location, values, policy management and security considerations for the **Network security: Force logoff when logon hours expire** security policy setting. | +| [Network security: LAN Manager authentication level](network-security-lan-manager-authentication-level.md)| Describes the best practices, location, values, policy management and security considerations for the **Network security: LAN Manager authentication level** security policy setting.| +| [Network security: LDAP client signing requirements](network-security-ldap-client-signing-requirements.md) | This security policy reference topic for the IT professional describes the best practices, location, values, policy management and security considerations for this policy setting. This information applies to computers running at least the Windows Server 2008 operating system. | +| [Network security: Minimum session security for NTLM SSP based (including secure RPC) clients](network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md)| Describes the best practices, location, values, policy management and security considerations for the **Network security: Minimum session security for NTLM SSP based (including secure RPC) clients** security policy setting. | +| [Network security: Minimum session security for NTLM SSP based (including secure RPC) servers](network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md)| Describes the best practices, location, values, policy management and security considerations for the **Network security: Minimum session security for NTLM SSP based (including secure RPC) servers** security policy setting. | +| [Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication](network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md)| Describes the best practices, location, values, management aspects, and security considerations for the **Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication** security policy setting. | +| [Network security: Restrict NTLM: Add server exceptions in this domain](network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md)| Describes the best practices, location, values, management aspects, and security considerations for the **Network security: Restrict NTLM: Add server exceptions in this domain** security policy setting. | +| [Network security: Restrict NTLM: Audit incoming NTLM traffic](network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md)| Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: Audit incoming NTLM traffic** security policy setting. | +| [Network security: Restrict NTLM: Audit NTLM authentication in this domain](network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md)| Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: Audit NTLM authentication in this domain** security policy setting. | +| [Network security: Restrict NTLM: Incoming NTLM traffic](network-security-restrict-ntlm-incoming-ntlm-traffic.md)| Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: Incoming NTLM traffic** security policy setting. | +| [Network security: Restrict NTLM: NTLM authentication in this domain](network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md)| Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: NTLM authentication in this domain** security policy setting. | +| [Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md)| Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers** security policy setting. | +| [Recovery console: Allow automatic administrative logon](recovery-console-allow-automatic-administrative-logon.md)| Describes the best practices, location, values, policy management and security considerations for the **Recovery console: Allow automatic administrative logon** security policy setting. | +| [Recovery console: Allow floppy copy and access to all drives and folders](recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md)| Describes the best practices, location, values, policy management and security considerations for the **Recovery console: Allow floppy copy and access to all drives and folders** security policy setting. | +| [Shutdown: Allow system to be shut down without having to lg on](shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md)| Describes the best practices, location, values, policy management and security considerations for the **Shutdown: Allow system to be shut down without having to log on** security policy setting. | +| [Shutdown: Clear virtual memory pagefile](shutdown-clear-virtual-memory-pagefile.md)| Describes the best practices, location, values, policy management and security considerations for the **Shutdown: Clear virtual memory pagefile** security policy setting.| +| [System cryptography: Force strong key protection for user keys stored on the computer](system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md)| Describes the best practices, location, values, policy management and security considerations for the **System cryptography: Force strong key protection for user keys stored on the computer** security policy setting. | +| [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md)| This security policy reference topic for the IT professional describes the best practices, location, values, policy management and security considerations for this policy setting. | +| [System objects: Require case insensitivity for non-Windows subsystems](system-objects-require-case-insensitivity-for-non-windows-subsystems.md)| Describes the best practices, location, values, policy management and security considerations for the **System objects: Require case insensitivity for non-Windows subsystems** security policy setting. | +| [System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)](system-objects-strengthen-default-permissions-of-internal-system-objects.md)| Describes the best practices, location, values, policy management and security considerations for the **System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)** security policy setting. | +| [System settings: Optional subsystems](system-settings-optional-subsystems.md) | Describes the best practices, location, values, policy management and security considerations for the **System settings: Optional subsystems** security policy setting.| +| [System settings: Use certificate rules on Windows executables for Software Restriction Policies](system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md)| Describes the best practices, location, values, policy management and security considerations for the **System settings: Use certificate rules on Windows executables for Software Restriction Policies** security policy setting. | +| [User Account Control: Admin Approval Mode for the Built-in Administrator account](user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md)| Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Admin Approval Mode for the Built-in Administrator account** security policy setting. | +| [User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop](user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md)| Describes the best practices, location, values, and security considerations for the **User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop** security policy setting. | +| [User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md)| Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode** security policy setting. | +| [User Account Control: Behavior of the elevation prompt for standard users](user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md)| Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Behavior of the elevation prompt for standard users** security policy setting. | +| [User Account Control: Detect application installations and prompt for elevation](user-account-control-detect-application-installations-and-prompt-for-elevation.md)| Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Detect application installations and prompt for elevation** security policy setting. | +| [User Account Control: Only elevate executables that are signed and validated](user-account-control-only-elevate-executables-that-are-signed-and-validated.md)| Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Only elevate executables that are signed and validated** security policy setting. | +| [User Account Control: Only elevate UIAccess applications that are installed in secure locations](user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md)| Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Only elevate UIAccess applications that are installed in secure locations** security policy setting. | +| [User Account Control: Run all administrators in Admin Approval Mode](user-account-control-run-all-administrators-in-admin-approval-mode.md)| Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Run all administrators in Admin Approval Mode** security policy setting. | +| [User Account Control: Switch to the secure desktop when prompting for elevation](user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md)| Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Switch to the secure desktop when prompting for elevation** security policy setting. | +| [User Account Control: Virtualize file and registry write failures to per-user locations](user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md)| Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Virtualize file and registry write failures to per-user locations** security policy setting. |   ## Related topics -[Security policy settings reference](security-policy-settings-reference.md) -[Security policy settings](security-policy-settings.md) -  -  + +- [Security policy settings reference](security-policy-settings-reference.md) +- [Security policy settings](security-policy-settings.md) diff --git a/windows/keep-secure/security-policy-settings-reference.md b/windows/keep-secure/security-policy-settings-reference.md index 83e2f87051..4023dfc66f 100644 --- a/windows/keep-secure/security-policy-settings-reference.md +++ b/windows/keep-secure/security-policy-settings-reference.md @@ -2,53 +2,32 @@ title: Security policy settings reference (Windows 10) description: This reference of security settings provides information about how to implement and manage security policies, including setting options and security considerations. ms.assetid: ef5a4579-15a8-4507-9a43-b7ccddcb0ed1 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Security policy settings reference + **Applies to** - Windows 10 + This reference of security settings provides information about how to implement and manage security policies, including setting options and security considerations. + This reference focuses on those settings that are considered security settings. This reference examines only the settings and features in the Windows operating systems that can help organizations secure their enterprises against malicious software threats. Management features and those security features that you cannot configure are not described in this reference. + Each policy setting described contains referential content such as a detailed explanation of the settings, best practices, default settings, differences between operating system versions, policy management considerations, and security considerations that include a discussion of vulnerability, countermeasures, and potential impact of those countermeasures. + ## In this section - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TopicDescription

[Account Policies](account-policies.md)

An overview of account policies in Windows and provides links to policy descriptions.

[Audit Policy](audit-policy.md)

Provides information about basic audit policies that are available in Windows and links to information about each setting.

[Security Options](security-options.md)

Provides an introduction to the settings under Security Options of the local security policies and links to information about each setting.

[Advanced security audit policy settings](secpol-advanced-security-audit-policy-settings.md)

Provides information about the advanced security audit policy settings that are available in Windows and the audit events that they generate.

[User Rights Assignment](user-rights-assignment.md)

Provides an overview and links to information about the User Rights Assignment security policy settings user rights that are available in Windows.

-  + +| Topic | Description | +| - | - | +| [Account Policies](account-policies.md) | An overview of account policies in Windows and provides links to policy descriptions.| +| [Audit Policy](audit-policy.md) | Provides information about basic audit policies that are available in Windows and links to information about each setting.| +| [Security Options](security-options.md) | Provides an introduction to the settings under **Security Options** of the local security policies and links to information about each setting.| +| [Advanced security audit policy settings](secpol-advanced-security-audit-policy-settings.md) | Provides information about the advanced security audit policy settings that are available in Windows and the audit events that they generate.| +| [User Rights Assignment](user-rights-assignment.md) | Provides an overview and links to information about the User Rights Assignment security policy settings user rights that are available in Windows.  |     diff --git a/windows/keep-secure/security-policy-settings.md b/windows/keep-secure/security-policy-settings.md index fb4adf5d9d..f9ea234685 100644 --- a/windows/keep-secure/security-policy-settings.md +++ b/windows/keep-secure/security-policy-settings.md @@ -2,111 +2,191 @@ title: Security policy settings (Windows 10) description: This reference topic describes the common scenarios, architecture, and processes for security settings. ms.assetid: e7ac5204-7f6c-4708-a9f6-6af712ca43b9 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Security policy settings + **Applies to** - Windows 10 + This reference topic describes the common scenarios, architecture, and processes for security settings. + Security policy settings are rules that administrators configure on a computer or multiple devices for the purpose of protecting resources on a device or network. The Security Settings extension of the Local Group Policy Editor snap-in allows you to define security configurations as part of a Group Policy Object (GPO). The GPOs are linked to Active Directory containers such as sites, domains, or organizational units, and they enable you to manage security settings for multiple devices from any device joined to the domain. Security settings policies are used as part of your overall security implementation to help secure domain controllers, servers, clients, and other resources in your organization. + Security settings can control: + - User authentication to a network or device. - The resources that users are permitted to access. - Whether to record a user’s or group’s actions in the event log. - Membership in a group. + To manage security configurations for multiple devices, you can use one of the following options: + - Edit specific security settings in a GPO. - Use the Security Templates snap-in to create a security template that contains the security policies you want to apply, and then import the security template into a Group Policy Object. A security template is a file that represents a security configuration, and it can be imported to a GPO, applied to a local device, or used to analyze security. + For more info about managing security configurations, see [Administer security policy settings](administer-security-policy-settings.md). + The Security Settings extension of the Local Group Policy Editor includes the following types of security policies: + - **Account Policies.** These polices are defined on devices; they affect how user accounts can interact with the computer or domain. Account policies include the following types of policies: + - **Password Policy.** These policies determine settings for passwords, such as enforcement and lifetimes. Password policies are used for domain accounts. - **Account Lockout Policy.** These policies determine the conditions and length of time that an account will be locked out of the system. Account lockout policies are used for domain or local user accounts. - **Kerberos Policy.** These policies are used for domain user accounts; they determine Kerberos-related settings, such as ticket lifetimes and enforcement. + - **Local Policies.** These policies apply to a computer and include the following types of policy settings: + - **Audit Policy.** Specify security settings that control the logging of security events into the Security log on the computer, and specifies what types of security events to log (success, failure, or both). - **Note**   - For devices running Windows 7 and later, we recommend to use the settings under Advanced Audit Policy Configuration rather than the Audit Policy settings under Local Policies. + + >**Note:**  For devices running Windows 7 and later, we recommend to use the settings under Advanced Audit Policy Configuration rather than the Audit Policy settings under Local Policies.   - **User Rights Assignment.** Specify the users or groups that have logon rights or privileges on a device - **Security Options.** Specify security settings for the computer, such as Administrator and Guest Account names; access to floppy disk drives and CD-ROM drives; installation of drivers; logon prompts; and so on. + - **Windows Firewall with Advanced Security.** Specify settings to protect the device on your network by using a stateful firewall that allows you to determine which network traffic is permitted to pass between your device and the network. - **Network List Manager Policies.** Specify settings that you can use to configure different aspects of how networks are listed and displayed on one device or on many devices. - **Public Key Policies.** Specify settings to control Encrypting File System, Data Protection, and BitLocker Drive Encryption in addition to certain certificate paths and services settings. - **Software Restriction Policies.** Specify settings to identify software and to control its ability to run on your local device, organizational unit, domain, or site. - **Application Control Policies.** Specify settings to control which users or groups can run particular applications in your organization based on unique identities of files. - **IP Security Policies on Local Computer.** Specify settings to ensure private, secure communications over IP networks through the use of cryptographic security services. IPsec establishes trust and security from a source IP address to a destination IP address. -- **Advanced Audit Policy Configuration.** Specify settings that control the logging of security events into the security log on the device. The settings under Advanced Audit Policy Configuration provide finer control over which activities to monitor as opposed to the Audit Policy settings under Local Policies. +- **Advanced Audit Policy Configuration.** Specify settings that control the logging of security events into the security log on the device. The settings under Advanced Audit Policy Configuration provide finer control over which activities to monitor as opposed to the Audit Policy settings under +Local Policies. + ## Policy-based security settings management + The Security Settings extension to Group Policy provides an integrated policy-based management infrastructure to help you manage and enforce your security policies. + You can define and apply security settings policies to users, groups, and network servers and clients through Group Policy and Active Directory Domain Services (AD DS). A group of servers with the same functionality can be created (for example, a Microsoft Web (IIS) server), and then Group Policy Objects can be used to apply common security settings to the group. If more servers are added to this group later, many of the common security settings are automatically applied, reducing deployment and administrative labor. + ### Common scenarios for using security settings policies + Security settings policies are used to manage the following aspects of security: accounts policy, local policy, user rights assignment, registry values, file and registry Access Control Lists (ACLs), service startup modes, and more. + As part of your security strategy, you can create GPOs with security settings policies configured specifically for the various roles in your organization, such as domain controllers, file servers, member servers, clients, and so on. + You can create an organizational unit (OU) structure that groups devices according to their roles. Using OUs is the best method for separating specific security requirements for the different roles in your network. This approach also allows you to apply customized security templates to each class of server or computer. After creating the security templates, you create a new GPO for each of the OUs, and then import the security template (.inf file) into the new GPO. -Importing a security template to a GPO ensures that any accounts to which the GPO is applied automatically receive the template’s security settings when the Group Policy settings are refreshed. On a workstation or server, the security settings are refreshed at regular intervals (with a random offset of at most 30 minutes), and, on a domain controller, this process occurs every few minutes if changes have occurred in any of the GPO settings that apply. The settings are also refreshed every 16 hours, whether or not any changes have occurred. -**Note**   -These refresh settings vary between versions of the operating system and can be configured. + +Importing a security template to a GPO ensures that any accounts to which the GPO is applied automatically receive the template’s security settings when the Group Policy settings are refreshed. On a workstation or server, the security settings are refreshed at regular intervals (with a random +offset of at most 30 minutes), and, on a domain controller, this process occurs every few minutes if changes have occurred in any of the GPO settings that apply. The settings are also refreshed every 16 hours, whether or not any changes have occurred. + +>**Note:**  These refresh settings vary between versions of the operating system and can be configured.   By using Group Policy−based security configurations in conjunction with the delegation of administration, you can ensure that specific security settings, rights, and behavior are applied to all servers and computers within an OU. This approach makes it simple to update a number of servers with any additional changes required in the future. + ### Dependencies on other operating system technologies + For devices that are members of a Windows Server 2008 or later domain, security settings policies depend on the following technologies: + - **Active Directory Domain Services (AD DS)** + The Windows-based directory service, AD DS, stores information about objects on a network and makes this information available to administrators and users. By using AD DS, you can view and manage network objects on the network from a single location, and users can access permitted network resources by using a single logon. + - **Group Policy** + The infrastructure within AD DS that enables directory-based configuration management of user and computer settings on devices running Windows Server. By using Group Policy, you can define configurations for groups of users and computers, including policy settings, registry-based policies, software installation, scripts, folder redirection, Remote Installation Services, Internet Explorer maintenance, and security. + - **Domain Name System (DNS)** + A hierarchical naming system used for locating domain names on the Internet and on private TCP/IP networks. DNS provides a service for mapping DNS domain names to IP addresses, and IP addresses to domain names. This allows users, computers, and applications to query DNS to specify remote systems by fully qualified domain names rather than by IP addresses. + - **Winlogon** + A part of the Windows operating system that provides interactive logon support. Winlogon is designed around an interactive logon model that consists of three components: the Winlogon executable, a credential provider, and any number of network providers. + - **Setup** + Security configuration interacts with the operating system setup process during a clean installation or upgrade from earlier versions of Windows Server. + - **Security Accounts Manager (SAM)** + A Windows service used during the logon process. SAM maintains user account information, including groups to which a user belongs. + - **Local Security Authority (LSA)** + A protected subsystem that authenticates and logs users onto the local system. LSA also maintains information about all aspects of local security on a system, collectively known as the Local Security Policy of the system. + - **Windows Management Instrumentation (WMI)** + A feature of the Microsoft Windows operating system, WMI is the Microsoft implementation of Web-Based Enterprise Management (WBEM), which is an industry initiative to develop a standard technology for accessing management information in an enterprise environment. WMI provides access to information about objects in a managed environment. Through WMI and the WMI application programming interface (API), applications can query for and make changes to static information in the Common Information Model (CIM) repository and dynamic information maintained by the various types of providers. + - **Resultant Set of Policy (RSoP)** + An enhanced Group Policy infrastructure that uses WMI in order to make it easier to plan and debug policy settings. RSoP provides public methods that expose what an extension to Group Policy would do in a what-if situation, and what the extension has done in an actual situation. This allows administrators to easily determine the combination of policy settings that apply to, or will apply to, a user or device. + - **Service Control Manager (SCM)** + Used for configuration of service startup modes and security. + - **Registry** + Used for configuration of registry values and security. + - **File system** + Used for configuration of security. + - **File system conversions** + Security is set when an administrator converts a file system from FAT to NTFS. + - **Microsoft Management Console (MMC)** + The user interface for the Security Settings tool is an extension of the Local Group Policy Editor MMC snap-in. + ### Security settings policies and Group Policy + The Security Settings extension of the Local Group Policy Editor is part of the Security Configuration Manager tool set. The following components are associated with Security Settings: a configuration engine; an analysis engine; a template and database interface layer; setup integration logic; and the secedit.exe command-line tool. The security configuration engine is responsible for handling security configuration editor-related security requests for the system on which it runs. The analysis engine analyzes system security for a given configuration and saves the result. The template and database interface layer handles reading and writing requests from and to the template or database (for internal storage). The Security Settings extension of the Local Group Policy Editor handles Group Policy from a domain-based or local device. The security configuration logic integrates with setup and manages system security for a clean installation or upgrade to a more recent Windows operating system. Security information is stored in templates (.inf files) or in the Secedit.sdb database. + The following diagram shows Security Settings and related features. + **Security Settings Policies and Related Features** + ![components related to security policies](images/secpol-components.gif) + - **Scesrv.dll** + Provides the core security engine functionality. + - **Scecli.dll** + Provides the client-side interfaces to the security configuration engine and provides data to Resultant Set of Policy (RSoP). + - **Wsecedit.dll** + The Security Settings extension of Local Group Policy Editor. scecli.dll is loaded into wsecedit.dll to support the Security Settings user interface. + - **Gpedit.dll** + The Local Group Policy Editor MMC snap-in. + ## Security Settings extension architecture + The Security Settings extension of the Local Group Policy Editor is part of the Security Configuration Manager tools, as shown in the following diagram. + **Security Settings Architecture** + ![architecture of security policy settings](images/secpol-architecture.gif) + The security settings configuration and analysis tools include a security configuration engine, which provides local computer (non-domain member) and Group Policy−based configuration and analysis of security settings policies. The security configuration engine also supports the creation of security policy files. The primary features of the security configuration engine are scecli.dll and scesrv.dll. + The following list describes these primary features of the security configuration engine and other Security Settings−related features. + - **scesrv.dll** + This .dll is hosted in services.exe and runs under local system context. scesrv.dll provides core Security Configuration Manager functionality, such as import, configure, analyze, and policy propagation. + Scesrv.dll performs configuration and analysis of various security-related system parameters by calling corresponding system APIs, including LSA, SAM, and the registry. + Scesrv.dll exposes APIs such as import, export, configure, and analyze. It checks that the request is made over LRPC (Windows XP) and fails the call if it is not. + Communication between parts of the Security Settings extension occurs by using the following methods: + - Component Object Model (COM) calls - Local Remote Procedure Call (LRPC) - Lightweight Directory Access Protocol (LDAP) @@ -114,146 +194,204 @@ The following list describes these primary features of the security configuratio - Server Message Block (SMB) - Win32 APIs - Windows Management Instrumentation (WMI) calls + On domain controllers, scesrv.dll receives notifications of changes made to SAM and the LSA that need to be synchronized across domain controllers. Scesrv.dll incorporates those changes into the Default Domain Controller Policy GPO by using in-process scecli.dll template modification APIs. Scesrv.dll also performs configuration and analysis operations. + - **Scecli.dll** + This is the client-side interface or wrapper to scesrv.dll. scecli.dll is loaded into Wsecedit.dll to support MMC snap-ins. It is used by Setup to configure default system security and security of files, registry keys, and services installed by the Setup API .inf files. + The command-line version of the security configuration and analysis user interfaces, secedit.exe, uses scecli.dll. + Scecli.dll implements the client-side extension for Group Policy. + Scesrv.dll uses scecli.dll to download applicable Group Policy files from SYSVOL in order to apply Group Policy security settings to the local device. + Scecli.dll logs application of security policy into WMI (RSoP). + Scesrv.dll policy filter uses scecli.dll to update Default Domain Controller Policy GPO when changes are made to SAM and LSA. + - **Wsecedit.dll** + The Security Settings extension of the Group Policy Object Editor snap-in. You use this tool to configure security settings in a Group Policy Object for a site, domain, or organizational unit. You can also use Security Settings to import security templates to a GPO. + - **Secedit.sdb** + This is a permanent system database used for policy propagation including a table of persistent settings for rollback purposes. + - **User databases** + A user database is any database other than the system database created by administrators for the purposes of configuration or analysis of security. + - **.Inf Templates** - These are text files that contain declarative security settings. They are loaded into a database before configuration or analysis. Group Policy security policies are stored in .inf files on the SYSVOL folder of domain controllers, where they are downloaded (by using file copy) and merged into the system database during policy propagation. + + These are text files that contain declarative security settings. They are loaded into a database before configuration or analysis. Group Policy security policies are stored in .inf files on the SYSVOL folder of domain controllers, where they are downloaded (by using file copy) and merged into + the system database during policy propagation. + ## Security settings policy processes and interactions + For a domain-joined device, where Group Policy is administered, security settings are processed in conjunction with Group Policy. Not all settings are configurable. + ### Group Policy processing + When a computer starts and a user logs on, computer policy and user policy are applied according to the following sequence: + 1. The network starts. Remote Procedure Call System Service (RPCSS) and Multiple Universal Naming Convention Provider (MUP) start. 2. An ordered list of Group Policy Objects is obtained for the device. The list might depend on these factors: + - Whether the device is part of a domain and, therefore, subject to Group Policy through Active Directory. - The location of the device in Active Directory. - Whether the list of Group Policy Objects has changed. If the list of Group Policy Objects has not changed, no processing is done. + 3. Computer policy is applied. These are the settings under Computer Configuration from the gathered list. This is a synchronous process by default and occurs in the following order: local, site, domain, organizational unit, child organizational unit, and so on. No user interface appears while computer policies are processed. 4. Startup scripts run. This is hidden and synchronous by default; each script must complete or time out before the next one starts. The default time-out is 600 seconds. You can use several policy settings to modify this behavior. 5. The user presses CTRL+ALT+DEL to log on. 6. After the user is validated, the user profile loads; it is governed by the policy settings that are in effect. 7. An ordered list of Group Policy Objects is obtained for the user. The list might depend on these factors: + - Whether the user is part of a domain and, therefore, subject to Group Policy through Active Directory. - Whether loopback policy processing is enabled, and if so, the state (Merge or Replace) of the loopback policy setting. - The location of the user in Active Directory. - Whether the list of Group Policy Objects has changed. If the list of Group Policy Objects has not changed, no processing is done. + 8. User policy is applied. These are the settings under User Configuration from the gathered list. This is synchronous by default and in the following order: local, site, domain, organizational unit, child organizational unit, and so on. No user interface appears while user policies are processed. 9. Logon scripts run. Group Policy−based logon scripts are hidden and asynchronous by default. The user object script runs last. 10. The operating system user interface that is prescribed by Group Policy appears. + ### Group Policy Objects storage + A Group Policy Object (GPO) is a virtual object that is identified by a Globally Unique Identifier (GUID) and stored at the domain level. The policy setting information of a GPO is stored in the following two locations: + - **Group Policy containers in Active Directory.** + The Group Policy container is an Active Directory container that contains GPO properties, such as version information, GPO status, plus a list of other component settings. + - **Group Policy templates in a domain’s system volume folder (SYSVOL).** + The Group Policy template is a file system folder that includes policy data specified by .admx files, security settings, script files, and information about applications that are available for installation. The Group Policy template is located in the SYSVOL folder in the domain\\Policies subfolder. + The **GROUP\_POLICY\_OBJECT** structure provides information about a GPO in a GPO list, including the version number of the GPO, a pointer to a string that indicates the Active Directory portion of the GPO, and a pointer to a string that specifies the path to the file system portion of the GPO. + ### Group Policy processing order + Group Policy settings are processed in the following order: + 1. **Local Group Policy Object.** + Each device running a Windows operating system beginning with Windows XP has exactly one Group Policy Object that is stored locally. + 2. **Site.** + Any Group Policy Objects that have been linked to the site are processed next. Processing is synchronous and in an order that you specify. + 3. **Domain.** + Processing of multiple domain-linked Group Policy Objects is synchronous and in an order you speciy. + 4. **Organizational units.** + Group Policy Objects that are linked to the organizational unit that is highest in the Active Directory hierarchy are processed first, then Group Policy Objects that are linked to its child organizational unit, and so on. Finally, the Group Policy Objects that are linked to the organizational unit that contains the user or device are processed. + At the level of each organizational unit in the Active Directory hierarchy, one, many, or no Group Policy Objects can be linked. If several Group Policy Objects are linked to an organizational unit, their processing is synchronous and in an order that you specify. + This order means that the local Group Policy Object is processed first, and Group Policy Objects that are linked to the organizational unit of which the computer or user is a direct member are processed last, which overwrites the earlier Group Policy Objects. + This is the default processing order and administrators can specify exceptions to this order. A Group Policy Object that is linked to a site, domain, or organizational unit (not a local Group Policy Object) can be set to **Enforced** with respect to that site, domain, or organizational unit, so that none of its policy settings can be overridden. At any site, domain, or organizational unit, you can mark Group Policy inheritance selectively as **Block Inheritance**. Group Policy Object links that are set to **Enforced** are always applied, however, and they cannot be blocked. + ### Security settings policy processing + In the context of Group Policy processing, security settings policy is processed in the following order. + 1. During Group Policy processing, the Group Policy engine determines which security settings policies to apply. 2. If security settings policies exist in a GPO, Group Policy invokes the Security Settings client-side extension. 3. The Security Settings extension downloads the policy from the appropriate location such as a specific domain controller. 4. The Security Settings extension merges all security settings policies according to precedence rules. The processing is according to the Group Policy processing order of local, site, domain, and organizational unit (OU), as described earlier in the “Group Policy processing order” section. If multiple GPOs are in effect for a given device and there are no conflicting policies, then the policies are cumulative and are merged. + This example uses the Active Directory structure shown in the following figure. A given computer is a member of OU2, to which the **GroupMembershipPolGPO** GPO is linked. This computer is also subject to the **UserRightsPolGPO** GPO, which is linked to OU1, higher in the hierarchy. In this case, no conflicting policies exist so the device receives all of the policies contained in both the **UserRightsPolGPO** and the **GroupMembershipPolGPO** GPOs. + **Multiple GPOs and Merging of Security Policy** + ![multiple gpos and merging of security policy](images/secpol-multigpomerge.gif) + 5. The resultant security policies are stored in secedit.sdb, the security settings database. The security engine gets the security template files and imports them to secedit.sdb. 6. The security settings policies are applied to devices. The following figure illustrates the security settings policy processing. + **Security Settings Policy Processing** + ![process and interactions of security policy settin](images/secpol-processes.gif) + ### Merging of security policies on domain controllers + Password policies, Kerberos, and some security options are only merged from GPOs that are linked at the root level on the domain. This is done to keep those settings synchronized across all domain controllers in the domain. The following security options are merged: + - Network Security: Force logoff when logon hours expire - Accounts: Administrator account status - Accounts: Guest account status - Accounts: Rename administrator account - Accounts: Rename guest account + Another mechanism exists that allows security policy changes made by administrators by using net accounts to be merged into the Default Domain Policy GPO. User rights changes that are made by using Local Security Authority (LSA) APIs are filtered into the Default Domain Controllers Policy GPO. + ### Special considerations for domain controllers + If an application is installed on a primary domain controller (PDC) with operations master role (also known as flexible single master operations or FSMO) and the application makes changes to user rights or password policy, these changes must be communicated to ensure that synchronization across domain controllers occurs. Scesrv.dll receives a notification of any changes made to the security account manager (SAM) and LSA that need to be synchronized across domain controllers and then incorporates the changes into the Default Domain Controller Policy GPO by using scecli.dll template modification APIs. + ### When security settings are applied + After you have edited the security settings policies, the settings are refreshed on the computers in the organizational unit linked to your Group Policy Object in the following instances: + - When a device is restarted. - Every 90 minutes on a workstation or server and every 5 minutes on a domain controller. This refresh interval is configurable. - By default, Security policy settings delivered by Group Policy are also applied every 16 hours (960 minutes) even if a GPO has not changed. + ### Persistence of security settings policy + Security settings can persist even if a setting is no longer defined in the policy that originally applied it. + Security settings might persist in the following cases: + - The setting has not been previously defined for the device. - The setting is for a registry security object. - The settings are for a file system security object. -All settings applied through local policy or through a Group Policy Object are stored in a local database on your computer. Whenever a security setting is modified, the computer saves the security setting value to the local database, which retains a history of all the settings that have been applied to the computer. If a policy first defines a security setting and then no longer defines that setting, then the setting takes on the previous value in the database. If a previous value does not exist in the database then the setting does not revert to anything and remains defined as is. This behavior is sometimes referred to as “tattooing.” + +All settings applied through local policy or through a Group Policy Object are stored in a local database on your computer. Whenever a security setting is modified, the computer saves the security setting value to the local database, which retains a history of all the settings that have been applied to the computer. If a policy first defines a security setting and then no longer defines that setting, then the setting takes on the previous value in the database. If a previous value does not exist in the database then the setting does not revert to anything and remains defined as is. +This behavior is sometimes referred to as “tattooing.” + Registry and file security settings will maintain the values applied through Group Policy until that setting is set to other values. + ### Permissions required for policy to apply + Both Apply Group Policy and Read permissions are required to have the settings from a Group Policy Object apply to users or groups, and computers. + ### Filtering security policy + By default, all GPOs have Read and Apply Group Policy both Allowed for the Authenticated Users group. The Authenticated Users group includes both users and computers. Security settings policies are computer-based. To specify which client computers will or will not have a Group Policy Object applied to them, you can deny them either the Apply Group Policy or Read permission on that Group Policy Object. Changing these permissions allows you to limit the scope of the GPO to a specific set of computers within a site, domain, or OU. -**Note**   -Do not use security policy filtering on a domain controller as this would prevent security policy from applying to it. + +**Note:**  Do not use security policy filtering on a domain controller as this would prevent security policy from applying to it.   ### Migration of GPOs containing security settings + In some situations, you might want to migrate GPOs from one domain environment to another environment. The two most common scenarios are test-to-production migration, and production-to-production migration. The GPO copying process has implications for some types of security settings. + Data for a single GPO is stored in multiple locations and in various formats; some data is contained in Active Directory and other data is stored on the SYSVOL share on the domain controllers. Certain policy data might be valid in one domain but might be invalid in the domain to which the GPO is being copied. For example, Security Identifiers (SIDs) stored in security policy settings are often domain-specific. So copying GPOs is not as simple as taking a folder and copying it from one device to another. + The following security policies can contain security principals and might require some additional work to successfully move them from one domain to another. + - User rights assignment - Restricted groups - Services - File system - Registry - The GPO DACL, if you choose to preserve it during a copy operation + To ensure that data is copied correctly, you can use Group Policy Management Console (GPMC). When migrating a GPO from one domain to another, GPMC ensures that all relevant data is properly copied. GPMC also offers migration tables, which can be used to update domain-specific data to new values as part of the migration process. GPMC hides much of the complexity involved in the migrating GPO operations, and it provides simple and reliable mechanisms for performing operations such as copy and backup of GPOs. + ## In this section - ---- - - - - - - - - - - - - - - - - - - - - -
TopicDescription

[Administer security policy settings](administer-security-policy-settings.md)

This article discusses different methods to administer security policy settings on a local device or throughout a small- or medium-sized organization.

[Configure security policy settings](how-to-configure-security-policy-settings.md)

Describes steps to configure a security policy setting on the local device, on a domain-joined device, and on a domain controller.

[Security policy settings reference](security-policy-settings-reference.md)

This reference of security settings provides information about how to implement and manage security policies, including setting options and security considerations.

-  -  -  + +| Topic | Description | +| - | - | +| [Administer security policy settings](administer-security-policy-settings.md) | This article discusses different methods to administer security policy settings on a local device or throughout a small- or medium-sized organization.| +| [Configure security policy settings](how-to-configure-security-policy-settings.md) | Describes steps to configure a security policy setting on the local device, on a domain-joined device, and on a domain controller.| +| [Security policy settings reference](security-policy-settings-reference.md) | This reference of security settings provides information about how to implement and manage security policies, including setting options and security considerations.| diff --git a/windows/keep-secure/security-technologies.md b/windows/keep-secure/security-technologies.md index b1beb54dd3..39c9eedbb3 100644 --- a/windows/keep-secure/security-technologies.md +++ b/windows/keep-secure/security-technologies.md @@ -2,64 +2,14 @@ title: Security technologies (Windows 10) description: Learn more about the different security technologies that are available in Windows 10 and Windows 10 Mobile. ms.assetid: BFE2DE22-B0CE-465B-8CF6-28F64464DF08 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Security technologies -<<<<<<< HEAD -Learn more about the different security technologies that are available in Windows 10 and Windows 10 Mobile. -## In this section - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TopicDescription

[AppLocker](applocker-overview.md)

This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.

[BitLocker](bitlocker-overview.md)

This topic provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features.

[Encrypted Hard Drive](encrypted-hard-drive.md)

Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.

[Security auditing](security-auditing-overview.md)

Topics in this section are for IT professionals and describes the security auditing features in Windows and how your organization can benefit from using these technologies to enhance the security and manageability of your network.

[Security policy settings](security-policy-settings.md)

This reference topic describes the common scenarios, architecture, and processes for security settings.

[Trusted Platform Module](trusted-platform-module-overview.md)

This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. The topic provides links to other resources about the TPM.

[User Account Control](user-account-control-overview.md)

User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.

[Windows Defender in Windows 10](windows-defender-in-windows-10.md)

This topic provides an overview of Windows Defender, including a list of system requirements and new features.

-  -======= Learn more about the different security technologies that are available in Windows 10 and Windows 10 Mobile. @@ -75,6 +25,5 @@ Learn more about the different security technologies that are available in Windo | [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md)| Windows Defender Advanced Threat Protection (Windows Defender ATP) is an out-of-the-box Windows enterprise security service that enables enterprise cybersecurity teams to detect and respond to advanced threats on their networks.| | [Windows Defender in Windows 10](windows-defender-in-windows-10.md)| This topic provides an overview of Windows Defender, including a list of system requirements and new features.| ->>>>>>> master     diff --git a/windows/keep-secure/select-types-of-rules-to-create.md b/windows/keep-secure/select-types-of-rules-to-create.md index 7f3a82de40..00ae11caf5 100644 --- a/windows/keep-secure/select-types-of-rules-to-create.md +++ b/windows/keep-secure/select-types-of-rules-to-create.md @@ -2,77 +2,71 @@ title: Select the types of rules to create (Windows 10) description: This topic lists resources you can use when selecting your application control policy rules by using AppLocker. ms.assetid: 14751169-0ed1-47cc-822c-8c01a7477784 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Select the types of rules to create + **Applies to** - Windows 10 + This topic lists resources you can use when selecting your application control policy rules by using AppLocker. + When determining what types of rules to create for each of your groups, you should also determine what enforcement setting to use for each group. Different rule types are more applicable for some apps, depending on the way that the applications are deployed in a specific business group. + The following topics provide additional information about AppLocker rules that can help you decide what rules to use for your applications: + - [Understanding AppLocker rule behavior](understanding-applocker-rule-behavior.md) - [Understanding AppLocker rule exceptions](understanding-applocker-rule-exceptions.md) - [Understanding AppLocker rule collections](understanding-applocker-rule-collections.md) - [Understanding AppLocker allow and deny actions on rules](understanding-applocker-allow-and-deny-actions-on-rules.md) - [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md) - [Understanding AppLocker default rules](understanding-applocker-default-rules.md) + ### Select the rule collection + The rules you create will be in one of the following rule collections: + - Executable files: .exe and .com - Windows Installer files: .msi, .msp, and .mst - Scripts: .ps1, .bat, .cmd, .vbs, and .js - Packaged apps and packaged app installers: .appx - DLLs: .dll and .ocx + By default, the rules will allow a file to run based upon user or group privilege. If you use DLL rules, a DLL allow rule has to be created for each DLL that is used by all of the allowed apps. The DLL rule collection is not enabled by default. + In the Woodgrove Bank example, the line-of-business app for the Bank Tellers business group is C:\\Program Files\\Woodgrove\\Teller.exe, and this app needs to be included in a rule. In addition, because this rule is part of a list of allowed applications, all the Windows files under C:\\Windows must be included as well. + ### Determine the rule condition + A rule condition is criteria upon which an AppLocker rule is based and can only be one of the rule conditions in the following table. - ----- - - - - - - - - - - - - - - - - - - - - - - - - -
Rule conditionUsage scenarioResources

Publisher

To use a publisher condition, the files must be digitally signed by the software publisher, or you must do so by using an internal certificate. Rules that are specified to the version level might have to be updated when a new version of the file is released.

For more info about this rule condition, see [Understanding the publisher rule condition in AppLocker](understanding-the-publisher-rule-condition-in-applocker.md).

Path

Any file can be assigned this rule condition; however, because path rules specify locations within the file system, any subdirectory will also be affected by the rule (unless explicitly exempted).

For more info about this rule condition, see [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md).

File hash

Any file can be assigned this rule condition; however, the rule must be updated each time a new version of the file is released because the hash value is based in part upon the version.

For more info about this rule condition, see [Understanding the file hash rule condition in AppLocker](understanding-the-file-hash-rule-condition-in-applocker.md).

+ +| Rule condition | Usage scenario | Resources | +| - | - | - | +| Publisher | To use a publisher condition, the files must be digitally signed by the software publisher, or you must do so by using an internal certificate. Rules that are specified to the version level might have to be updated when a new version of the file is released.|For more info about this rule condition, see [Understanding the publisher rule condition in AppLocker](understanding-the-publisher-rule-condition-in-applocker.md). +| Path| Any file can be assigned this rule condition; however, because path rules specify locations within the file system, any subdirectory will also be affected by the rule (unless explicitly exempted).| For more info about this rule condition, see [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md). | +| File hash | Any file can be assigned this rule condition; however, the rule must be updated each time a new version of the file is released because the hash value is based in part upon the version.| For more info about this rule condition, see [Understanding the file hash rule condition in AppLocker](understanding-the-file-hash-rule-condition-in-applocker.md). |   In the Woodgrove Bank example, the line-of-business app for the Bank Tellers business group is signed and is located at C:\\Program Files\\Woodgrove\\Teller.exe. Therefore, the rule can be defined with a publisher condition. If the rule is defined to a specific version and above (for example, Teller.exe version 8.0 and above), then this will allow any updates to this app to occur without interruption of access to the users if the app's name and signed attributes stay the same. + ### Determine how to allow system files to run + Because AppLocker rules build a list of allowed apps, a rule or rules must be created to allow all Windows files to run. AppLocker provides a means to ensure system files are properly considered in your rule collection by generating the default rules for each rule collection. You can use the default rules as a template when creating your own rules. However, these rules are only meant to function as a starter policy when you are first testing AppLocker rules so that the system files in the Windows folders will be allowed to run. When a default rule is created, it is denoted with "(Default rule)" in its name as it appears in the rule collection. + You can also create a rule for the system files based on the path condition. In the preceding example, for the Bank Tellers group, all Windows files reside under C:\\Windows and can be defined with the path rule condition type. This will permit access to these files whenever updates are applied and the files change. If you require additional application security, you might need to modify the rules created from the built-in default rule collection. For example, the default rule to allow all users to run .exe files in the Windows folder is based on a path condition that allows all files within the Windows folder to run. The Windows folder contains a Temp subfolder to which the Users group is given the following permissions: + - Traverse Folder/Execute File - Create Files/Write Data - Create Folders/Append Data + These permissions settings are applied to this folder for application compatibility. However, because any user can create files in this location, allowing apps to be run from this location might conflict with your organization's security policy. + ## Next steps + After you have selected the types of rules to create, record your findings as explained in [Document your AppLocker rules](document-your-applocker-rules.md). + After recording your findings for the AppLocker rules to create, you will need to consider how to enforce the rules. For info about how to do this, see [Determine Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md). -  -  diff --git a/windows/keep-secure/service-onboarding-windows-defender-advanced-threat-protection.md b/windows/keep-secure/service-onboarding-windows-defender-advanced-threat-protection.md index 1be3c1bfe6..fb5e5d5cbf 100644 --- a/windows/keep-secure/service-onboarding-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/service-onboarding-windows-defender-advanced-threat-protection.md @@ -3,9 +3,10 @@ title: Windows Defender ATP service onboarding description: Assign users to the Windows Defender ATP service application in Azure Active Directory to grant access to the portal. keywords: service onboarding, Windows Defender Advanced Threat Protection service onboarding, manage users, search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: mjcaparas --- diff --git a/windows/keep-secure/settings-windows-defender-advanced-threat-protection.md b/windows/keep-secure/settings-windows-defender-advanced-threat-protection.md index f976f74857..81d0358abb 100644 --- a/windows/keep-secure/settings-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/settings-windows-defender-advanced-threat-protection.md @@ -3,9 +3,10 @@ title: Windows Defender Advanced Threat Protection settings description: Use the menu to configure the time zone, suppression rules, and view license information. keywords: Windows Defender ATP settings, Windows Defender, cybersecurity threat intelligence, advanced threat protection, time zone, utc, local time, license, suppression rules search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: DulceMV --- diff --git a/windows/keep-secure/shut-down-the-system.md b/windows/keep-secure/shut-down-the-system.md index fc101c8428..0c4f6b24a7 100644 --- a/windows/keep-secure/shut-down-the-system.md +++ b/windows/keep-secure/shut-down-the-system.md @@ -2,105 +2,101 @@ title: Shut down the system (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Shut down the system security policy setting. ms.assetid: c8e8f890-153a-401e-a957-ba6a130304bf -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Shut down the system + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Shut down the system** security policy setting. + ## Reference + This security setting determines if a user who is logged on locally to a device can shut down Windows. + Shutting down domain controllers makes them unavailable to perform functions such as processing logon requests, processing Group Policy settings, and answering Lightweight Directory Access Protocol (LDAP) queries. Shutting down domain controllers that have been assigned operations master roles (also known as flexible single master operations or FSMO roles) can disable key domain functionality; for example, processing logon requests for new passwords, which is performed by the primary domain controller (PDC) emulator master. + The **Shut down the system** user right is required to enable hibernation support, to set the power management settings, and to cancela shutdown. + Constant: SeShutdownPrivilege + ### Possible values + - A user-defined list of accounts - Defaults - Not defined + ### Best practices + 1. Ensure that only Administrators and Backup Operators have the **Shut down the system** user right on member servers, and that only Administrators have the user right on domain controllers. Removing these default groups might limit the abilities of users who are assigned to specific administrative roles in your environment. Ensure that their delegated tasks will not be negatively affected. 2. The ability to shut down domain controllers should be limited to a very small number of trusted administrators. Even though a system shutdown requires the ability to log on to the server, you should be very careful about the accounts and groups that you allow to shut down a domain controller. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default this setting is Administrators, Backup Operators, Server Operators, and Print Operators on domain controllers, and Administrators and Backup Operators on stand-alone servers. + The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Administrators

-

Backup Operators

-

Server Operators

-

Print Operators

Stand-Alone Server Default Settings

Administrators

-

Backup Operators

Domain Controller Effective Default Settings

Administrators

-

Backup Operators

-

Server Operators

-

Print Operators

Member Server Effective Default Settings

Administrators

-

Backup Operators

Client Computer Effective Default Settings

Administrators

-

Backup Operators

-

Users

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Administrators
Backup Operators
Server Operators
Print Operators| +| Stand-Alone Server Default Settings | Administrators
Backup Operators| +| Domain Controller Effective Default Settings | Administrators
Backup Operators
Server Operators
Print Operators| +| Member Server Effective Default Settings | Administrators
Backup Operators| +| Client Computer Effective Default Settings | Administrators
Backup Operators
Users|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the computer is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + This user right does not have the same effect as **Force shutdown from a remote system**. For more information, see [Force shutdown from a remote system](force-shutdown-from-a-remote-system.md). + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + The ability to shut down domain controllers should be limited to a very small number of trusted administrators. Although the **Shut down the system** user right requires the ability to log on to the server, you should be very careful about which accounts and groups you allow to shut down a domain controller. + When a domain controller is shut down, it is no longer available to process logon requests, process Group Policy settings, and answer Lightweight Directory Access Protocol (LDAP) queries. If you shut down domain controllers that possess operations master roles, you can disable key domain functionality, such as processing logon requests for new passwords, which is performed by the PDC master. + For other server roles, especially those where non-administrators have rights to log on to the server (such as RD Session Host servers), it is critical that this user right be removed from users that do not have a legitimate reason to restart the servers. + ### Countermeasure + Ensure that only the Administrators and Backup Operators groups are assigned the **Shut down the system** user right on member servers, and ensure that only the Administrators group is assigned the user right on domain controllers. + ### Potential impact + The impact of removing these default groups from the **Shut down the system** user right could limit the delegated abilities of assigned roles in your environment. You should confirm that delegated activities are not adversely affected. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md b/windows/keep-secure/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md index ad159693ce..bdd15d4040 100644 --- a/windows/keep-secure/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md +++ b/windows/keep-secure/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md @@ -2,87 +2,90 @@ title: Shutdown Allow system to be shut down without having to log on (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Shutdown Allow system to be shut down without having to log on security policy setting. ms.assetid: f3964767-5377-4416-8eb3-e14d553a7315 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Shutdown: Allow system to be shut down without having to log on + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Shutdown: Allow system to be shut down without having to log on** security policy setting. + ## Reference + This policy setting determines whether a device can be shut down without having to log on to Windows. If you enable this policy setting, the **Shut Down** option is available on the logon screen in Windows. If you disable this policy setting, the **Shut Down** option is removed from the logon screen. This configuration requires that users are able to log on to the device successfully and that they have the **Shut down the system** user right before they can perform a shutdown. -Users who can access the console locally can shut down the system. Attackers or misguided users can connect to the server by using Remote Desktop Services, and then shut it down or restart it without having to identify themselves. A malicious user might also cause a temporary denial-of-service condition by walking up to the local console and restarting the server, or shutting down the server and thus rendering unavailable all its applications and services. + +Users who can access the console locally can shut down the system. Attackers or misguided users can connect to the server by using Remote Desktop Services, and then shut it down or restart it without having to identify themselves. A malicious user might also cause a temporary denial-of-service +condition by walking up to the local console and restarting the server, or shutting down the server and thus rendering unavailable all its applications and services. ### Possible values + - Enabled + The shut down command is available on the logon screen. + - Disabled + The shut down option is removed from the logon screen and users must have the **Shut down the system** user right before they can perform a shutdown. + - Not defined + ### Best practices + 1. On servers, set this policy to **Disabled**. You must log on to servers to shut them down or restart them. 2. On client devices, set this policy to **Enabled** and define the list of those with the right to shut them down or restart them with the User Rights Assignment policy **Shut down the system**. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Enabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Enabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. + ### Group Policy + For info about the User Rights Assignment policy, **Shut down the system**, see [Shut down the system](shut-down-the-system.md). + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Users who can access the console locally could shut down the device + Attackers who have access to the local console could restart the server, which would cause a temporary DoS condition. Attackers could also shut down the server and leave all of its applications and services unavailable. + ### Countermeasure + Disable the **Shutdown: Allow system to be shut down without having to log on** setting. + ### Potential impact + You must log on to servers to shut them down or restart them. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/shutdown-clear-virtual-memory-pagefile.md b/windows/keep-secure/shutdown-clear-virtual-memory-pagefile.md index 042254e9c7..83e27c9e00 100644 --- a/windows/keep-secure/shutdown-clear-virtual-memory-pagefile.md +++ b/windows/keep-secure/shutdown-clear-virtual-memory-pagefile.md @@ -2,85 +2,82 @@ title: Shutdown Clear virtual memory pagefile (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Shutdown Clear virtual memory pagefile security policy setting. ms.assetid: 31400078-6c56-4891-a6df-6dfb403c4bc9 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Shutdown: Clear virtual memory pagefile + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Shutdown: Clear virtual memory pagefile** security policy setting. + ## Reference + This policy setting determines whether the virtual memory paging file is cleared when the device is shut down. Virtual memory support uses a system paging file to swap pages of memory to disk when they are not used. On a running device, this paging file is opened exclusively by the operating system, and it is well protected. However, devices that are configured to allow other operating systems to start should verify that the system paging file is cleared as the device shuts down. This confirmation ensures that sensitive information from process memory that might be placed in the paging file is not available to an unauthorized user who manages to directly access the paging file after shutdown. + Important information that is kept in real memory might be written periodically to the paging file. This helps devices handle multitasking functions. A malicious user who has physical access to a server that has been shut down can view the contents of the paging file. The attacker can move the system volume into a different computer and then analyze the contents of the paging file. This is a time-consuming process, but it can expose data that is cached from RAM to the paging file. A malicious user who has physical access to the server can bypass this countermeasure by simply unplugging the server from its power source. + ### Possible values + - Enabled + The system paging file is cleared when the system shuts down normally. Also, this policy setting forces the computer to clear the hibernation file (hiberfil.sys) when hibernation is disabled on a portable device. + - Disabled - Not defined + ### Best practices + - Set this policy to **Enabled**. This causes Windows to clear the paging file when the system is shut down. Depending on the size of the paging file, this process might take several minutes before the system completely shuts down. This delay in shutting down the server is especially noticeable on servers with large paging files. For a server with 2 gigabytes (GB) of RAM and a 2-GB paging file, this setting can add more than 30 minutes to the shutdown process. For some organizations, this downtime violates their internal service level agreements. Use caution when implementing this countermeasure in your environment. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Important information that is kept in real memory may be written periodically to the paging file to help Windows handle multitasking functions. An attacker who has physical access to a server that has been shut down could view the contents of the paging file. The attacker could move the system volume into a different device and then analyze the contents of the paging file. Although this process is time consuming, it could expose data that is cached from random access memory (RAM) to the paging file. -**Caution**   -An attacker who has physical access to the device could bypass this countermeasure by unplugging the computer from its power source. + +>**Caution:**  An attacker who has physical access to the device could bypass this countermeasure by unplugging the computer from its power source.   ### Countermeasure + Enable the **Shutdown: Clear virtual memory page file** setting. This configuration causes the operating system to clear the paging file when the device is shut down. The amount of time that is required to complete this process depends on the size of the page file. Because the process overwrites the storage area that is used by the page file several times, it could be several minutes before the device completely shuts down. + ### Potential impact + It takes longer to shut down and restart the device, especially on devices with large paging files. For a device with 2 gigabytes (GB) of RAM and a 2-GB paging file, this policy setting could increase the shutdown process by more than 30 minutes. For some organizations this downtime violates their internal service level agreements. Therefore, use caution before you implement this countermeasure in your environment. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/store-passwords-using-reversible-encryption.md b/windows/keep-secure/store-passwords-using-reversible-encryption.md index 1d0ae2465b..667eaec2fc 100644 --- a/windows/keep-secure/store-passwords-using-reversible-encryption.md +++ b/windows/keep-secure/store-passwords-using-reversible-encryption.md @@ -2,80 +2,71 @@ title: Store passwords using reversible encryption (Windows 10) description: Describes the best practices, location, values, and security considerations for the Store passwords using reversible encryption security policy setting. ms.assetid: 57f958c2-f1e9-48bf-871b-0a9b3299e238 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Store passwords using reversible encryption + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Store passwords using reversible encryption** security policy setting. + ## Reference + The **Store password using reversible encryption** policy setting provides support for applications that use protocols that require the user's password for authentication. Storing encrypted passwords in a way that is reversible means that the encrypted passwords can be decrypted. A knowledgeable attacker who is able to break this encryption can then log on to network resources by using the compromised account. For this reason, never enable **Store password using reversible encryption** for all users in the domain unless application requirements outweigh the need to protect password information. -If you use the Challenge Handshake Authentication Protocol (CHAP) through remote access or Internet Authentication Services (IAS), you must enable this policy setting. CHAP is an authentication protocol that is used by remote access and network connections. Digest Authentication in Internet Information Services (IIS) also requires that you enable this policy setting. + +If you use the Challenge Handshake Authentication Protocol (CHAP) through remote access or Internet Authentication Services (IAS), you must enable this policy setting. CHAP is an authentication protocol that is used by remote access and network connections. Digest Authentication in Internet +Information Services (IIS) also requires that you enable this policy setting. + ### Possible values - Enabled - Disabled - Not defined + ### Best practices + Set the value for **Store password using reversible encryption** to Disabled. If you use CHAP through remote access or IAS, or Digest Authentication in IIS, you must set this value to **Enabled**. This presents a security risk when you apply the setting by using Group Policy on a user-by-user basis because it requires opening the appropriate user account object in Active Directory Users and Computers. -**Note**   -Do not enable this policy setting unless business requirements outweigh the need to protect password information. + +>**Note:**  Do not enable this policy setting unless business requirements outweigh the need to protect password information.   ### Location + **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\** + ### Default values + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or Group Policy Object (GPO)Default value

Default domain policy

Disabled

Default domain controller policy

Disabled

Stand-alone server default settings

Disabled

Domain controller effective default settings

Disabled

Member server effective default settings

Disabled

Effective GPO default settings on client computers

Disabled

+ +| Server type or Group Policy Object (GPO) | Default value | +| - | - | +| Default domain policy| Disabled| +| Default domain controller policy| Disabled| +| Stand-alone server default settings | Disabled| +| Domain controller effective default settings | Disabled| +| Member server effective default settings | Disabled| +| Effective GPO default settings on client computers | Disabled|   ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Enabling this policy setting allows the operating system to store passwords in a format that can weaken your overall security. + ### Countermeasure + Disable the **Store password using reversible encryption** policy setting. + ### Potential impact + If your organization uses CHAP through remote access or IAS, or Digest Authentication in IIS, you must configure this policy setting to Enabled. This presents a security risk when you apply the setting through Group Policy on a user-by-user basis because it requires the appropriate user account object to be opened in Active Directory Users and Computers. + ## Related topics -[Password Policy](password-policy.md) -  -  + +- [Password Policy](password-policy.md) diff --git a/windows/keep-secure/switch-pcr-banks-on-tpm-2-0-devices.md b/windows/keep-secure/switch-pcr-banks-on-tpm-2-0-devices.md index ea019eb343..b6b9fd71e5 100644 --- a/windows/keep-secure/switch-pcr-banks-on-tpm-2-0-devices.md +++ b/windows/keep-secure/switch-pcr-banks-on-tpm-2-0-devices.md @@ -2,7 +2,7 @@ title: Switch PCR banks on TPM 2.0 devices (Windows 10) description: A Platform Configuration Register (PCR) is a memory location in the TPM that has some unique properties. ms.assetid: 743FCCCB-99A9-4636-8F48-9ECB3A3D10DE -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -10,6 +10,7 @@ author: brianlic-msft --- # Switch PCR banks on TPM 2.0 devices + **Applies to** - Windows 10 diff --git a/windows/keep-secure/synchronize-directory-service-data.md b/windows/keep-secure/synchronize-directory-service-data.md index 4554452349..b562f8a178 100644 --- a/windows/keep-secure/synchronize-directory-service-data.md +++ b/windows/keep-secure/synchronize-directory-service-data.md @@ -2,88 +2,89 @@ title: Synchronize directory service data (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Synchronize directory service data security policy setting. ms.assetid: 97b0aaa4-674f-40f4-8974-b4bfb12c232c -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Synchronize directory service data + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Synchronize directory service data** security policy setting. + ## Reference + This policy setting determines which users and groups have authority to synchronize all directory service data, regardless of the protection for objects and properties. This privilege is required to use LDAP directory synchronization (dirsync) services. Domain controllers have this user right inherently because the synchronization process runs in the context of the **System** account on domain controllers. + Constant: SeSyncAgentPrivilege + ### Possible values + - User-defined list of accounts - Not defined + ### Best practices + - Ensure that no accounts are assigned the **Synchronize directory service data** user right. Only domain controllers need this privilege, which they inherently have. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default this setting is not defined on domain controllers and on stand-alone servers. + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Not defined

Domain Controller Effective Default Settings

Enabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Not defined| +| Domain Controller Effective Default Settings | Enabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the device is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + The **Synchronize directory service data** user right affects domain controllers (only domain controllers should be able to synchronize directory service data). Domain controllers have this user right inherently because the synchronization process runs in the context of the **System** account on domain controllers. Attackers who have this user right can view all information that is stored within the directory. They could then use some of that information to facilitate additional attacks or expose sensitive data, such as direct telephone numbers or physical addresses. + ### Countermeasure + Ensure that no accounts are assigned the **Synchronize directory service data** user right. + ### Potential impact + None. Not defined is the default configuration. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md b/windows/keep-secure/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md index 811570c873..0862dc11d1 100644 --- a/windows/keep-secure/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md +++ b/windows/keep-secure/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md @@ -2,82 +2,78 @@ title: System cryptography Force strong key protection for user keys stored on the computer (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the System cryptography Force strong key protection for user keys stored on the computer security policy setting. ms.assetid: 8cbff267-881e-4bf6-920d-b583a5ff7de0 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # System cryptography: Force strong key protection for user keys stored on the computer + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **System cryptography: Force strong key protection for user keys stored on the computer** security policy setting. + ## Reference + This policy setting determines whether users can use private keys, such as their Secure/Multipurpose Internet Mail Extensions (S/MIME) key, without a password. + Configuring this policy setting so that users must provide a password every time they use a key (in addition to their domain password) makes it more difficult for a malicious user to access locally-stored user keys, even if the attacker takes control of the user's device and determines their logon password. + ### Possible values + - **User input is not required when new keys are stored and used** - **User is prompted when the key is first used** - **User must enter a password each time they use a key** - Not defined + ### Best practices + - Set this policy to **User must enter a password each time they use a key**. Users must enter their password every time they access a key that is stored on their computer. For example, if users use an S/MIME certificate to digitally sign their email, they will be forced to enter the password for that certificate every time they send a signed email message. For some organizations, the overhead that is caused by using this value might be too high, but they should set the value at a minimum to **User is prompted when the key is first used**. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Not defined

DC Effective Default Settings

Not defined

Member Server Effective Default Settings

Not defined

Client Computer Effective Default Settings

Not defined

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Not defined| +| DC Effective Default Settings | Not defined| +| Member Server Effective Default Settings | Not defined| +| Client Computer Effective Default Settings| Not defined|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + If a user's account is compromised or the user's device is inadvertently left unsecured, the malicious user can use the keys that are stored for the user to access protected resources. + ### Countermeasure + Configure the **System cryptography: Force strong key protection for user keys stored on the computer** setting to **User must enter a password each time they use a key** so that users must provide a password that is distinct from their domain password every time they use a key. This configuration makes it more difficult for an attacker to access locally stored user keys, even if the attacker takes control of the user's computer and determines the logon password. + ### Potential impact + Users must type their password every time they access a key that is stored on their device. For example, if users use an S/MIME certificate to digitally sign their email, they are forced to type the password for that certificate every time they send a signed email message. For some organizations, the overhead that is involved by using this configuration may be too high. At a minimum, this setting should be set to **User is prompted when the key is first used**. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md b/windows/keep-secure/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md index b762727564..a1a1738dad 100644 --- a/windows/keep-secure/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md +++ b/windows/keep-secure/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md @@ -2,125 +2,112 @@ title: System cryptography Use FIPS compliant algorithms for encryption, hashing, and signing (Windows 10) description: This security policy reference topic for the IT professional describes the best practices, location, values, policy management and security considerations for this policy setting. ms.assetid: 83988865-dc0f-45eb-90d1-ee33495eb045 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing + **Applies to** - Windows 10 + This security policy reference topic for the IT professional describes the best practices, location, values, policy management and security considerations for this policy setting. + ## Reference -The Federal Information Processing Standard (FIPS) 140 is a security implementation that is designed for certifying cryptographic software. Windows implements these certified algorithms to meet the requirements and standards for cryptographic modules for use by departments and agencies of the United States federal government. + +The Federal Information Processing Standard (FIPS) 140 is a security implementation that is designed for certifying cryptographic software. Windows implements these certified algorithms to meet the requirements and standards for cryptographic modules for use by departments and agencies of the +United States federal government. + **TLS/SSL** -This policy setting determines whether the TLS/SSL security provider supports only the FIPS-compliant strong cipher suite known as TLS\_RSA\_WITH\_3DES\_EDE\_CBC\_SHA, which means that the provider only supports the TLS protocol as a client computer and as a server, if applicable. It uses only the Triple Data Encryption Standard (3DES) encryption algorithm for the TLS traffic encryption, only the Rivest-Shamir-Adleman (RSA) public key algorithm for the TLS key exchange and authentication, and only the Secure Hash Algorithm version 1 (SHA-1) hashing algorithm for the TLS hashing requirements. + +This policy setting determines whether the TLS/SSL security provider supports only the FIPS-compliant strong cipher suite known as TLS\_RSA\_WITH\_3DES\_EDE\_CBC\_SHA, which means that the provider only supports the TLS protocol as a client computer and as a server, if applicable. It uses only the +Triple Data Encryption Standard (3DES) encryption algorithm for the TLS traffic encryption, only the Rivest-Shamir-Adleman (RSA) public key algorithm for the TLS key exchange and authentication, and only the Secure Hash Algorithm version 1 (SHA-1) hashing algorithm for the TLS hashing requirements. + **Encrypting File System (EFS)** + For the EFS service, this policy setting supports the 3DES and Advanced Encryption Standard (AES) encryption algorithms for encrypting file data supported by the NTFS file system. To encrypt file data, by default EFS uses the Advanced Encryption Standard (AES) algorithm with a 256-bit key in the Windows Server 2003, Windows Vista, and later, and it uses a DESX algorithm in Windows XP. + **Remote Desktop Services (RDS)** + For encrypting Remote Desktop Services network communication, this policy setting supports only the Triple DES encryption algorithm. + **BitLocker** + For BitLocker, this policy setting needs to be enabled before any encryption key is generated. Recovery passwords created on Windows Server 2012 R2 and Windows 8.1 and later when this policy is enabled are incompatible with BitLocker on operating systems prior to Windows Server 2012 R2 and Windows 8.1; BitLocker will prevent the creation or use of recovery passwords on these systems, so recovery keys should be used instead. + ### Possible values + - Enabled - Disabled - Not defined + ### Best practices + - For use with TLS, set this policy to **Enabled**. Client devices with this policy setting enabled will be unable to communicate through digitally encrypted or signed protocols with servers that do not support these algorithms. Client devices that are connected to the network and do not support these algorithms cannot use servers that require the algorithms for network communications. If you enable this policy setting, you must also configure Internet Explorer to use TLS. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled|   ### Operating system version differences + When this setting is enabled, the Encrypting File System (EFS) service supports only the Triple DES encryption algorithm for encrypting file data. By default, the Windows Vista and the Windows Server 2003 implementation of EFS uses the Advanced Encryption Standard (AES) with a 256-bit key. The Windows XP implementation uses DESX. + When this setting is enabled, BitLocker generates recovery password or recovery keys applicable to versions listed in the following: - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
Operating systemsApplicability

Windows 10, Windows 8.1, and Windows Server 2012 R2

When created on these operating systems, the recovery password cannot be used on other systems listed in this table.

Windows Server 2012 and Windows 8

When created on these operating systems, the recovery key can be used on other systems listed in this table as well.

Windows Server 2008 R2 and Windows 7

When created on these operating systems, the recovery key can be used on other systems listed in this table as well.

Windows Server 2008 and Windows Vista

When created on these operating systems, the recovery key can be used on other systems listed in this table as well.

+ +| Operating systems | Applicability | +| - | - | +| Windows 10, Windows 8.1, and Windows Server 2012 R2| When created on these operating systems, the recovery password cannot be used on other systems listed in this table.| +| Windows Server 2012 and Windows 8 | When created on these operating systems, the recovery key can be used on other systems listed in this table as well.| +| Windows Server 2008 R2 and Windows 7 | When created on these operating systems, the recovery key can be used on other systems listed in this table as well.| +| Windows Server 2008 and Windows Vista | When created on these operating systems, the recovery key can be used on other systems listed in this table as well.|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Group Policy + Setting and deploying this policy using Group Policy takes precedence over the setting on the local device. If the Group Policy is set to **Not Configured**, local settings will apply. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + You can enable this policy setting to ensure that the device uses the most powerful algorithms that are available for digital encryption, hashing, and signing. Use of these algorithms minimize the risk of compromise of digitally encrypted or signed data by an unauthorized user. + ### Countermeasure + Enable the **System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing** setting. + ### Potential impact -Client devices that have this policy setting enabled cannot communicate by means of digitally encrypted or signed protocols with servers that do not support these algorithms. Network clients that do not support these algorithms cannot use servers that require them for network communications. For example, many Apache-based Web servers are not configured to support TLS. If you enable this setting, you must also configure Internet Explorer® to use TLS. This policy setting also affects the encryption level that is used for the Remote Desktop Protocol (RDP). The Remote Desktop Connection tool uses the RDP protocol to communicate with servers that run Terminal Services and client computers that are configured for remote control; RDP connections fail if both devices are not configured to use the same encryption algorithms. + +Client devices that have this policy setting enabled cannot communicate by means of digitally encrypted or signed protocols with servers that do not support these algorithms. Network clients that do not support these algorithms cannot use servers that require them for network communications. For example, many Apache-based Web servers are not configured to support TLS. If you enable this setting, you must also configure Internet Explorer® to use TLS. This policy setting also affects the encryption level that is used for the Remote Desktop Protocol (RDP). The Remote Desktop Connection tool +uses the RDP protocol to communicate with servers that run Terminal Services and client computers that are configured for remote control; RDP connections fail if both devices are not configured to use the same encryption algorithms. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/system-objects-require-case-insensitivity-for-non-windows-subsystems.md b/windows/keep-secure/system-objects-require-case-insensitivity-for-non-windows-subsystems.md index ed8f8e7cdb..1f3af1c21c 100644 --- a/windows/keep-secure/system-objects-require-case-insensitivity-for-non-windows-subsystems.md +++ b/windows/keep-secure/system-objects-require-case-insensitivity-for-non-windows-subsystems.md @@ -2,83 +2,83 @@ title: System objects Require case insensitivity for non-Windows subsystems (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the System objects Require case insensitivity for non-Windows subsystems security policy setting. ms.assetid: 340d6769-8f33-4067-8470-1458978d1522 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # System objects: Require case insensitivity for non-Windows subsystems + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **System objects: Require case insensitivity for non-Windows subsystems** security policy setting. + ## Reference + This policy setting determines whether case insensitivity is enforced for all subsystems. The Microsoft Win32 subsystem is not case sensitive; however, the kernel supports case sensitivity for other subsystems, such as Portable Operating System Interface for UNIX (POSIX). Enabling this policy setting enforces case insensitivity for all directory objects, symbolic links, and input/output (I/O) objects, including file objects. Disabling this policy setting does not allow the Win32 subsystem to become case sensitive. + Because Windows is case insensitive but the POSIX subsystem will support case sensitivity, if this policy setting is not enforced, it is possible for a user of that subsystem to create a file with the same name as another file but with a different mix of capital letters. That might confuse users when they try to access these files by using normal Win32 tools, because only one of the files will be available. + ### Possible values + - Enabled + Case insensitivity is enforced for all directory objects, symbolic links, and IO objects, including file objects. + - Disabled + Will not allow the Win32 subsystem to become case sensitive. + - Not defined + ### Best practices + - Set this policy to **Enabled**. All subsystems will be forced to observe case insensitivity. However, this might confuse users who are familiar with one of the UNIX-based operating systems and are used to a case sensitive operating system. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Enabled

DC Effective Default Settings

Enabled

Member Server Effective Default Settings

Enabled

Client Computer Effective Default Settings

Enabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Enabled| +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings| Enabled| +| Client Computer Effective Default Settings | Enabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Because Windows is case insensitive but the POSIX subsystem supports case sensitivity, failure to enable this policy setting makes it possible for a user of that subsystem to create a file with the same name as another file but with a different mix of uppercase and lowercase letters. Such a situation could potentially confuse users when they try to access such files from normal Win32 tools because only one of the files is available. + ### Countermeasure + Enable the **System objects: Require case insensitivity for non-Windows subsystems** setting. + ### Potential impact + All subsystems are forced to observe case insensitivity. This configuration may confuse users who are familiar with any UNIX-based operating systems that are case sensitive. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/system-objects-strengthen-default-permissions-of-internal-system-objects.md b/windows/keep-secure/system-objects-strengthen-default-permissions-of-internal-system-objects.md index 1aee1c46fa..5be5a462b1 100644 --- a/windows/keep-secure/system-objects-strengthen-default-permissions-of-internal-system-objects.md +++ b/windows/keep-secure/system-objects-strengthen-default-permissions-of-internal-system-objects.md @@ -2,80 +2,75 @@ title: System objects Strengthen default permissions of internal system objects (e.g. Symbolic Links) (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the System objects Strengthen default permissions of internal system objects (e.g. Symbolic Links) security policy setting. ms.assetid: 3a592097-9cf5-4fd0-a504-7cbfab050bb6 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)** security policy setting. + ## Reference + This policy setting determines the strength of the default discretionary access control list (DACL) for objects. Windows maintains a global list of shared system resources such as MS-DOS device names, mutexes, and semaphores. By using this list, processes can locate and share objects. Each type of object is created with a default DACL that specifies who can access the objects with what permissions. Enabling this policy setting strengthens the default DACL and allows users who are not administrators to read, but not to modify, shared objects that they did not create. + ### Possible values + - Enabled - Disabled - Not defined + ### Best practices + - It is advisable to set this policy to **Enabled**. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\ Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Enabled

DC Effective Default Settings

Enabled

Member Server Effective Default Settings

Enabled

Client Computer Effective Default Settings

Enabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Enabled | +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings| Enabled| +| Client Computer Effective Default Settings | Enabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + This policy setting is enabled by default to protect against a known vulnerability that can be used with hard links or symbolic links. Hard links are actual directory entries in the file system. With hard links, the same data in a file system can be referred to by different file names. Symbolic links are text files that provide a pointer to the file that is interpreted and followed by the operating system as a path to another file or directory. Because symbolic links are a separate file, they can exist independently of the target location. If a symbolic link is deleted, its target location remains unaffected. When this setting is disabled, it is possible for a malicious user to destroy a data file by creating a link that looks like a temporary file that the system automatically creates, such as a sequentially named log file, but it points to the data file that the malicious user wants to eradicate. When the system writes the files with that name, the data is overwritten. Enabling **System objects: Strengthen default permissions of internal system objects (e.g., Symbolic Links)** prevents an attacker from exploiting programs that create files with predictable names by not allowing them to write to objects that they did not create. + ### Countermeasure + Enable the **System objects: Strengthen default permissions of global system objects (for example, Symbolic Links)** setting. + ### Potential impact + None. This is the default configuration. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/system-settings-optional-subsystems.md b/windows/keep-secure/system-settings-optional-subsystems.md index 96633aece6..15ec7c1221 100644 --- a/windows/keep-secure/system-settings-optional-subsystems.md +++ b/windows/keep-secure/system-settings-optional-subsystems.md @@ -2,81 +2,78 @@ title: System settings Optional subsystems (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the System settings Optional subsystems security policy setting. ms.assetid: 5cb6519a-4f84-4b45-8072-e2aa8a72fb78 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # System settings: Optional subsystems + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **System settings: Optional subsystems** security policy setting. + ## Reference + This policy setting determines which subsystems support your applications. You can use this security setting to specify as many subsystems as your environment demands. + The subsystem introduces a security risk that is related to processes that can potentially persist across logons. If a user starts a process and then logs out, the next user who logs on to the system might access the process that the previous user started. This is dangerous, because the process started by the first user can retain that user's system user rights; therefore, anything that the second user does using that process is performed with the user rights of the first user. This makes it difficult to trace who creates processes and objects, which is essential for post-security incident forensics. + ### Possible values + - User-defined list of subsystems - Not defined + ### Best practices + - Set this policy setting to a null value. The default value is **POSIX**, so applications that rely on the POSIX subsystem will no longer run. For example, Microsoft Services for UNIX 3.0 installs an updated version of the POSIX subsystem. Reset this policy setting in Group Policy for any servers that use Services for UNIX 3.0. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

POSIX

DC Effective Default Settings

POSIX

Member Server Effective Default Settings

POSIX

Client Computer Effective Default Settings

POSIX

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | POSIX| +| DC Effective Default Settings | POSIX| +| Member Server Effective Default Settings| POSIX| +| Client Computer Effective Default Settings | POSIX|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + The POSIX subsystem is an Institute of Electrical and Electronic Engineers (IEEE) standard that defines a set of operating system services. The POSIX subsystem is required if the server supports applications that use that subsystem. + The POSIX subsystem introduces a security risk that relates to processes that can potentially persist across logons. If a user starts a process and then logs out, there is a potential that the next user who logs on to the computer could access the previous user's process. This would allow the second user to take actions on the process by using the privileges of the first user. + ### Countermeasure + Configure the **System settings: Optional subsystems setting** to a null value. The default value is POSIX. + ### Potential impact + Applications that rely on the POSIX subsystem no longer operate. For example, Microsoft Services for UNIX (SFU) installs an updated version of the POSIX subsystem that is required, so you must reconfigure this setting in Group Policy for any servers that use SFU. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md b/windows/keep-secure/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md index ce05d099f5..ae25abd015 100644 --- a/windows/keep-secure/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md +++ b/windows/keep-secure/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md @@ -2,80 +2,76 @@ title: System settings Use certificate rules on Windows executables for Software Restriction Policies (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the System settings Use certificate rules on Windows executables for Software Restriction Policies security policy setting. ms.assetid: 2380d93b-b553-4e56-a0c0-d1ef740d089c -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # System settings: Use certificate rules on Windows executables for Software Restriction Policies + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **System settings: Use certificate rules on Windows executables for Software Restriction Policies** security policy setting. + ## Reference + This policy setting determines whether digital certificates are processed when software restriction policies are enabled and a user or process attempts to run software with an .exe file name extension. This security setting enables or disables certificate rules (which are a type of software restriction policy). With a software restriction policy, you can create a certificate rule that allows or disallows Microsoft Authenticode®-signed software to run, based on the digital certificate that is associated with the software. For certificate rules to work in software restriction policies, you must enable this security setting. + ### Possible values + - Enabled - Disabled - Not defined + ### Best practices -- Set this policy to **Enabled**. Enabling certificate rules results in software restriction policies checking a certificate revocation list (CRL) to make sure that the software's certificate and signature are valid. When you start signed programs, this setting can decrease system performance. You can disable CRLs by editing the software restriction policies in the desired GPO. In the **Trusted Publishers Properties** dialog box, clear the **Publisher** and **Timestamp** check boxes. + +- Set this policy to **Enabled**. Enabling certificate rules results in software restriction policies checking a certificate revocation list (CRL) to make sure that the software's certificate and signature are valid. When you start signed programs, this setting can decrease system performance. +You can disable CRLs by editing the software restriction policies in the desired GPO. In the **Trusted Publishers Properties** dialog box, clear the **Publisher** and **Timestamp** check boxes. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Disabled | +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Without the use of software restriction policies, users and device might be exposed to unauthorized software that could include malware. + ### Countermeasure + Enable the **System settings: Use certificate rules on Windows executables for Software Restriction Policies** setting. + ### Potential impact + If you enable certificate rules, software restriction policies check a certificate revocation list (CRL) to verify that the software's certificate and signature are valid. This checking process may negatively affect performance when signed programs start. To disable this feature, you can edit the software restriction policies in the appropriate GPO. In the **Trusted Publishers Properties** dialog box, clear the **Publisher** and **Timestamp** check boxes. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/take-ownership-of-files-or-other-objects.md b/windows/keep-secure/take-ownership-of-files-or-other-objects.md index 5274e1f278..24ab3257e2 100644 --- a/windows/keep-secure/take-ownership-of-files-or-other-objects.md +++ b/windows/keep-secure/take-ownership-of-files-or-other-objects.md @@ -2,98 +2,106 @@ title: Take ownership of files or other objects (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Take ownership of files or other objects security policy setting. ms.assetid: cb8595d1-74cc-4176-bb15-d97663eebb2d -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Take ownership of files or other objects + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Take ownership of files or other objects** security policy setting. + ## Reference + This policy setting determines which users can take ownership of any securable object in the device, including Active Directory objects, NTFS files and folders, printers, registry keys, services, processes, and threads. + Every object has an owner, whether the object resides in an NTFS volume or Active Directory database. The owner controls how permissions are set on the object and to whom permissions are granted. + By default, the owner is the person who or the process which created the object. Owners can always change permissions to objects, even when they are denied all access to the object. + Constant: SeTakeOwnershipPrivilege + ### Possible values + - User-defined list of accounts - Not defined + ### Best practices + - Assigning this user right can be a security risk. Because owners of objects have full control of them, only assign this user right to trusted users. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default this setting is Administrators on domain controllers and on stand-alone servers. + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Administrators

Stand-Alone Server Default Settings

Administrators

Domain Controller Effective Default Settings

Administrators

Member Server Effective Default Settings

Administrators

Client Computer Effective Default Settings

Administrators

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Administrators| +| Stand-Alone Server Default Settings | Administrators| +| Domain Controller Effective Default Settings | Administrators| +| Member Server Effective Default Settings | Administrators| +| Client Computer Effective Default Settings | Administrators|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the device is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + Ownership can be taken by: + - An administrator. By default, the Administrators group is given the **Take ownership of files or other objects** user right. - Anyone or any group who has the **Take ownership** user right on the object. - A user who has the **Restore files and directories** user right. + Ownership can be transferred in the following ways: + - The current owner can grant the **Take ownership** user right to another user if that user is a member of a group defined in the current owner's access token. The user must take ownership to complete the transfer. - An administrator can take ownership. - A user who has the **Restore files and directories** user right can double-click **Other users and groups** and choose any user or group to assign ownership to. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability -Any users with the **Take ownership of files or other objects user right** can take control of any object, regardless of the permissions on that object, and then make any changes that they want to make to that object. Such changes could result in exposure of data, corruption of data, or a denial-of-service condition. + +Any users with the **Take ownership of files or other objects user right** can take control of any object, regardless of the permissions on that object, and then make any changes that they want to make to that object. Such changes could result in exposure of data, corruption of data, or a +denial-of-service condition. + ### Countermeasure + Ensure that only the local Administrators group has the **Take ownership of files or other objects** user right. + ### Potential impact + None. Restricting the **Take ownership of files or other objects** user right to the local Administrators group is the default configuration. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/test-an-applocker-policy-by-using-test-applockerpolicy.md b/windows/keep-secure/test-an-applocker-policy-by-using-test-applockerpolicy.md index 09ccf98b7d..fcc3bf2eac 100644 --- a/windows/keep-secure/test-an-applocker-policy-by-using-test-applockerpolicy.md +++ b/windows/keep-secure/test-an-applocker-policy-by-using-test-applockerpolicy.md @@ -2,28 +2,42 @@ title: Test an AppLocker policy by using Test-AppLockerPolicy (Windows 10) description: This topic for IT professionals describes the steps to test an AppLocker policy prior to importing it into a Group Policy Object (GPO) or another computer. ms.assetid: 048bfa38-6825-4a9a-ab20-776cf79f402a -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Test an AppLocker policy by using Test-AppLockerPolicy + **Applies to** - Windows 10 + This topic for IT professionals describes the steps to test an AppLocker policy prior to importing it into a Group Policy Object (GPO) or another computer. + The **Test-AppLockerPolicy** Windows PowerShell cmdlet can be used to determine whether any of the rules in your rule collections will be blocked on your reference computer or the computer on which you maintain policies. Perform the following steps on any computer where the AppLocker policies are applied. + Any user account can be used to complete this procedure. + **To test an AppLocker policy by using Test-AppLockerPolicy** + 1. Export the effective AppLocker policy. To do this, you must use the **Get-AppLockerPolicy** Windows PowerShell cmdlet. + 1. Open a Windows PowerShell command prompt window as an administrator. 2. Use the **Get-AppLockerPolicy** cmdlet to export the effective AppLocker policy to an XML file: + `Get-AppLockerPolicy –Effective –XML > ` + 2. Use the **Get-ChildItem** cmdlet to specify the directory that you want to test, specify the **Test-AppLockerPolicy** cmdlet with the XML file from the previous step to test the policy, and use the **Export-CSV** cmdlet to export the results to a file to be analyzed: + `Get-ChildItem -Filter -Recurse | Convert-Path | Test-AppLockerPolicy –XMLPolicy -User -Filter | Export-CSV ` + The following shows example input for **Test-AppLockerPolicy**: -`PS C:\ Get-AppLockerPolicy –Effective –XML > C:\Effective.xml` -`PS C:\ Get-ChildItem 'C:\Program Files\Microsoft Office\' –filter *.exe –Recurse | Convert-Path | Test-AppLockerPolicy –XMLPolicy C:\Effective.xml –User contoso\zwie –Filter Denied,DeniedByDefault | Export-CSV C:\BlockedFiles.csv` + +```syntax +PS C:\ Get-AppLockerPolicy –Effective –XML > C:\Effective.xml +PS C:\ Get-ChildItem 'C:\Program Files\Microsoft Office\' –filter *.exe –Recurse | Convert-Path | Test-AppLockerPolicy –XMLPolicy C:\Effective.xml –User contoso\zwie –Filter Denied,DeniedByDefault | Export-CSV C:\BlockedFiles.csv +``` + In the example, the effective AppLocker policy is exported to the file C:\\Effective.xml. The **Get-ChildItem** cmdlet is used to recursively gather path names for the .exe files in C:\\Program Files\\Microsoft Office\\. The XMLPolicy parameter specifies that the C:\\Effective.xml file is an XML AppLocker policy file. By specifying the User parameter, you can test the rules for specific users, and the **Export-CSV** cmdlet allows the results to be exported to a comma-separated file. In the example, `-FilterDenied,DeniedByDefault` displays only those files that will be blocked for the user under the policy. -  -  diff --git a/windows/keep-secure/test-and-update-an-applocker-policy.md b/windows/keep-secure/test-and-update-an-applocker-policy.md index 4ae1a87af2..99e46e3022 100644 --- a/windows/keep-secure/test-and-update-an-applocker-policy.md +++ b/windows/keep-secure/test-and-update-an-applocker-policy.md @@ -2,37 +2,61 @@ title: Test and update an AppLocker policy (Windows 10) description: This topic discusses the steps required to test an AppLocker policy prior to deployment. ms.assetid: 7d53cbef-078c-4d20-8b00-e821e33b6ea1 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Test and update an AppLocker policy + **Applies to** - Windows 10 + This topic discusses the steps required to test an AppLocker policy prior to deployment. + You should test each set of rules to ensure that the rules perform as intended. If you use Group Policy to manage AppLocker policies, complete the following steps for each Group Policy Object (GPO) where you have created AppLocker rules. Because AppLocker rules are inherited from linked GPOs, you should deploy all of the rules for simultaneous testing in all of your test GPOs. + ## Step 1: Enable the Audit only enforcement setting + By using the **Audit only** enforcement setting, you can ensure that the AppLocker rules that you have created are properly configured for your organization. This setting can be enabled on the **Enforcement** tab of the **AppLocker Properties** dialog box. For the procedure to do this, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md). + ## Step 2: Configure the Application Identity service to start automatically + Because AppLocker uses the Application Identity service to verify the attributes of a file, you must configure it to start automatically in any one GPO that applies AppLocker rules. For the procedure to do this, see [Configure the Application Identity Service](configure-the-application-identity-service.md). For AppLocker policies that are not managed by a GPO, you must ensure that the service is running on each PC in order for the policies to be applied. + ## Step 3: Test the policy + Test the AppLocker policy to determine if your rule collection needs to be modified. Because you have created AppLocker rules, enabled the Application Identity service, and enabled the **Audit only** enforcement setting, the AppLocker policy should be present on all client PC that are configured to receive your AppLocker policy. + The **Test-AppLockerPolicy** Windows PowerShell cmdlet can be used to determine whether any of the rules in your rule collection will be blocked on your reference PCs. For the procedure to do this, see [Test an AppLocker policy by using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md). + ## Step 4: Analyze AppLocker events You can either manually analyze AppLocker events or use the **Get-AppLockerFileInformation** Windows PowerShell cmdlet to automate the analysis. + **To manually analyze AppLocker events** + You can view the events either in Event Viewer or a text editor and then sort those events to perform an analysis, such as looking for patterns in application usage events, access frequencies, or access by user groups. If you have not configured an event subscription, then you will have to review the logs on a sampling of computers in your organization. For more information about using Event Viewer, see [Monitor application usage with AppLocker](monitor-application-usage-with-applocker.md). + **To analyze AppLocker events by using Get-AppLockerFileInformation** + You can use the **Get-AppLockerFileInformation** Windows PowerShell cmdlet to analyze AppLocker events from a remote computer. If an app is being blocked and should be allowed, you can use the AppLocker cmdlets to help troubleshoot the problem. + For both event subscriptions and local events, you can use the **Get-AppLockerFileInformation** cmdlet to determine which files have been blocked or would have been blocked (if you are using the **Audit only** enforcement mode) and how many times the event has occurred for each file. For the procedure to do this, see [Monitor Application Usage with AppLocker](monitor-application-usage-with-applocker.md). + After using **Get-AppLockerFileInformation** to determine how many times that a file would have been blocked from running, you should review your rule list to determine whether a new rule should be created for the blocked file or whether an existing rule is too strictly defined. Ensure that you check which GPO is currently preventing the file from running. To determine this, you can use the Group Policy Results Wizard to view rule names. + ## Step 5: Modify the AppLocker policy + After you have identified which rules need to be edited or added to the policy, you can use the Group Policy Management Console to modify the AppLocker rules in the relevant GPOs. For AppLocker policies that are not managed by a GPO, you can use the Local Security Policy snap-in (secpol.msc). For info how to modify an AppLocker policy, see, [Edit an AppLocker policy](edit-an-applocker-policy.md). + ## Step 6: Repeat policy testing, analysis, and policy modification + Repeat the previous steps 3–5 until all the rules perform as intended before applying enforcement. + ## Additional resources + - For steps to perform other AppLocker policy tasks, see [Administer AppLocker](administer-applocker.md).     diff --git a/windows/keep-secure/testing-scenarios-for-edp.md b/windows/keep-secure/testing-scenarios-for-edp.md index 810bb44663..e2187af349 100644 --- a/windows/keep-secure/testing-scenarios-for-edp.md +++ b/windows/keep-secure/testing-scenarios-for-edp.md @@ -2,10 +2,11 @@ title: Testing scenarios for enterprise data protection (EDP) (Windows 10) description: We've come up with a list of suggested testing scenarios that you can use to test enterprise data protection (EDP) in your company. ms.assetid: 53db29d2-d99d-4db6-b494-90e2b3962ca2 -keywords: ["EDP", "Enterprise Data Protection"] -ms.prod: W10 +keywords: EDP, Enterprise Data Protection +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library +ms.pagetype: security author: eross-msft --- diff --git a/windows/keep-secure/tools-to-use-with-applocker.md b/windows/keep-secure/tools-to-use-with-applocker.md index ed1080877e..5d2d69ff81 100644 --- a/windows/keep-secure/tools-to-use-with-applocker.md +++ b/windows/keep-secure/tools-to-use-with-applocker.md @@ -2,33 +2,52 @@ title: Tools to use with AppLocker (Windows 10) description: This topic for the IT professional describes the tools available to create and administer AppLocker policies. ms.assetid: db2b7cb3-7643-4be5-84eb-46ba551e1ad1 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Tools to use with AppLocker + **Applies to** - Windows 10 + This topic for the IT professional describes the tools available to create and administer AppLocker policies. + The following tools can help you administer the application control policies created by using AppLocker on the local device or by using Group Policy. For info about the basic requirements for using AppLocker, see [Requirements to use AppLocker](requirements-to-use-applocker.md). + - **AppLocker Local Security Policy MMC snap-in** + The AppLocker rules can be maintained by using the Local Security Policy snap-in (secpol.msc) of the Microsoft Management Console (MMC). For procedures to create, modify, and delete AppLocker rules, see [Working with AppLocker rules](working-with-applocker-rules.md). + - **Generate Default Rules tool** + AppLocker includes default rules for each rule collection accessed through the Local Security Policy snap-in. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. For info about how to use this tool, see [Create AppLocker default rules](create-applocker-default-rules.md). + - **Automatically Generate AppLocker Rules wizard** + By using the Local Security Policy snap-in, you can automatically generate rules for all files within a folder. The wizard will scan the specified folder and create the condition types that you choose for each file in that folder. For info about how to use this wizard, see [Run the Automatically Generate Rules wizard](run-the-automatically-generate-rules-wizard.md). + - **Group Policy** + You can edit an AppLocker policy by adding, changing, or removing rules by using the Group Policy Management Console (GPMC). + If you want additional features to manage AppLocker policies, such as version control, use Group Policy management software that allows you to create versions of Group Policy Objects (GPOs). An example of this type of software is the Advanced Group Policy Management feature from the Microsoft Desktop Optimization Pack. + - **Remote Server Administration Tools (RSAT)** + You can use a device with a supported operating system that has the Remote Server Administration Tools (RSAT) installed to create and maintain AppLocker policies. + - **Event Viewer** + The AppLocker log contains information about applications that are affected by AppLocker rules. For info about using Event Viewer to review the AppLocker logs, see [Using Event Viewer with AppLocker](using-event-viewer-with-applocker.md), and [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md). + - **AppLocker PowerShell cmdlets** + The AppLocker Windows PowerShell cmdlets are designed to streamline the administration of AppLocker policy. They can be used to help create, test, maintain, and troubleshoot an AppLocker policy. The cmdlets are intended to be used in conjunction with the AppLocker user interface that is accessed through the Local Security Policy snap-in and the GPMC. For information about the cmdlets, see the [AppLocker PowerShell Command Reference](http://technet.microsoft.com/library/hh847210.aspx). + ## Related topics -[AppLocker technical reference](applocker-technical-reference.md) -  -  + +- [AppLocker technical reference](applocker-technical-reference.md) diff --git a/windows/keep-secure/tpm-fundamentals.md b/windows/keep-secure/tpm-fundamentals.md index 26e6b4403e..6969c89924 100644 --- a/windows/keep-secure/tpm-fundamentals.md +++ b/windows/keep-secure/tpm-fundamentals.md @@ -2,23 +2,34 @@ title: TPM fundamentals (Windows 10) description: This topic for the IT professional provides a description of the components of the Trusted Platform Module (TPM 1.2 and TPM 2.0) and explains how they are used to mitigate dictionary attacks. ms.assetid: ac90f5f9-9a15-4e87-b00d-4adcf2ec3000 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # TPM fundamentals + **Applies to** - Windows 10 + This topic for the IT professional provides a description of the components of the Trusted Platform Module (TPM 1.2 and TPM 2.0) and explains how they are used to mitigate dictionary attacks. + A Trusted Platform Module (TPM) is a microchip designed to provide basic security-related functions, primarily involving encryption keys. The TPM is usually installed on the motherboard of a computer, and it communicates with the remainder of the system by using a hardware bus. + Computers that incorporate a TPM can create cryptographic keys and encrypt them so that they can only be decrypted by the TPM. This process, often called wrapping or binding a key, can help protect the key from disclosure. Each TPM has a master wrapping key, called the storage root key, which is stored within the TPM itself. The private portion of a storage root key or endorsement key that is created in a TPM is never exposed to any other component, software, process, or user. + You can specify whether encryption keys that are created by the TPM can be migrated or not. If you specify that they can be migrated, the public and private portions of the key can be exposed to other components, software, processes, or users. If you specify that encryption keys cannot be migrated, the private portion of the key is never exposed outside the TPM. + Computers that incorporate a TPM can also create a key that has not only been wrapped, but is also tied to certain platform measurements. This type of key can be unwrapped only when those platform measurements have the same values that they had when the key was created. This process is referred to as “sealing the key to the TPM.” Decrypting the key is called unsealing. The TPM can also seal and unseal data that is generated outside the TPM. With this sealed key and software, such as BitLocker Drive Encryption, you can lock data until specific hardware or software conditions are met. + With a TPM, private portions of key pairs are kept separate from the memory that is controlled by the operating system. Keys can be sealed to the TPM, and certain assurances about the state of a system (assurances that define the trustworthiness of a system) can be made before the keys are unsealed and released for use. Because the TPM uses its own internal firmware and logic circuits to process instructions, it does not rely on the operating system, and it is not exposed to vulnerabilities that might exist in the operating system or application software. + For info about which versions of Windows support which versions of the TPM, see [Trusted Platform Module technology overview](trusted-platform-module-overview.md). The features that are available in the versions are defined in specifications by the Trusted Computing Group (TCG). For more info, see the Trusted Platform Module page on the Trusted Computing Group website: [Trusted Platform Module](http://www.trustedcomputinggroup.org/developers/trusted_platform_module). + The following sections provide an overview of the technologies that support the TPM: + - [TPM-based Virtual Smart Card](#bkmk-vsc) - [Measured Boot with support for attestation](#bkmk-measuredboot) - [Automated provisioning and management of the TPM](#bkmk-autoprov) @@ -32,156 +43,157 @@ The following sections provide an overview of the technologies that support the - [How the TPM mitigates dictionary attacks](#bkmk-howtpmmitigates) - [How do I check the state of my TPM?](#bkmk-checkstate) - [What can I do if my TPM is in reduced functionality mode?](#bkmk-fixrfm) + The following topic describes the TPM Services that can be controlled centrally by using Group Policy settings: [Trusted Platform Module Services Group Policy Settings](trusted-platform-module-services-group-policy-settings.md) + ## Automated provisioning and management of the TPM + TPM provisioning can be streamlined to make it easier to deploy systems that are ready for BitLocker and other TPM-dependent features. These enhancements include simplifying the TPM state model to report **Ready**, **Ready with reduced functionality**, or **Not ready**. You can also automatically provision TPMs in the **Ready** state, remote provisioning to remove the requirement for the physical presence of a technician for the initial deployment. In addition, the TPM stack is available in the Windows Preinstallation Environment (Windows PE). + A number of management settings have been added for easier management and configuration of the TPM through Group Policy. The primary new settings include Active Directory-based backup of TPM owner authentication, the level of owner authentication that should be stored locally on the TPM, and the software-based TPM lockout settings for standard users. For more info about backing up owner authentication to Windows Server 2008 R2 AD DS domains, see [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md). + ## Measured Boot with support for attestation + The Measured Boot feature provides antimalware software with a trusted (resistant to spoofing and tampering) log of all boot components. Antimalware software can use the log to determine whether components that ran before it are trustworthy versus infected with malware. It can also send the Measured Boot logs to a remote server for evaluation. The remote server can initiate remediation actions by interacting with software on the client or through out-of-band mechanisms, as appropriate. + ## TPM-based Virtual Smart Card -The Virtual Smart Card emulates the functionality of traditional smart cards, but Virtual Smart Cards use the TPM chip that is available on an organization’s computers, rather than requiring the use of a separate physical smart card and reader. This greatly reduces the management and deployment cost of smart cards in an enterprise. To the end user, the Virtual Smart Card is always available on the computer. If a user needs to use more than one computer, a Virtual Smart Card must be issued to the user for each computer. A computer that is shared among multiple users can host multiple Virtual Smart Cards, one for each user. + +The Virtual Smart Card emulates the functionality of traditional smart cards, but Virtual Smart Cards use the TPM chip that is available on an organization’s computers, rather than requiring the use of a separate physical smart card and reader. This greatly reduces the management and deployment cost of smart cards in an enterprise. To the end user, the Virtual Smart Card is always available on the computer. If a user needs to use more than one computer, a +Virtual Smart Card must be issued to the user for each computer. A computer that is shared among multiple users can host multiple Virtual Smart Cards, one for each user. + ## TPM-based certificate storage + The TPM can be used to protect certificates and RSA keys. The TPM key storage provider (KSP) provides easy, convenient use of the TPM as a way of strongly protecting private keys. The TPM KSP can be used to generate keys when an organization enrolls for certificates, and the KSP is managed by templates in the UI. The TPM can also be used to protect certificates that are imported from an outside source. TPM-based certificates can be used exactly as standard certificates with the added functionality that the certificate can never leave the TPM from which the keys were generated. The TPM can now be used for crypto-operations through Cryptography API: Next Generation (CNG). For more info, see [Cryptography API: Next Generation](http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx). + ## TPM Owner Authorization Value -For Windows 8 a change to how the TPM owner authorization value is stored in AD DS was implemented in the AD DS schema. The TPM owner authorization value is now stored in a separate object which is linked to the Computer object. This value was stored as a property in the Computer object itself for the default Windows Server 2008 R2 schemas. Windows Server 2012 domain controllers have the default schema to backup TPM owner authorization information in the separate object. If you are not upgrading your domain controller to Windows Server 2012 you need to extend the schema to support this change. If Active Directory backup of the TPM owner authorization value is enabled in a Windows Server 2008 R2 environment without extending the schema, the TPM provisioning will fail and the TPM will remain in a Not Ready state for computers running Windows 8. + +For Windows 8 a change to how the TPM owner authorization value is stored in AD DS was implemented in the AD DS schema. The TPM owner authorization value is now stored in a separate object which is linked to the Computer object. +This value was stored as a property in the Computer object itself for the default Windows Server 2008 R2 schemas. Windows Server 2012 domain controllers have the default schema to backup TPM owner authorization information in the separate object. If you are not upgrading your domain controller to Windows Server 2012 you need to extend the schema to support this change. If Active Directory backup of the TPM owner authorization value is enabled in a Windows Server 2008 R2 environment without extending the schema, the TPM provisioning will fail and the TPM will remain in a Not Ready state for computers running Windows 8. + If your computer is not being joined to a domain the TPM owner authorization value will be stored in the local computer registry. Using BitLocker to encrypt the operating system drive will protect the owner authorization value from being disclosed when the computer is at rest, but there is a risk that a malicious user could obtain the TPM owner authorization value when the computer is unlocked. Therefore, we recommend that in this situation you configure your computer to automatically lock after 30 seconds of inactivity. If automatic locking is not used, then you should consider removing full owner authorization from the computer registry. + **Registry information** + Registry key: HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\TPM DWORD: OSManagedAuthLevel - ---- - - - - - - - - - - - - - - - - - - - - -
Value DataSetting

0

None

2

Delegated

4

Full

+ +| Value Data | Setting | +| - | - | +| 0 | None| +| 2 | Delegated| +| 4 | Full|   -**Note**   -If the operating system managed TPM authentication setting is changed from "Full" to "Delegated" the full TPM owner authorization value will be regenerated and any copies of the original TPM owner authorization value will be invalid. If you are backing up the TPM owner authorization value to AD DS, the new owner authorization value will be automatically backed up to AD DS when it is changed. +>**Note:**  If the operating system managed TPM authentication setting is changed from "Full" to "Delegated" the full TPM owner authorization value will be regenerated and any copies of the original TPM owner authorization value will be invalid. If you are backing up the TPM owner authorization value to AD DS, the new owner authorization value will be automatically backed up to AD DS when it is changed.   ## TPM Cmdlets + If you are using PowerShell to script and manage your computers, you can now manage the TPM using Windows PowerShell as well. To install the TPM cmdlets use the following command: -**dism /online /enable-feature /FeatureName:tpm-psh-cmdlets** + +`dism /online /enable-feature /FeatureName:tpm-psh-cmdlets` For details about the individual cmdlets, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx) + ## Physical presence interface -The TCG specifications for TPMs require physical presence to perform some TPM administrative functions, such as turning on and turning off the TPM. Physical presence means a person must physically interact with the system and the TPM interface to confirm or reject changes to TPM status. This typically cannot be automated with scripts or other automation tools unless the individual OEM supplies them. Here are some are examples of TPM administrative tasks that require physical presence: + +The TCG specifications for TPMs require physical presence to perform some TPM administrative functions, such as turning on and turning off the TPM. Physical presence means a person must physically interact with the system and the +TPM interface to confirm or reject changes to TPM status. This typically cannot be automated with scripts or other automation tools unless the individual OEM supplies them. Here are some are examples of TPM administrative tasks that require physical presence: + - Activating the TPM - Clearing the existing owner information from the TPM without the owner’s password - Deactivating the TPM - Disabling the TPM temporarily without the owner’s password + ## States of existence in a TPM + For each of these TPM 1.2 states of existence, the TPM can transition into another state (for example, moving from disabled to enabled). The states are not exclusive. + These states of existence do not apply for Trusted Platform Module 2.0 because it cannot be turned off from within the operating system environment. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
StateDescription

Enabled

Most features of the TPM are available.

-

The TPM can be enabled and disabled multiple times within a boot period, if ownership is taken.

Disabled

The TPM restricts most operations. Exceptions include the ability to report TPM capabilities, extend and reset Platform Configuration Register (PCR) functions, and perform hashing and basic initialization.

-

The TPM can be enabled and disabled multiple times within a start-up period.

Activated

Most features of the TPM are available. The TPM can be activated and deactivated only through physical presence, which requires a restart.

Deactivated

Similar to the disabled state, with the exception that ownership can be taken when the TPM is deactivated and enabled. The TPM can be activated and deactivated only through physical presence, which requires a restart.

Owned

Most features of the TPM are available. The TPM has an endorsement key and storage root key, and the owner knows information about owner authorization data.

Unowned

The TPM does not have a storage root key, and it may or may not have an endorsement key.

+ +| State | Description | +| - | - | +| Enabled| Most features of the TPM are available.
The TPM can be enabled and disabled multiple times within a boot period, if ownership is taken.| +| Disabled| The TPM restricts most operations. Exceptions include the ability to report TPM capabilities, extend and reset Platform Configuration Register (PCR) functions, and perform hashing and basic initialization.
The TPM can be enabled and disabled multiple times within a start-up period. | +| Activated| Most features of the TPM are available. The TPM can be activated and deactivated only through physical presence, which requires a restart.| +| Deactivated| Similar to the disabled state, with the exception that ownership can be taken when the TPM is deactivated and enabled. The TPM can be activated and deactivated only through physical presence, which requires a restart.| +| Owned| Most features of the TPM are available. The TPM has an endorsement key and storage root key, and the owner knows information about owner authorization data.| +| Unowned| The TPM does not have a storage root key, and it may or may not have an endorsement key.|   -**Important**   -Applications cannot use the TPM until the state is enabled, activated, and owned. All operations are available only when the TPM is in this state. +>**Important:**  Applications cannot use the TPM until the state is enabled, activated, and owned. All operations are available only when the TPM is in this state.   The state of the TPM exists independently of the computer’s operating system. When the TPM is enabled, activated, and owned, the state of the TPM is preserved if the operating system is reinstalled. + ## Endorsement keys -For a TPM to be usable by a trusted application, it must contain an endorsement key, which is an RSA key pair. The private half of the key pair is held inside the TPM, and it is never revealed or accessible outside the TPM. If the TPM does not contain an endorsement key, the application might cause the TPM to generate one automatically as part of the setup. + +For a TPM to be usable by a trusted application, it must contain an endorsement key, which is an RSA key pair. The private half of the key pair is held inside the TPM, and it is never revealed or accessible outside the TPM. If the +TPM does not contain an endorsement key, the application might cause the TPM to generate one automatically as part of the setup. An endorsement key can be created at various points in the TPM’s lifecycle, but it needs to be created only once for the lifetime of the TPM. The existence of an endorsement key is a requirement before TPM ownership can be taken. + ## Key attestation + TPM key attestation allows a certification authority to verify that a private key is actually protected by a TPM and that the TPM is one that the certification authority trusts. Endorsement keys which have been proven valid can be used to bind the user identity to a device. Moreover, the user certificate with a TPM attested key provides higher security assurance backed up by the non-exportability, anti-hammering, and isolation of keys provided by a TPM. + ## How the TPM mitigates dictionary attacks + When a TPM processes a command, it does so in a protected environment, for example, a dedicated microcontroller on a discrete chip or a special hardware-protected mode on the main CPU. A TPM can be used to create a cryptographic key that is not disclosed outside the TPM, but is able to be used in the TPM after the correct authorization value is provided. + TPMs have dictionary attack logic that is designed to prevent brute force attacks that attempt to determine authorization values for using a key. The basic approach is for the TPM to allow only a limited number of authorization failures before it prevents more attempts to use keys and locks. Providing a failure count for individual keys is not technically practical, so TPMs have a global lockout when too many authorization failures occur. + Because many entities can use the TPM, a single authorization success cannot reset the TPM’s dictionary attack logic. This prevents an attacker from creating a key with a known authorization value and then using it to reset the TPM’s dictionary attack logic. Generally TPMs are designed to forget about authorization failures after a period of time so the TPM does not enter a lockout state unnecessarily. A TPM owner password can be used to reset the TPM’s lockout logic. + ### TPM 2.0 dictionary attack behavior + TPM 2.0 has well defined dictionary attack logic behavior. This is in contrast to TPM 1.2 for which the dictionary attack logic was set by the manufacturer, and the logic varied widely throughout the industry. -**Warning**   -For the purposes of this topic, Windows 8 Certified Hardware also pertains to Windows 8.1 systems. The following references to “Windows” include these supported Windows versions. + +>**Warning:**  For the purposes of this topic, Windows 8 Certified Hardware also pertains to Windows 8.1 systems. The following references to “Windows” include these supported Windows versions.   For Windows 8 Certified Hardware systems with TPM 2.0, the TPM is configured by Windows to lock after 32 authorization failures and to forget one authorization failure every two hours. This means that a user could quickly attempt to use a key with the wrong authorization value 32 times. For each of the 32 attempts, the TPM records if the authorization value was correct or not. This inadvertently causes the TPM to enter a locked state after 32 failed attempts. + Attempts to use a key with an authorization value for the next two hours would not return success or failure; instead the response indicates that the TPM is locked. After two hours, one authorization failure is forgotten and the number of authorization failures remembered by the TPM drops to 31, so the TPM leaves the locked state and returns to normal operation. With the correct authorization value, keys could be used normally if no authorization failures occur during the next two hours. If a period of 64 hours elapses with no authorization failures, the TPM does not remember any authorization failures, and 32 failed attempts could occur again. + Windows 8 Certification does not require TPM 2.0 systems to forget about authorization failures when the system is fully powered off or when the system has hibernated. Windows does require that authorization failures are forgotten when the system is running normally, in a sleep mode, or in low power states other than off. If a Windows system with TPM 2.0 is locked, the TPM leaves lockout mode if the system is left on for two hours. + The dictionary attack logic for TPM 2.0 can be fully reset immediately by sending a reset lockout command to the TPM and providing the TPM owner password. By default, Windows automatically provisions TPM 2.0 and stores the TPM owner password for use by system administrators. + In some enterprise situations, the TPM owner authorization value is configured to be stored centrally in Active Directory, and it is not stored on the local system. An administrator can launch the TPM MMC and choose to reset the TPM lockout time. If the TPM owner password is stored locally, it is used to reset the lockout time. If the TPM owner password is not available on the local system, the administrator needs to provide it. If an administrator attempts to reset the TPM lockout state with the wrong TPM owner password, the TPM does not allow another attempt to reset the lockout state for 24 hours. + TPM 2.0 allows some keys to be created without an authorization value associated with them. These keys can be used when the TPM is locked. For example, BitLocker with a default TPM-only configuration is able to use a key in the TPM to start Windows, even when the TPM is locked. + ### Rationale behind the Windows 8.1 and Windows 8 defaults + Windows relies on the TPM 2.0 dictionary attack protection for multiple features. The defaults that are selected for Windows 8 balance trade-offs for different scenarios. For example, when BitLocker is used with a TPM plus PIN configuration, it needs the number of PIN guesses to be limited over time. If the computer is lost, someone could make only 32 PIN guesses immediately, and then only one more guess every two hours. This totals about 4415 guesses per year. This makes a good standard for system administrators to determine how many PIN characters to use for BitLocker deployments. + The Windows TPM-based smart card, which is a virtual smart card, can be configured to allow sign in to the system. In contrast with physical smart cards, the sign-in process uses a TPM-based key with an authorization value. The following list shows the advantages of virtual smart cards: + Physical smart cards can enforce lockout for only the physical smart card PIN, and they can reset the lockout after the correct PIN is entered. With a virtual smart card, the TPM’s dictionary attack is not reset after a successful authentication. The allowed number of authorization failures before the TPM enters lockout includes many factors. + Hardware manufacturers and software developers have the option to use the security features of the TPM to meet their requirements. + The intent of selecting 32 failures as the lock-out threshold is so users rarely lock the TPM (even when learning to type new passwords or if they frequently lock and unlock their computers). If users lock the TPM, they must to wait two hours or use some other credential to sign in, such as a user name and password. + ## How do I check the state of my TPM? + You can check the state of the TPM on a PC by running the Trusted Platform Module snap-in (tpm.msc). The **Status** heading tells you the state of your TPM. The TPM can be in one of the following states: **Ready for use**, **Ready for use, with reduced functionality**, and **Not ready for use**. To take advantage of most of the TPM features in Windows 10, the TPM must be **Ready for use**. + ## What can I do if my TPM is in reduced functionality mode? -If your TPM is in reduced functionality mode, some features that rely on the TPM will not function correctly. This is most often caused by doing a clean installation of Windows 10 on a device where Windows 8.1, Windows 8, or Windows 7 had previously been installed on the same hardware. If your TPM is in reduced functionality mode, the Status heading in the Trusted Platform Module snap-in shows **The TPM is ready for use, with reduced functionality**. You can fix this by clearing the TPM. + +If your TPM is in reduced functionality mode, some features that rely on the TPM will not function correctly. This is most often caused by doing a clean installation of Windows 10 on a device where Windows 8.1, Windows 8, or Windows 7 had previously been installed on the same hardware. If your TPM is in reduced functionality mode, the Status heading in the Trusted Platform Module snap-in shows **The TPM is ready for use, with reduced functionality**. +You can fix this by clearing the TPM. + **To clear the TPM** + 1. Open the Trusted Platform Module snap-in (tpm.msc). 2. Click **Clear TPM**, and then click **Restart.** 3. When the PC is restarting, you might be prompted to press a button on the keyboard to clear the TPM. 4. After the PC restarts, your TPM will be automatically prepared for use by Windows 10. -**Note**   -Clearing the TPM causes you to lose all TPM keys and data protected by those keys, such as a virtual smart card. You should not perform this procedure on a device you do not own, such as a work or school PC, without being instructed to do so by your IT administrator. + +>**Note:**  Clearing the TPM causes you to lose all TPM keys and data protected by those keys, such as a virtual smart card. You should not perform this procedure on a device you do not own, such as a work or school PC, without being instructed to do so by your IT administrator.   ## Additional resources -[Trusted Platform Module Technology Overview](trusted-platform-module-overview.md) -[Trusted Platform Module Services Group Policy Settings](trusted-platform-module-services-group-policy-settings.md) -[TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx) -[Schema Extensions for Windows Server 2008 R2 to support AD DS backup of TPM information from Windows 8 clients](ad-ds-schema-extensions-to-support-tpm-backup.md) -[TPM WMI providers](http://go.microsoft.com/fwlink/p/?LinkId=93478) -[Prepare your organization for BitLocker: Planning and Policies - TPM configurations](http://technet.microsoft.com/library/jj592683.aspx) -  -  + +- [Trusted Platform Module Technology Overview](trusted-platform-module-overview.md) +- [Trusted Platform Module Services Group Policy Settings](trusted-platform-module-services-group-policy-settings.md) +- [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx) +- [Schema Extensions for Windows Server 2008 R2 to support AD DS backup of TPM information from Windows 8 clients](ad-ds-schema-extensions-to-support-tpm-backup.md) +- [TPM WMI providers](http://go.microsoft.com/fwlink/p/?LinkId=93478) +- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](http://technet.microsoft.com/library/jj592683.aspx) diff --git a/windows/keep-secure/tpm-recommendations.md b/windows/keep-secure/tpm-recommendations.md index b9e5bc42f5..81b6385faf 100644 --- a/windows/keep-secure/tpm-recommendations.md +++ b/windows/keep-secure/tpm-recommendations.md @@ -2,76 +2,116 @@ title: TPM recommendations (Windows 10) description: This topic provides recommendations for Trusted Platform Module (TPM) technology for Windows 10. ms.assetid: E85F11F5-4E6A-43E7-8205-672F77706561 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # TPM recommendations + **Applies to** - Windows 10 - Windows 10 Mobile - Windows Server 2016 Technical Preview - Windows 10 IoT Core (IoT Core) + This topic provides recommendations for Trusted Platform Module (TPM) technology for Windows 10. + ## Overview + Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. It has a security-related crypto-processor that is designed to carry out cryptographic operations in a variety of devices and form factors. It includes multiple physical security mechanisms to help prevent malicious software from tampering with the security functions of the TPM. Some of the key advantages of using TPM technology are that you can: + 1. Generate, store, use, and protected cryptographic keys, 2. Use TPM technology for platform device authentication by using a unique endorsement key (EK), and 3. Help enhance platform integrity by taking and storing security measurements. + The most common TPM functions are used for system integrity measurements and for key creation and use. During the boot process of a system, the boot code that is loaded (including firmware and the operating system components) can be measured and recorded in the TPM. The integrity measurements can be used as evidence for how a system started and to make sure that a TPM-based key was used only when the correct software was used to boot the system. Traditionally, TPMs have been discrete chips soldered to a computer’s motherboard. Such implementations allow the computer’s original equipment manufacturer (OEM) to evaluate and certify the TPM separate from the rest of the system. Although discrete TPM implementations are still common, they can be problematic for integrated devices that are small or have low power consumption. Some newer TPM implementations integrate TPM functionality into the same chipset as other platform components while still providing logical separation similar to discrete TPM chips. + TPMs are passive: they receive commands and return responses. To realize the full benefit of a TPM, the OEM must carefully integrate system hardware and firmware with the TPM to send it commands and react to its responses. TPMs were originally designed to provide security and privacy benefits to a platform’s owner and users, but newer versions can provide security and privacy benefits to the system hardware itself. Before it can be used for advanced scenarios, however, a TPM must be provisioned. Windows 10 automatically provisions a TPM, but if the user reinstalls the operating system, he or she may need to tell the operating system to explicitly provision the TPM again before it can use all the TPM’s features. + The Trusted Computing Group (TCG) is the nonprofit organization that publishes and maintains the TPM specification. The TCG exists to develop, define, and promote vendor-neutral, global industry standards that support a hardware-based root of trust for interoperable trusted computing platforms. The TCG also publishes the TPM specification as the international standard ISO/IEC 11889, using the Publicly Available Specification Submission Process that the Joint Technical Committee 1 defines between the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). + OEMs implement the TPM as a component in a trusted computing platform, such as a PC, tablet, or phone. Trusted computing platforms use the TPM to support privacy and security scenarios that software alone cannot achieve. For example, software alone cannot reliably report whether malware is present during the system startup process. The close integration between TPM and platform increases the transparency of the startup process and supports evaluating device health by enabling reliable measuring and reporting of the software that starts the device. Implementation of a TPM as part of a trusted computing platform provides a hardware root of trust—that is, it behaves in a trusted way. For example, if a key stored in a TPM has properties that disallow exporting the key, that key truly cannot leave the TPM. + The TCG designed the TPM as a low-cost, mass-market security solution that addresses the requirements of different customer segments. There are variations in the security properties of different TPM implementations just as there are variations in customer and regulatory requirements for different sectors. In public-sector procurement, for example, some governments have clearly defined security requirements for TPMs whereas others do not. -**Note**   -Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +>**Note:**  Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.   ## TPM 1.2 vs. 2.0 comparison + From an industry standard, Microsoft has been an industry leader in moving and standardizing on TPM 2.0, which has many key realized benefits across algorithms, crypto, hierarchy, root keys, authorization and NV RAM. + ## Why TPM 2.0? + TPM 2.0 products and systems have important security advantages over TPM 1.2, including: + - The TPM 1.2 spec only allows for the use of RSA and the SHA-1 hashing algorithm. - For security reasons, some entities are moving away from SHA-1. Notably, NIST has required many federal agencies to move to SHA-256 as of 2014, and technology leaders, including Microsoft and Google have announced they will remove support for SHA-1 based signing or certificates in 2017. - TPM 2.0 **enables greater crypto agility** by being more flexible with respect to cryptographic algorithms. + - TPM 2.0 supports SHA-256 as well as ECC, the latter being critical to drive signing and key generation performance. - TPM 2.0 achieved ISO standardization ([ISO/IEC 11889:2015](http://blogs.microsoft.com/cybertrust/2015/06/29/governments-recognize-the-importance-of-tpm-2-0-through-iso-adoption/)). - Use of TPM 2.0 may help eliminate the need for OEMs to make exception to standard configurations for certain countries and regions. + - TPM 2.0 offers a more **consistent experience** across different implementations. + - TPM 1.2 implementations across both discrete and firmware vary in policy settings. This may result in support issues as lockout policies vary. - TPM 2.0 standardized policy requirement helps establish a consistent lockout experience across devices, as such, Windows can offer a better user experience end to end. + - While TPM 1.2 parts were discrete silicon components typically soldered on the motherboard, TPM 2.0 is available both as a **discrete (dTPM)** silicon component and as a **firmware (fTPM)** based component running in a trusted execution environment (TEE) on the system’s main SoC: + - On Intel chips, it is the Intel Management Engine (ME) or Converged Security Engine (CSE). - For AMD chips, it is the AMD Security Processor - For ARM chips, it is a Trustzone Trusted Application (TA). - In the case of firmware TPM for desktop Windows systems, the chip vendor provides the firmware TPM implementation along with the other chip firmware to OEMs. + ## Discrete or firmware TPM? + Windows uses discrete and firmware TPM in the same way. Windows gains no functional advantage or disadvantage from either option. + From a security standpoint, discrete and firmware share the same characteristics; + - Both use hardware based secure execution. - Both use firmware for portions of the TPM functionality. - Both are equipped with tamper resistance capabilities. - Both have unique security limitations/risks. + For more info, see [fTPM: A Firmware-based TPM 2.0 Implementation](http://research.microsoft.com/apps/pubs/?id=258236). + ## Is there any importance for TPM for consumer? + For end consumers, TPM is behind the scenes but still very relevant for Hello, Passport and in the future, many other key features in Windows 10. It offers the best Passport experience, helps encrypt passwords, secures streaming high quality 4K content and builds on our overall Windows 10 experience story for security as a critical pillar. Using Windows on a system with a TPM enables a deeper and broader level of security coverage. + ## TPM 2.0 Compliance for Windows 10 + ### Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) + - As of July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of a existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7, https://msdn.microsoft.com/library/windows/hardware/dn915086(v=vs.85).aspx) ## Two implementation options: -• Discrete TPM chip as a separate discrete component -• Firmware TPM solution using Intel PTT (platform trust technology) or AMD + +- Discrete TPM chip as a separate discrete component +- Firmware TPM solution using Intel PTT (platform trust technology) or AMD + ### Windows 10 Mobile + - All devices shipping with Windows 10 Mobile must implement TPM 2.0 and ship with the TPM 2.0 enabled. + ### IoT Core + - TPM is optional on IoT Core. + ### Windows Server 2016 Technical Preview + - TPM is optional for Windows Server SKUs unless the SKU meets the additional qualification (AQ) criteria for the Host Guardian Services scenario in which case TPM 2.0 is required. + ## TPM and Windows Features + The following table defines which Windows features require TPM support. Some features are not applicable to Windows 7/8/8.1 and are noted accordingly. + @@ -255,9 +295,11 @@ There are a variety of TPM manufacturers for both discrete and firmware.
  ## OEM Feedback and Status on TPM 2.0 system availability + ### Certified TPM parts + Government customers and enterprise customers in regulated industries may have acquisition standards that require use of common certified TPM parts. As a result, OEMs, who provide the devices, may be required to use only certified TPM components on their commercial class systems. Discrete TPM 2.0 vendors have completion certification. + ### Windows 7 32-bit support + Even though Windows 7 shipped before the TPM 2.0 spec or products existed, Microsoft backported TPM 2.0 support to Windows 7 64-bit and released it in summer 2014 as a downloadable Windows hotfix for UEFI based Windows 7 systems. Microsoft is not currently planning to backport support to Windows 7 32-bit support. -  -  diff --git a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md index 09251bb1f6..7db942d7ba 100644 --- a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md @@ -3,9 +3,10 @@ title: Troubleshoot Windows Defender ATP onboarding issues description: Troubleshoot issues that might arise during the onboarding of endpoints or to the Windows Defender ATP service. keywords: troubleshoot onboarding, onboarding issues, event viewer, data collection and preview builds, telemetry and diagnostics search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: iaanw --- @@ -38,7 +39,7 @@ If the endpoints aren't reporting correctly, you might need to check that the Wi **Check the onboarding state in Registry**: -1. Click **Start**, type **Run**, and press **Enter** +1. Click **Start**, type **Run**, and press **Enter**. 2. From the **Run** dialog box, type **regedit** and press **Enter**. diff --git a/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md index 1d15cf5dd7..8340e9dcc0 100644 --- a/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md @@ -3,9 +3,10 @@ title: Troubleshoot Windows Defender Advanced Threat Protection description: Find solutions and work arounds to known issues such as server errors when trying to access the service. keywords: troubleshoot Windows Defender Advanced Threat Protection, troubleshoot Windows ATP, server error, access denied, invalid credentials, no data, dashboard portal, whitelist, event viewer search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: mjcaparas --- # Troubleshoot Windows Defender Advanced Threat Protection diff --git a/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md b/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md index 24182d9e16..e60c0f663c 100644 --- a/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md +++ b/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md @@ -2,30 +2,41 @@ title: Troubleshoot Windows Defender in Windows 10 (Windows 10) description: IT professionals can review information about event IDs in Windows Defender for Windows 10 and see any relevant action they can take. ms.assetid: EE488CC1-E340-4D47-B50B-35BD23CB4D70 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +ms.pagetype: security author: jasesso --- + # Troubleshoot Windows Defender in Windows 10 + **Applies to** - Windows 10 + IT professionals can review information about event IDs in Windows Defender for Windows 10 and see any relevant action they can take. + ## Windows Defender client event IDs + This section provides the following information about Windows Defender client events: + - The text of the message as it appears in the event - The name of the source of the message - The symbolic name that identifies each message in the programming source code - Additional information about the message + Use the information in this table to help troubleshoot Windows Defender client events; these are located in the **Windows Event Viewer**, under **Windows Logs**. + **To view a Windows Defender client event** + 1. Open **Event Viewer**. 2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender**. 3. Double-click on **Operational**. 4. In the details pane, view the list of individual events to find your event. 5. Click the event to see specific details about an event in the lower pane, under the **General** and **Details** tabs. + You can find a complete list of the Microsoft antimalware event IDs, the symbol, and the description of each ID in [Windows Server Antimalware Events TechNet](https://technet.microsoft.com/library/dn913615.aspx). + @@ -3257,8 +3268,8 @@ article.

Event ID: 1000
+ ## Related topics -[Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md) -[Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md) -  -  + +- [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md) +- [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md) diff --git a/windows/keep-secure/trusted-platform-module-overview.md b/windows/keep-secure/trusted-platform-module-overview.md index 02ba8d12dc..e7b6e784ff 100644 --- a/windows/keep-secure/trusted-platform-module-overview.md +++ b/windows/keep-secure/trusted-platform-module-overview.md @@ -2,81 +2,75 @@ title: Trusted Platform Module Technology Overview (Windows 10) description: This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. The topic provides links to other resources about the TPM. ms.assetid: face8932-b034-4319-86ac-db1163d46538 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Trusted Platform Module Technology Overview + **Applies to** - Windows 10 + This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. The topic provides links to other resources about the TPM. + ## Feature description + Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. Some of the key advantages of using TPM technology are that you can: + - Generate, store, and limit the use of cryptographic keys. - Use TPM technology for platform device authentication by using the TPM’s unique RSA key, which is burned into itself. - Help ensure platform integrity by taking and storing security measurements. + The most common TPM functions are used for system integrity measurements and for key creation and use. During the boot process of a system, the boot code that is loaded (including firmware and the operating system components) can be measured and recorded in the TPM. The integrity measurements can be used as evidence for how a system started and to make sure that a TPM-based key was used only when the correct software was used to boot the system. + TPM-based keys can be configured in a variety of ways. One option is to make a TPM-based key unavailable outside the TPM. This is good to mitigate phishing attacks because it prevents the key from being copied and used without the TPM. TPM-based keys can also be configured to require an authorization value to use them. If too many incorrect authorization guesses occur, the TPM will activate its dictionary attack logic and prevent further authorization value guesses. + Different versions of the TPM are defined in specifications by the Trusted Computing Group (TCG). For more information, consult the TCG Web site (). + Windows can automatically provision and manage the TPM. Group Policy settings can be configured to control whether the TPM owner authorization value is backed up in Active Directory. Because the TPM state persists across operating system installations, TPM information is stored in a location in Active Directory that is separate from computer objects. Depending on an enterprise’s security goals, Group Policy can be configured to allow or prevent local administrators from resetting the TPM’s dictionary attack logic. Standard users can use the TPM, but Group Policy controls limit how many authorization failures standard users can attempt so that one user is unable to prevent other users or the administrator from using the TPM. TPM technology can also be used as a virtual smart card and for secure certificate storage. With BitLocker Network Unlock, domain-joined computers are not prompted for a BitLocker PIN. + ## Practical applications + Certificates can be installed or created on computers that are using the TPM. After a computer is provisioned, the RSA private key for a certificate is bound to the TPM and cannot be exported. The TPM can also be used as a replacement for smart cards, which reduces the costs associated with creating and disbursing smart cards. + Automated provisioning in the TPM reduces the cost of TPM deployment in an enterprise. New APIs for TPM management can determine if TPM provisioning actions require physical presence of a service technician to approve TPM state change requests during the boot process. + Antimalware software can use the boot measurements of the operating system start state to prove the integrity of a computer running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012. These measurements include the launch of Hyper-V to test that datacenters using virtualization are not running untrusted hypervisors. With BitLocker Network Unlock, IT administrators can push an update without concerns that a computer is waiting for PIN entry. + The TPM has several Group Policy settings that can be used to manage how it is used. These settings can be used to manage the owner authorization value, the blocked TPM commands, the standard user lockout, and the backup of the TPM to AD DS. For more info, see [Trusted Platform Module Services Group Policy Settings](trusted-platform-module-services-group-policy-settings.md). + ## New and changed functionality + For more info on new and changed functionality for Trusted Platform Module in Windows 10, see [What's new in Trusted Platform Module?](../whats-new/trusted-platform-module.md). + ## Device health attestation + Device health attestation enables enterprises to establish trust based on hardware and software components of a managed device. With device heath attestation, you can configure an MDM server to query a health attestation service that will allow or deny a managed device access to a secure resource. + Some things that you can check on the device are: + - Is Data Execution Prevention supported and enabled? - Is BitLocker Drive Encryption supported and enabled? - Is SecureBoot supported and enabled? -**Note**  The device must be running Windows 10 and it must support at least TPM 2.0. + +>**Note:**  The device must be running Windows 10 and it must support at least TPM 2.0.   ## Supported versions - ------- - - - - - - - - - - - - - - - - - - - - - - - - - -
TPM versionWindows 10Windows Server 2012 R2, Windows 8.1, and Windows RTWindows Server 2012, Windows 8, and Windows RTWindows Server 2008 R2 and Windows 7

TPM 1.2

X

X

X

X

TPM 2.0

X

X

X

X

-  + +| TPM version | Windows 10 | Windows Server 2012 R2, Windows 8.1, and Windows RT | Windows Server 2012, Windows 8, and Windows RT | Windows Server 2008 R2 and Windows 7 | +| - | - | - | - | - | +| TPM 1.2| X| X| X| X| +| TPM 2.0| X| X| X| X| + ## Additional Resources -[TPM Fundamentals](tpm-fundamentals.md) -[TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md) -[TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx) -[AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md) -[Prepare your organization for BitLocker: Planning and Policies - TPM configurations](http://technet.microsoft.com/library/jj592683.aspx) + +- [TPM Fundamentals](tpm-fundamentals.md) +- [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md) +- [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx) +- [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md) +- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](http://technet.microsoft.com/library/jj592683.aspx)     diff --git a/windows/keep-secure/trusted-platform-module-services-group-policy-settings.md b/windows/keep-secure/trusted-platform-module-services-group-policy-settings.md index 4b274eecc5..ff626bb1de 100644 --- a/windows/keep-secure/trusted-platform-module-services-group-policy-settings.md +++ b/windows/keep-secure/trusted-platform-module-services-group-policy-settings.md @@ -2,230 +2,188 @@ title: TPM Group Policy settings (Windows 10) description: This topic for the IT professional describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings. ms.assetid: 54ff1c1e-a210-4074-a44e-58fee26e4dbd -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # TPM Group Policy settings + **Applies to** - Windows 10 + This topic for the IT professional describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings. + ## + The TPM Services Group Policy settings are located at: + **Computer Configuration\\Administrative Templates\\System\\Trusted Platform Module Services\\** - -------- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
SettingWindows 10Windows Server 2012 R2, Windows 8.1 and Windows RTWindows Server 2012, Windows 8 and Windows RTWindows Server 2008 R2 and Windows 7Windows Server 2008 and Windows Vista

[Turn on TPM backup to Active Directory Domain Services](#bkmk-tpmgp-addsbu)

X

X

X

X

X

[Configure the list of blocked TPM commands](#bkmk-tpmgp-clbtc)

X

X

X

X

X

[Ignore the default list of blocked TPM commands](#bkmk-tpmgp-idlb)

X

X

X

X

X

[Ignore the local list of blocked TPM commands](#bkmk-tpmgp-illb)

X

X

X

X

X

[Configure the level of TPM owner authorization information available to the operating system](#bkmk-tpmgp-oauthos)

X

X

X

[Standard User Lockout Duration](#bkmk-tpmgp-suld)

X

X

X

[Standard User Individual Lockout Threshold](#bkmk-tpmgp-suilt)

X

X

X

[Standard User Total Lockout Threshold](#bkmk-tpmgpsutlt)

X

X

X

+ +| Setting | Windows 10 | Windows Server 2012 R2, Windows 8.1 and Windows RT | Windows Server 2012, Windows 8 and Windows RT | Windows Server 2008 R2 and Windows 7 | Windows Server 2008 and Windows Vista | +| - | - | - | - | - | - | +| [Turn on TPM backup to Active Directory Domain Services](#bkmk-tpmgp-addsbu) | X| X| X| X| X| +| [Configure the list of blocked TPM commands](#bkmk-tpmgp-clbtc)| X| X| X| X| X| +| [Ignore the default list of blocked TPM commands](#bkmk-tpmgp-idlb) | X| X| X| X| X| +| [Ignore the local list of blocked TPM commands](#bkmk-tpmgp-illb) | X| X| X| X| X| +| [Configure the level of TPM owner authorization information available to the operating system](#bkmk-tpmgp-oauthos)| X| X| X||| +| [Standard User Lockout Duration](#bkmk-tpmgp-suld)| X| X| X||| +| [Standard User Individual Lockout Threshold](#bkmk-tpmgp-suilt)| X| X| X||| +| [Standard User Total Lockout Threshold](#bkmk-tpmgpsutlt)| X| X| X||||   ### Turn on TPM backup to Active Directory Domain Services + This policy setting allows you to manage the Active Directory Domain Services (AD DS) backup of TPM owner information. -**Note**   -This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table). + +>**Note:**  This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table).   TPM owner information includes a cryptographic hash of the TPM owner password. Certain TPM commands can be run only by the TPM owner. This hash authorizes the TPM to run these commands. -**Important**   -To back up TPM owner information from a computer running Windows 10, Windows 8.1, or Windows 8, you might need to first set up appropriate schema extensions and access control settings on the domain so that the AD DS backup can succeed. Windows Server 2012 R2 and Windows Server 2012 include the required schema extensions by default. For more information, see [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md). + +>**Important:**  To back up TPM owner information from a computer running Windows 10, Windows 8.1, or Windows 8, you might need to first set up appropriate schema extensions and access control settings on the domain so that the AD DS backup can succeed. Windows Server 2012 R2 and Windows Server 2012 include the required schema extensions by default. For more information, see [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md).   The TPM cannot be used to provide enhanced security features for BitLocker Drive Encryption and other applications without first setting an owner. To take ownership of the TPM with an owner password, on a local computer at the command prompt, type **tpm.msc** to open the TPM Management Console and select the action to **Initialize TPM**. If the TPM owner information is lost or is not available, limited TPM management is possible by running **tpm.msc**. + If you enable this policy setting, TPM owner information will be automatically and silently backed up to AD DS when you use Windows to set or change a TPM owner password. When this policy setting is enabled, a TPM owner password cannot be set or changed unless the computer is connected to the domain and the AD DS backup succeeds. + If you disable or do not configure this policy setting, TPM owner information will not be backed up to AD DS. + ### Configure the list of blocked TPM commands + This policy setting allows you to manage the Group Policy list of Trusted Platform Module (TPM) commands that are blocked by Windows. -**Note**   -This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table). + +>**Note:**  This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table).   If you enable this policy setting, Windows will block the specified commands from being sent to the TPM on the computer. TPM commands are referenced by a command number. For example, command number 129 is **TPM\_OwnerReadInternalPub**, and command number 170 is **TPM\_FieldUpgrade**. To find the command number that is associated with each TPM command, at the command prompt, type **tpm.msc**to open the TPM Management Console and navigate to the **Command Management** section. + If you disable or do not configure this policy setting, only those TPM commands that are specified through the default or local lists can be blocked by Windows. The default list of blocked TPM commands is preconfigured by Windows. + - You can view the default list by typing **tpm.msc** at the command prompt, navigating to the **Command Management** section, and exposing the **On Default Block List** column. - The local list of blocked TPM commands is configured outside of Group Policy by running the TPM Management Console or scripting using the **Win32\_Tpm** interface. + For information how to enforce or ignore the default and local lists of blocked TPM commands, see + - [Ignore the default list of blocked TPM commands](#bkmk-tpmgp-idlb) - [Ignore the local list of blocked TPM commands](#bkmk-tpmgp-illb) ### Ignore the default list of blocked TPM commands + This policy setting allows you to enforce or ignore the computer's default list of blocked Trusted Platform Module (TPM) commands. -**Note**   -This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table). + +>**Note:**  This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table).   The default list of blocked TPM commands is preconfigured by Windows. You can view the default list by typing **tpm.msc** at the command prompt to open the TPM Management Console, navigating to the **Command Management** section, and exposing the **On Default Block List** column. Also see the related policy setting, [Configure the list of blocked TPM commands](#bkmk-tpmgp-clbtc). + If you enable this policy setting, the Windows operating system will ignore the computer's default list of blocked TPM commands, and it will block only those TPM commands that are specified by Group Policy or the local list. + If you disable or do not configure this policy setting, Windows will block the TPM commands in the default list, in addition to the commands that are specified by Group Policy and the local list of blocked TPM commands. + ### Ignore the local list of blocked TPM commands + This policy setting allows you to enforce or ignore the computer's local list of blocked Trusted Platform Module (TPM) commands. -**Note**   -This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table). + +>**Note:**  This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table).   The local list of blocked TPM commands is configured outside of Group Policy by typing **tpm.msc** at the command prompt to open the TPM Management Console, or scripting using the **Win32\_Tpm** interface. (The default list of blocked TPM commands is preconfigured by Windows.) Also see the related policy setting to **Configure the list of blocked TPM commands**. + If you enable this policy setting, the Windows operating system will ignore the computer's local list of blocked TPM commands, and it will block only those TPM commands that are specified by Group Policy or the default list. + If you disable or do not configure this policy setting, Windows will block the TPM commands in the local list, in addition to the commands that are specified in Group Policy and the default list of blocked TPM commands. + ### Configure the level of TPM owner authorization information available to the operating system + This policy setting configures how much of the TPM owner authorization information is stored in the registry of the local computer. Depending on the amount of TPM owner authorization information that is stored locally, the Windows operating system and TPM-based applications can perform certain actions in the TPM that require TPM owner authorization without requiring the user to enter the TPM owner password. -**Note**   -This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table). + +>**Note:**  This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table).   There are three TPM owner authentication settings that are managed by the Windows operating system. You can choose a value of **Full**, **Delegate**, or **None**. + - **Full**   This setting stores the full TPM owner authorization, the TPM administrative delegation blob, and the TPM user delegation blob in the local registry. With this setting, you can use the TPM without requiring remote or external storage of the TPM owner authorization value. This setting is appropriate for scenarios that do not require you to reset the TPM anti-hammering logic or change the TPM owner authorization value. Some TPM-based applications may require that this setting is changed before features that depend on the TPM anti-hammering logic can be used. - **Delegated**   This setting stores only the TPM administrative delegation blob and the TPM user delegation blob in the local registry. This setting is appropriate for use with TPM-based applications that depend on the TPM antihammering logic. When you use this setting, we recommend using external or remote storage for the full TPM owner authorization value—for example, backing up the value in Active Directory Domain Services (AD DS). - **None**   This setting provides compatibility with previous operating systems and applications. You can also use it for scenarios when TPM owner authorization cannot be stored locally. Using this setting might cause issues with some TPM-based applications. -**Note**   -If the operating system managed TPM authentication setting is changed from **Full** to **Delegated**, the full TPM owner authorization value will be regenerated, and any copies of the previously set TPM owner authorization value will be invalid. If you are backing up the TPM owner authorization value to AD DS, the new owner authorization value is automatically backed up to AD DS when it is changed. + +>**Note:**  If the operating system managed TPM authentication setting is changed from **Full** to **Delegated**, the full TPM owner authorization value will be regenerated, and any copies of the previously set TPM owner authorization value will be invalid. If you are backing up the TPM owner authorization value to AD DS, the new owner authorization value is automatically backed up to AD DS when it is changed.   **Registry information** + Registry key: HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\TPM + DWORD: OSManagedAuthLevel + The following table shows the TPM owner authorization values in the registry. - ---- - - - - - - - - - - - - - - - - - - - - -
Value DataSetting

0

None

2

Delegated

4

Full

+ +| Value Data | Setting | +| - | - | +| 0 | None| +| 2 | Delegated| +| 4 | Full|   If you enable this policy setting, the Windows operating system will store the TPM owner authorization in the registry of the local computer according to the TPM authentication setting you choose. -If you disable or do not configure this policy setting, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is also disabled or not configured, the default setting is to store the full TPM authorization value in the local registry. If this policy is disabled or not configured, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is enabled, only the administrative delegation and the user delegation blobs are stored in the local registry. + +If you disable or do not configure this policy setting, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is also disabled or not configured, the default setting is to store the full TPM authorization value in the local registry. If this policy is disabled or not +configured, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is enabled, only the administrative delegation and the user delegation blobs are stored in the local registry. + ### Standard User Lockout Duration -This policy setting allows you to manage the duration in minutes for counting standard user authorization failures for Trusted Platform Module (TPM) commands requiring authorization. An authorization failure occurs each time a standard user sends a command to the TPM and receives an error response that indicates an authorization failure occurred. Authorization failures that are older than the duration you set are ignored. If the number of TPM commands with an authorization failure within the lockout duration equals a threshold, a standard user is prevented from sending commands that require authorization to the TPM. -**Note**   -This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table). + +This policy setting allows you to manage the duration in minutes for counting standard user authorization failures for Trusted Platform Module (TPM) commands requiring authorization. An authorization failure occurs each time a standard user sends a command to the TPM and receives an error response that indicates an authorization failure occurred. Authorization failures that are older than the duration you set are ignored. If the number of TPM commands with an authorization failure within the lockout duration equals a threshold, a standard user is prevented from sending commands that require +authorization to the TPM. + +>**Note:**  This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table).   The TPM is designed to protect itself against password guessing attacks by entering a hardware lockout mode when it receives too many commands with an incorrect authorization value. When the TPM enters a lockout mode, it is global for all users (including administrators) and for Windows features such as BitLocker Drive Encryption. + The number of authorization failures that a TPM allows and how long it stays locked vary by TPM manufacturer. Some TPMs may enter lockout mode for successively longer periods of time, with fewer authorization failures, depending on past failures. Some TPMs may require a system restart to exit the lockout mode. Other TPMs may require that the system is on so enough clock cycles elapse before the TPM exits the lockout mode. + This setting helps administrators prevent the TPM hardware from entering a lockout mode by slowing the speed at which standard users can send commands that require authorization to the TPM. + For each standard user, two thresholds apply. Exceeding either threshold prevents the user from sending a command that requires authorization to the TPM. Use the following policy settings to set the lockout duration: + - [Standard User Individual Lockout Threshold](#bkmk-individual)   This value is the maximum number of authorization failures that each standard user can have before the user is not allowed to send commands that require authorization to the TPM. - [Standard User Total Lockout Threshold](#bkmk-total)   This value is the maximum total number of authorization failures that all standard users can have before all standard users are not allowed to send commands that require authorization to the TPM. + An administrator with the TPM owner password can fully reset the TPM's hardware lockout logic by using the TPM Management Console (tpm.msc). Each time an administrator resets the TPM's hardware lockout logic, all prior standard user TPM authorization failures are ignored. This allows standard users to immediately use the TPM normally. + If you do not configure this policy setting, a default value of 480 minutes (8 hours) is used. + ### Standard User Individual Lockout Threshold + This policy setting allows you to manage the maximum number of authorization failures for each standard user for the Trusted Platform Module (TPM). This value is the maximum number of authorization failures that each standard user can have before the user is not allowed to send commands that require authorization to the TPM. If the number of authorization failures for the user within the duration that is set for the **Standard User Lockout Duration** policy setting equals this value, the standard user is prevented from sending commands that require authorization to the Trusted Platform Module (TPM). -**Note**   -This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table). + +>**Note:**  This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table).   This setting helps administrators prevent the TPM hardware from entering a lockout mode by slowing the speed at which standard users can send commands that require authorization to the TPM. + An authorization failure occurs each time a standard user sends a command to the TPM and receives an error response indicating an authorization failure occurred. Authorization failures older than the duration are ignored. + An administrator with the TPM owner password can fully reset the TPM's hardware lockout logic by using the TPM Management Console (tpm.msc). Each time an administrator resets the TPM's hardware lockout logic, all prior standard user TPM authorization failures are ignored. This allows standard users to immediately use the TPM normally. + If you do not configure this policy setting, a default value of 4 is used. A value of zero means that the operating system will not allow standard users to send commands to the TPM, which might cause an authorization failure. + ### Standard User Total Lockout Threshold + This policy setting allows you to manage the maximum number of authorization failures for all standard users for the Trusted Platform Module (TPM). If the total number of authorization failures for all standard users within the duration that is set for the **Standard User Lockout Duration** policy equals this value, all standard users are prevented from sending commands that require authorization to the Trusted Platform Module (TPM). -**Note**   -This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table). + +>**Note:**  This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table).   This setting helps administrators prevent the TPM hardware from entering a lockout mode because it slows the speed standard users can send commands requiring authorization to the TPM. + An authorization failure occurs each time a standard user sends a command to the TPM and receives an error response indicating an authorization failure occurred. Authorization failures older than the duration are ignored. + For each standard user two thresholds apply. Exceeding either threshold will prevent the standard user from sending a command to the TPM that requires authorization. + 1. The standard user individual lockout value is the maximum number of authorization failures each standard user may have before the user is not allowed to send commands requiring authorization to the TPM. 2. The standard user total lockout threshold value is the maximum total number of authorization failures all standard users may have before all standard users are not allowed to send commands requiring authorization to the TPM. -The TPM is designed to protect itself against password guessing attacks by entering a hardware lockout mode when it receives too many commands with an incorrect authorization value. When the TPM enters a lockout mode, it is global for all users (including administrators) and for Windows features such as BitLocker Drive Encryption.. +The TPM is designed to protect itself against password guessing attacks by entering a hardware lockout mode when it receives too many commands with an incorrect authorization value. When the TPM enters a lockout mode, it is global for all users (including administrators) and for Windows features +such as BitLocker Drive Encryption.. + The number of authorization failures a TPM allows and how long it stays locked out vary by TPM manufacturer. Some TPMs may enter lockout mode for successively longer periods of time with fewer authorization failures depending on past failures. Some TPMs may require a system restart to exit the lockout mode. Other TPMs may require the system to be on so enough clock cycles elapse before the TPM exits the lockout mode. + An administrator with the TPM owner password can fully reset the TPM's hardware lockout logic by using the TPM Management Console (tpm.msc). Each time an administrator resets the TPM's hardware lockout logic, all prior standard user TPM authorization failures are ignored. This allows standard users to immediately use the TPM normally. + If you do not configure this policy setting, a default value of 9 is used. A value of zero means that the operating system will not allow standard users to send commands to the TPM, which might cause an authorization failure. + ## Additional resources -[Trusted Platform Module Technology Overview](trusted-platform-module-overview.md) -[TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx) -[Prepare your organization for BitLocker: Planning and Policies - TPM configurations](http://technet.microsoft.com/library/jj592683.aspx) -  -  + +- [Trusted Platform Module Technology Overview](trusted-platform-module-overview.md) +- [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx) +- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](http://technet.microsoft.com/library/jj592683.aspx) diff --git a/windows/keep-secure/types-of-attacks-for-volume-encryption-keys.md b/windows/keep-secure/types-of-attacks-for-volume-encryption-keys.md index 057ed8dad2..96a64490d0 100644 --- a/windows/keep-secure/types-of-attacks-for-volume-encryption-keys.md +++ b/windows/keep-secure/types-of-attacks-for-volume-encryption-keys.md @@ -2,43 +2,69 @@ title: Types of attacks for volume encryption keys (Windows 10) description: There are many ways Windows helps protect your organization from attacks, including Unified Extensible Firmware Interface (UEFI) secure boot, Trusted Platform Module (TPM), Group Policy, complex passwords, and account lockouts. ms.assetid: 405060a9-2009-44fc-9f84-66edad32c6bc -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Types of attacks for volume encryption keys + **Applies to** - Windows 10 + There are many ways Windows helps protect your organization from attacks, including Unified Extensible Firmware Interface (UEFI) secure boot, Trusted Platform Module (TPM), Group Policy, complex passwords, and account lockouts. + The next few sections describe each type of attack that could be used to compromise a volume encryption key, whether for BitLocker or a non-Microsoft encryption solution. After an attacker has compromised a volume encryption key, the attacker can read data from your system drive or even install malware while Windows is offline. Each section begins with a graphical overview of the attack’s strengths and weaknesses as well as suggested mitigations. + ### Bootkit and rootkit attacks + Rootkits are a sophisticated and dangerous type of malware that runs in kernel mode, using the same privileges as the operating system. Because rootkits have the same or possibly even more rights than the operating system, they can completely hide themselves from Windows and even an antimalware solution. Often, rootkits are part of an entire suite of malware that can bypass local logins, record passwords, transfer private files, and capture cryptography keys. + Different types of bootkits and rootkits load at different software levels: + - **Kernel level.** Rootkits running at the kernel level have the highest privilege in the operating system. They may be able to inject malicious code or replace portions of the core operating system, including both the kernel and device drivers. - **Application level.** These rootkits are aimed to replace application binaries with malicious code, such as a Trojan, and can even modify the behavior of existing applications. - **Library level.** The purpose of library-level rootkits is to hook, patch, or replace system calls with malicious code that can hide the malware’s presence. - **Hypervisor level.** Hypervisor rootkits target the boot sequence. Their primary purpose is to modify the boot sequence to load themselves as a hypervisor. - **Firmware level.** These rootkits overwrite the PC’s BIOS firmware, giving the malware low-level access and potentially the ability to install or hide malware, even if it’s cleaned or removed from the hard disk. + Regardless of the operating system or encryption method, rootkits have access to confidential data once installed. Application-level rootkits can read any files the user can access, bypassing volume-level encryption. Kernel-, library-, hypervisor-, and firmware-level rootkits have direct access to system files on encrypted volumes and can also retrieve an encryption key from memory. + Windows offers substantial protection from bootkits and rootkits, but it is possible to bypass operating system security when an attacker has physical access to the device and can install the malware to the device while Windows is offline. For example, an attacker might boot a PC from a USB flash drive containing malware that starts before Windows. The malware can replace system files or the PC’s firmware or simply start Windows under its control. + To sufficiently protect a PC from boot and rootkits, devices must use pre-boot authentication or Secure Boot, or the encryption solution must use the device’s Trusted Platform Module (TPM) as a means of monitoring the integrity of the end-to-end boot process. Pre-boot authentication is available for any device, regardless of the hardware, but because it is inconvenient to users, it should be used only to mitigate threats that are applicable to the device. On devices with Secure Boot enabled, you do not need to use pre-boot authentication to protect against boot and rootkit attacks. + Although password protection of the UEFI configuration is important for protecting a device’s configuration and preventing an attacker from disabling Secure Boot, use of a TPM and its Platform Configuration Register (PCR) measurements (PCR7) to ensure that the system’s bootloader (whether a Windows or non-Microsoft encryption solution) is tamper free and the first code to start on the device is critical. An encryption solution that doesn’t use a device’s TPM to protect its components from tampering may be unable to protect itself from bootkit-level infections that could log a user’s password or acquire encryption keys. + For this reason, when BitLocker is configured on devices that include a TPM, the TPM and its PCRs are always used to secure and confirm the integrity of the pre–operating system environment before making encrypted volumes accessible. + Any changes to the UEFI configuration invalidates the PCR7 and require the user to enter the BitLocker recovery key. Because of this feature, it’s not critical to password-protect your UEFI configuration. If an attacker successfully turns off Secure Boot or otherwise changes the UEFI configuration, they will need to enter the BitLocker recovery key, but UEFI password protection is a best practice and is still required for systems not using a TPM (such as non-Microsoft alternatives). + ### Brute-force Sign-in Attacks + Attackers can find any password if you allow them to guess enough times. The process of trying millions of different passwords until you find the right one is known as a *brute-force sign-in attack*. In theory, an attacker could obtain any password by using this method. + Three opportunities for brute-force attacks exist: + - **Against the pre-boot authenticator.** An attacker could attack the device directly by attempting to guess the user’s BitLocker PIN or an equivalent authenticator. The TPM mitigates this approach by invoking an anti-hammering lockout capability that requires the user to wait until the lockout period ends or enter the BitLocker recovery key. - **Against the recovery key.** An attacker could attempt to guess the 48-digit BitLocker recovery key. Even without a lockout period, the key is long enough to make brute-force attacks impractical. Specifically, the BitLocker recovery key has 128 bits of entropy; thus, the average brute-force attack would succeed after 18,446,744,073,709,551,616 guesses. If an attacker could guess 1 million passwords per second, the average brute-force attack would require more than 580,000 years to be successful. - **Against the operating system sign-in authenticator.** An attacker can attempt to guess a valid user name and password. Windows implements a delay between password guesses, slowing down brute-force attacks. In addition, all recent versions of Windows allow administrators to require complex passwords and password lockouts. Similarly, administrators can use Microsoft Exchange ActiveSync policy or Group Policy to configure Windows 8.1 and Windows 8 to automatically restart and require the user to enter the BitLocker 48-digit recovery key after a specified number of invalid password attempts. When these settings are enabled and users follow best practices for complex passwords, brute-force attacks against the operating system sign-in are impractical. + In general, brute-force sign-in attacks are not practical against Windows when administrators enforce complex passwords and account lockouts. + ### Direct Memory Access Attacks + Direct memory access (DMA) allows certain types of hardware devices to communicate directly with a device’s system memory. For example, if you use Thunderbolt to connect another device to your computer, the second device automatically has Read and Write access to the target computer’s memory. + Unfortunately, DMA ports don’t use authentication and access control to protect the contents of the computer’s memory. Whereas Windows can often prevent system components and apps from reading and writing to protected parts of memory, a device can use DMA to read any location in memory, including the location of any encryption keys. -DMA attacks are relatively easy to execute and require little technical skills. Anyone can download a tool from the Internet, such as those made by [Passware](http://www.lostpassword.com/), [ElcomSoft](http://elcomsoft.com/), and others, and then use a DMA attack to read confidential data from a PC’s memory. Because encryption solutions store their encryption keys in memory, they can be accessed by a DMA attack. + +DMA attacks are relatively easy to execute and require little technical skills. Anyone can download a tool from the Internet, such as those made by [Passware](http://www.lostpassword.com/), [ElcomSoft](http://elcomsoft.com/), and +others, and then use a DMA attack to read confidential data from a PC’s memory. Because encryption solutions store their encryption keys in memory, they can be accessed by a DMA attack. + Not all port types are vulnerable to DMA attacks. USB in particular does not allow DMA, but devices that have any of the following port types are vulnerable: + - FireWire - Thunderbolt - ExpressCard @@ -46,37 +72,57 @@ Not all port types are vulnerable to DMA attacks. USB in particular does not all - PCI - PCI-X - PCI Express -To perform a DMA attack, attackers typically connect a second PC that is running a memory-scanning tool (for example, Passware, ElcomSoft) to the FireWire or Thunderbolt port of the target computer. When connected, the software scans the system memory of the target and locates the encryption key. Once acquired, the key can be used to decrypt the drive and read or modify its contents. + +To perform a DMA attack, attackers typically connect a second PC that is running a memory-scanning tool (for example, Passware, ElcomSoft) to the FireWire or Thunderbolt port of the target computer. When connected, the software +scans the system memory of the target and locates the encryption key. Once acquired, the key can be used to decrypt the drive and read or modify its contents. + A much more efficient form of this attack exists in theory: An attacker crafts a custom FireWire or Thunderbolt device that has the DMA attack logic programmed on it. Now, the attacker simply needs to physically connect the device. If the attacker does not have physical access, they could disguise it as a free USB flash drive and distribute it to employees of a target organization. When connected, the attacking device could use a DMA attack to scan the PC’s memory for the encryption key. It could then transmit the key (or any data in the PC’s memory) using the PC’s Internet connection or its own wireless connection. This type of attack would require an extremely high level of sophistication, because it requires that the attacker create a custom device (devices of these types are not readily available in the marketplace at this time). + Today, one of the most common uses for DMA ports on Windows devices is for developer debugging, a task that some developers need to perform and one that few consumers will ever perform. Because USB; DisplayPort; and other, more secure port types satisfy consumers, most new mobile PCs do not include DMA ports. Microsoft’s view is that because of the inherent security risks of DMA ports, they do not belong on mobile devices, and Microsoft has prohibited their inclusion on any InstantGo-certified devices. InstantGo devices offer mobile phone–like power management and instant-on capabilities; at the time of writing, they are primarily found in Windows tablets. + DMA-based expansion slots are another avenue of attack, but these slots generally appear only on desktop PCs that are designed for expansion. Organizations can use physical security to prevent outside attacks against their desktop PCs. In addition, a DMA attack on the expansion slot would require a custom device; as a result, an attacker would most likely insert an interface with a traditional DMA port (for example, FireWire) into the slot to attack the PC. + To mitigate a port-based DMA attack an administrator can configure policy settings to disable FireWire and other device types that have DMA. Also, many PCs allow those devices to be disabled by using firmware settings. Although the need for pre-boot authentication can be eliminated at the device level or through Windows configuration, the BitLocker pre-boot authentication feature is still available when needed. When used, it successfully mitigates all types of DMA port and expansion slot attacks on any type of device. + ### Hyberfil.sys Attacks + The hyberfil.sys file is the Windows hibernation file. It contains a snapshot of system memory that is generated when a device goes into hibernation and includes the encryption key for BitLocker and other encryption technologies. Attackers have claimed that they have successfully extracted encryption keys from the hyberfil.sys file. + Like the DMA port attack discussed in the previous section, tools are available that can scan the hyberfile.sys file and locate the encryption key, including a tool made by [Passware](http://www.lostpassword.com/). Microsoft does not consider Windows to be vulnerable to this type of attack, because Windows stores the hyberfil.sys file within the encrypted system volume. As a result, the file would be accessible only if the attacker had both physical and sign-in access to the PC. When an attacker has sign-in access to the PC, there are few reasons for the attacker to decrypt the drive, because they would already have full access to the data within it. + In practice, the only reason an attack on hyberfil.sys would grant an attacker additional access is if an administrator had changed the default Windows configuration and stored the hyberfil.sys file on an unencrypted drive. By default, Windows 10 is designed to be secure against this type of attack. + ### Memory Remanence Attacks + A memory remanence attack is a side-channel attack that reads the encryption key from memory after restarting a PC. Although a PC’s memory is often considered to be cleared when the PC is restarted, memory chips don’t immediately lose their memory when you disconnect power. Therefore, an attacker who has physical access to the PC’s memory might be able to read data directly from the memory—including the encryption key. + When performing this type of cold boot attack, the attacker accesses the PC’s physical memory and recovers the encryption key within a few seconds or minutes of disconnecting power. This type of attack was demonstrated by researchers at [Princeton University](http://www.youtube.com/watch?v=JDaicPIgn9U). With the encryption key, the attacker would be able to decrypt the drive and access its files. + To acquire the keys, attackers follow this process: + 1. Freeze the PC’s memory. For example, an attacker can freeze the memory to −50°C by spraying it with aerosol air duster spray. 2. Restart the PC. 3. Instead of restarting Windows, boot to another operating system. Typically, this is done by connecting a bootable flash drive or loading a bootable DVD. 4. The bootable media loads the memory remanence attack tools, which the attacker uses to scan the system memory and locate the encryption keys. 5. The attacker uses the encryption keys to access the drive’s data. + If the attacker is unable to boot the device to another operating system (for example, if bootable flash drives have been disabled or Secure Boot is enabled), the attacker can attempt to physically remove the frozen memory from the device and attach it to a different, possibly identical device. Fortunately, this process has proven extremely unreliable, as evidenced by the Defence Research and Development Canada (DRDC) Valcartier group’s analysis (see [An In-depth Analysis of the Cold Boot Attack](http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA545078)). On an increasing portion of modern devices, this type of attack is not even possible, because memory is soldered directly to the motherboard. + Although Princeton’s research proved that this type of attack was possible on devices that have removable memory, device hardware has changed since the research was published in 2008: + - Secure Boot prevents the malicious tools that the Princeton attack depends on from running on the target device. - Windows systems with BIOS or UEFI can be locked down with a password, and booting to a USB drive can be prevented. - If booting to USB is required on the device, it can be limited to starting trusted operating systems by using Secure Boot. - The discharge rates of memory are highly variable among devices, and many devices have memory that is completely immune to memory remanence attacks. - Increased density of memory diminishes their remanence properties and reduces the likelihood that the attack can be successfully executed, even when memory is physically removed and placed in an identical system where the system’s configuration may enable booting to the malicious tools. + Because of these factors, this type of attack is rarely possible on modern devices. Even in cases where the risk factors exist on legacy devices, attackers will find the attack unreliable. For detailed info about the practical uses for forensic memory acquisition and the factors that make a computer vulnerable or resistant to memory remanence attacks, read [An In-depth Analysis of the Cold Boot Attack](http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA545078). + The BitLocker pre-boot authentication feature can successfully mitigate memory remanence attacks on most devices, but you can also mitigate such attacks by protecting the system UEFI or BIOS and prevent the PC from booting from external media (such as a USB flash drive or DVD). The latter option is often a better choice, because it provides sufficient protection without inconveniencing users with pre-boot authentication. + ## See also + - [BitLocker countermeasures](bitlocker-countermeasures.md) - [Choose the right BitLocker countermeasure](choose-the-right-bitlocker-countermeasure.md) - [Protect BitLocker from pre-boot attacks](protect-bitlocker-from-pre-boot-attacks.md) - [BitLocker overview](bitlocker-overview.md) -  -  diff --git a/windows/keep-secure/understand-applocker-enforcement-settings.md b/windows/keep-secure/understand-applocker-enforcement-settings.md index f62646c2e9..a27cfdc9cb 100644 --- a/windows/keep-secure/understand-applocker-enforcement-settings.md +++ b/windows/keep-secure/understand-applocker-enforcement-settings.md @@ -2,45 +2,28 @@ title: Understand AppLocker enforcement settings (Windows 10) description: This topic describes the AppLocker enforcement settings for rule collections. ms.assetid: 48773007-a343-40bf-8961-b3ff0a450d7e -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Understand AppLocker enforcement settings + **Applies to** - Windows 10 + This topic describes the AppLocker enforcement settings for rule collections. + Rule enforcement is applied only to a collection of rules, not to individual rules. AppLocker divides the rules into four collections: executable files, Windows Installer files, scripts, and DLL files. For more info about rule collections, see [Understanding AppLocker rule collections](understanding-applocker-rule-collections.md). By default, if enforcement is not configured and rules are present in a rule collection, those rules are enforced. The following table details the three AppLocker rule enforcement settings in Group Policy for each rule collection. - ---- - - - - - - - - - - - - - - - - - - - - -
Enforcement settingDescription

Not configured

By default, enforcement is not configured in a rule collection. If rules are present in the corresponding rule collection, they are enforced. If rule enforcement is configured in a higher-level linked Group Policy object (GPO), that enforcement value overrides the Not configured value.

Enforce rules

Rules are enforced for the rule collection, and all rule events are audited.

Audit only

Rule events are audited only. Use this value when planning and testing AppLocker rules.

+ +| Enforcement setting | Description | +| - | - | +| Not configured | By default, enforcement is not configured in a rule collection. If rules are present in the corresponding rule collection, they are enforced. If rule enforcement is configured in a higher-level linked Group Policy object (GPO), that enforcement value overrides the **Not configured** value.| +| Enforce rules | Rules are enforced for the rule collection, and all rule events are audited.| +| Audit only | Rule events are audited only. Use this value when planning and testing AppLocker rules.|   For the AppLocker policy to be enforced on a device, the Application Identity service must be running. For more info about the Application Identity service, see [Configure the Application Identity service](configure-the-application-identity-service.md). + When AppLocker policies from various GPOs are merged, the enforcement modes are merged by using the standard Group Policy order of inheritance, which is local, domain, site, and organizational unit (OU). The Group Policy setting that was last written or applied by order of inheritance is used for the enforcement mode, and all rules from linked GPOs are applied. -  -  diff --git a/windows/keep-secure/understand-applocker-policy-design-decisions.md b/windows/keep-secure/understand-applocker-policy-design-decisions.md index ea6833ec44..4c7731bcfc 100644 --- a/windows/keep-secure/understand-applocker-policy-design-decisions.md +++ b/windows/keep-secure/understand-applocker-policy-design-decisions.md @@ -2,123 +2,86 @@ title: Understand AppLocker policy design decisions (Windows 10) description: This topic for the IT professional lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies by using AppLocker within a Windows operating system environment. ms.assetid: 3475def8-949a-4b51-b480-dc88b5c1e6e6 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Understand AppLocker policy design decisions + **Applies to** - Windows 10 + This topic for the IT professional lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies by using AppLocker within a Windows operating system environment. + When you begin the design and planning process, you should consider the ramifications of your design choices. The resulting decisions will affect your policy deployment scheme and subsequent application control policy maintenance. + You should consider using AppLocker as part of your organization's application control policies if all the following are true: + - You have deployed or plan to deploy the supported versions of Windows in your organization. For specific operating system version requirements, see [Requirements to Use AppLocker](requirements-to-use-applocker.md). - You need improved control over the access to your organization's applications and the data your users access. - The number of applications in your organization is known and manageable. - You have resources to test policies against the organization's requirements. - You have resources to involve Help Desk or to build a self-help process for end-user application access issues. - The group's requirements for productivity, manageability, and security can be controlled by restrictive policies. + The following questions are not in priority or sequential order. They should be considered when you deploy application control policies (as appropriate for your targeted environment). + ### Which apps do you need to control in your organization? + You might need to control a limited number of apps because they access sensitive data, or you might have to exclude all applications except those that are sanctioned for business purposes. There might be certain business groups that require strict control, and others that promote independent application usage. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Possible answersDesign considerations

Control all apps

AppLocker policies control applications by creating an allowed list of applications by file type. Exceptions are also possible. AppLocker policies can only be applied to applications installed on computers running one of the supported versions of Windows. For specific operating system version requirements, see [Requirements to use AppLocker](requirements-to-use-applocker.md).

Control specific apps

When you create AppLocker rules, a list of allowed apps are created. All apps on that list will be allowed to run (except those on the exception list). Apps that are not on the list will be prevented from running. AppLocker policies can only be applied to apps installed on computers running any of the supported versions of Windows. For specific operating system version requirements, see [Requirements to use AppLocker](requirements-to-use-applocker.md).

Control only Classic Windows applications, only Universal Windows apps, or both

AppLocker policies control apps by creating an allowed list of apps by file type. Because Universal Windows apps are categorized under the Publisher condition, Classic Windows applications and Universal Windows apps can be controlled together. AppLocker policies for Universal Windows apps can be applied only to apps that are installed on PCs that support the Windows Store, but Classic Windows applications can be controlled with AppLocker on all supported versions of Windows. The rules you currently have configured for Classic Windows applications can remain, and you can create new ones for Universal Windows apps.

-

For a comparison of Classic Windows applications and Universal Windows apps, see [Comparing Classic Windows applications and Universal Windows apps for AppLocker policy design decisions](#bkmk-compareclassicmetro) in this topic.

Control apps by business group and user

AppLocker policies can be applied through a Group Policy Object (GPO) to computer objects within an organizational unit (OU). Individual AppLocker rules can be applied to individual users or to groups of users.

Control apps by computer, not user

AppLocker is a computer-based policy implementation. If your domain or site organizational structure is not based on a logical user structure, such as an OU, you might want to set up that structure before you begin your AppLocker planning. Otherwise, you will have to identify users, their computers, and their app access requirements.

Understand app usage, but there is no need to control any apps yet

AppLocker policies can be set to audit app usage to help you track which apps are used in your organization. You can then use the AppLocker event log to create AppLocker policies.

+ +| Possible answers | Design considerations| +| - | - | +| Control all apps | AppLocker policies control applications by creating an allowed list of applications by file type. Exceptions are also possible. AppLocker policies can only be applied to applications installed on computers running one of the supported versions of Windows. For specific operating system version requirements, see [Requirements to use AppLocker](requirements-to-use-applocker.md).| +| Control specific apps | When you create AppLocker rules, a list of allowed apps are created. All apps on that list will be allowed to run (except those on the exception list). Apps that are not on the list will be prevented from running. AppLocker policies can only be applied to apps installed on computers running any of the supported versions of Windows. For specific operating system version requirements, see [Requirements to use AppLocker](requirements-to-use-applocker.md).| +|Control only Classic Windows applications, only Universal Windows apps, or both| AppLocker policies control apps by creating an allowed list of apps by file type. Because Universal Windows apps are categorized under the Publisher condition, Classic Windows applications and Universal Windows apps can be controlled together. AppLocker policies for Universal Windows apps can be applied only to apps that are installed on PCs that support the Windows Store, but Classic Windows applications can be controlled with AppLocker on all supported versions of Windows. The rules you currently have configured for Classic Windows applications can remain, and you can create new ones for Universal Windows apps.
For a comparison of Classic Windows applications and Universal Windows apps, see [Comparing Classic Windows applications and Universal Windows apps for AppLocker policy design decisions](#bkmk-compareclassicmetro) in this topic.| +| Control apps by business group and user | AppLocker policies can be applied through a Group Policy Object (GPO) to computer objects within an organizational unit (OU). Individual AppLocker rules can be applied to individual users or to groups of users.| +| Control apps by computer, not user | AppLocker is a computer-based policy implementation. If your domain or site organizational structure is not based on a logical user structure, such as an OU, you might want to set up that structure before you begin your AppLocker planning. Otherwise, you will have to identify users, their computers, and their app access requirements.| +|Understand app usage, but there is no need to control any apps yet | AppLocker policies can be set to audit app usage to help you track which apps are used in your organization. You can then use the AppLocker event log to create AppLocker policies.|   -**Important**   -The following list contains files or types of files that cannot be managed by AppLocker: +>**Important:**  The following list contains files or types of files that cannot be managed by AppLocker: + - AppLocker does not protect against running 16-bit DOS binaries in a NT Virtual DOS Machine (NTVDM). This technology allows running legacy DOS and 16-bit Windows programs on computers that are using Intel 80386 or higher when there is already another operating system running and controlling the hardware. The result is that 16-bit binaries can still run on Windows Server 2008 R2 and Windows 7 when AppLocker is configured to otherwise block binaries and libraries. If it is a requirement to prevent 16-bit applications from running, you must configure the Deny rule in the Executable rule collection for NTVDM.exe. + - You cannot use AppLocker to prevent code from running outside the Win32 subsystem. In particular, this applies to the (POSIX) subsystem in Windows NT. If it is a requirement to prevent applications from running in the POSIX subsystem, you must disable the subsystem. + - AppLocker can only control VBScript, JScript, .bat files, .cmd files and Windows PowerShell scripts. It does not control all interpreted code that runs within a host process, for example Perl scripts and macros. Interpreted code is a form of executable code that runs within a host process. For example, Windows batch files (\*.bat) run within the context of the Windows Command Host (cmd.exe). To use AppLocker to control interpreted code, the host process must call AppLocker before it runs the interpreted code, and then enforce the decision that is returned by AppLocker. Not all host processes call into AppLocker. Therefore, AppLocker cannot control every kind of interpreted code, for example Microsoft Office macros. - **Important**   - You should configure the appropriate security settings of these host processes if you must allow them to run. For example, configure the security settings in Microsoft Office to ensure that only signed and trusted macros are loaded. + + >**Important:**  You should configure the appropriate security settings of these host processes if you must allow them to run. For example, configure the security settings in Microsoft Office to ensure that only signed and trusted macros are loaded.   - AppLocker rules allow or prevent an app from launching. AppLocker does not control the behavior of apps after they are launched. Applications could contain flags that are passed to functions that signal AppLocker to circumvent the rules and allow another .exe or .dll file to be loaded. In practice, an app that is allowed by AppLocker could use these flags to bypass AppLocker rules and launch child processes. You must follow a process that best suits your needs to thoroughly vet each app before allowing them to run using AppLocker rules. + For more info, see [Security considerations for AppLocker](security-considerations-for-applocker.md).   ### Comparing Classic Windows applications and Universal Windows apps for AppLocker policy design decisions + AppLocker policies for Universal Windows apps can only be applied to apps that are installed on computers running Windows operating systems that support Windows Store apps. However, Classic Windows applications can be controlled in Windows Server 2008 R2 and Windows 7, in addition to those computers that support Universal Windows apps. The rules for Classic Windows applications and Universal Windows apps can be enforced together. The differences you should consider for Universal Windows apps are: + - All Universal Windows apps can be installed by a standard user, whereas a number of Classic Windows applications require administrative credentials to install. So in an environment where most of the users are standard users, you might not need numerous exe rules, but you might want more explicit policies for packaged apps. - Classic Windows applications can be written to change the system state if they run with administrative credentials. Most Universal Windows apps cannot change the system state because they run with limited permissions. When you design your AppLocker policies, it is important to understand whether an app that you are allowing can make system-wide changes. - Universal Windows apps can be acquired through the Store, or they can be side-loaded by using Windows PowerShell cmdlets. If you use Windows PowerShell cmdlets, a special Enterprise license is required to acquire Universal Windows apps. Classic Windows applications can be acquired through traditional means, such as through software vendors or retail distribution. + AppLocker controls Universal Windows apps and Classic Windows applications by using different rule collections. You have the choice to control Universal Windows apps, Classic Windows applications, or both. + For more info, see [Packaged apps and packaged app installer rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md). + ### How do you currently control app usage in your organization? + Most organizations have evolved app control policies and methods over time. With heightened security concerns and an emphasis on tighter IT control over desktop use, your organization might decide to consolidate app control practices or design a comprehensive application control scheme. AppLocker includes improvements over SRP in the architecture and management of application control policies. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Possible answersDesign considerations

Security polices (locally set or through Group Policy)

Using AppLocker requires increased effort in planning to create correct policies, but this results in a simpler distribution method.

Non-Microsoft app control software

Using AppLocker requires a complete app control policy evaluation and implementation.

Managed usage by group or OU

Using AppLocker requires a complete app control policy evaluation and implementation.

Authorization Manager or other role-based access technologies

Using AppLocker requires a complete app control policy evaluation and implementation.

Other

Using AppLocker requires a complete app control policy evaluation and implementation.

+ +| Possible answers | Design considerations | +| - | - | +| Security polices (locally set or through Group Policy) | Using AppLocker requires increased effort in planning to create correct policies, but this results in a simpler distribution method.| +| Non-Microsoft app control software | Using AppLocker requires a complete app control policy evaluation and implementation.| +| Managed usage by group or OU | Using AppLocker requires a complete app control policy evaluation and implementation.| +| Authorization Manager or other role-based access technologies | Using AppLocker requires a complete app control policy evaluation and implementation.| +| Other | Using AppLocker requires a complete app control policy evaluation and implementation.|   ### Which Windows desktop and server operating systems are running in your organization? + If your organization supports multiple Windows operating systems, app control policy planning becomes more complex. Your initial design decisions should consider the security and management priorities of applications that are installed on each version of the operating system. @@ -172,259 +135,94 @@ If your organization supports multiple Windows operating systems, app control po
  ### Are there specific groups in your organization that need customized application control policies? + Most business groups or departments have specific security requirements that pertain to data access and the applications used to access that data. You should consider the scope of the project for each group and the group’s priorities before you deploy application control policies for the entire organization. - ---- - - - - - - - - - - - - - - - - -
Possible answersDesign considerations

Yes

-

For each group, you need to create a list that includes their application control requirements. Although this may increase the planning time, it will most likely result in a more effective deployment.

-

If your GPO structure is not currently configured so that you can apply different policies to specific groups, you can alternatively apply AppLocker rules in a GPO to specific user groups.

No

AppLocker policies can be applied globally to applications that are installed on PCs running the supported versions of Windows as listed in [Requirements to use AppLocker](requirements-to-use-applocker.md). Depending on the number of apps you need to control, managing all the rules and exceptions might be challenging.

+ +| Possible answers | Design considerations | +| - | - | +| Yes | For each group, you need to create a list that includes their application control requirements. Although this may increase the planning time, it will most likely result in a more effective deployment.
If your GPO structure is not currently configured so that you can apply different policies to specific groups, you can alternatively apply AppLocker rules in a GPO to specific user groups.| +| No | AppLocker policies can be applied globally to applications that are installed on PCs running the supported versions of Windows as listed in [Requirements to use AppLocker](requirements-to-use-applocker.md). Depending on the number of apps you need to control, managing all the rules and exceptions might be challenging.|   ### Does your IT department have resources to analyze application usage, and to design and manage the policies? + The time and resources that are available to you to perform the research and analysis can affect the detail of your plan and processes for continuing policy management and maintenance. - ---- - - - - - - - - - - - - - - - - -
Possible answersDesign considerations

Yes

Invest the time to analyze your organization's application control requirements, and plan a complete deployment that uses rules that are as simply constructed as possible.

No

Consider a focused and phased deployment for specific groups by using a small number of rules. As you apply controls to applications in a specific group, learn from that deployment to plan your next deployment.

+ +| Possible answers | Design considerations | +| - | - | +| Yes | Invest the time to analyze your organization's application control requirements, and plan a complete deployment that uses rules that are as simply constructed as possible.| +| No | Consider a focused and phased deployment for specific groups by using a small number of rules. As you apply controls to applications in a specific group, learn from that deployment to plan your next deployment. |   ### Does your organization have Help Desk support? + Preventing your users from accessing known, deployed, or personal applications will initially cause an increase in end-user support. It will be necessary to address the various support issues in your organization so security policies are followed and business workflow is not hampered. - ---- - - - - - - - - - - - - - - - - -
Possible answersDesign considerations

Yes

Involve the support department early in the planning phase because your users may inadvertently be blocked from using their applications, or they may seek exceptions to use specific applications.

No

Invest time in developing online support processes and documentation before deployment.

+ +| Possible answers | Design considerations | +| - | - | +| Yes | Involve the support department early in the planning phase because your users may inadvertently be blocked from using their applications, or they may seek exceptions to use specific applications. | +| No | Invest time in developing online support processes and documentation before deployment. | +   ### Do you know what applications require restrictive policies? Any successful application control policy implementation is based on your knowledge and understanding of app usage within the organization or business group. In addition, the application control design is dependent on the security requirements for data and the apps that access that data. - ---- - - - - - - - - - - - - - - - - -
Possible answersDesign considerations

Yes

You should determine the application control priorities for a business group and then attempt to design the simplest scheme for their application control policies.

No

You will have to perform an audit and requirements gathering project to discover the application usage. AppLocker provides the means to deploy policies in Audit only mode, and tools to view the event logs.

+ +| Possible answers | Design considerations | +| - | - | +| Yes | You should determine the application control priorities for a business group and then attempt to design the simplest scheme for their application control policies. | +| No | You will have to perform an audit and requirements gathering project to discover the application usage. AppLocker provides the means to deploy policies in **Audit only** mode, and tools to view the event logs.|   ### How do you deploy or sanction applications (upgraded or new) in your organization? + Implementing a successful application control policy is based on your knowledge and understanding of application usage within the organization or business group. In addition, the application control design is dependent on the security requirements for data and the applications that access that data. Understanding the upgrade and deployment policy will help shape the construction of the application control policies. - ---- - - - - - - - - - - - - - - - - - - - - -
Possible answersDesign considerations

Ad hoc

You need to gather requirements from each group. Some groups might want unrestricted access or installation, while other groups might want strict controls.

Strict written policy or guidelines to follow

You need to develop AppLocker rules that reflect those policies, and then test and maintain the rules.

No process in place

You need to determine if you have the resources to develop an application control policy, and for which groups.

+ +| Possible answers | Design considerations | +| - | - | +| Ad hoc | You need to gather requirements from each group. Some groups might want unrestricted access or installation, while other groups might want strict controls.| +| Strict written policy or guidelines to follow | You need to develop AppLocker rules that reflect those policies, and then test and maintain the rules. | +| No process in place | You need to determine if you have the resources to develop an application control policy, and for which groups. | +   ### Does your organization already have SRP deployed? + Although SRP and AppLocker have the same goal, AppLocker is a major revision of SRP. - ---- - - - - - - - - - - - - - - - - -
Possible answersDesign considerations

Yes

You cannot use AppLocker to manage SRP settings, but you can use SRP to manage application control policies on computers running on any of the supported operating systems listed in [Requirements to use AppLocker](requirements-to-use-applocker.md). In addition, if AppLocker and SRP settings are configured in the same GPO, only the AppLocker settings will be enforced on computers running those supported operating systems.

-
-Note   -

If you are using the Basic User security level as assigned in SRP, those permissions are not supported on computers running the supported operating systems.

-
-
-  -

No

Policies that are configured for AppLocker can only be applied to computers running the supported operating systems, but SRP is also available on those operating systems.

+ +| Possible answers | Design considerations | +| - | - | +| Yes | You cannot use AppLocker to manage SRP settings, but you can use SRP to manage application control policies on computers running on any of the supported operating systems listed in [Requirements to use AppLocker](requirements-to-use-applocker.md). In addition, if AppLocker and SRP settings are configured in the same GPO, only the AppLocker settings will be enforced on computers running those supported operating systems.

**Note:** If you are using the Basic User security level as assigned in SRP, those permissions are not supported on computers running the supported operating systems.| +| No | Policies that are configured for AppLocker can only be applied to computers running the supported operating systems, but SRP is also available on those operating systems. |   ### What are your organization's priorities when implementing application control policies? + Some organizations will benefit from application control policies as shown by an increase in productivity or conformance, while others will be hindered in performing their duties. Prioritize these aspects for each group to allow you to evaluate the effectiveness of AppLocker. - ---- - - - - - - - - - - - - - - - - - - - - -
Possible answersDesign considerations

Productivity: The organization assures that tools work and required applications can be installed.

To meet innovation and productivity goals, some groups require the ability to install and run a variety of software from different sources, including software that they developed. Therefore, if innovation and productivity is a high priority, managing application control policies through an allowed list might be time consuming and an impediment to progress.

Management: The organization is aware of and controls the apps it supports.

In some business groups, application usage can be managed from a central point of control. AppLocker policies can be built into a GPO for that purpose. This shifts the burden of app access to the IT department, but it also has the benefit of controlling the number of apps that can be run and controlling the versions of those apps

Security: The organization must protect data in part by ensuring that only approved apps are used.

AppLocker can help protect data by allowing a defined set of users access to apps that access the data. If security is the top priority, the application control policies will be the most restrictive.

+ +| Possible answers | Design considerations | +| - | - | +| Productivity: The organization assures that tools work and required applications can be installed. | To meet innovation and productivity goals, some groups require the ability to install and run a variety of software from different sources, including software that they developed. Therefore, if innovation and productivity is a high priority, managing application control policies through an allowed list might be time consuming and an impediment to progress. | +| Management: The organization is aware of and controls the apps it supports. | In some business groups, application usage can be managed from a central point of control. AppLocker policies can be built into a GPO for that purpose. This shifts the burden of app access to the IT department, but it also has the benefit of controlling the number of apps that can be run and controlling the versions of those apps| +| Security: The organization must protect data in part by ensuring that only approved apps are used. | AppLocker can help protect data by allowing a defined set of users access to apps that access the data. If security is the top priority, the application control policies will be the most restrictive.|   ### How are apps currently accessed in your organization? + AppLocker is very effective for organizations that have application restriction requirements if they have environments with a simple topography and application control policy goals that are straightforward. For example, AppLocker can benefit an environment where non-employees have access to computers that are connected to the organizational network, such as a school or library. Large organizations also benefit from AppLocker policy deployment when the goal is to achieve a detailed level of control on the desktop computers with a relatively small number of applications to manage, or when the applications are manageable with a small number of rules. - ---- - - - - - - - - - - - - - - - - -
Possible answersDesign considerations

Users run without administrative rights.

-

Apps are installed by using an installation deployment technology.

AppLocker can help reduce the total cost of ownership for business groups that typically use a finite set of apps, such as human resources and finance departments. At the same time, these departments access highly sensitive information, much of which contains confidential and proprietary information. By using AppLocker to create rules for specific apps that are allowed to run, you can help limit unauthorized applications from accessing this information.

-
-Note   -

AppLocker can also be effective in helping create standardized desktops in organizations where users run as administrators. However, it is important to note that users with administrative credentials can add new rules to the local AppLocker policy.

-
-
-  -

Users must be able to install applications as needed.

-

Users currently have administrator access, and it would be difficult to change this.

Enforcing AppLocker rules is not suited for business groups that must be able to install apps as needed and without approval from the IT department. If one or more OUs in your organization has this requirement, you can choose not to enforce application rules in those OUs by using AppLocker or to implement the Audit only enforcement setting through AppLocker.

+ +| Possible answers | Design considerations | +| - | - | +| Users run without administrative rights. | Apps are installed by using an installation deployment technology.| +| AppLocker can help reduce the total cost of ownership for business groups that typically use a finite set of apps, such as human resources and finance departments. At the same time, these departments access highly sensitive information, much of which contains confidential and proprietary information. By using AppLocker to create rules for specific apps that are allowed to run, you can help limit unauthorized applications from accessing this information.
**Note: **AppLocker can also be effective in helping create standardized desktops in organizations where users run as administrators. However, it is important to note that users with administrative credentials can add new rules to the local AppLocker policy.| Users must be able to install applications as needed. +| Users currently have administrator access, and it would be difficult to change this.|Enforcing AppLocker rules is not suited for business groups that must be able to install apps as needed and without approval from the IT department. If one or more OUs in your organization has this requirement, you can choose not to enforce application rules in those OUs by using AppLocker or to implement the **Audit only** enforcement setting through AppLocker.|   ### Is the structure in Active Directory Domain Services based on the organization's hierarchy? -Designing application control policies based on an organizational structure that is already built into Active Directory Domain Services (AD DS) is easier than converting the existing structure to an organizational structure. Because the effectiveness of application control policies is dependent on the ability to update policies, consider what organizational work needs to be accomplished before deployment begins. - ---- - - - - - - - - - - - - - - - - -
Possible answersDesign considerations

Yes

AppLocker rules can be developed and implemented through Group Policy, based on your AD DS structure.

No

The IT department must create a scheme to identify how application control policies can be applied to the correct user or computer.

+ +Designing application control policies based on an organizational structure that is already built into Active Directory Domain Services (AD DS) is easier than converting the existing structure to an organizational structure. +Because the effectiveness of application control policies is dependent on the ability to update policies, consider what organizational work needs to be accomplished before deployment begins. + +| Possible answers | Design considerations | +| - | - | +| Yes | AppLocker rules can be developed and implemented through Group Policy, based on your AD DS structure.| +| No | The IT department must create a scheme to identify how application control policies can be applied to the correct user or computer.|   ## Record your findings + The next step in the process is to record and analyze your answers to the preceding questions. If AppLocker is the right solution for your goals, tyou can set your application control policy objectives and plan your AppLocker rules. This process culminates in creating your planning document. + - For info about setting your policy goals, see [Determine your application control objectives](determine-your-application-control-objectives.md). - For info about creating your planning document, see [Create your AppLocker planning document](create-your-applocker-planning-document.md). -  -  diff --git a/windows/keep-secure/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md b/windows/keep-secure/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md index c4438ba57b..fd1d01d9fb 100644 --- a/windows/keep-secure/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md +++ b/windows/keep-secure/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md @@ -2,34 +2,43 @@ title: Understand AppLocker rules and enforcement setting inheritance in Group Policy (Windows 10) description: This topic for the IT professional describes how application control policies configured in AppLocker are applied through Group Policy. ms.assetid: c1c5a3d3-540a-4698-83b5-0dab5d27d871 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Understand AppLocker rules and enforcement setting inheritance in Group Policy + **Applies to** - Windows 10 + This topic for the IT professional describes how application control policies configured in AppLocker are applied through Group Policy. + Rule enforcement is applied only to collections of rules, not individual rules. AppLocker divides the rules into the following collections: executable files, Windows Installer files, scripts, packaged apps and packaged app installers, and DLL files. The options for rule enforcement are **Not configured**, **Enforce rules**, or **Audit only**. Together, all AppLocker rule collections compose the application control policy, or AppLocker policy. + Group Policy merges AppLocker policy in two ways: + - **Rules.** Group Policy does not overwrite or replace rules that are already present in a linked Group Policy Object (GPO). For example, if the current GPO has 12 rules and a linked GPO has 50 rules, 62 rules are applied to all computers that receive the AppLocker policy. - **Important**   - When determining whether a file is permitted to run, AppLocker processes rules in the following order: + >**Important:**  When determining whether a file is permitted to run, AppLocker processes rules in the following order: + 1. **Explicit deny.** An administrator created a rule to deny a file. 2. **Explicit allow.** An administrator created a rule to allow a file. 3. **Implicit deny.** This is also called the default deny because all files that are not affected by an allow rule are automatically blocked.   - **Enforcement settings.** The last write to the policy is applied. For example, if a higher-level GPO has the enforcement setting configured to **Enforce rules** and the closest GPO has the setting configured to **Audit only**, **Audit only** is enforced. If enforcement is not configured on the closest GPO, the setting from the closest linked GPO will be enforced. Because a computer's effective policy includes rules from each linked GPO, duplicate rules or conflicting rules could be enforced on a user's computer. Therefore, you should carefully plan your deployment to ensure that only rules that are necessary are present in a GPO. + The following figure demonstrates how AppLocker rule enforcement is applied through linked GPOs. + ![applocker rule enforcement inheritance chart](images/applocker-plan-inheritance.gif) + In the preceding illustration, note that all GPOs linked to Contoso are applied in order as configured. The rules that are not configured are also applied. For example, the result of the Contoso and Human Resources GPOs is 33 rules enforced, as shown in the client HR-Term1. The Human Resources GPO contains 10 non-configured rules. When the rule collection is configured for **Audit only**, no rules are enforced. + When constructing the Group Policy architecture for applying AppLocker policies, it is important to remember: + - Rule collections that are not configured will be enforced. - Group Policy does not overwrite or replace rules that are already present in a linked GPO. - AppLocker processes the explicit deny rule configuration before the allow rule configuration. - For rule enforcement, the last write to the GPO is applied. -  -  diff --git a/windows/keep-secure/understand-the-applocker-policy-deployment-process.md b/windows/keep-secure/understand-the-applocker-policy-deployment-process.md index 225dc8c0c2..a2ec48ffe5 100644 --- a/windows/keep-secure/understand-the-applocker-policy-deployment-process.md +++ b/windows/keep-secure/understand-the-applocker-policy-deployment-process.md @@ -2,21 +2,30 @@ title: Understand the AppLocker policy deployment process (Windows 10) description: This planning and deployment topic for the IT professional describes the process for using AppLocker when deploying application control policies. ms.assetid: 4cfd95c1-fbd3-41fa-8efc-d23c1ea6fb16 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Understand the AppLocker policy deployment process + **Applies to** - Windows 10 + This planning and deployment topic for the IT professional describes the process for using AppLocker when deploying application control policies. + To successfully deploy AppLocker policies, you need to identify your application control objectives and construct the policies for those objectives. The key to the process is taking an accurate inventory of your organization's applications, which requires investigation of all the targeted business groups. With an accurate inventory, you can create rules and set enforcement criteria that will allow the organization to use the required applications and allow the IT department to manage a controlled set of applications. + The following diagram shows the main points in the design, planning, and deployment process for AppLocker. + ![applocker quick reference guide](images/applocker-plandeploy-quickreference.gif) + ## Resources to support the deployment process + The following topics contain information about designing, planning, deploying, and maintaining AppLocker policies: + - For info about the AppLocker policy design and planning requirements and process, see [AppLocker Design Guide](applocker-policies-design-guide.md). - For info about the AppLocker policy deployment requirements and process, see [AppLocker deployment guide](applocker-policies-deployment-guide.md). - For info about AppLocker policy maintenance and monitoring, see [Administer AppLocker](administer-applocker.md). diff --git a/windows/keep-secure/understanding-applocker-allow-and-deny-actions-on-rules.md b/windows/keep-secure/understanding-applocker-allow-and-deny-actions-on-rules.md index 30f5de5bcc..b383087281 100644 --- a/windows/keep-secure/understanding-applocker-allow-and-deny-actions-on-rules.md +++ b/windows/keep-secure/understanding-applocker-allow-and-deny-actions-on-rules.md @@ -2,52 +2,38 @@ title: Understanding AppLocker allow and deny actions on rules (Windows 10) description: This topic explains the differences between allow and deny actions on AppLocker rules. ms.assetid: ea0370fa-2086-46b5-a0a4-4a7ead8cbed9 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Understanding AppLocker allow and deny actions on rules + **Applies to** - Windows 10 + This topic explains the differences between allow and deny actions on AppLocker rules. + ## Allow action versus deny action on rules + Unlike Software Restriction Policies (SRP), each AppLocker rule collection functions as an allowed list of files. Only the files that are listed within the rule collection are allowed to run. This configuration makes it easier to determine what will occur when an AppLocker rule is applied. + You can also create rules that use the deny action. When applying rules, AppLocker first checks whether any explicit deny actions are specified in the rule list. If you have denied a file from running in a rule collection, the deny action will take precedence over any allow action, regardless of which Group Policy Object (GPO) the rule was originally applied in. Because AppLocker functions as an allowed list by default, if no rule explicitly allows or denies a file from running, AppLocker's default deny action will block the file. + ### Deny rule considerations + Although you can use AppLocker to create a rule to allow all files to run and then use rules to deny specific files, this configuration is not recommended. The deny action is generally less secure than the allow action because a malicious user could modify the file to invalidate the rule. Deny actions can also be circumvented. For example, if you configure a deny action for a file or folder path, the user can still run the file from any other path. The following table details security concerns for different rule conditions with deny actions. - ---- - - - - - - - - - - - - - - - - - - - - -
Rule conditionSecurity concern with deny action

Publisher

A user could modify the properties of a file (for example, re-signing the file with a different certificate).

File hash

A user could modify the hash for a file.

Path

A user could move the denied file to a different location and run it from there.

+ +| Rule condition | Security concern with deny action | +| - | - | +| Publisher | A user could modify the properties of a file (for example, re-signing the file with a different certificate).| +| File hash | A user could modify the hash for a file.| +| Path | A user could move the denied file to a different location and run it from there.|   -**Important**   -If you choose to use the deny action on rules, you must ensure that you first create rules that allow the Windows system files to run. AppLocker enforces rules for allowed applications by default, so after one or more rules have been created for a rule collection (affecting the Windows system files), only the apps that are listed as being allowed will be permitted to run. Therefore, creating a single rule in a rule collection to deny a malicious file from running will also deny all other files on the computer from running. +>**Important:**  If you choose to use the deny action on rules, you must ensure that you first create rules that allow the Windows system files to run. AppLocker enforces rules for allowed applications by default, so after one or more rules have been created for a rule collection (affecting the Windows system files), only the apps that are listed as being allowed will be permitted to run. Therefore, creating a single rule in a rule collection to deny a malicious file from running will also deny all other files on the computer from running.   ## Related topics -[How AppLocker works](how-applocker-works-techref.md) -  -  + +- [How AppLocker works](how-applocker-works-techref.md) diff --git a/windows/keep-secure/understanding-applocker-default-rules.md b/windows/keep-secure/understanding-applocker-default-rules.md index cf10480b26..b0aa99f22e 100644 --- a/windows/keep-secure/understanding-applocker-default-rules.md +++ b/windows/keep-secure/understanding-applocker-default-rules.md @@ -2,62 +2,45 @@ title: Understanding AppLocker default rules (Windows 10) description: This topic for IT professional describes the set of rules that can be used to ensure that required Windows system files are allowed to run when the policy is applied. ms.assetid: bdb03d71-05b7-41fb-96e3-a289ce1866e1 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Understanding AppLocker default rules + **Applies to** - Windows 10 + This topic for IT professional describes the set of rules that can be used to ensure that required Windows system files are allowed to run when the policy is applied. + AppLocker includes default rules for each rule collection. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. -**Important**   -You can use the default rules as a template when creating your own rules. However, these rules are only meant to function as a starter policy when you are first testing AppLocker rules so that the system files in the Windows folders will be allowed to run. + +>**Important:**  You can use the default rules as a template when creating your own rules. However, these rules are only meant to function as a starter policy when you are first testing AppLocker rules so that the system files in the Windows folders will be allowed to run.   -If you require additional app security, you might need to modify the rules created from the built-in default rule collection. For example, the default rule to allow all users to run .exe files in the Windows folder is based on a path condition that allows all files within the Windows folder to run. The Windows folder contains a Temp subfolder to which the Users group is given the following permissions: +If you require additional app security, you might need to modify the rules created from the built-in default rule collection. For example, the default rule to allow all users to run .exe files in the Windows folder is based on a path condition that allows all files within the Windows folder to run. +The Windows folder contains a Temp subfolder to which the Users group is given the following permissions: + - Traverse Folder/Execute File - Create Files/Write Data - Create Folders/Append Data + These permissions settings are applied to this folder for app compatibility. However, because any user can create files in this location, allowing applications to be run from this location might conflict with your organization's security policy. + ## In this section - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TopicDescription

[Executable rules in AppLocker](executable-rules-in-applocker.md)

This topic describes the file formats and available default rules for the executable rule collection.

[Windows Installer rules in AppLocker](windows-installer-rules-in-applocker.md)

This topic describes the file formats and available default rules for the Windows Installer rule collection.

[Script rules in AppLocker](script-rules-in-applocker.md)

This topic describes the file formats and available default rules for the script rule collection.

[DLL rules in AppLocker](dll-rules-in-applocker.md)

This topic describes the file formats and available default rules for the DLL rule collection.

[Packaged apps and packaged app installer rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md)

This topic explains the AppLocker rule collection for packaged app installers and packaged apps.

+ +| Topic | Description | +| - | - | +| [Executable rules in AppLocker](executable-rules-in-applocker.md) | This topic describes the file formats and available default rules for the executable rule collection. | +| [Windows Installer rules in AppLocker](windows-installer-rules-in-applocker.md) | This topic describes the file formats and available default rules for the Windows Installer rule collection.| +| [Script rules in AppLocker](script-rules-in-applocker.md) | This topic describes the file formats and available default rules for the script rule collection.| +| [DLL rules in AppLocker](dll-rules-in-applocker.md) | This topic describes the file formats and available default rules for the DLL rule collection.| +| [Packaged apps and packaged app installer rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md) | This topic explains the AppLocker rule collection for packaged app installers and packaged apps.|   ## Related topics -[How AppLocker works](how-applocker-works-techref.md) + +- [How AppLocker works](how-applocker-works-techref.md)     diff --git a/windows/keep-secure/understanding-applocker-rule-behavior.md b/windows/keep-secure/understanding-applocker-rule-behavior.md index b065509210..ac18934b5f 100644 --- a/windows/keep-secure/understanding-applocker-rule-behavior.md +++ b/windows/keep-secure/understanding-applocker-rule-behavior.md @@ -2,24 +2,29 @@ title: Understanding AppLocker rule behavior (Windows 10) description: This topic describes how AppLocker rules are enforced by using the allow and deny options in AppLocker. ms.assetid: 3e2738a3-8041-4095-8a84-45c1894c97d0 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Understanding AppLocker rule behavior + **Applies to** - Windows 10 + This topic describes how AppLocker rules are enforced by using the allow and deny options in AppLocker. + If no AppLocker rules for a specific rule collection exist, all files with that file format are allowed to run. However, when an AppLocker rule for a specific rule collection is created, only the files explicitly allowed in a rule are permitted to run. For example, if you create an executable rule that allows .exe files in *%SystemDrive%\\FilePath* to run, only executable files located in that path are allowed to run. + A rule can be configured to use either an allow or deny action: + - **Allow**. You can specify which files are allowed to run in your environment and for which users or groups of users. You can also configure exceptions to identify files that are excluded from the rule. - **Deny**. You can specify which files are not allowed to run in your environment and for which users or groups of users. You can also configure exceptions to identify files that are excluded from the rule. -**Important**   -You can use a combination of allow actions and deny actions. However, we recommend using allow actions with exceptions because deny actions override allow actions in all cases. Deny actions can also be circumvented. For example, if you configure a deny action for a file or folder path, the user can still run the file from any other path. + +>**Important:**  You can use a combination of allow actions and deny actions. However, we recommend using allow actions with exceptions because deny actions override allow actions in all cases. Deny actions can also be circumvented. For example, if you configure a deny action for a file or folder path, the user can still run the file from any other path.   ## Related topics -[How AppLocker works](how-applocker-works-techref.md) -  -  + +- [How AppLocker works](how-applocker-works-techref.md) diff --git a/windows/keep-secure/understanding-applocker-rule-collections.md b/windows/keep-secure/understanding-applocker-rule-collections.md index 950a47ebfe..b8adef234c 100644 --- a/windows/keep-secure/understanding-applocker-rule-collections.md +++ b/windows/keep-secure/understanding-applocker-rule-collections.md @@ -2,28 +2,34 @@ title: Understanding AppLocker rule collections (Windows 10) description: This topic explains the five different types of AppLocker rules used to enforce AppLocker policies. ms.assetid: 03c05466-4fb3-4880-8d3c-0f6f59fc5579 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Understanding AppLocker rule collections + **Applies to** - Windows 10 + This topic explains the five different types of AppLocker rules used to enforce AppLocker policies. + An AppLocker rule collection is a set of rules that apply to one of five types: + - Executable files: .exe and .com - Windows Installer files: .msi, mst, and .msp - Scripts: .ps1, .bat, .cmd, .vbs, and .js - DLLs: .dll and .ocx - Packaged apps and packaged app installers: .appx + If you use DLL rules, a DLL allow rule has to be created for each DLL that is used by all of the allowed apps. -**Important**   -Each app can load several DLLs, and AppLocker must check each DLL before it is allowed to run. Therefore, creating DLL rules might cause performance problems on some computers. Denying some DLLs from running can also create app compatibility problems. As a result, the DLL rule collection is not enabled by default. + +>**Important:**  Each app can load several DLLs, and AppLocker must check each DLL before it is allowed to run. Therefore, creating DLL rules might cause performance problems on some computers. Denying some DLLs from running can also create app compatibility problems. As a result, the DLL rule collection is not enabled by default.   For info about how to enable the DLL rule collection, see [Enable the DLL rule collection](enable-the-dll-rule-collection.md). + ## Related topics -[How AppLocker works](how-applocker-works-techref.md) -  -  + +- [How AppLocker works](how-applocker-works-techref.md) diff --git a/windows/keep-secure/understanding-applocker-rule-condition-types.md b/windows/keep-secure/understanding-applocker-rule-condition-types.md index e6b6e8505a..f00afa16e1 100644 --- a/windows/keep-secure/understanding-applocker-rule-condition-types.md +++ b/windows/keep-secure/understanding-applocker-rule-condition-types.md @@ -2,39 +2,55 @@ title: Understanding AppLocker rule condition types (Windows 10) description: This topic for the IT professional describes the three types of AppLocker rule conditions. ms.assetid: c21af67f-60a1-4f7d-952c-a6f769c74729 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Understanding AppLocker rule condition types + **Applies to** - Windows 10 + This topic for the IT professional describes the three types of AppLocker rule conditions. + Rule conditions are criteria that the AppLocker rule is based on. Primary conditions are required to create an AppLocker rule. The three primary rule conditions are publisher, path, and file hash. + **Publisher** + To use a publisher condition, the files must be digitally signed by the software publisher, or you must do so by using an internal certificate. Rules that are specified to the version level might have to be updated when a new version of the file is released. For more info about this rule condition, see [Understanding the publisher rule condition in AppLocker](understanding-the-publisher-rule-condition-in-applocker.md). + **Path** + Any file can be assigned this rule condition; however, because path rules specify locations within the file system, any subdirectory will also be affected by the rule (unless explicitly exempted). For more info about this rule condition, see [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md). + **File hash** + Any file can be assigned this rule condition; however, the rule must be updated each time a new version of the file is released because the hash value is unique to that the version of the file. For more info about this rule condition, see [Understanding the file hash rule condition in AppLocker](understanding-the-file-hash-rule-condition-in-applocker.md). + ### Considerations + Selecting the appropriate condition for each rule depends on the overall application control policy goals of the organization, the AppLocker rule maintenance goals, and the condition of the existing (or planned) application deployment. The following questions can help you decide which rule condition to use. + 1. Is the file digitally signed by a software publisher? + If the file is signed by a software publisher, we recommend that you create rules with publisher conditions. You may still create file hash and path conditions for signed files. However, if the file is not digitally signed by a software publisher, you can: + - Sign the file by using an internal certificate. - Create a rule by using a file hash condition. - Create a rule by using a path condition. - **Note**   - To determine how many applications on a reference computer are digitally signed, you can use the **Get-AppLockerFileInformation** Windows PowerShell cmdlet for a directory of files. For example, `Get-AppLockerFileInformation –Directory C:\Windows\ -FileType EXE -recurse` displays the properties for all .exe and .com files within the Windows directory. + + >**Note:**  To determine how many applications on a reference computer are digitally signed, you can use the **Get-AppLockerFileInformation** Windows PowerShell cmdlet for a directory of files. For example, + `Get-AppLockerFileInformation –Directory C:\Windows\ -FileType EXE -recurse` displays the properties for all .exe and .com files within the Windows directory.   2. What rule condition type does your organization prefer? + If your organization is already using Software Restriction Policies (SRP) to restrict what files users can run, rules using file hash or path conditions are probably already in place. - **Note**   - For a list of supported operating system versions and editions to which SRP and AppLocker rules can be applied, see [Requirements to use AppLocker](requirements-to-use-applocker.md). + + >**Note:**  For a list of supported operating system versions and editions to which SRP and AppLocker rules can be applied, see [Requirements to use AppLocker](requirements-to-use-applocker.md).   ## Related topics -[How AppLocker works](how-applocker-works-techref.md) -  -  + +- [How AppLocker works](how-applocker-works-techref.md) diff --git a/windows/keep-secure/understanding-applocker-rule-exceptions.md b/windows/keep-secure/understanding-applocker-rule-exceptions.md index 0a89f17cc7..4cedcfd784 100644 --- a/windows/keep-secure/understanding-applocker-rule-exceptions.md +++ b/windows/keep-secure/understanding-applocker-rule-exceptions.md @@ -2,19 +2,24 @@ title: Understanding AppLocker rule exceptions (Windows 10) description: This topic describes the result of applying AppLocker rule exceptions to rule collections. ms.assetid: e6bb349f-ee60-4c8d-91cd-6442f2d0eb9c -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Understanding AppLocker rule exceptions + **Applies to** - Windows 10 + This topic describes the result of applying AppLocker rule exceptions to rule collections. + You can apply AppLocker rules to individual users or a group of users. If you apply a rule to a group of users, all users in that group are affected by that rule. If you need to allow a subset of a user group to use an app, you can create a special rule for that subset. + For example, the rule "Allow Everyone to run Windows except Registry Editor" allows everyone in the organization to run Windows but does not allow anyone to run Registry Editor. The effect of this rule would prevent users such as help desk personnel from running a program that is necessary for their support tasks. To resolve this problem, create a second rule that applies to the Helpdesk user group: "Allow Helpdesk to run Registry Editor." If you create a deny rule that does not allow any users to run Registry Editor, the deny rule will override the second rule that allows the Helpdesk user group to run Registry Editor. + ## Related topics -[How AppLocker works](how-applocker-works-techref.md) -  -  + +- [How AppLocker works](how-applocker-works-techref.md) diff --git a/windows/keep-secure/understanding-the-file-hash-rule-condition-in-applocker.md b/windows/keep-secure/understanding-the-file-hash-rule-condition-in-applocker.md index 1be8c8cc55..89a2b1a770 100644 --- a/windows/keep-secure/understanding-the-file-hash-rule-condition-in-applocker.md +++ b/windows/keep-secure/understanding-the-file-hash-rule-condition-in-applocker.md @@ -2,38 +2,28 @@ title: Understanding the file hash rule condition in AppLocker (Windows 10) description: This topic explains the AppLocker file hash rule condition, the advantages and disadvantages, and how it is applied. ms.assetid: 4c6d9af4-2b1a-40f4-8758-1a6f9f147756 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Understanding the file hash rule condition in AppLocker + **Applies to** - Windows 10 + This topic explains the AppLocker file hash rule condition, the advantages and disadvantages, and how it is applied. + File hash rules use a system-computed cryptographic hash of the identified file. For files that are not digitally signed, file hash rules are more secure than path rules. The following table describes the advantages and disadvantages of the file hash condition. - ---- - - - - - - - - - - - - -
File hash condition advantagesFile hash condition disadvantages

Because each file has a unique hash, a file hash condition applies to only one file.

Each time that the file is updated (such as a security update or upgrade), the file's hash will change. As a result, you must manually update file hash rules.

+ +| File hash condition advantages | File hash condition disadvantages | +| - | - | +| Because each file has a unique hash, a file hash condition applies to only one file. | Each time that the file is updated (such as a security update or upgrade), the file's hash will change. As a result, you must manually update file hash rules.|   For an overview of the three types of AppLocker rule conditions and explanations of the advantages and disadvantages of each, see [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md). + ## Related topics -[How AppLocker works](how-applocker-works-techref.md) -  -  + +- [How AppLocker works](how-applocker-works-techref.md) diff --git a/windows/keep-secure/understanding-the-path-rule-condition-in-applocker.md b/windows/keep-secure/understanding-the-path-rule-condition-in-applocker.md index 2adb70d6c6..4d4e950a6c 100644 --- a/windows/keep-secure/understanding-the-path-rule-condition-in-applocker.md +++ b/windows/keep-secure/understanding-the-path-rule-condition-in-applocker.md @@ -2,18 +2,24 @@ title: Understanding the path rule condition in AppLocker (Windows 10) description: This topic explains the AppLocker path rule condition, the advantages and disadvantages, and how it is applied. ms.assetid: 3fa54ded-4466-4f72-bea4-2612031cad43 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Understanding the path rule condition in AppLocker + **Applies to** - Windows 10 + This topic explains the AppLocker path rule condition, the advantages and disadvantages, and how it is applied. + The path condition identifies an application by its location in the file system of the computer or on the network. + When creating a rule that uses a deny action, path conditions are less secure than publisher and file hash conditions for preventing access to a file because a user could easily copy the file to a different location than the location specified in the rule. Because path rules specify locations within the file system, you should ensure that there are no subdirectories that are writable by non-administrators. For example, if you create a path rule for C:\\ with the allow action, any file under that location will be allowed to run, including within users' profiles. The following table describes the advantages and disadvantages of the path condition. + @@ -40,57 +46,22 @@ When creating a rule that uses a deny action, path conditions are less secure th
  AppLocker does not enforce rules that specify paths with short names. You should always specify the full path to a file or folder when creating path rules so that the rule will be properly enforced. + The asterisk (\*) wildcard character can be used within **Path** field. The asterisk (\*) character used by itself represents any path. When combined with any string value, the rule is limited to the path of the file and all the files under that path. For example, %ProgramFiles%\\Internet Explorer\\\* indicates that all files and subfolders within the Internet Explorer folder will be affected by the rule. + AppLocker uses path variables for well-known directories in Windows. Path variables are not environment variables. The AppLocker engine can only interpret AppLocker path variables. The following table details these path variables. - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows directory or driveAppLocker path variableWindows environment variable

Windows

%WINDIR%

%SystemRoot%

System32

%SYSTEM32%

%SystemDirectory%

Windows installation directory

%OSDRIVE%

%SystemDrive%

Program Files

%PROGRAMFILES%

%ProgramFiles% and %ProgramFiles(x86)%

Removable media (for example, CD or DVD)

%REMOVABLE%

Removable storage device (for example, USB flash drive)

%HOT%

+ +| Windows directory or drive | AppLocker path variable | Windows environment variable | +| - | - | - | +| Windows | %WINDIR% | %SystemRoot% | +| System32 | %SYSTEM32%| %SystemDirectory%| +| Windows installation directory | %OSDRIVE%|%SystemDrive%| +| Program Files | %PROGRAMFILES%| %ProgramFiles% and %ProgramFiles(x86)%| +| Removable media (for example, CD or DVD) | %REMOVABLE%| | +| Removable storage device (for example, USB flash drive)| %HOT%|||   For an overview of the three types of AppLocker rule conditions and explanations of the advantages and disadvantages of each, see [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md). + ## Related topics -[How AppLocker works](how-applocker-works-techref.md) -  -  + +- [How AppLocker works](how-applocker-works-techref.md) diff --git a/windows/keep-secure/understanding-the-publisher-rule-condition-in-applocker.md b/windows/keep-secure/understanding-the-publisher-rule-condition-in-applocker.md index 053ee2e59c..5e0bca2ee0 100644 --- a/windows/keep-secure/understanding-the-publisher-rule-condition-in-applocker.md +++ b/windows/keep-secure/understanding-the-publisher-rule-condition-in-applocker.md @@ -2,18 +2,24 @@ title: Understanding the publisher rule condition in AppLocker (Windows 10) description: This topic explains the AppLocker publisher rule condition, what controls are available, and how it is applied. ms.assetid: df61ed8f-a97e-4644-9d0a-2169f18c1c4f -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Understanding the publisher rule condition in AppLocker + **Applies to** - Windows 10 + This topic explains the AppLocker publisher rule condition, what controls are available, and how it is applied. + Publisher conditions can be made only for files that are digitally signed; this condition identifies an app based on its digital signature and extended attributes. The digital signature contains information about the company that created the app (the publisher). The extended attributes, which are obtained from the binary resource, contain the name of the product that the app is part of and the version number of the app. The publisher may be a software development company, such as Microsoft, or the Information Technology department of your organization. -Publisher conditions are easier to maintain than file hash conditions and are generally more secure than path conditions. Rules that are specified to the version level might have to be updated when a new version of the file is released. The following table describes the advantages and disadvantages of the publisher condition. +Publisher conditions are easier to maintain than file hash conditions and are generally more secure than path conditions. Rules that are specified to the version level might have to be updated when a new version of the file is released. The following table describes the advantages and disadvantages +of the publisher condition. + @@ -42,70 +48,42 @@ Publisher conditions are easier to maintain than file hash conditions and are ge
  Wildcard characters can be used as values in the publisher rule fields according to the following specifications: + - **Publisher** + The asterisk (\*) character used by itself represents any publisher. When combined with any string value, the rule is limited to the publisher with a value in the signed certificate that matches the character string. In other words, the asterisk is not treated as a wildcard character if used with other characters in this field. For example, using the characters "M\*" limits the publisher name to only a publisher with the name "M\*." Using the characters "\*x\*" limits the publisher name only to the name “\*x\*”. A question mark (?) is not a valid wildcard character in this field. + - **Product name** + The asterisk (\*) character used by itself represents any product name. When combined with any string value, the rule is limited to the product of the publisher with a value in the signed certificate that matches the character string. In other words, the asterisk is not treated as a wildcard character if used with other characters in this field. A question mark (?) is not a valid wildcard character in this field. + - **File name** + Either the asterisk (\*) or question mark (?) characters used by themselves represent any and all file names. When combined with any string value, the string is matched with any file name containing that string. + - **File version** + The asterisk (\*) character used by itself represents any file version. If you want to limit the file version to a specific version or as a starting point, you can state the file version and then use the following options to apply limits: + - **Exactly**. The rule applies only to this version of the app - **And above**. The rule applies to this version and all later versions. - **And Below**. The rule applies to this version and all earlier versions. + The following table describes how a publisher condition is applied. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
OptionThe publisher condition allows or denies…

All signed files

All files that are signed by a publisher.

Publisher only

All files that are signed by the named publisher.

Publisher and product name

All files for the specified product that are signed by the named publisher.

Publisher, product name, and file name

Any version of the named file for the named product that is signed by the publisher.

Publisher, product name, file name, and file version

Exactly

-

The specified version of the named file for the named product that is signed by the publisher.

Publisher, product name, file name, and file version

And above

-

The specified version of the named file and any new releases for the product that are signed by the publisher.

Publisher, product name, file name, and file version

And below

-

The specified version of the named file and any older versions for the product that are signed by the publisher.

Custom

You can edit the Publisher, Product name, File name, and Version fields to create a custom rule.

+ +| Option | The publisher condition allows or denies…| +| - | - | +| **All signed files** | All files that are signed by a publisher.| +| **Publisher only** | All files that are signed by the named publisher.| +| **Publisher and product name** | All files for the specified product that are signed by the named publisher.| +| **Publisher, product name, and file name** | Any version of the named file for the named product that is signed by the publisher.| +| **Publisher, product name, file name, and file version** | **Exactly**
The specified version of the named file for the named product that is signed by the publisher.| +| **Publisher, product name, file name, and file version** | **And above**
The specified version of the named file and any new releases for the product that are signed by the publisher.| +| **Publisher, product name, file name, and file version**| **And below**
The specified version of the named file and any older versions for the product that are signed by the publisher.| +| **Custom** | You can edit the **Publisher**, **Product name**, **File name**, and **Version** fields to create a custom rule.|   For an overview of the three types of AppLocker rule conditions and explanations of the advantages and disadvantages of each, see [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md). + ## Related topics -[How AppLocker works](how-applocker-works-techref.md) -  -  + +- [How AppLocker works](how-applocker-works-techref.md) diff --git a/windows/keep-secure/use-a-reference-computer-to-create-and-maintain-applocker-policies.md b/windows/keep-secure/use-a-reference-computer-to-create-and-maintain-applocker-policies.md index 4b888e3d71..90336b381a 100644 --- a/windows/keep-secure/use-a-reference-computer-to-create-and-maintain-applocker-policies.md +++ b/windows/keep-secure/use-a-reference-computer-to-create-and-maintain-applocker-policies.md @@ -2,35 +2,46 @@ title: Use a reference device to create and maintain AppLocker policies (Windows 10) description: This topic for the IT professional describes the steps to create and maintain AppLocker policies by using a reference computer. ms.assetid: 10c3597f-f44c-4c8e-8fe5-105d4ac016a6 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Use a reference device to create and maintain AppLocker policies + **Applies to** - Windows 10 + This topic for the IT professional describes the steps to create and maintain AppLocker policies by using a reference computer. + ## Background and prerequisites + An AppLocker reference device is a baseline device you can use to configure policies and can subsequently be used to maintain AppLocker policies. For the procedure to configure a reference device, see [Configure the AppLocker reference device](configure-the-appLocker-reference-device.md). + An AppLocker reference device that is used to create and maintain AppLocker policies should contain the corresponding apps for each organizational unit (OU) to mimic your production environment. -**Important**   -The reference device must be running one of the supported editions of Windows. For information about operating system requirements for AppLocker, see [Requirements to use AppLocker](requirements-to-use-applocker.md). + +>**Important:**  The reference device must be running one of the supported editions of Windows. For information about operating system requirements for AppLocker, see [Requirements to use AppLocker](requirements-to-use-applocker.md).   You can perform AppLocker policy testing on the reference device by using the **Audit only** enforcement setting or Windows PowerShell cmdlets. You can also use the reference device as part of a testing configuration that includes policies that are created by using Software Restriction Policies. + ## Step 1: Automatically generate rules on the reference device + With AppLocker, you can automatically generate rules for all files within a folder. AppLocker scans the specified folder and creates the condition types that you choose for each file in that folder. For the procedure to do this, see [Run the Automatically Generate Rules wizard](run-the-automatically-generate-rules-wizard.md). -**Note**   -If you run this wizard to create your first rules for a Group Policy Object (GPO), after you complete the wizard, you will be prompted to create the default rules, which allow critical system files to run. You can edit the default rules at any time. If your organization has decided to edit the default rules or create custom rules to allow the Windows system files to run, ensure that you delete the default rules after you replace them with your custom rules. + +>**Note:**  If you run this wizard to create your first rules for a Group Policy Object (GPO), after you complete the wizard, you will be prompted to create the default rules, which allow critical system files to run. You can edit the default rules at any time. If your organization has decided to edit the default rules or create custom rules to allow the Windows system files to run, ensure that you delete the default rules after you replace them with your custom rules.   ## Step 2: Create the default rules on the reference device + AppLocker includes default rules for each rule collection. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. You must run the default rules for each rule collection. For info about default rules and considerations for using them, see [Understanding AppLocker default rules](understanding-applocker-default-rules.md). For the procedure to create default rules, see [Create AppLocker default rules](create-applocker-default-rules.md). -**Important**   -You can use the default rules as a template when you create your own rules. This allows files within the Windows directory to run. However, these rules are only meant to function as a starter policy when you are first testing AppLocker rules. + +>**Important:**  You can use the default rules as a template when you create your own rules. This allows files within the Windows directory to run. However, these rules are only meant to function as a starter policy when you are first testing AppLocker rules.   ## Step 3: Modify rules and the rule collection on the reference device + If AppLocker policies are currently running in your production environment, export the policies from the corresponding GPOs and save them to the reference device. For the procedure to do this, see [Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md). If no AppLocker policies have been deployed, create the rules and develop the policies by using the following procedures: + - [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md) - [Create a rule that uses a file hash condition](create-a-rule-that-uses-a-file-hash-condition.md) - [Create a rule that uses a path condition](create-a-rule-that-uses-a-path-condition.md) @@ -39,25 +50,34 @@ If AppLocker policies are currently running in your production environment, expo - [Delete an AppLocker rule](delete-an-applocker-rule.md) - [Enable the DLL rule collection](enable-the-dll-rule-collection.md) - [Enforce AppLocker rules](enforce-applocker-rules.md) + ## Step 4: Test and update AppLocker policy on the reference device + You should test each set of rules to ensure that they perform as intended. The **Test-AppLockerPolicy** Windows PowerShell cmdlet can be used to determine whether any of the rules in your rule collection will be blocked on your reference device. Perform the steps on each reference device that you used to define the AppLocker policy. Ensure that the reference device is joined to the domain and that it is receiving the AppLocker policy from the appropriate GPO. Because AppLocker rules are inherited from linked GPOs, you should deploy all of the rules to simultaneously test all of your test GPOs. Use the following procedures to complete this step: + - [Test an AppLocker Policy with Test-AppLockerPolicy](http://technet.microsoft.com/library/ee791772(WS.10).aspx) - [Discover the Effect of an AppLocker Policy](http://technet.microsoft.com/library/ee791823(WS.10).aspx) -**Caution**   -If you have set the enforcement setting on the rule collection to **Enforce rules** or you have not configured the rule collection, the policy will be implemented when the GPO is updated in the next step. If you have set the enforcement setting on the rule collection to **Audit only**, application access events are written to the AppLocker log, and the policy will not take effect. + +>**Caution:**  If you have set the enforcement setting on the rule collection to **Enforce rules** or you have not configured the rule collection, the policy will be implemented when the GPO is updated in the next step. If you have set the enforcement setting on the rule collection to **Audit only**, application access events are written to the AppLocker log, and the policy will not take effect.   ## Step 5: Export and import the policy into production + When the AppLocker policy has been tested successfully, it can be imported into the GPO (or imported into individual computers that are not managed by Group Policy) and checked for its intended effectiveness. To do this, perform the following procedures: + - [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) - [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md) or - [Discover the Effect of an AppLocker Policy](http://technet.microsoft.com/library/ee791823(WS.10).aspx) + If the AppLocker policy enforcement setting is **Audit only** and you are satisfied that the policy is fulfilling your intent, you can change it to **Enforce rules**. For info about how to change the enforcement setting, see [Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md). + ## Step 6: Monitor the effect of the policy in production + If additional refinements or updates are necessary after a policy is deployed, use the appropriate following procedures to monitor and update the policy: + - [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md) - [Edit an AppLocker policy](edit-an-applocker-policy.md) - [Refresh an AppLocker policy](refresh-an-applocker-policy.md) + ## See also -[Deploy the AppLocker policy into production](deploy-the-applocker-policy-into-production.md) -  -  + +- [Deploy the AppLocker policy into production](deploy-the-applocker-policy-into-production.md) diff --git a/windows/keep-secure/use-applocker-and-software-restriction-policies-in-the-same-domain.md b/windows/keep-secure/use-applocker-and-software-restriction-policies-in-the-same-domain.md index 01e857dfe3..17fe40b6a1 100644 --- a/windows/keep-secure/use-applocker-and-software-restriction-policies-in-the-same-domain.md +++ b/windows/keep-secure/use-applocker-and-software-restriction-policies-in-the-same-domain.md @@ -2,18 +2,26 @@ title: Use AppLocker and Software Restriction Policies in the same domain (Windows 10) description: This topic for IT professionals describes concepts and procedures to help you manage your application control strategy using Software Restriction Policies and AppLocker. ms.assetid: 2b7e0cec-df62-49d6-a2b7-6b8e30180943 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Use AppLocker and Software Restriction Policies in the same domain + **Applies to** - Windows 10 + This topic for IT professionals describes concepts and procedures to help you manage your application control strategy using Software Restriction Policies and AppLocker. + ## Using AppLocker and Software Restriction Policies in the same domain -AppLocker is supported on systems running Windows 7 and above. Software Restriction Policies (SRP) is supported on systems running Windows Vista or earlier. You can continue to use SRP for application control on your pre-Windows 7 computers, but use AppLocker for computers running Windows Server 2008 R2, Windows 7 and later. It is recommended that you author AppLocker and SRP rules in separate GPOs and target the GPO with SRP policies to systems running Windows Vista or earlier. When both SRP and AppLocker policies are applied to computers running Windows Server 2008 R2, Windows 7 and later, the SRP policies are ignored. + +AppLocker is supported on systems running Windows 7 and above. Software Restriction Policies (SRP) is supported on systems running Windows Vista or earlier. You can continue to use SRP for application control on your pre-Windows 7 computers, but use AppLocker for computers running +Windows Server 2008 R2, Windows 7 and later. It is recommended that you author AppLocker and SRP rules in separate GPOs and target the GPO with SRP policies to systems running Windows Vista or earlier. When both SRP and AppLocker policies are applied to computers running Windows Server 2008 R2, +Windows 7 and later, the SRP policies are ignored. + The following table compares the features and functions of Software Restriction Policies (SRP) and AppLocker. diff --git a/windows/keep-secure/use-the-applocker-windows-powershell-cmdlets.md b/windows/keep-secure/use-the-applocker-windows-powershell-cmdlets.md index 4ccedff7ca..d7cd5120c4 100644 --- a/windows/keep-secure/use-the-applocker-windows-powershell-cmdlets.md +++ b/windows/keep-secure/use-the-applocker-windows-powershell-cmdlets.md @@ -2,30 +2,51 @@ title: Use the AppLocker Windows PowerShell cmdlets (Windows 10) description: This topic for IT professionals describes how each AppLocker Windows PowerShell cmdlet can help you administer your AppLocker application control policies. ms.assetid: 374e029c-5c0a-44ab-a57a-2a9dd17dc57d -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Use the AppLocker Windows PowerShell cmdlets + **Applies to** - Windows 10 + This topic for IT professionals describes how each AppLocker Windows PowerShell cmdlet can help you administer your AppLocker application control policies. + ## AppLocker Windows PowerShell cmdlets -The five AppLocker cmdlets are designed to streamline the administration of an AppLocker policy. They can be used to help create, test, maintain, and troubleshoot an AppLocker policy. The cmdlets are intended to be used in conjunction with the AppLocker user interface that is accessed through the Microsoft Management Console (MMC) snap-in extension to the Local Security Policy snap-in and Group Policy Management Console. -To edit or update a Group Policy Object (GPO) by using the AppLocker cmdlets, you must have Edit Setting permission. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission. To perform tasks by using the Local Security policy snap-in, you must be a member of the local **Administrators** group, or equivalent, on the computer. + +The five AppLocker cmdlets are designed to streamline the administration of an AppLocker policy. They can be used to help create, test, maintain, and troubleshoot an AppLocker policy. The cmdlets are intended to be used in conjunction with the AppLocker user interface that is accessed through the +Microsoft Management Console (MMC) snap-in extension to the Local Security Policy snap-in and Group Policy Management Console. + +To edit or update a Group Policy Object (GPO) by using the AppLocker cmdlets, you must have Edit Setting permission. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission. To perform tasks by using the +Local Security policy snap-in, you must be a member of the local **Administrators** group, or equivalent, on the computer. + ### Retrieve application information -The [Get-AppLockerFileInformation](http://technet.microsoft.com/library/hh847209.aspx) cmdlet retrieves the AppLocker file information from a list of files or from an event log. File information that is retrieved can include publisher information, file hash information, and file path information. File information from an event log may not contain all of these fields. Files that are not signed do not have any publisher information. + +The [Get-AppLockerFileInformation](http://technet.microsoft.com/library/hh847209.aspx) cmdlet retrieves the AppLocker file information from a list of files or from an event log. File information that is retrieved can include publisher information, file hash information, and file path information. + +File information from an event log may not contain all of these fields. Files that are not signed do not have any publisher information. + ### Set AppLocker policy + The [Set-AppLockerPolicy](http://technet.microsoft.com/library/hh847212.aspx) cmdlet sets the specified GPO to contain the specified AppLocker policy. If no Lightweight Directory Access Protocol (LDAP) is specified, the local GPO is the default. + ### Retrieve an AppLocker policy + The [Get-AppLockerPolicy](http://technet.microsoft.com/library/hh847214.aspx) cmdlet gets the AppLocker policy from the local GPO, from a specified GPO, or from the effective AppLocker policy on the device. The output of the AppLocker policy is an AppLockerPolicy object or an XML-formatted string. + ### Generate rules for a given user or group -The [New-AppLockerPolicy](http://technet.microsoft.com/library/hh847211.aspx) cmdlet uses a list of file information to automatically generate rules for a given user or group. It can generate rules based on publisher, hash, or path information. Use **Get-AppLockerFileInformation** to create the list of file information. + +The [New-AppLockerPolicy](http://technet.microsoft.com/library/hh847211.aspx) cmdlet uses a list of file information to automatically generate rules for a given user or group. It can generate rules based on publisher, hash, or path information. Use **Get-AppLockerFileInformation** to create the +list of file information. + ### Test the AppLocker Policy against a file set + The [Test-AppLockerPolicy](http://technet.microsoft.com/library/hh847213.aspx) cmdlet uses the specified AppLocker policy to test whether a specified list of files are allowed to run or not on the local device for a specific user. + ## Additional resources + - For steps to perform other AppLocker policy tasks, see [Administer AppLocker](administer-applocker.md). -  -  diff --git a/windows/keep-secure/use-windows-defender-advanced-threat-protection.md b/windows/keep-secure/use-windows-defender-advanced-threat-protection.md index dd0fc24f67..717abdaec8 100644 --- a/windows/keep-secure/use-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/use-windows-defender-advanced-threat-protection.md @@ -3,9 +3,10 @@ title: Use the Windows Defender Advanced Threat Protection portal description: Learn about the features on Windows Defender ATP portal, including how alerts work, and suggestions on how to investigate possible breaches and attacks. keywords: dashboard, alerts queue, manage alerts, investigation, investigate alerts, investigate machines, submit files, deep analysis, high, medium, low, severity, ioc, ioa search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: mjcaparas --- diff --git a/windows/keep-secure/use-windows-event-forwarding-to-assist-in-instrusion-detection.md b/windows/keep-secure/use-windows-event-forwarding-to-assist-in-instrusion-detection.md index cc7a0adbb4..846f249f82 100644 --- a/windows/keep-secure/use-windows-event-forwarding-to-assist-in-instrusion-detection.md +++ b/windows/keep-secure/use-windows-event-forwarding-to-assist-in-instrusion-detection.md @@ -2,22 +2,33 @@ title: Use Windows Event Forwarding to help with intrusion detection (Windows 10) description: Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected. ms.assetid: 733263E5-7FD1-45D2-914A-184B9E3E6A3F -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: tedhardyMSFT --- + # Use Windows Event Forwarding to help with intrusion detection + **Applies to** - Windows 10 + Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected. + Windows Event Forwarding (WEF) reads any operational or administrative event log on a device in your organization and forwards the events you choose to a Windows Event Collector (WEC) server. -To accomplish this, there are two different of subscriptions published to client devices - the Baseline subscription and the suspect subscription. The Baseline subscription enrolls all devices in your organization, and a Suspect subscription only includes devices that have been added by you. The Suspect subscription collects additional events to help build context for system activity and can quickly be updated to accommodate new events and/or scenarios as needed without impacting baseline operations. + +To accomplish this, there are two different of subscriptions published to client devices - the Baseline subscription and the suspect subscription. The Baseline subscription enrolls all devices in your organization, and a Suspect subscription only includes devices that have been added by you. The +Suspect subscription collects additional events to help build context for system activity and can quickly be updated to accommodate new events and/or scenarios as needed without impacting baseline operations. + This implementation helps differentiate where events are ultimately stored. Baseline events can be sent to devices with online analytical capability, such as Security Event Manager (SEM), while also sending events to a MapReduce system, such as HDInsight or Hadoop, for long-term storage and deeper analysis. Events from the Suspect subscription are sent directly to a MapReduce system due to volume and lower signal/noise ratio, they are largely used for host forensic analysis. + An SEM’s strength lies in being able to inspect, correlate events, and generate alerts for known patterns manner and alert security staff at machine speed. + A MapReduce system has a longer retention time (years versus months for an SEM), larger ingress ability (hundreds of terabytes per day), and the ability to perform more complex operations on the data like statistical and trend analysis, pattern clustering analysis, or apply Machine Learning algorithms. + Here's an approximate scaling guide for WEF events: + | Events/second range | Data store | |---------------------|----------------------------| | 0 - 5,000 | SQL or SEM | @@ -25,54 +36,91 @@ Here's an approximate scaling guide for WEF events: | 50,000+ | Hadoop/HDInsight/Data Lake |   Event generation on a device must be enabled either separately or as part of the GPO for the baseline WEF implementation, including enabling of disabled event logs and setting channel permissions. For more info, see [Appendix C - Event channel settings (enable and channel access) methods](#bkmk-appendixc). This is because WEF is a passive system with regards to the event log. It cannot change the size of event log files, enable disabled event channels, change channel permissions, or adjust a security audit policy. WEF only queries event channels for existing events. Additionally, having event generation already occurring on a device allows for more complete event collection building a complete history of system activity. Otherwise, you'll be limited to the speed of GPO and WEF subscription refresh cycles to make changes to what is being generated on the device. On modern devices, enabling additional event channels and expanding the size of event log files has not resulted in noticeable performance differences. + For the minimum recommended audit policy and registry system ACL settings, see [Appendix A - Minimum recommended minimum audit policy](#bkmk-appendixa) and [Appendix B - Recommended minimum registry system ACL policy](#bkmk-appendixb). -**Note**   -These are only minimum values need to meet what the WEF subscription selects. + +>**Note:**  These are only minimum values need to meet what the WEF subscription selects.   From a WEF subscription management perspective, the event queries provided should be used in two separate subscriptions for ease of maintenance; only machines meeting specific criteria would be allowed access to the targeted subscription, this access would be determined by an algorithm or an analysts’ direction. All devices should have access to the Baseline subscription. + This means you would create two base subscriptions: + - **Baseline WEF subscription**. Events collected from all hosts, this includes some role-specific events, which will only be emitted by those machines. - **Targeted WEF subscription**. Events collected from a limited set of hosts due to unusual activity and/or heightened awareness for those systems. + Each using the respective event query below. Note that for the Targeted subscription enabling the “read existing events” option should be set to true to allow collection of existing events from systems. By default, WEF subscriptions will only forward events generated after the WEF subscription was received by the client. + In [Appendix E – Annotated Baseline Subscription Event Query](#bkmk-appendixe) and [Appendix F – Annotated Suspect Subscription Event Query](#bkmk-appendixf), the event query XML is included when creating WEF subscriptions. These are annotated for query purpose and clarity. Individual <Query> element can be removed or edited without affecting the rest of the query. + ### Common WEF questions + This section addresses common questions from IT pros and customers. + ### Will the user notice if their machine is enabled for WEF or if WEF encounters an error? + The short answer is: No. + The longer answer is: The **Eventlog-forwardingPlugin/Operational** event channel logs the success, warning, and error events related to WEF subscriptions present on the device. Unless the user opens Event Viewer and navigates to that channel, they will not notice WEF either through resource consumption or Graphical User Interface pop-ups. Even if there is an issue with the WEF subscription, there is no user interaction or performance degradation. All success, warning, and failure events are logged to this operational event channel. + ### Is WEF Push or Pull? + A WEF subscription can be configured to be push or pull, but not both. The simplest, most flexible IT deployment with the greatest scalability can be achieved by using a push, or source initiated, subscription. WEF clients are configured by using a GPO and the built-in forwarding client is activated. For pull, collector initiated, the subscription on the WEC server is pre-configured with the names of the WEF Client devices from which events are to be selected. Those clients also have to be configured ahead of time to allow the credentials used in the subscription to access their event logs remotely (normally by adding the credential to the **Event Log Readers** built-in local security group.) A useful scenario: closely monitoring a specific set of machines. + ### Will WEF work over VPN or RAS? + WEF handles VPN, RAS, and DirectAccess scenarios well and will reconnect and send any accumulated backlog of events when the connection to the WEF Collector is re-established. + ### How is client progress tracked? -The WEC server maintains in its registry the bookmark information and last heartbeat time for each event source for each WEF subscription. When an event source re-connects to a WEC server, the last bookmark position is sent to the device to use as a starting point to resume forwarding events. If a WEF client has no events to send, the WEF client will connect periodically to send a Heartbeat to the WEC server to indicate it is active. This heartbeat value can be individually configured for each subscription. + +The WEC server maintains in its registry the bookmark information and last heartbeat time for each event source for each WEF subscription. When an event source re-connects to a WEC server, the last bookmark position is sent to the device to use as a starting point to resume forwarding events. If a +WEF client has no events to send, the WEF client will connect periodically to send a Heartbeat to the WEC server to indicate it is active. This heartbeat value can be individually configured for each subscription. + ### Will WEF work in an IPv4, IPv6, or mixed IPv4/IPv6 environment? + Yes. WEF is transport agnostic and will work over IPv4 or IPv6. + ### Are WEF events encrypted? I see an HTTP/HTTPS option! + In a domain setting, the connection used to transmit WEF events is encrypted using Kerberos, by default (with NTLM as a fallback option, which can be disabled by using a GPO). Only the WEF collector can decrypt the connection. Additionally, the connection between WEF client and WEC server is mutually authenticated regardless of authentication type (Kerberos or NTLM.) There are GPO options to force Authentication to use Kerberos Only. + This authentication and encryption is performed regardless if HTTP or HTTPS is selected. + The HTTPS option is available if certificate based authentication is used, in cases where the Kerberos based mutual authentication is not an option. The SSL certificate and provisioned client certificates are used to provide mutual authentication. + ### Do WEF Clients have a separate buffer for events? + The WEF client machines local event log is the buffer for WEF for when the connection to the WEC server is lost. To increase the “buffer size”, increase the maximum file size of the specific event log file where events are being selected. For more info, see [Appendix C – Event Channel Settings (enable and Channel Access) methods](#bkmk-appendixc). + When the event log overwrites existing events (resulting in data loss if the device is not connected to the Event Collector), there is no notification sent to the WEF collector that events are lost from the client. Neither is there an indicator that there was a gap encountered in the event stream. + ### What format is used for forwarded events? -WEF has two modes for forwarded events. The default is “Rendered Text” which includes the textual description of the event as you would see it in Event Viewer. This means that the event size is effectively doubled or tripled depending on the size of the rendered description. The alternative mode is “Events” (also sometimes referred to as “Binary” format) – which is just the event XML itself sent in binary XML format (as it would be written to the evtx file.) This is very compact and can more than double the event volume a single WEC server can accommodate. + +WEF has two modes for forwarded events. The default is “Rendered Text” which includes the textual description of the event as you would see it in Event Viewer. This means that the event size is effectively doubled or tripled depending on the size of the rendered description. The alternative mode is +“Events” (also sometimes referred to as “Binary” format) – which is just the event XML itself sent in binary XML format (as it would be written to the evtx file.) This is very compact and can more than double the event volume a single WEC server can accommodate. + A subscription “testSubscription” can be configured to use the Events format through the WECUTIL utility: + ``` syntax @rem required to set the DeliveryMaxItems or DeliveryMaxLatencyTime Wecutil ss “testSubscription” /cf:Events ``` + ### How frequently are WEF events delivered? + Event delivery options are part of the WEF subscription configuration parameters – There are three built-in subscription delivery options: Normal, Minimize Bandwidth, and Minimize Latency. A fourth, catch-all called “Custom” is available but cannot be selected or configured through the WEF UI by using Event Ciewer. The Custom delivery option must be selected and configured using the WECUTIL.EXE command-line application. All subscription options define a maximum event count and maximum event age, if either limit is exceeded then the accumulated events are sent to the event collector. + This table outlines the built-in delivery options: -| Event delivery optimization options | Description | -|-------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Normal | This option ensures reliable delivery of events and does not attempt to conserve bandwidth. It is the appropriate choice unless you need tighter control over bandwidth usage or need forwarded events delivered as quickly as possible. It uses pull delivery mode, batches 5 items at a time and sets a batch timeout of 15 minutes. | -| Minimize bandwidth | This option ensures that the use of network bandwidth for event delivery is strictly controlled. It is an appropriate choice if you want to limit the frequency of network connections made to deliver events. It uses push delivery mode and sets a batch timeout of 6 hours. In addition, it uses a heartbeat interval of 6 hours. | -| Minimize latency | This option ensures that events are delivered with minimal delay. It is an appropriate choice if you are collecting alerts or critical events. It uses push delivery mode and sets a batch timeout of 30 seconds. | + +| Event delivery optimization options | Description | +| - | - | +| Normal | This option ensures reliable delivery of events and does not attempt to conserve bandwidth. It is the appropriate choice unless you need tighter control over bandwidth usage or need forwarded events delivered as quickly as possible. It uses pull delivery mode, batches 5 items at a time and sets a batch timeout of 15 minutes. | +| Minimize bandwidth | This option ensures that the use of network bandwidth for event delivery is strictly controlled. It is an appropriate choice if you want to limit the frequency of network connections made to deliver events. It uses push delivery mode and sets a batch timeout of 6 hours. In addition, it uses a heartbeat interval of 6 hours. | +| Minimize latency | This option ensures that events are delivered with minimal delay. It is an appropriate choice if you are collecting alerts or critical events. It uses push delivery mode and sets a batch timeout of 30 seconds. |   For more info about delivery options, see [Configure Advanced Subscription Settings](http://technet.microsoft.com/library/cc749167.aspx). + The primary difference is in the latency which events are sent from the client. If none of the built-in options meet your requirements you can set Custom event delivery options for a given subscription from an elevated command prompt: + ``` syntax @rem required to set the DeliveryMaxItems or DeliveryMaxLatencyTime Wecutil ss “SubscriptionNameGoesHere” /cm:Custom @@ -82,122 +130,209 @@ Wecutil ss “SubscriptionNameGoesHere” /dmi:1 Wecutil ss “SubscriptionNameGoesHere” /dmlt:10 ``` ### How do I control which devices have access to a WEF Subscription? + For source initiated subscriptions: Each WEF subscription on a WEC server has its own ACL for machine accounts or security groups containing machine accounts (not user accounts) that are explicitly allowed to participate in that subscription or are explicitly denied access. This ACL applies to only a single WEF subscription (since there can be multiple WEF subscriptions on a given WEC server), other WEF Subscriptions have their own separate ACL. + For collector initiated subscriptions: The subscription contains the list of machines from which the WEC server is to collect events. This list is managed at the WEC server, and the credentials used for the subscription must have access to read event logs from the WEF Clients – the credentials can be either the machine account or a domain account. + ### Can a client communicate to multiple WEF Event Collectors? + Yes. If you desire a High-Availability environment, simply configure multiple WEC servers with the same subscription configuration and publish both WEC Server URIs to WEF clients. WEF Clients will forward events simultaneously to the configured subscriptions on the WEC servers, if they have the appropriate access. + ### What are the WEC server’s limitations? + There are three factors that limit the scalability of WEC servers. The general rule for a stable WEC server on commodity hardware is “10k x 10k” – meaning, no more than 10,000 concurrently active WEF Clients per WEC server and no more than 10,000 events/second average event volume. + - **Disk I/O**. The WEC server does not process or validate the received event, but rather buffers the received event and then logs it to a local event log file (EVTX file). The speed of logging to the EVTX file is limited by the disk write speed. Isolating the EVTX file to its own array or using high speed disks can increase the number of events per second that a single WEC server can receive. - **Network Connections**. While a WEF source does not maintain a permanent, persistent connection to the WEC server, it does not immediately disconnect after sending its events. This means that the number of WEF sources that can simultaneously connect to the WEC server is limited to the open TCP ports available on the WEC server. - **Registry size**. For each unique device that connects to a WEF subscription, there is a registry key (corresponding to the FQDN of the WEF Client) created to store bookmark and source heartbeat information. If this is not pruned to remove inactive clients this set of registry keys can grow to an unmanageable size over time. + - When a subscription has >1000 WEF sources connect to it over its operational lifetime, also known as lifetime WEF sources, Event Viewer can become unresponsive for a few minutes when selecting the **Subscriptions** node in the left-navigation, but will function normally afterwards. - At >50,000 lifetime WEF sources, Event Viewer is no longer an option and wecutil.exe (included with Windows) must be used to configure and manage subscriptions. - At >100,000 lifetime WEF sources, the registry will not be readable and the WEC server will likely have to be rebuilt. + ## Subscription information + Below lists all of the items that each subscription collects, the actual subscription XML is available in an Appendix. These are separated out into Baseline and Targeted. The intent is to subscribe all hosts to Baseline, and then enroll (and remove) hosts on an as needed basis to the Targeted subscription. + ### Baseline subscription + While this appears to be the largest subscription, it really is the lowest volume on a per-device basis. (Exceptions should be allowed for unusual devices – a device performing complex developer related tasks can be expected to create an unusually high volume of process create and AppLocker events.) This subscription does not require special configuration on client devices to enable event channels or modify channel permissions. + The subscription is essentially a collection of query statements applied to the Event Log. This means that it is modular in nature and a given query statement can be removed or changed without impacting other query statement in the subscription. Additionally, suppress statements which filter out specific events, only apply within that query statement and are not to the entire subscription. + ### Baseline subscription requirements + To gain the most value out of the baseline subscription we recommend to have the following requirements set on the device to ensure that the clients are already generating the required events to be forwarded off the system. + - Apply a security audit policy that is a super-set of the recommended minimum audit policy. For more info, see [Appendix A – Minimum Recommended minimum Audit Policy](#bkmk-appendixa). This ensures that the security event log is generating the required events. - Apply at least an Audit-Only AppLocker policy to devices. + - If you are already whitelisting or blacklisting events by using AppLocker, then this requirement is met. - AppLocker events contain extremely useful information, such as file hash and digital signature information for executables and scripts. + - Enable disabled event channels and set the minimum size for modern event files. - Currently, there is no GPO template for enabling or setting the maximum size for the modern event files. This must be done by using a GPO. For more info, see [Appendix C – Event Channel Settings (enable and Channel Access) methods](#bkmk-appendixc). + The annotated event query can be found in the following. For more info, see [Appendix F – Annotated Baseline Subscription Event Query](#bkmk-appendixf). + - Anti-malware events from Microsoft Antimalware or Windows Defender. This can be configured for any given anti-malware product easily if it writes to the Windows event log. - Security event log Process Create events. - AppLocker Process Create events (EXE, script, packaged App installation and execution). - Registry modification events. For more info, see [Appendix B – Recommended minimum Registry System ACL Policy](#bkmk-appendixb). - OS startup and shutdown + - Startup event include operating system version, service pack level, QFE version, and boot mode. + - Service install + - Includes what the name of the service, the image path, and who installed the service. + - Certificate Authority audit events + - This is only applicable on systems with the Certificate Authority role installed. - Logs certificate requests and responses. + - User profile events + - Use of a temporary profile or unable to create a user profile may indicate an intruder is interactively logging into a device but not wanting to leave a persistent profile behind. + - Service start failure + - Failure codes are localized, so you have to check the message DLL for values. + - Network share access events + - Filter out IPC$ and /NetLogon file shares, which are expected and noisy. + - System shutdown initiate requests + - Find out what initiated the restart of a device. + - User initiated interactive logoff event - Remote Desktop Services session connect, reconnect, or disconnect. - EMET events, if EMET is installed. - Event forwarding plugin events + - For monitoring WEF subscription operations, particularly Partial Success events. This is useful for diagnosing deployment issues. + - Network share create and delete + - Enables detection of unauthorized share creation. - **Note**  All shares are re-created when the device starts. + >**Note:**  All shares are re-created when the device starts.   - Logon sessions + - Logon success for interactive (local and Remote Interactive/Remote Desktop) - Logon success for services for non-built-in accounts, such as LocalSystem, LocalNetwork, and so on. - Logon success for batch sessions - Logon session close, which are logoff events for non-network sessions. + - Windows Error Reporting (Application crash events only) + - This can help detect early signs of intruder not familiar with enterprise environment using targeted malware. + - Event log service events + - Errors, start events, and stop events for the Windows Event Log service. + - Event log cleared (including the Security Event Log) + - This could indicate an intruder that are covering their tracks. + - Special privileges assigned to new logon + - This indicates that at the time of logon a user is either an Administrator or has the sufficient access to make themselves Administrator. + - Outbound Remote Desktop Services session attempts + - Visibility into potential beachhead for intruder + - System time changed - SMB Client (mapped drive connections) - Account credential validation + - Local accounts or domain accounts on domain controllers + - A user was added or removed from the local Administrators security group. - Crypto API private key accessed + - Associated with signing objects using the locally stored private key. + - Task Scheduler task creation and delete + - Task Scheduler allows intruders to run code at specified times as LocalSystem. + - Logon with explicit credentials + - Detect credential use changes by intruders to access additional resources. + - Smartcard card holder verification events + - This detects when a smartcard is being used. + ### Suspect subscription + This adds some possible intruder-related activity to help analyst further refine their determinations about the state of the device. + - Logon session creation for network sessions + - Enables time-series analysis of network graphs. + - RADIUS and VPN events + - Useful if you use a Microsoft IAS RADIUS/VPN implementation. It shows user-> IP address assignment with remote IP address connecting to the enterprise. + - Crypto API X509 object and build chain events + - Detects known bad certificate, CA, or sub-CA - Detects unusual process use of CAPI + - Groups assigned to local logon + - Gives visibility to groups which enable account wide access - Allows better planning for remediation efforts - Excludes well known, built-in system accounts. + - Logon session exit + - Specific for network logon sessions. + - Client DNS lookup events + - Returns what process performed a DNS query and the results returned from the DNS server. + - Process exit + - Enables checking for processes terminating unexpectedly. + - Local credential validation or logon with explicit credentials + - Generated when the local SAM is authoritative for the account credentials being authenticated. - Noisy on domain controllers - On client devices this is only generated when local accounts log on. + - Registry modification audit events + - Only when a registry value is being created, modified, or deleted. + - Wireless 802.1x authentication + - Detect wireless connection with a peer MAC address + - Windows PowerShell logging + - Covers Windows PowerShell 2.0 and later and includes the Windows PowerShell 5.0 logging improvements for in-memory attacks using Windows PowerShell. - Includes Windows PowerShell remoting logging + - User Mode Driver Framework “Driver Loaded” event + - Can possibly detect a USB device loading multiple device drivers. For example, a USB\_STOR device loading the keyboard or network driver. + ## Appendix A - Minimum recommended minimum audit policy + If your organizational audit policy enables additional auditing to meet its needs, that is fine. The policy below is the minimum audit policy settings needed to enable events collected by both baseline and targeted subscriptions. + | Category | Subcategory | Audit settings | |--------------------|---------------------------------|---------------------| | Account Logon | Credential Validation | Success and Failure | @@ -232,28 +367,46 @@ If your organizational audit policy enables additional auditing to meet its need | System | System Integrity | Success and Failure |   ## Appendix B - Recommended minimum registry system ACL policy + The Run and RunOnce keys are useful for intruders and malware persistence. It allows code to be run (or run only once then removed, respectively) when a user logs into the system. + This can easily be extended to other Auto-Execution Start Points keys in the registry. + Use the following figures to see how you can configure those registry keys. -![default acl for run key](images/runkey.png)![default acl for runonce key](images/runoncekey.png) + +![default acl for run key](images/runkey.png) + +![default acl for runonce key](images/runoncekey.png) + ## Appendix C - Event channel settings (enable and channel access) methods + Some channels are disabled by default and have to be enabled. Others, such as Microsoft-Windows-CAPI2/Operational must have the channel access modified to allow the Event Log Readers built-in security group to read from it. + The recommended and most effective way to do this is to configure the baseline GPO to run a scheduled task to configure the event channels (enable, set maximum size, and adjust channel access.) This will take effect at the next GPO refresh cycle and has minimal impact on the client device. + The following GPO snippet performs the following: + - Enables the **Microsoft-Windows-Capi2/Operational** event channel. - Sets the maximum file size for **Microsoft-Windows-Capi2/Operational** to 100MB. - Sets the maximum file size for **Microsoft-Windows-AppLocker/EXE and DLL** to 100MB. - Sets the maximum channel access for **Microsoft-Windows-Capi2/Operational** to include the built-in Event Log Readers security group. - Enables the **Microsoft-Windows-DriverFrameworks-UserMode/Operational** event channel. - Sets the maximum file size for **Microsoft-Windows-DriverFrameworks-UserMode/Operational** to 50MB. + ![configure event channels](images/capi-gpo.png) + ## Appendix D - Minimum GPO for WEF Client configuration + Here are the minimum steps for WEF to operate: + 1. Configure the collector URI(s). 2. Start the WinRM service. 3. Add the Network Service account to the built-in Event Log Readers security group. This allows reading from secured event channel, such as the security event channel. + ![configure the wef client](images/wef-client-config.png) + ## Appendix E – Annotated baseline subscription event query + ``` syntax @@ -416,8 +569,11 @@ Here are the minimum steps for WEF to operate: ``` + ## Appendix F – Annotated Suspect Subscription Event Query + ``` syntax + @@ -486,10 +642,10 @@ Here are the minimum steps for WEF to operate: ``` ## Appendix G - Online resources + You can get more info with the following links: -- [Event Selection](http://msdn.microsoft.com/library/aa385231(VS.85).aspx) -- [Event Queries and Event XML](http://msdn.microsoft.com/library/bb399427(VS.90).aspx) -- [Event Query Schema](http://msdn.microsoft.com/library/aa385760(VS.85).aspx) + +- [Event Selection](http://msdn.microsoft.com/library/aa385231.aspx) +- [Event Queries and Event XML](http://msdn.microsoft.com/library/bb399427.aspx) +- [Event Query Schema](http://msdn.microsoft.com/library/aa385760.aspx) - [Windows Event Collector](http://msdn.microsoft.com/library/windows/desktop/bb427443.aspx) -  -  diff --git a/windows/keep-secure/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md b/windows/keep-secure/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md index 9f31ef56eb..7b203c0bcd 100644 --- a/windows/keep-secure/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md +++ b/windows/keep-secure/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md @@ -2,87 +2,83 @@ title: User Account Control Admin Approval Mode for the Built-in Administrator account (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Admin Approval Mode for the Built-in Administrator account security policy setting. ms.assetid: d465fc27-1cd2-498b-9cf6-7ad2276e5998 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # User Account Control: Admin Approval Mode for the Built-in Administrator account **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Admin Approval Mode for the Built-in Administrator account** security policy setting. + ## Reference + This policy setting determines the behavior of Admin Approval Mode for the built-in administrator account. When the Admin Approval Mode is enabled, the local administrator account functions like a standard user account, but it has the ability to elevate privileges without logging on by using a different account. In this mode, any operation that requires elevation of privilege displays a prompt that allows the administrator to permit or deny the elevation of privilege. If Admin Approval Mode is not enabled, the built-in Administrator account logs on in Windows XP Mode, and it runs all applications by default with full administrative privileges. By default, this setting is set to **Disabled**. -**Note**   -If a computer is upgraded from a previous version of the Windows operating system, and the administrator account is the only account on the computer, the built-in administrator account remains enabled, and this setting is also enabled. + +>**Note:**  If a computer is upgraded from a previous version of the Windows operating system, and the administrator account is the only account on the computer, the built-in administrator account remains enabled, and this setting is also enabled.   ### Possible values + - Enabled + The built-in administrator account logs on in Admin Approval Mode so that any operation that requires elevation of privilege displays a prompt that provides the administrator the option to permit or deny the elevation of privilege. + - Disabled + The built-in administrator account logs on in Windows XP Mode, and it runs all applications by default with full administrative privileges. + ### Best practices + - Do not enable the built-in administrator account on the client computer, but use the standard user account and User Account Control (UAC). + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. -
---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + One of the risks of the User Account Control (UAC) feature is that it is intended to mitigate malicious software running under elevated credentials without the user or administrator being aware of its activity. An attack vector for malicious programs is to discover the password of the administrator account because that user account was created for all installations of the Windows. To address this risk, the built-in administrator account is disabled in computers running at least Windows Vista. In computers running at least Windows Server 2008, the administrator account is enabled, and the password must be changed the first time the Administrator logs on. In a default installation of a computer running at least Windows Vista, accounts with administrative control over the computer are initially set up in one of two ways: + - If the computer is not joined to a domain, the first user account you create has the equivalent permissions as a local administrator. - If the computer is joined to a domain, no local administrator accounts are created. The enterprise or domain administrator must log on to the computer and create a local administrator account if one is warranted. + ### Countermeasure + Enable the **User Account Control: Admin Approval Mode for the Built-in Administrator account** setting if you have the built-in Administrator account enabled. + ### Potential impact + Users who log on by using the local administrator account are prompted for consent whenever a program requests an elevation in privilege. ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md b/windows/keep-secure/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md index 3215dba248..e80369cae9 100644 --- a/windows/keep-secure/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md +++ b/windows/keep-secure/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md @@ -2,104 +2,118 @@ title: User Account Control Allow UIAccess applications to prompt for elevation without using the secure desktop (Windows 10) description: Describes the best practices, location, values, and security considerations for the User Account Control Allow UIAccess applications to prompt for elevation without using the secure desktop security policy setting. ms.assetid: fce20472-3c93-449d-b520-13c4c74a9892 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop** security policy setting. + ## Reference + This security setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts that are used by a standard user. -**Note**   -This setting does not change the behavior of the UAC elevation prompt for administrators. + +>**Note:**  This setting does not change the behavior of the UAC elevation prompt for administrators.   **Background** + User Interface Privilege Isolation (UIPI) implements restrictions in the Windows subsystem that prevent lower-privilege applications from sending messages or installing hooks in higher-privilege processes. Higher-privilege applications are permitted to send messages to lower-privilege processes. UIPI does not interfere with or change the behavior of messages between applications at the same privilege (or integrity) level. + Microsoft UI Automation is the current model to support accessibility requirements in the Windows operating systems. Applications that are designed to support an accessible user experience control the behavior of other Windows applications on behalf of the user. When all applications on the automation client computer and server are running as a standard user (that is, at a medium integrity level), the UIPI restrictions do not interfere with the Microsoft UI automation model. + However, there might be times when an administrative user runs an application with elevated privilege based on UAC in Admin Approval Mode. Microsoft UI Automation cannot drive the UI graphics of elevated applications on the desktop without the ability to bypass the restrictions that UIPI implements. The ability to bypass UIPI restrictions across privilege levels is available for UI automation programs by using UIAccess. -If an application presents a UIAccess attribute when it requests privileges, the application is stating a requirement to bypass UIPI restrictions for sending messages across privilege levels. Devices implement the following policy checks before starting an application with UIAccess privilege. + +If an application presents a UIAccess attribute when it requests privileges, the application is stating a requirement to bypass UIPI restrictions for sending messages across privilege levels. Devices implement the following policy +checks before starting an application with UIAccess privilege. + 1. The application must have a digital signature that can be verified by using a digital certificate that is associated with the Trusted Root Certification Authorities store on the local computer. 2. The application must be installed in a local folder that is writeable only by administrators, such as the Program Files directory. The allowed directories for UI automation applications are: + 1. %ProgramFiles% and its subdirectories. 2. %WinDir% and its subdirectories, except a few subdirectories that are excluded because standard users have write access. + **Resulting behavior** + When this setting is enabled, UIAccess programs (including Windows Remote Assistance) can automatically disable the secure desktop for elevation prompts. Unless you have also disabled elevation prompts, the prompts appear on the interactive user's desktop instead of on the secure desktop. The prompts also appear on the remote administrator's view of the desktop during a Windows Remote Assistance session, and the remote administrator can provide the appropriate credentials for elevation. + If you disable this setting, the secure desktop can only be disabled by the user of the interactive desktop or by disabling the [User Account Control: Switch to the secure desktop when prompting for elevation](user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md) setting, which by default is enabled. + ### Possible values + - Enabled + UIA programs can automatically disable the secure desktop for elevation prompts, and unless you have also disabled elevation prompts, the prompts appear on the interactive user's desktop instead of on the secure desktop. Prompts will also appear on the remote administrator's view of the desktop during a Windows Remote Assistance session, and the remote administrator can provide the appropriate credentials for elevation. + - Disabled + The secure desktop can be disabled only by the user of the interactive desktop or by disabling the **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting. + ### Best practices + - Best practices are dependent on your security policies and your remote operational requirements. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +Server type or GPO| Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. + ### Group Policy + All auditing capabilities are integrated in Group Policy. You can configure, deploy, and manage these settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU). + ### Policy interactions + If you plan to enable this setting, you should also review the effect of the [User Account Control: Behavior of the elevation prompt for standard users](user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md) setting. If it is configured as **Automatically deny elevation requests**, elevation requests are not presented to the user. If you disable this setting, the secure desktop can only be disabled by the user of the interactive desktop or by disabling the [User Account Control: Switch to the secure desktop when prompting for elevation](user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md) setting, which by default is enabled. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + UIA programs are designed to interact with Windows and application programs on behalf of a user. This setting allows UIA programs to bypass the secure desktop to increase usability in certain cases, but it allows elevation requests to appear on the regular interactive desktop instead of on the secure desktop. This increases the risk that a malicious program could intercept data that is being transferred between the UI and the application. Because UIA programs must be able to respond to prompts regarding security issues, such as the UAC elevation prompt, UIA programs must be highly trusted. To be considered trusted, a UIA program must be digitally signed. By default, UIA programs can be run only from the following protected paths: + - ..\\Program Files\\ (and subfolders) - ..\\Program Files (x86)\\ (and subfolders, in 64-bit versions of Windows only) - ..\\Windows\\System32\\ + The requirement to be in a protected path can be disabled by the [User Account Control: Only elevate UIAccess applications that are installed in secure locations](user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md) setting. Although this setting applies to any UIA program, it is used primarily in certain Windows Remote Assistance scenarios. + ### Countermeasure + Disable the **User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop** setting. + ### Potential impact + If a user requests remote assistance from an administrator and the remote assistance session is established, elevation prompts appear on the interactive user's secure desktop and the administrator's remote session is paused. To avoid pausing the remote administrator’s session during elevation requests, the user can select the "Allow IT Expert to respond to User Account Control prompts" check box when setting up the remote assistance session. However, selecting this check box requires that the interactive user respond to an elevation prompt on the secure desktop. If the interactive user is a standard user, the user does not have the required credentials to allow elevation. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md b/windows/keep-secure/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md index 2f01c9ecc5..97af8126a3 100644 --- a/windows/keep-secure/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md +++ b/windows/keep-secure/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md @@ -2,94 +2,99 @@ title: User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode security policy setting. ms.assetid: 46a3c3a2-1d2e-4a6f-b5e6-29f9592f535d -ms.pagetype: security -ms.prod: W10 +ms.prod: ws10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode** security policy setting. + ## Reference + This policy setting determines the behavior of the elevation prompt for accounts that have administrative credentials. + ### Possible values + - **Elevate without prompting** + Assumes that the administrator will permit an operation that requires elevation, and additional consent or credentials are not required. - **Note**   - Selecting **Elevate without prompting** minimizes the protection that is provided by UAC. We do not recommend selecting this value unless administrator accounts are tightly controlled and the operating environment is highly secure. + >**Note:**  Selecting **Elevate without prompting** minimizes the protection that is provided by UAC. We do not recommend selecting this value unless administrator accounts are tightly controlled and the operating environment is highly secure.   - **Prompt for credentials on the secure desktop** + When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. + - **Prompt for consent on the secure desktop** + When an operation requires elevation of privilege, the user is prompted on the secure desktop to select **Permit** or **Deny**. If the user selects **Permit**, the operation continues with the user's highest available privilege. + - **Prompt for credential**s + An operation that requires elevation of privilege prompts the administrator to type the user name and password. If the administrator enters valid credentials, the operation continues with the applicable privilege. + - **Prompt for consent** + An operation that requires elevation of privilege prompts the administrator to select **Permit** or **Deny**. If the administrator selects **Permit**, the operation continues with the administrator's highest available privilege. + - **Prompt for consent for non-Windows binaries** + This is the default. When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select **Permit** or **Deny**. If the user selects **Permit**, the operation continues with the user's highest available privilege. + ### Best practices + - Selecting the option **Elevate without prompting** minimizes the protection that is provided by UAC. We do not recommend selecting this value unless administrator accounts are tightly controlled and the operating environment is highly secure. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values -The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Prompt for consent for non-Windows binaries

DC Effective Default Settings

Prompt for consent for non-Windows binaries

Member Server Effective Default Settings

Prompt for consent for non-Windows binaries

Client Computer Effective Default Settings

Prompt for consent for non-Windows binaries

+ + +| Server type or GPO Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Not defined | +| Stand-Alone Server Default Settings | Prompt for consent for non-Windows binaries| +| DC Effective Default Settings | Prompt for consent for non-Windows binaries| +| Member Server Effective Default Settings | Prompt for consent for non-Windows binaries| +| Client Computer Effective Default Settings | Prompt for consent for non-Windows binaries|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. + ### Group Policy + All auditing capabilities are integrated in Group Policy. You can configure, deploy, and manage these settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU). + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + One of the risks that the UAC feature tries to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. This setting raises awareness to the administrator of elevated privilege operations, and it permits the administrator to prevent a malicious program from elevating its privilege when the program attempts to do so. + ### Countermeasure + Configure the **User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode** setting to **Prompt for consent**. + ### Potential impact + Administrators should be made aware that they will be prompted for consent when all binaries attempt to run. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md b/windows/keep-secure/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md index 727d8b7ba1..7ca4ce4329 100644 --- a/windows/keep-secure/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md +++ b/windows/keep-secure/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md @@ -2,86 +2,88 @@ title: User Account Control Behavior of the elevation prompt for standard users (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Behavior of the elevation prompt for standard users security policy setting. ms.assetid: 1eae7def-8f6c-43b6-9474-23911fdc01ba -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # User Account Control: Behavior of the elevation prompt for standard users + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Behavior of the elevation prompt for standard users** security policy setting. + ## Reference + This policy setting determines the behavior of the elevation prompt for standard users. + ### Possible values + - **Automatically deny elevation requests** + This option returns an “Access denied” error message to standard users when they try to perform an operation that requires elevation of privilege. Most organizations that run desktops as standard users configure this policy to reduce Help Desk calls. + - **Prompt for credentials on the secure desktop** + This is the default. When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. + - **Prompt for credentials** + An operation that requires elevation of privilege prompts the user to type an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. + ### Best practices + 1. Configure the **User Account Control: Behavior of the elevation prompt for standard users** to **Automatically deny elevation requests**. This setting requires the user to log on with an administrative account to run programs that require elevation of privilege. 2. As a security best practice, standard users should not have knowledge of administrative passwords. However, if your users have both standard and administrator-level accounts, set **Prompt for credentials** so that the users do not choose to always log on with their administrator accounts, and they shift their behavior to use the standard user account. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Prompt for credentials on the secure desktop

DC Effective Default Settings

Prompt for credentials on the secure desktop

Member Server Effective Default Settings

Prompt for credentials on the secure desktop

Client Computer Effective Default Settings

Prompt for credentials on the secure desktop

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Prompt for credentials on the secure desktop| +| DC Effective Default Settings | Prompt for credentials on the secure desktop| +| Member Server Effective Default Settings | Prompt for credentials on the secure desktop| +| Client Computer Effective Default Settings | Prompt for credentials on the secure desktop|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. + ### Group Policy + All auditing capabilities are integrated in Group Policy. You can configure, deploy, and manage these settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU). + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + One of the risks that the UAC feature tries to mitigate is that of malicious programs running under elevated credentials without the user or administrator being aware of their activity. This setting raises awareness to the user that a program requires the use of elevated privilege operations, and it requires that the user supply administrative credentials for the program to run. + ### Countermeasure + Configure the **User Account Control: Behavior of the elevation prompt for standard users** to **Automatically deny elevation requests**. This setting requires the user to log on with an administrative account to run programs that require elevation of privilege. As a security best practice, standard users should not have knowledge of administrative passwords. However, if your users have both standard and administrator-level accounts, we recommend setting **Prompt for credentials** so that the users do not choose to always log on with their administrator accounts, and they shift their behavior to use the standard user account. + ### Potential impact + Users must provide administrative passwords to run programs with elevated privileges. This could cause an increased load on IT staff while the programs that are affected are identified and standard operating procedures are modified to support least privilege operations. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/user-account-control-detect-application-installations-and-prompt-for-elevation.md b/windows/keep-secure/user-account-control-detect-application-installations-and-prompt-for-elevation.md index 067ec3619c..0c372cd6ee 100644 --- a/windows/keep-secure/user-account-control-detect-application-installations-and-prompt-for-elevation.md +++ b/windows/keep-secure/user-account-control-detect-application-installations-and-prompt-for-elevation.md @@ -2,83 +2,81 @@ title: User Account Control Detect application installations and prompt for elevation (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Detect application installations and prompt for elevation security policy setting. ms.assetid: 3f8cb170-ba77-4c9f-abb3-c3ed1ef264fc -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # User Account Control: Detect application installations and prompt for elevation + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Detect application installations and prompt for elevation** security policy setting. + ## Reference + This policy setting determines the behavior of application installation detection for the entire system. Some software might attempt to install itself after being given permission to run. The user may give permission for the program to run because the program is trusted. Then the user is prompted to install an unknown component. This security policy provides another way to identify and stop these attempted software installations before they can do damage. + ### Possible values + - **Enabled** + Application installation packages that require an elevation of privilege to install are detected and the user is prompted for administrative credentials. + - **Disabled** + Application installation packages that require an elevation of privilege to install are not detected and the user is not prompted for administrative credentials. + ### Best practices + 1. Installer detection is unnecessary when enterprises run standard user desktops that capitalize on delegated installation technologies like Group Policy Software Install (GPSI) or Configuration Manager. Therefore you can set this security policy to **Disabled**. 2. Enable the **User Account Control: Detect application installations and prompt for elevation** setting so standard users must provide administrative credentials before software is installed. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Enabled

DC Effective Default Settings

Enabled

Member Server Effective Default Settings

Enabled

Client Computer Effective Default Settings

Enabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Enabled| +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings| Enabled| +| Client Computer Effective Default Settings | Enabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Some malicious software might attempt to install itself after being given permission to run, for example, malicious software with a trusted application shell. The user may give permission for the program to run because the program is trusted. Then the user is prompted to install an unknown component. This policy provides another way to trap the software before it can do damage. + ### Countermeasure + Enable the **User Account Control: Detect application installations and prompt for elevation** setting. + ### Potential impact + Users must provide administrative passwords to install programs. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/user-account-control-group-policy-and-registry-key-settings.md b/windows/keep-secure/user-account-control-group-policy-and-registry-key-settings.md index 8da09ab38e..e2e57dd1bd 100644 --- a/windows/keep-secure/user-account-control-group-policy-and-registry-key-settings.md +++ b/windows/keep-secure/user-account-control-group-policy-and-registry-key-settings.md @@ -1,9 +1,11 @@ --- title: User Account Control Group Policy and registry key settings (Windows 10) description: Here's a list of UAC Group Policy and registry key settings that your organization can use to manage UAC. -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security +author: brianlic-msft --- # User Account Control Group Policy and registry key settings diff --git a/windows/keep-secure/user-account-control-only-elevate-executables-that-are-signed-and-validated.md b/windows/keep-secure/user-account-control-only-elevate-executables-that-are-signed-and-validated.md index 7c3f3ccfae..76edee3e01 100644 --- a/windows/keep-secure/user-account-control-only-elevate-executables-that-are-signed-and-validated.md +++ b/windows/keep-secure/user-account-control-only-elevate-executables-that-are-signed-and-validated.md @@ -2,87 +2,89 @@ title: User Account Control Only elevate executables that are signed and validated (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Only elevate executables that are signed and validated security policy setting. ms.assetid: 64950a95-6985-4db6-9905-1db18557352d -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # User Account Control: Only elevate executables that are signed and validated + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Only elevate executables that are signed and validated** security policy setting. + ## Reference + This policy setting enforces public key infrastructure (PKI) signature checks on any interactive application that requests elevation of privilege. You can control the apps that are allowed to run through the population of certificates in the local computer's Trusted Publishers store. + A trusted publisher is a certificate issuer that the computer’s user has chosen to trust and that has certificate details that have been added to the store of trusted publishers. + Windows maintains certificates in certificate stores. These stores can be represented by containers in the file system or the registry, or they can be implemented as physical stores such as smart cards. Certificate stores are associated with the computer object or they are owned by a distinct user who has a security context and profile on that computer. In addition, services can have certificate stores. A certificate store will often contain numerous certificates, possibly issued from a number of different certification authorities (CAs). When certificate path discovery is initiated, Windows attempts to locate the issuing CA for the certificates, and it builds a certificate path to the trusted root certificate. Intermediate certificates are included as part of the application protocol or are picked up from Group Policy or through URLs that are specified in the Authority Information Access (AIA) extension. When the path is built, each certificate in the path is verified for validity with respect to various parameters, such as name, time, signature, revocation status, and other constraints. + ### Possible values + - **Enabled** + Enforces the PKI certificate chain validation of a given executable file before it is permitted to run. + - **Disabled** + Does not enforce PKI certificate chain validation before a given executable file is permitted to run. + ### Best practices + - Best practices are dependent on your security and performance goals. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. + ### Group Policy + All auditing capabilities are integrated in Group Policy. You can configure, deploy, and manage these settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU). + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Intellectual property, personally identifiable information, and other confidential data are normally manipulated by applications on the computer, and elevated credentials are required to access the information. Users and administrators inherently trust applications that are used with these information sources, and they provide their credentials. If one of these applications is replaced by a rogue application that appears identical to the trusted application, the confidential data could be compromised and the user's administrative credentials would also be compromised. + ### Countermeasure + Enable the **User Account Control: Only elevate executables that are signed and validated**. + ### Potential impact + Enabling this setting requires that you have a PKI infrastructure and that your enterprise administrators have populated the Trusted Publishers store with the certificates for the allowed applications. Some older applications are not signed, and they cannot be used in an environment that is hardened with this setting. You should carefully test your applications in a preproduction environment before implementing this setting. Control over the applications that are installed on the desktops and the hardware that joins your domain should provide similar protection from the vulnerability that is addressed by this setting. Additionally, the level of protection that is provided by this setting is not an assurance that all rogue applications will be found. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md b/windows/keep-secure/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md index b79b29a94b..be21f041f5 100644 --- a/windows/keep-secure/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md +++ b/windows/keep-secure/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md @@ -2,103 +2,111 @@ title: User Account Control Only elevate UIAccess applications that are installed in secure locations (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Only elevate UIAccess applications that are installed in secure locations security policy setting. ms.assetid: 4333409e-a5be-4f2f-8808-618f53abd22c -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # User Account Control: Only elevate UIAccess applications that are installed in secure locations + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Only elevate UIAccess applications that are installed in secure locations** security policy setting. + ## Reference + This policy setting enforces the requirement that apps that request running with a UIAccess integrity level (by means of a marking of UIAccess=true in their app manifest), must reside in a secure location on the file system. Relatively secure locations are limited to the following directories: + - \\Program Files\\ including subdirectories - \\Windows\\system32\\ - \\Program Files (x86)\\ including subdirectories for 64-bit versions of Windows -**Note**   -Windows enforces a PKI signature check on any interactive application that requests running with a UIAccess integrity level, regardless of the state of this security setting. + +>**Note:**  Windows enforces a PKI signature check on any interactive application that requests running with a UIAccess integrity level, regardless of the state of this security setting.   **Background** + User Interface Privilege Isolation (UIPI) implements restrictions in the Windows subsystem that prevent lower-privilege applications from sending messages or installing hooks in higher-privilege processes. Higher-privilege applications are permitted to send messages to lower-privilege processes. UIPI does not interfere with or change the behavior of messages between applications at the same privilege (or integrity) level. + Microsoft UI Automation is the current model to support accessibility requirements in the Windows operating systems. Applications that are designed to support an accessible user experience control the behavior of other Windows applications on behalf of the user. When all applications on the automation client computer and server are running as a standard user (that is, at a medium integrity level), the UIPI restrictions do not interfere with the Microsoft UI automation model. + However, there might be times when an administrative user runs an application with elevated privilege based on UAC in Admin Approval Mode. Microsoft UI Automation cannot drive the UI graphics of elevated applications on the desktop without the ability to bypass the restrictions that UIPI implements. The ability to bypass UIPI restrictions across privilege levels is available for UI automation programs by using UIAccess. + If an application presents a UIAccess attribute when it requests privileges, the application is stating a requirement to bypass UIPI restrictions for sending messages across privilege levels. Devices implement the following policy checks before starting an application with UIAccess privilege. + 1. The application must have a digital signature that can be verified by using a digital certificate that is associated with the Trusted Root Certification Authorities store on the local device 2. The application must be installed in a local folder that is writeable only by administrators, such as the Program Files directory. The allowed directories for UI automation applications are: + 1. %ProgramFiles% and its subdirectories. 2. %WinDir% and its subdirectories, except a few subdirectories that are excluded because standard users have write access. + ### Possible values + - **Enabled** + An application can start with UIAccess integrity only if it resides in a secure location in the file system. + - **Disabled** + An application can start with UIAccess integrity even if it does not reside in a secure location in the file system. + ### Best practices + - Set this policy to **Enabled** to permit applications that are located in one of the designated secure directories to run with UIAccess integrity. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Enabled

DC Effective Default Settings

Enabled

Member Server Effective Default Settings

Enabled

Client Computer Effective Default Settings

Enabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Enabled| +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings| Enabled| +| Client Computer Effective Default Settings | Enabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they aresaved locally or distributed through Group Policy. + ### Group Policy + All auditing capabilities are integrated in Group Policy. You can configure, deploy, and manage these settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU). + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + UIAccess integrity allows an application to bypass User Interface Privilege Isolation (UIPI) restrictions when an application is elevated in privilege from a standard user to an administrator. When this setting is enabled, an application that has the UIAccess flag set to true in its manifest can interchange information with applications that are running at a higher privilege level, such as logon prompts and privilege elevation prompts. This ability is required to support accessibility features such as screen readers that are transmitting user interfaces to alternative forms, but it is not required by most applications. A process that is started with UIAccess rights has the following abilities: + - Set the foreground window. - Drive any application window by using the SendInput function. - Use read input for all integrity levels by using low-level hooks, raw input, GetKeyState, GetAsyncKeyState, and GetKeyboardInput. - Set journal hooks. - Use AttachThreadInput to attach a thread to a higher integrity input queue. + ### Countermeasure + Enable the **User Account Control: Only elevate UIAccess applications that are installed in secure locations** setting. + ### Potential impact + If the application that requests UIAccess meets the UIAccess setting requirements, computers running at least the Windows Vista operating system start the application with the ability to bypass most of the UIPI restrictions. If the application does not meet the security restrictions, the application is started without UIAccess rights, and it can interact only with applications at the same or lower privilege level. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/user-account-control-overview.md b/windows/keep-secure/user-account-control-overview.md index f2eb1a4824..32edfe0160 100644 --- a/windows/keep-secure/user-account-control-overview.md +++ b/windows/keep-secure/user-account-control-overview.md @@ -2,24 +2,35 @@ title: User Account Control (Windows 10) description: User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. ms.assetid: 43ac4926-076f-4df2-84af-471ee7d20c38 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: operate ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # User Account Control + **Applies to** - Windows 10 - Windows Server 2016 Technical Preview + User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings. + UAC allows all users to log on to their computers using a standard user account. Processes launched using a standard user token may perform tasks using access rights granted to a standard user. For instance, Windows Explorer automatically inherits standard user level permissions. Additionally, any apps that are started using Windows Explorer (for example, by double-clicking a shortcut) also run with the standard set of user permissions. Many apps, including those that are included with the operating system itself, are designed to work properly in this way. + Other apps, especially those that were not specifically designed with security settings in mind, often require additional permissions to run successfully. These types of apps are referred to as legacy apps. Additionally, actions such as installing new software and making configuration changes to the Windows Firewall, require more permissions than what is available to a standard user account. + When an app needs to run with more than standard user rights, UAC can restore additional user groups to the token. This enables the user to have explicit control of apps that are making system level changes to their computer or device. + ## Practical applications + Admin Approval Mode in UAC helps prevent malware from silently installing without an administrator's knowledge. It also helps protect from inadvertent system-wide changes. Lastly, it can be used to enforce a higher level of compliance where administrators must actively consent or provide credentials for each administrative process. + ## New and changed functionality + To find out what's new in UAC for Windows 10, see [User Account Control](../whats-new/user-account-control.md). + ## In this section | Topic | Description | | - | - | diff --git a/windows/keep-secure/user-account-control-run-all-administrators-in-admin-approval-mode.md b/windows/keep-secure/user-account-control-run-all-administrators-in-admin-approval-mode.md index 0c53ba8b97..61664f5a6e 100644 --- a/windows/keep-secure/user-account-control-run-all-administrators-in-admin-approval-mode.md +++ b/windows/keep-secure/user-account-control-run-all-administrators-in-admin-approval-mode.md @@ -2,86 +2,85 @@ title: User Account Control Run all administrators in Admin Approval Mode (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Run all administrators in Admin Approval Mode security policy setting. ms.assetid: b838c561-7bfc-41ef-a7a5-55857259c7bf -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # User Account Control: Run all administrators in Admin Approval Mode + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Run all administrators in Admin Approval Mode** security policy setting. + ## Reference + This policy setting determines the behavior of all User Account Control (UAC) policies for the entire system. This is the setting that turns UAC on or off. + ### Possible values + - **Enabled** + Admin Approval Mode and all other UAC policies are dependent on this option being enabled. Changing this setting requires restarting the system. + - **Disabled** + Admin Approval Mode and all related UAC policies are disabled. - **Note**   - If this security setting is configured to **Disabled**, the Security Center notifies the user that the overall security of the operating system has been reduced. + + >**Note:**  If this security setting is configured to **Disabled**, the Security Center notifies the user that the overall security of the operating system has been reduced.   ### Best practices + - Enable this policy to allow all other UAC features and policies to function. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Enabled

DC Effective Default Settings

Enabled

Member Server Effective Default Settings

Enabled

Client Computer Effective Default Settings

Enabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Enabled| +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings| Enabled| +| Client Computer Effective Default Settings | Enabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + A restart of the computer is required before this policy will be effective when changes to this policy are saved locally or distributed through Group Policy. + ### Group Policy + All auditing capabilities are integrated in Group Policy. You can configure, deploy, and manage these settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU). + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + This is the setting that turns UAC on or off. If this setting is disabled, UAC is not used, and any security benefits and risk mitigations that are dependent on UAC are not present on the computer. + ### Countermeasure + Enable the **User Account Control: Run all users, including administrators, as standard users** setting. + ### Potential impact + Users and administrators must learn to work with UAC prompts and adjust their work habits to use least privilege operations. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/user-account-control-security-policy-settings.md b/windows/keep-secure/user-account-control-security-policy-settings.md index d1a286bf5e..45bf5fb129 100644 --- a/windows/keep-secure/user-account-control-security-policy-settings.md +++ b/windows/keep-secure/user-account-control-security-policy-settings.md @@ -2,66 +2,95 @@ title: User Account Control security policy settings (Windows 10) description: You can use security policies to configure how User Account Control works in your organization. They can be configured locally by using the Local Security Policy snap-in (secpol.msc) or configured for the domain, OU, or specific groups by Group Policy. ms.assetid: 3D75A9AC-69BB-4EF2-ACB3-1769791E1B98 -ms.pagetype: security -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # User Account Control security policy settings + **Applies to** - Windows 10 + You can use security policies to configure how User Account Control works in your organization. They can be configured locally by using the Local Security Policy snap-in (secpol.msc) or configured for the domain, OU, or specific groups by Group Policy. + ## User Account Control: Admin Approval Mode for the Built-in Administrator account + This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. + - **Enabled** The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation. - **Disabled** (Default) The built-in Administrator account runs all applications with full administrative privilege. + ## User Account Control: Allow UIAccess application to prompt for elevation without using the secure desktop + This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. + - **Enabled** UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop. - **Disabled** (Default) The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting. + ## User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode + This policy setting controls the behavior of the elevation prompt for administrators. + - **Elevate without prompting** Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. - **Note**  Use this option only in the most constrained environments. + + >**Note:**  Use this option only in the most constrained environments.   - **Prompt for credentials on the secure desktop** When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. - **Prompt for consent on the secure desktop** When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. - **Prompt for credentials** When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. - **Prompt for consent** When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. - **Prompt for consent for non-Windows binaries** (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. + ## User Account Control: Behavior of the elevation prompt for standard users + This policy setting controls the behavior of the elevation prompt for standard users. + - **Prompt for credentials** (Default) When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. - **Automatically deny elevation requests** When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls. - **Prompt for credentials on the secure desktop** When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. + ## User Account Control: Detect application installations and prompt for elevation + This policy setting controls the behavior of application installation detection for the computer. + - **Enabled** (Default) When an app installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. - - **Disabled** App installation packages are not detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies, such as Group Policy or System Center Configuration Manager should disable this policy setting. In this case, installer detection is unnecessary. + ## User Account Control: Only elevate executable files that are signed and validated + This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local computers. + - **Enabled** Enforces the certificate certification path validation for a given executable file before it is permitted to run. - **Disabled** (Default) Does not enforce the certificate certification path validation before a given executable file is permitted to run. + ## User Account Control: Only elevate UIAccess applications that are installed in secure locations + This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: - …\\Program Files\\, including subfolders - …\\Windows\\system32\\ - …\\Program Files (x86)\\, including subfolders for 64-bit versions of Windows -**Note**   -Windows enforces a digital signature check on any interactive app that requests to run with a UIAccess integrity level regardless of the state of this security setting. + +>**Note:**  Windows enforces a digital signature check on any interactive app that requests to run with a UIAccess integrity level regardless of the state of this security setting.   - **Enabled** (Default) If an app resides in a secure location in the file system, it runs only with UIAccess integrity. - **Disabled** An app runs with UIAccess integrity even if it does not reside in a secure location in the file system. + ## User Account Control: Turn on Admin Approval Mode + This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. + - **Enabled** (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. - **Disabled** Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced. + ## User Account Control: Switch to the secure desktop when prompting for elevation + This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. + - **Enabled** (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users. - **Disabled** All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used. ## User Account Control: Virtualize file and registry write failures to per-user locations + This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\\system32, or HKLM\\Software. + - **Enabled** (Default) App write failures are redirected at run time to defined user locations for both the file system and registry. - **Disabled** Apps that write data to protected locations fail. -  -  diff --git a/windows/keep-secure/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md b/windows/keep-secure/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md index 9475c83eba..85c36101a5 100644 --- a/windows/keep-secure/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md +++ b/windows/keep-secure/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md @@ -2,85 +2,88 @@ title: User Account Control Switch to the secure desktop when prompting for elevation (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Switch to the secure desktop when prompting for elevation security policy setting. ms.assetid: 77a067db-c70d-4b02-9861-027503311b8b -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # User Account Control: Switch to the secure desktop when prompting for elevation + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Switch to the secure desktop when prompting for elevation** security policy setting. + ## Reference + This policy setting determines whether the elevation request prompts on the interactive user desktop or on the secure desktop. + The secure desktop presents the logon UI and restricts functionality and access to the system until the logon requirements are satisfied. + The secure desktop’s primary difference from the user desktop is that only trusted processes running as SYSTEM are allowed to run here (that is, nothing is running at the user’s privilege level). The path to get to the secure desktop from the user desktop must also be trusted through the entire chain. + ### Possible values + - **Enabled** + All elevation requests by default go to the secure desktop. + - **Disabled** + All elevation requests go to the interactive user desktop. + ### Best practices -- Enable the **User Account Control: Switch to the secure desktop when prompting for elevation setting**. The secure desktop helps protect against input and output spoofing by presenting the credentials dialog box in a protected section of memory that is accessible only by trusted system processes. + +- Enable the **User Account Control: Switch to the secure desktop when prompting for elevation setting**. The secure desktop helps protect against input and output spoofing by presenting the credentials dialog box in a protected section of memory that is accessible only by trusted system +processes. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Enabled

DC Effective Default Settings

Enabled

Member Server Effective Default Settings

Enabled

Client Computer Effective Default Settings

Enabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Enabled| +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings| Enabled| +| Client Computer Effective Default Settings | Enabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Group Policy + All auditing capabilities are integrated in Group Policy. You can configure, deploy, and manage these settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU). + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Elevation prompt dialog boxes can be spoofed, causing users to disclose their passwords to malicious software. Mouse cursors can be spoofed by hiding the real cursor and replacing it with an offset so the cursor is actually pointing to the **Allow** button. + ### Countermeasure + Enable the **User Account Control: Switch to the secure desktop when prompting for elevation setting**. The secure desktop helps protect against input and output spoofing by presenting the credentials dialog box in a protected section of memory that is accessible only by trusted system processes. + ### Potential impact + None. This is the default configuration. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md b/windows/keep-secure/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md index ffb892226b..8501495c6b 100644 --- a/windows/keep-secure/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md +++ b/windows/keep-secure/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md @@ -2,85 +2,86 @@ title: User Account Control Virtualize file and registry write failures to per-user locations (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Virtualize file and registry write failures to per-user locations security policy setting. ms.assetid: a7b47420-cc41-4b1c-b03e-f67a05221261 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # User Account Control: Virtualize file and registry write failures to per-user locations + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Virtualize file and registry write failures to per-user locations** security policy setting. + ## Reference + This policy setting enables or disables the redirection of the write failures of earlier applications to defined locations in the registry and the file system. This feature mitigates applications that historically ran as administrator and wrote runtime application data to %ProgramFiles%, %Windir%, %Windir%\\system32, or HKEY\_LOCAL\_MACHINE\\Software\\. + This feature can be disabled for applications on devices running at least Windows Vista because it is unnecessary. + ### Possible values + - **Enabled** + Setting this value facilitates the runtime redirection of application write failures to defined user locations for the file system and the registry. + - **Disabled** + Applications that write data to protected locations fail. + ### Best practices + 1. If you run applications that are not Windows Vista-compliant, enable this security policy to prevent the possibility that these older applications could write data to unsecure locations. 2. If you only run at least Windows Vista–compliant applications, this feature is unnecessary so you can disable this policy. + ### Location + \\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Enabled

DC Effective Default Settings

Enabled

Member Server Effective Default Settings

Enabled

Client Computer Effective Default Settings

Enabled

+ +| Server type or GPO | Default value| +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Enabled| +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings| Enabled| +| Client Computer Effective Default Settings | Enabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Group Policy + All auditing capabilities are integrated in Group Policy. You can configure, deploy, and manage these settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU). + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Earlier applications might not write data to secure locations. + ### Countermeasure + Enable the **User Account Control: Virtualize file and registry write failures to per-user locations** setting. + ### Potential impact + None. This is the default configuration. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/user-rights-assignment.md b/windows/keep-secure/user-rights-assignment.md index 3e96944b76..59979d3158 100644 --- a/windows/keep-secure/user-rights-assignment.md +++ b/windows/keep-secure/user-rights-assignment.md @@ -2,212 +2,75 @@ title: User Rights Assignment (Windows 10) description: Provides an overview and links to information about the User Rights Assignment security policy settings user rights that are available in Windows. ms.assetid: 99340252-60be-4c79-b0a5-56fbe1a9b0c5 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # User Rights Assignment + **Applies to** - Windows 10 + Provides an overview and links to information about the User Rights Assignment security policy settings user rights that are available in Windows. User rights govern the methods by which a user can log on to a system. User rights are applied at the local device level, and they allow users to perform tasks on a device or in a domain. User rights include logon rights and permissions. Logon rights control who is authorized to log on to a device and how they can log on. User rights permissions control access to computer and domain resources, and they can override permissions that have been set on specific objects. User rights are managed in Group Policy under the **User Rights Assignment** item. -Each user right has a constant name and a Group Policy name associated with it. The constant names are used when referring to the user right in log events. You can configure the user rights assignment settings in the following location within the Group Policy Management Console (GPMC) under **Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment**, or on the local device by using the Local Group Policy Editor (gpedit.msc). + +Each user right has a constant name and a Group Policy name associated with it. The constant names are used when referring to the user right in log events. You can configure the user rights assignment settings in the following location within the Group Policy Management Console (GPMC) under +**Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment**, or on the local device by using the Local Group Policy Editor (gpedit.msc). + For information about setting security policies, see [Configure security policy settings](how-to-configure-security-policy-settings.md). + The following table links to each security policy setting and provides the constant name for each. Setting descriptions contain reference information, best practices for configuring the policy setting, default values, differences between operating system versions, and considerations for policy management and security. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Group Policy SettingConstant Name

[Access Credential Manager as a trusted caller](access-credential-manager-as-a-trusted-caller.md)

SeTrustedCredManAccessPrivilege

[Access this computer from the network](access-this-computer-from-the-network.md)

SeNetworkLogonRight

[Act as part of the operating system](act-as-part-of-the-operating-system.md)

SeTcbPrivilege

[Add workstations to domain](add-workstations-to-domain.md)

SeMachineAccountPrivilege

[Adjust memory quotas for a process](adjust-memory-quotas-for-a-process.md)

SeIncreaseQuotaPrivilege

[Allow log on locally](allow-log-on-locally.md)

SeInteractiveLogonRight

[Allow log on through Remote Desktop Services](allow-log-on-through-remote-desktop-services.md)

SeRemoteInteractiveLogonRight

[Back up files and directories](back-up-files-and-directories.md)

SeBackupPrivilege

[Bypass traverse checking](bypass-traverse-checking.md)

SeChangeNotifyPrivilege

[Change the system time](change-the-system-time.md)

SeSystemtimePrivilege

[Change the time zone](change-the-time-zone.md)

SeTimeZonePrivilege

[Create a pagefile](create-a-pagefile.md)

SeCreatePagefilePrivilege

[Create a token object](create-a-token-object.md)

SeCreateTokenPrivilege

[Create global objects](create-global-objects.md)

SeCreateGlobalPrivilege

[Create permanent shared objects](create-permanent-shared-objects.md)

SeCreatePermanentPrivilege

[Create symbolic links](create-symbolic-links.md)

SeCreateSymbolicLinkPrivilege

[Debug programs](debug-programs.md)

SeDebugPrivilege

[Deny access to this computer from the network](deny-access-to-this-computer-from-the-network.md)

SeDenyNetworkLogonRight

[Deny log on as a batch job](deny-log-on-as-a-batch-job.md)

SeDenyBatchLogonRight

[Deny log on as a service](deny-log-on-as-a-service.md)

SeDenyServiceLogonRight

[Deny log on locally](deny-log-on-locally.md)

SeDenyInteractiveLogonRight

[Deny log on through Remote Desktop Services](deny-log-on-through-remote-desktop-services.md)

SeDenyRemoteInteractiveLogonRight

[Enable computer and user accounts to be trusted for delegation](enable-computer-and-user-accounts-to-be-trusted-for-delegation.md)

SeEnableDelegationPrivilege

[Force shutdown from a remote system](force-shutdown-from-a-remote-system.md)

SeRemoteShutdownPrivilege

[Generate security audits](generate-security-audits.md)

SeAuditPrivilege

[Impersonate a client after authentication](impersonate-a-client-after-authentication.md)

SeImpersonatePrivilege

[Increase a process working set](increase-a-process-working-set.md)

SeIncreaseWorkingSetPrivilege

[Increase scheduling priority](increase-scheduling-priority.md)

SeIncreaseBasePriorityPrivilege

[Load and unload device drivers](load-and-unload-device-drivers.md)

SeLoadDriverPrivilege

[Lock pages in memory](lock-pages-in-memory.md)

SeLockMemoryPrivilege

[Log on as a batch job](log-on-as-a-batch-job.md)

SeBatchLogonRight

[Log on as a service](log-on-as-a-service.md)

SeServiceLogonRight

[Manage auditing and security log](manage-auditing-and-security-log.md)

SeSecurityPrivilege

[Modify an object label](modify-an-object-label.md)

SeRelabelPrivilege

[Modify firmware environment values](modify-firmware-environment-values.md)

SeSystemEnvironmentPrivilege

[Perform volume maintenance tasks](perform-volume-maintenance-tasks.md)

SeManageVolumePrivilege

[Profile single process](profile-single-process.md)

SeProfileSingleProcessPrivilege

[Profile system performance](profile-system-performance.md)

SeSystemProfilePrivilege

[Remove computer from docking station](remove-computer-from-docking-station.md)

SeUndockPrivilege

[Replace a process level token](replace-a-process-level-token.md)

SeAssignPrimaryTokenPrivilege

[Restore files and directories](restore-files-and-directories.md)

SeRestorePrivilege

[Shut down the system](shut-down-the-system.md)

SeShutdownPrivilege

[Synchronize directory service data](synchronize-directory-service-data.md)

SeSyncAgentPrivilege

[Take ownership of files or other objects](take-ownership-of-files-or-other-objects.md)

SeTakeOwnershipPrivilege

+ +| Group Policy Setting | Constant Name | +| - | - | +| [Access Credential Manager as a trusted caller](access-credential-manager-as-a-trusted-caller.md) | SeTrustedCredManAccessPrivilege| +| [Access this computer from the network](access-this-computer-from-the-network.md) | SeNetworkLogonRight| +| [Act as part of the operating system](act-as-part-of-the-operating-system.md) | SeTcbPrivilege| +| [Add workstations to domain](add-workstations-to-domain.md) | SeMachineAccountPrivilege| +| [Adjust memory quotas for a process](adjust-memory-quotas-for-a-process.md) | SeIncreaseQuotaPrivilege| +| [Allow log on locally](allow-log-on-locally.md) | SeInteractiveLogonRight| +| [Allow log on through Remote Desktop Services](allow-log-on-through-remote-desktop-services.md)| SeRemoteInteractiveLogonRight| +| [Back up files and directories](back-up-files-and-directories.md) | SeBackupPrivilege| +| [Bypass traverse checking](bypass-traverse-checking.md) | SeChangeNotifyPrivilege| +| [Change the system time](change-the-system-time.md) | SeSystemtimePrivilege| +| [Change the time zone](change-the-time-zone.md) | SeTimeZonePrivilege| +| [Create a pagefile](create-a-pagefile.md) | SeCreatePagefilePrivilege| +| [Create a token object](create-a-token-object.md) | SeCreateTokenPrivilege| +| [Create global objects](create-global-objects.md) | SeCreateGlobalPrivilege| +| [Create permanent shared objects](create-permanent-shared-objects.md) | SeCreatePermanentPrivilege| +| [Create symbolic links](create-symbolic-links.md) | SeCreateSymbolicLinkPrivilege| +| [Debug programs](debug-programs.md) | SeDebugPrivilege| +| [Deny access to this computer from the network](deny-access-to-this-computer-from-the-network.md)| SeDenyNetworkLogonRight | +| [Deny log on as a batch job](deny-log-on-as-a-batch-job.md) | SeDenyBatchLogonRight| +| [Deny log on as a service](deny-log-on-as-a-service.md) | SeDenyServiceLogonRight | +| [Deny log on locally](deny-log-on-locally.md) | SeDenyInteractiveLogonRight| +| [Deny log on through Remote Desktop Services](deny-log-on-through-remote-desktop-services.md)| SeDenyRemoteInteractiveLogonRight| +| [Enable computer and user accounts to be trusted for delegation](enable-computer-and-user-accounts-to-be-trusted-for-delegation.md)| SeEnableDelegationPrivilege| +| [Force shutdown from a remote system](force-shutdown-from-a-remote-system.md) | SeRemoteShutdownPrivilege| +| [Generate security audits](generate-security-audits.md) | SeAuditPrivilege| +| [Impersonate a client after authentication](impersonate-a-client-after-authentication.md)| SeImpersonatePrivilege| +| [Increase a process working set](increase-a-process-working-set.md) | SeIncreaseWorkingSetPrivilege| +| [Increase scheduling priority](increase-scheduling-priority.md) | SeIncreaseBasePriorityPrivilege| +| [Load and unload device drivers](load-and-unload-device-drivers.md) | SeLoadDriverPrivilege| +| [Lock pages in memory](lock-pages-in-memory.md) | SeLockMemoryPrivilege| +| [Log on as a batch job](log-on-as-a-batch-job.md) | SeBatchLogonRight| +| [Log on as a service](log-on-as-a-service.md) | SeServiceLogonRight| +| [Manage auditing and security log](manage-auditing-and-security-log.md)| SeSecurityPrivilege| +| [Modify an object label](modify-an-object-label.md) | SeRelabelPrivilege| +| [Modify firmware environment values](modify-firmware-environment-values.md)| SeSystemEnvironmentPrivilege| +| [Perform volume maintenance tasks](perform-volume-maintenance-tasks.md) | SeManageVolumePrivilege| +| [Profile single process](profile-single-process.md) | SeProfileSingleProcessPrivilege| +| [Profile system performance](profile-system-performance.md) | SeSystemProfilePrivilege| +| [Remove computer from docking station](remove-computer-from-docking-station.md) | SeUndockPrivilege| +| [Replace a process level token](replace-a-process-level-token.md) | SeAssignPrimaryTokenPrivilege| +| [Restore files and directories](restore-files-and-directories.md) | SeRestorePrivilege | +| [Shut down the system](shut-down-the-system.md) | SeShutdownPrivilege| +| [Synchronize directory service data](synchronize-directory-service-data.md)| SeSyncAgentPrivilege| +| [Take ownership of files or other objects](take-ownership-of-files-or-other-objects.md) | SeTakeOwnershipPrivilege|   ## Related topics -[Security policy settings reference](security-policy-settings-reference.md) -  -  + +- [Security policy settings reference](security-policy-settings-reference.md) diff --git a/windows/keep-secure/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md b/windows/keep-secure/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md index fe7a396637..a26cffe188 100644 --- a/windows/keep-secure/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md +++ b/windows/keep-secure/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md @@ -2,71 +2,41 @@ title: Using advanced security auditing options to monitor dynamic access control objects (Windows 10) description: This guide explains the process of setting up advanced security auditing capabilities that are made possible through settings and events that were introduced in Windows 8 and Windows Server 2012. ms.assetid: 0d2c28ea-bdaf-47fd-bca2-a07dce5fed37 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Using advanced security auditing options to monitor dynamic access control objects + **Applies to** - Windows 10 + This guide explains the process of setting up advanced security auditing capabilities that are made possible through settings and events that were introduced in Windows 8 and Windows Server 2012. + These procedures can be deployed with the advanced security auditing capabilities described in [Deploy Security Auditing with Central Audit Policies (Demonstration Steps)](http://technet.microsoft.com/library/hh831542.aspx). + ## In this guide + Domain administrators can create and deploy expression-based security audit policies by using file classification information (resource attributes), user claims, and device claims to target specific users and resources to monitor potentially significant activities on one or more computers. These policies can be deployed centrally by using Group Policy, or directly on a computer, in a folder, or in individual files. + ## In this section - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TopicDescription

[Monitor the central access policies that apply on a file server](monitor-the-central-access-policies-that-apply-on-a-file-server.md)

This topic for the IT professional describes how to monitor changes to the central access policies that apply to a file server when using advanced security auditing options to monitor dynamic access control objects. Central access policies are created on a domain controller and then applied to file servers through Group Policy management.

[Monitor the use of removable storage devices](monitor-the-use-of-removable-storage-devices.md)

This topic for the IT professional describes how to monitor attempts to use removable storage devices to access network resources. It describes how to use advanced security auditing options to monitor dynamic access control objects.

[Monitor resource attribute definitions](monitor-resource-attribute-definitions.md)

This topic for the IT professional describes how to monitor changes to resource attribute definitions when you are using advanced security auditing options to monitor dynamic access control objects.

[Monitor central access policy and rule definitions](monitor-central-access-policy-and-rule-definitions.md)

This topic for the IT professional describes how to monitor changes to central access policy and central access rule definitions when you use advanced security auditing options to monitor dynamic access control objects.

[Monitor user and device claims during sign-in](monitor-user-and-device-claims-during-sign-in.md)

This topic for the IT professional describes how to monitor user and device claims that are associated with a user’s security token when you are using advanced security auditing options to monitor dynamic access control objects.

[Monitor the resource attributes on files and folders](monitor-the-resource-attributes-on-files-and-folders.md)

This topic for the IT professional describes how to monitor attempts to change settings to the resource attributes on files when you are using advanced security auditing options to monitor dynamic access control objects.

[Monitor the central access policies associated with files and folders](monitor-the-central-access-policies-associated-with-files-and-folders.md)

This topic for the IT professional describes how to monitor changes to the central access policies that are associated with files and folders when you are using advanced security auditing options to monitor dynamic access control objects.

[Monitor claim types](monitor-claim-types.md)

This topic for the IT professional describes how to monitor changes to claim types that are associated with dynamic access control when you are using advanced security auditing options.

+ +| Topic | Description | +| - | - | +| [Monitor the central access policies that apply on a file server](monitor-the-central-access-policies-that-apply-on-a-file-server.md) | This topic for the IT professional describes how to monitor changes to the central access policies that apply to a file server when using advanced security auditing options to monitor dynamic access control objects. Central access policies are created on a domain controller and then applied to file servers through Group Policy management. | +| [Monitor the use of removable storage devices](monitor-the-use-of-removable-storage-devices.md) | This topic for the IT professional describes how to monitor attempts to use removable storage devices to access network resources. It describes how to use advanced security auditing options to monitor dynamic access control objects. | +| [Monitor resource attribute definitions](monitor-resource-attribute-definitions.md)| This topic for the IT professional describes how to monitor changes to resource attribute definitions when you are using advanced security auditing options to monitor dynamic access control objects.| +| [Monitor central access policy and rule definitions](monitor-central-access-policy-and-rule-definitions.md) | This topic for the IT professional describes how to monitor changes to central access policy and central access rule definitions when you use advanced security auditing options to monitor dynamic access control objects. | +| [Monitor user and device claims during sign-in](monitor-user-and-device-claims-during-sign-in.md)| This topic for the IT professional describes how to monitor user and device claims that are associated with a user’s security token when you are using advanced security auditing options to monitor dynamic access control objects. | +| [Monitor the resource attributes on files and folders](monitor-the-resource-attributes-on-files-and-folders.md)| This topic for the IT professional describes how to monitor attempts to change settings to the resource attributes on files when you are using advanced security auditing options to monitor dynamic access control objects. | +| [Monitor the central access policies associated with files and folders](monitor-the-central-access-policies-associated-with-files-and-folders.md)| This topic for the IT professional describes how to monitor changes to the central access policies that are associated with files and folders when you are using advanced security auditing options to monitor dynamic access control objects. | +| [Monitor claim types](monitor-claim-types.md) | This topic for the IT professional describes how to monitor changes to claim types that are associated with dynamic access control when you are using advanced security auditing options.|   -**Important**   -This procedure can be configured on computers running any of the supported Windows operating systems. The other monitoring procedures can be configured only as part of a functioning dynamic access control deployment. +>**Important:**  This procedure can be configured on computers running any of the supported Windows operating systems. The other monitoring procedures can be configured only as part of a functioning dynamic access control deployment.   ## Related topics -[Security auditing](security-auditing-overview.md) -  -  + +- [Security auditing](security-auditing-overview.md) diff --git a/windows/keep-secure/using-event-viewer-with-applocker.md b/windows/keep-secure/using-event-viewer-with-applocker.md index 304915e207..1b1b80e64f 100644 --- a/windows/keep-secure/using-event-viewer-with-applocker.md +++ b/windows/keep-secure/using-event-viewer-with-applocker.md @@ -2,145 +2,61 @@ title: Using Event Viewer with AppLocker (Windows 10) description: This topic lists AppLocker events and describes how to use Event Viewer with AppLocker. ms.assetid: 109abb10-78b1-4c29-a576-e5a17dfeb916 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Using Event Viewer with AppLocker + **Applies to** - Windows 10 + This topic lists AppLocker events and describes how to use Event Viewer with AppLocker. + The AppLocker log contains information about applications that are affected by AppLocker rules. Each event in the log contains detailed info about: + - Which file is affected and the path of that file - Which packaged app is affected and the package identifier of the app - Whether the file or packaged app is allowed or blocked - The rule type (path, file hash, or publisher) - The rule name - The security identifier (SID) for the user or group identified in the rule + Review the entries in the Event Viewer to determine if any applications are not included in the rules that you automatically generated. For instance, some line-of-business apps are installed to non-standard locations, such as the root of the active drive (for example: %SystemDrive%). + For info about what to look for in the AppLocker event logs, see [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md). + **To review the AppLocker log in Event Viewer** + 1. Open Event Viewer. 2. In the console tree under **Application and Services Logs\\Microsoft\\Windows**, click **AppLocker**. + The following table contains information about the events that you can use to determine which apps are affected by AppLocker rules. - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDLevelEvent messageDescription

8000

Error

Application Identity Policy conversion failed. Status <%1>

Indicates that the policy was not applied correctly to the computer. The status message is provided for troubleshooting purposes.

8001

Information

The AppLocker policy was applied successfully to this computer.

Indicates that the AppLocker policy was successfully applied to the computer.

8002

Information

<File name> was allowed to run.

Specifies that the .exe or .dll file is allowed by an AppLocker rule.

8003

Warning

<File name> was allowed to run but would have been prevented from running if the AppLocker policy were enforced.

Applied only when the Audit only enforcement mode is enabled. Specifies that the .exe or .dll file would be blocked if the Enforce rules enforcement mode were enabled.

8004

Error

<File name> was not allowed to run.

Access to <file name> is restricted by the administrator. Applied only when the Enforce rules enforcement mode is set either directly or indirectly through Group Policy inheritance. The .exe or .dll file cannot run.

8005

Information

<File name> was allowed to run.

Specifies that the script or .msi file is allowed by an AppLocker rule.

8006

Warning

<File name> was allowed to run but would have been prevented from running if the AppLocker policy were enforced.

Applied only when the Audit only enforcement mode is enabled. Specifies that the script or .msi file would be blocked if the Enforce rules enforcement mode were enabled.

8007

Error

<File name> was not allowed to run.

Access to <file name> is restricted by the administrator. Applied only when the Enforce rules enforcement mode is set either directly or indirectly through Group Policy inheritance. The script or .msi file cannot run.

8007

Error

AppLocker disabled on the SKU.

Added in Windows Server 2012 and Windows 8.

8020

Information

Packaged app allowed.

Added in Windows Server 2012 and Windows 8.

8021

Information

Packaged app audited.

Added in Windows Server 2012 and Windows 8.

8022

Information

Packaged app disabled.

Added in Windows Server 2012 and Windows 8.

8023

Information

Packaged app installation allowed.

Added in Windows Server 2012 and Windows 8.

8024

Information

Packaged app installation audited.

Added in Windows Server 2012 and Windows 8.

8025

Warning

Packaged app installation disabled.

Added in Windows Server 2012 and Windows 8.

8027

Warning

No Packaged app rule configured.

Added in Windows Server 2012 and Windows 8.

+ +| Event ID | Level | Event message | Description | +| - | - | - | - | +| 8000 | Error| Application Identity Policy conversion failed. Status *<%1> *| Indicates that the policy was not applied correctly to the computer. The status message is provided for troubleshooting purposes.| +| 8001 | Information| The AppLocker policy was applied successfully to this computer.| Indicates that the AppLocker policy was successfully applied to the computer.| +| 8002 | Information| *<File name> * was allowed to run.| Specifies that the .exe or .dll file is allowed by an AppLocker rule.| +| 8003 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy were enforced.| Applied only when the **Audit only ** enforcement mode is enabled. Specifies that the .exe or .dll file would be blocked if the **Enforce rules ** enforcement mode were enabled. | +| 8004 | Error| *<File name> * was not allowed to run.| Access to *<file name> * is restricted by the administrator. Applied only when the **Enforce rules ** enforcement mode is set either directly or indirectly through Group Policy inheritance. The .exe or .dll file cannot run.| +| 8005| Information| *<File name> * was allowed to run.| Specifies that the script or .msi file is allowed by an AppLocker rule.| +| 8006 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy were enforced.| Applied only when the **Audit only ** enforcement mode is enabled. Specifies that the script or .msi file would be blocked if the **Enforce rules ** enforcement mode were enabled. | +| 8007 | Error| *<File name> * was not allowed to run.| Access to *<file name> * is restricted by the administrator. Applied only when the **Enforce rules ** enforcement mode is set either directly or indirectly through Group Policy inheritance. The script or .msi file cannot run.| +| 8007| Error| AppLocker disabled on the SKU.| Added in Windows Server 2012 and Windows 8.| +| 8020| Information| Packaged app allowed.| Added in Windows Server 2012 and Windows 8.| +| 8021| Information| Packaged app audited.| Added in Windows Server 2012 and Windows 8.| +| 8022| Information| Packaged app disabled.| Added in Windows Server 2012 and Windows 8.| +| 8023 | Information| Packaged app installation allowed.| Added in Windows Server 2012 and Windows 8.| +| 8024 | Information| Packaged app installation audited.| Added in Windows Server 2012 and Windows 8.| +| 8025 | Warning| Packaged app installation disabled.| Added in Windows Server 2012 and Windows 8.| +| 8027 | Warning| No Packaged app rule configured.| Added in Windows Server 2012 and Windows 8.|   ## Related topics -[Tools to use with AppLocker](tools-to-use-with-applocker.md) + +- [Tools to use with AppLocker](tools-to-use-with-applocker.md)     diff --git a/windows/keep-secure/using-software-restriction-policies-and-applocker-policies.md b/windows/keep-secure/using-software-restriction-policies-and-applocker-policies.md index e07957331b..8a427064fb 100644 --- a/windows/keep-secure/using-software-restriction-policies-and-applocker-policies.md +++ b/windows/keep-secure/using-software-restriction-policies-and-applocker-policies.md @@ -2,76 +2,60 @@ title: Use Software Restriction Policies and AppLocker policies (Windows 10) description: This topic for the IT professional describes how to use Software Restriction Policies (SRP) and AppLocker policies in the same Windows deployment. ms.assetid: c3366be7-e632-4add-bd10-9df088f74c6d -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Use Software Restriction Policies and AppLocker policies + **Applies to** - Windows 10 + This topic for the IT professional describes how to use Software Restriction Policies (SRP) and AppLocker policies in the same Windows deployment. + ## Understand the difference between SRP and AppLocker + You might want to deploy application control policies in Windows operating systems earlier than Windows Server 2008 R2 or Windows 7. You can use AppLocker policies only on the supported versions and editions of Windows as listed in [Requirements to use AppLocker](requirements-to-use-applocker.md). However, you can use SRP on those supported editions of Windows plus Windows Server 2003 and Windows XP. To compare features and functions in SRP and AppLocker so that you can determine when to use each technology to meet your application control objectives, see [Determine your application control objectives](determine-your-application-control-objectives.md). + ## Use SRP and AppLocker in the same domain + SRP and AppLocker use Group Policy for domain management. However, when policies are generated by SRP and AppLocker exist in the same domain, and they are applied through Group Policy, AppLocker policies take precedence over policies generated by SRP on computers that are running an operating system that supports AppLocker. For info about how inheritance in Group Policy applies to AppLocker policies and policies generated by SRP, see [Understand AppLocker rules and enforcement setting inheritance in Group Policy](understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md). -**Important**   -As a best practice, use separate Group Policy Objects to implement your SRP and AppLocker policies. To reduce troubleshooting issues, do not combine them in the same GPO. + +>**Important:**  As a best practice, use separate Group Policy Objects to implement your SRP and AppLocker policies. To reduce troubleshooting issues, do not combine them in the same GPO.   The following scenario provides an example of how each type of policy would affect a bank teller software app, where the app is deployed on different Windows desktop operating systems and managed by the Tellers GPO. - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Operating systemTellers GPO with AppLocker policyTellers GPO with SRPTellers GPO with AppLocker policy and SRP

Windows 10, Windows 8.1, Windows 8,and Windows 7

AppLocker policies in the GPO are applied, and they supersede any local AppLocker policies.

Local AppLocker policies supersede policies generated by SRP that are applied through the GPO.

AppLocker policies in the GPO are applied, and they supersede the policies generated by SRP in the GPO and local AppLocker policies or policies generated by SRP.

Windows Vista

AppLocker policies are not applied.

Policies generated by SRP in the GPO are applied, and they supersede local policies generated by SRP.AppLocker policies are not applied.

Policies generated by SRP in the GPO are applied, and they supersede local policies generated by SRP. AppLocker policies not applied.

Windows XP

AppLocker policies are not applied.

Policies generated by SRP in the GPO are applied, and they supersede local policies generated by SRP. AppLocker policies are not applied.

Policies generated by SRP in the GPO are applied, and they supersede local policies generated by SRP. AppLocker policies not applied.

+ +| Operating system | Tellers GPO with AppLocker policy | Tellers GPO with SRP | Tellers GPO with AppLocker policy and SRP | +| - | - | - | - | +| Windows 10, Windows 8.1, Windows 8,and Windows 7 | AppLocker policies in the GPO are applied, and they supersede any local AppLocker policies.| Local AppLocker policies supersede policies generated by SRP that are applied through the GPO. | AppLocker policies in the GPO are applied, and they supersede the policies generated by SRP in the GPO and local AppLocker policies or policies generated by SRP.| +| Windows Vista| AppLocker policies are not applied.| Policies generated by SRP in the GPO are applied, and they supersede local policies generated by SRP.AppLocker policies are not applied.| Policies generated by SRP in the GPO are applied, and they supersede local policies generated by SRP. AppLocker policies not applied.| +| Windows XP| AppLocker policies are not applied.| Policies generated by SRP in the GPO are applied, and they supersede local policies generated by SRP. AppLocker policies are not applied.| Policies generated by SRP in the GPO are applied, and they supersede local policies generated by SRP. AppLocker policies not applied.|   -**Note**   -For info about supported versions and editions of the Windows operating system, see [Requirements to use AppLocker](requirements-to-use-applocker.md). +>**Note:**  For info about supported versions and editions of the Windows operating system, see [Requirements to use AppLocker](requirements-to-use-applocker.md).   ## Test and validate SRPs and AppLocker policies that are deployed in the same environment + Because SRPs and AppLocker policies function differently, they should not be implemented in the same GPO. This makes testing the result of the policy straightforward, which is critical to successfully controlling application usage in the organization. Configuring a testing and policy distribution system can help you understand the result of a policy. The effects of policies generated by SRP and AppLocker policies need to be tested separately and by using different tools. + ### Step 1: Test the effect of SRPs + You can use the Group Policy Management Console (GPMC) or the Resultant Set of Policy (RSoP) snap-in to determine the effect of applying SRPs by using GPOs. + ### Step 2: Test the effect of AppLocker policies + You can test AppLocker policies by using Windows PowerShell cmdlets. For info about investigating the result of a policy, see: + - [Test an AppLocker policy by using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md) - [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md) + Another method to use when determining the result of a policy is to set the enforcement mode to **Audit only**. When the policy is deployed, events will be written to the AppLocker logs as if the policy was enforced. For info about using the **Audit only** mode, see: -[Understand AppLocker enforcement settings](understand-applocker-enforcement-settings.md) -[Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md) + +- [Understand AppLocker enforcement settings](understand-applocker-enforcement-settings.md) +- [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md) + ## See also -[AppLocker deployment guide](applocker-policies-deployment-guide.md) -  -  + +- [AppLocker deployment guide](applocker-policies-deployment-guide.md) diff --git a/windows/keep-secure/view-the-security-event-log.md b/windows/keep-secure/view-the-security-event-log.md index 3c67e1191b..388d32ddc8 100644 --- a/windows/keep-secure/view-the-security-event-log.md +++ b/windows/keep-secure/view-the-security-event-log.md @@ -2,19 +2,22 @@ title: View the security event log (Windows 10) description: The security log records each event as defined by the audit policies you set on each object. ms.assetid: 20DD2ACD-241A-45C5-A92F-4BE0D9F198B9 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # View the security event log + **Applies to** - Windows 10 + The security log records each event as defined by the audit policies you set on each object. + **To view the security log** + 1. Open Event Viewer. 2. In the console tree, expand **Windows Logs**, and then click **Security**. The results pane lists individual security events. 3. If you want to see more details about a specific event, in the results pane, click the event. -  -  diff --git a/windows/keep-secure/vpn-profile-options.md b/windows/keep-secure/vpn-profile-options.md index 6f336cc6e6..77c548ec2a 100644 --- a/windows/keep-secure/vpn-profile-options.md +++ b/windows/keep-secure/vpn-profile-options.md @@ -2,10 +2,10 @@ title: VPN profile options (Windows 10) description: Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect. ms.assetid: E3F99DF9-863D-4E28-BAED-5C1B1B913523 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: networking +ms.pagetype: security, networking author: jdeckerMS --- diff --git a/windows/keep-secure/what-is-applocker.md b/windows/keep-secure/what-is-applocker.md index cfa573d478..c3b47e88d5 100644 --- a/windows/keep-secure/what-is-applocker.md +++ b/windows/keep-secure/what-is-applocker.md @@ -2,18 +2,24 @@ title: What Is AppLocker (Windows 10) description: This topic for the IT professional describes what AppLocker is and how its features differ from Software Restriction Policies. ms.assetid: 44a8a2bb-0f83-4f95-828e-1f364fb65869 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # What Is AppLocker? + **Applies to** - Windows 10 + This topic for the IT professional describes what AppLocker is and how its features differ from Software Restriction Policies. + AppLocker advances the app control features and functionality of Software Restriction Policies. AppLocker contains new capabilities and extensions that allow you to create rules to allow or deny apps from running based on unique identities of files and to specify which users or groups can run those apps. + Using AppLocker, you can: + - Control the following types of apps: executable files (.exe and .com), scripts (.js, .ps1, .vbs, .cmd, and .bat), Windows Installer files (.mst, .msi and .msp), and DLL files (.dll and .ocx), and packaged apps and packaged app installers (appx). - Define rules based on file attributes derived from the digital signature, including the publisher, product name, file name, and file version. For example, you can create rules based on the publisher attribute that is persistent through updates, or you can create rules for a specific version of a file. - Assign a rule to a security group or an individual user. @@ -21,11 +27,17 @@ Using AppLocker, you can: - Use audit-only mode to deploy the policy and understand its impact before enforcing it. - Import and export rules. The import and export affects the entire policy. For example, if you export a policy, all of the rules from all of the rule collections are exported, including the enforcement settings for the rule collections. If you import a policy, all criteria in the existing policy are overwritten. - Streamline creating and managing AppLocker rules by using Windows PowerShell cmdlets. + AppLocker helps reduce administrative overhead and helps reduce the organization's cost of managing computing resources by decreasing the number of help desk calls that result from users running unapproved apps + For information about the application control scenarios that AppLocker addresses, see [AppLocker policy use scenarios](applocker-policy-use-scenarios.md). + ## What features are different between Software Restriction Policies and AppLocker? + **Feature differences** + The following table compares AppLocker to Software Restriction Policies. + @@ -99,6 +111,7 @@ The following table compares AppLocker to Software Restriction Policies.
  **Application control function differences** + The following table compares the application control functions of Software Restriction Policies (SRP) and AppLocker. @@ -167,6 +180,7 @@ The following table compares the application control functions of Software Restr
  ## Related topics -[AppLocker technical reference](applocker-technical-reference.md) + +- [AppLocker technical reference](applocker-technical-reference.md)     diff --git a/windows/keep-secure/which-editions-of-windows-support-advanced-audit-policy-configuration.md b/windows/keep-secure/which-editions-of-windows-support-advanced-audit-policy-configuration.md index 35a67350b8..4428ed173d 100644 --- a/windows/keep-secure/which-editions-of-windows-support-advanced-audit-policy-configuration.md +++ b/windows/keep-secure/which-editions-of-windows-support-advanced-audit-policy-configuration.md @@ -2,25 +2,30 @@ title: Which editions of Windows support advanced audit policy configuration (Windows 10) description: This reference topic for the IT professional describes which versions of the Windows operating systems support advanced security auditing policies. ms.assetid: 87c71cc5-522d-4771-ac78-34a2a0825f31 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Which editions of Windows support advanced audit policy configuration + **Applies to** - Windows 10 + This reference topic for the IT professional describes which versions of the Windows operating systems support advanced security auditing policies. + Versions of the Windows operating system that cannot join a domain do not have access to these features. There is no difference in security auditing support between 32-bit and 64-bit versions. + ## Are there any special considerations? + In addition, the following special considerations apply to the various tasks associated with advanced security auditing enhancements: + - **Creating an audit policy.** To create an advanced security auditing policy, you must use a computer running any supported version of Windows. You can use the Group Policy Management Console (GPMC) on a computer running a supported version of the Windows client operating system after installing the Remote Server Administration Tools. - **Applying audit policy settings.** If you are using Group Policy to apply the advanced audit policy settings and global object access settings, client computers must be running any supported version of the Windows server operating system or Windows client operating system. In addition, only computers running any of these supported operating systems can provide "reason for access" reporting data. - **Developing an audit policy model.** To plan advanced security audit settings and global object access settings, you must use the GPMC that targets a domain controller running a supported version of the Windows server operating system. -- **Distributing the audit policy.** After a Group Policy Object (GPO) that includes advanced security auditing settings is developed, it can be distributed by using domain controllers running any Windows Server operating system. However, if you cannot put client computers running a supported version of the Windows client operating system into a separate organizational unit (OU), you should use Windows Management Instrumentation (WMI) filtering to ensure that the advanced security auditing policy settings are applied only to client computers running a supported version of the Windows client operating system. -**Important**   -Using both the basic auditing policy settings under **Local Policies\\Audit Policy** and the advanced auditing policy settings under **Advanced Audit Policy Configuration** can cause unexpected results in audit reporting. Therefore, the two sets of audit policy settings should not be combined. If you use advanced audit policy configuration settings, you should enable the **Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings** policy setting under **Local Policies\\Security Options**. This will prevent conflicts between similar settings by forcing basic security auditing to be ignored.   -  -  -  +- **Distributing the audit policy.** After a Group Policy Object (GPO) that includes advanced security auditing settings is developed, it can be distributed by using domain controllers running any Windows Server operating system. +However, if you cannot put client computers running a supported version of the Windows client operating system into a separate organizational unit (OU), you should use Windows Management Instrumentation (WMI) filtering to ensure that the advanced security auditing policy settings are applied only to client computers running a supported version of the Windows client operating system. + +>**Important:**  Using both the basic auditing policy settings under **Local Policies\\Audit Policy** and the advanced auditing policy settings under **Advanced Audit Policy Configuration** can cause unexpected results in audit reporting. Therefore, the two sets of audit policy settings should not be combined. If you use advanced audit policy configuration settings, you should enable the **Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings** policy setting under **Local Policies\\Security Options**. This will prevent conflicts between similar settings by forcing basic security auditing to be ignored.   diff --git a/windows/keep-secure/why-a-pin-is-better-than-a-password.md b/windows/keep-secure/why-a-pin-is-better-than-a-password.md index 5afeb6f914..21d3ce97d3 100644 --- a/windows/keep-secure/why-a-pin-is-better-than-a-password.md +++ b/windows/keep-secure/why-a-pin-is-better-than-a-password.md @@ -3,7 +3,7 @@ title: Why a PIN is better than a password (Windows 10) description: Microsoft Passport in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a password . ms.assetid: A6FC0520-01E6-4E90-B53D-6C4C4E780212 keywords: pin, security, password -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/windows-10-enterprise-security-guides.md b/windows/keep-secure/windows-10-enterprise-security-guides.md index 510675e4ff..30f130d499 100644 --- a/windows/keep-secure/windows-10-enterprise-security-guides.md +++ b/windows/keep-secure/windows-10-enterprise-security-guides.md @@ -2,10 +2,10 @@ title: Enterprise security guides (Windows 10) description: Get proven guidance to help you better secure and protect your enterprise by using technologies such as Credential Guard, Device Guard, Microsoft Passport, and Windows Hello. This section offers technology overviews and step-by-step guides. ms.assetid: 57134f84-bd4b-4b1d-b663-4a2d36f5a7f8 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security +ms.pagetype: security, devices author: challum --- diff --git a/windows/keep-secure/windows-10-mobile-security-guide.md b/windows/keep-secure/windows-10-mobile-security-guide.md index 1008003440..16389caf95 100644 --- a/windows/keep-secure/windows-10-mobile-security-guide.md +++ b/windows/keep-secure/windows-10-mobile-security-guide.md @@ -3,10 +3,10 @@ title: Windows 10 Mobile security guide (Windows 10) description: This guide provides a detailed description of the most important security features in the Windows 10 Mobile operating system—identity access and control, data protection, malware resistance, and app platform security. ms.assetid: D51EF508-699E-4A68-A7CD-91D821A97205 keywords: data protection, encryption, malware resistance, smartphone, device, Windows Store -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -ms.pagetype: security; mobile +ms.pagetype: security, mobile author: AMeeus --- diff --git a/windows/keep-secure/windows-10-security-guide.md b/windows/keep-secure/windows-10-security-guide.md index 2c0402513c..bb757267bb 100644 --- a/windows/keep-secure/windows-10-security-guide.md +++ b/windows/keep-secure/windows-10-security-guide.md @@ -3,7 +3,7 @@ title: Windows 10 security overview (Windows 10) description: This guide provides a detailed description of the most important security improvements in the Windows 10 operating system, with links to more detailed articles about many of its security features. ms.assetid: 4561D80B-A914-403C-A17C-3BE6FC95B59B keywords: configure, feature, file encryption -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/windows-defender-advanced-threat-protection.md b/windows/keep-secure/windows-defender-advanced-threat-protection.md index 9567620fcb..bae239bf1c 100644 --- a/windows/keep-secure/windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/windows-defender-advanced-threat-protection.md @@ -3,9 +3,10 @@ title: Windows Defender Advanced Threat Protection - Windows Defender description: Windows Defender Advanced Threat Protection is an enterprise security service that helps detect and respond to possible cybersecurity threats related to advanced persistent threats. keywords: introduction to Windows Defender Advanced Threat Protection, introduction to Windows Defender ATP, cybersecurity, advanced persistent threat, enterprise security, endpoint behavioral sensor, cloud security, analytics, threat intelligence search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: mjcaparas --- diff --git a/windows/keep-secure/windows-defender-in-windows-10.md b/windows/keep-secure/windows-defender-in-windows-10.md index 72d8554def..2dc00afede 100644 --- a/windows/keep-secure/windows-defender-in-windows-10.md +++ b/windows/keep-secure/windows-defender-in-windows-10.md @@ -2,7 +2,7 @@ title: Windows Defender in Windows 10 (Windows 10) description: This topic provides an overview of Windows Defender, including a list of system requirements and new features. ms.assetid: 6A9EB85E-1F3A-40AC-9A47-F44C4A2B55E2 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/windows-hello-in-enterprise.md b/windows/keep-secure/windows-hello-in-enterprise.md index 7b9bed5681..40a4efa80a 100644 --- a/windows/keep-secure/windows-hello-in-enterprise.md +++ b/windows/keep-secure/windows-hello-in-enterprise.md @@ -2,10 +2,11 @@ title: Windows Hello biometrics in the enterprise (Windows 10) description: Windows Hello is the biometric authentication feature that helps strengthen authentication and helps to guard against potential spoofing through fingerprint matching and facial recognition. ms.assetid: d3f27d94-2226-4547-86c0-65c84d6df8Bc -keywords: ["Windows Hello", "enterprise biometrics"] -ms.prod: W10 +keywords: Windows Hello, enterprise biometrics +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library +ms.pagetype: security author: eross-msft --- diff --git a/windows/keep-secure/windows-installer-rules-in-applocker.md b/windows/keep-secure/windows-installer-rules-in-applocker.md index 05f9214263..65a86eddfc 100644 --- a/windows/keep-secure/windows-installer-rules-in-applocker.md +++ b/windows/keep-secure/windows-installer-rules-in-applocker.md @@ -2,59 +2,36 @@ title: Windows Installer rules in AppLocker (Windows 10) description: This topic describes the file formats and available default rules for the Windows Installer rule collection. ms.assetid: 3fecde5b-88b3-4040-81fa-a2d36d052ec9 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Windows Installer rules in AppLocker + **Applies to** - Windows 10 + This topic describes the file formats and available default rules for the Windows Installer rule collection. + AppLocker defines Windows Installer rules to include only the following file formats: + - .msi - .msp - .mst + The purpose of this collection is to allow you to control the installation of files on client computers and servers through Group Policy or the Local Security Policy snap-in. The following table lists the default rules that are available for the Windows Installer rule collection. - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
PurposeNameUserRule condition type

Allow members of the local Administrators group to run all Windows Installer files

(Default Rule) All Windows Installer files

BUILTIN\Administrators

Path: *

Allow all users to run Windows Installer files that are digitally signed

(Default Rule) All digitally signed Windows Installer files

Everyone

Publisher: * (all signed files)

Allow all users to run Windows Installer files that are located in the Windows Installer folder

(Default Rule) All Windows Installer files in %systemdrive%\Windows\Installer

Everyone

Path: %windir%\Installer\*

+ +| Purpose | Name | User | Rule condition type | +| - | - | - | - | +| Allow members of the local Administrators group to run all Windows Installer files| (Default Rule) All Windows Installer files| BUILTIN\Administrators| Path: *| +| Allow all users to run Windows Installer files that are digitally signed | (Default Rule) All digitally signed Windows Installer files| Everyone| Publisher: * (all signed files)| +| Allow all users to run Windows Installer files that are located in the Windows Installer folder | (Default Rule) All Windows Installer files in %systemdrive%\Windows\Installer| Everyone| Path: %windir%\Installer\*|   ## Related topics -[Understanding AppLocker default rules](understanding-applocker-default-rules.md) + +- [Understanding AppLocker default rules](understanding-applocker-default-rules.md)     diff --git a/windows/keep-secure/working-with-applocker-policies.md b/windows/keep-secure/working-with-applocker-policies.md index af1edcf35e..219638880c 100644 --- a/windows/keep-secure/working-with-applocker-policies.md +++ b/windows/keep-secure/working-with-applocker-policies.md @@ -2,83 +2,35 @@ title: Working with AppLocker policies (Windows 10) description: This topic for IT professionals provides links to procedural topics about creating, maintaining, and testing AppLocker policies. ms.assetid: 7062d2e0-9cbb-4cb8-aa8c-b24945c3771d -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Working with AppLocker policies + **Applies to** - Windows 10 + This topic for IT professionals provides links to procedural topics about creating, maintaining, and testing AppLocker policies. + ## In this section - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TopicDescription

[Configure the Application Identity service](configure-the-application-identity-service.md)

This topic for IT professionals shows how to configure the Application Identity service to start automatically or manually.

[Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md)

This topic for IT professionals describes how to set AppLocker policies to Audit only within your IT environment by using AppLocker.

[Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md)

This topic for IT professionals describes the steps to enable the AppLocker policy enforcement setting.

[Display a custom URL message when users try to run a blocked app](display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md)

This topic for IT professionals describes the steps for displaying a customized message to users when an AppLocker policy denies access to an app.

[Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md)

This topic for IT professionals describes the steps to export an AppLocker policy from a Group Policy Object (GPO) so that it can be modified.

[Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md)

This topic for IT professionals describes the steps to export an AppLocker policy to an XML file for review or testing.

[Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md)

This topic for IT professionals describes how to import an AppLocker policy.

[Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md)

This topic for IT professionals describes the steps to import an AppLocker policy into a Group Policy Object (GPO).

[Add rules for packaged apps to existing AppLocker rule-set](add-rules-for-packaged-apps-to-existing-applocker-rule-set.md)

This topic for IT professionals describes how to update your existing AppLocker policies for packaged apps using the Remote Server Administration Toolkit (RSAT).

[Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md)

This topic for IT professionals describes the steps to merge AppLocker policies by using Windows PowerShell.

[Merge AppLocker policies manually](merge-applocker-policies-manually.md)

This topic for IT professionals describes the steps to manually merge AppLocker policies to update the Group Policy Object (GPO).

[Refresh an AppLocker policy](refresh-an-applocker-policy.md)

This topic for IT professionals describes the steps to force an update for an AppLocker policy.

[Test an AppLocker policy by using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md)

This topic for IT professionals describes the steps to test an AppLocker policy prior to importing it into a Group Policy Object (GPO) or another computer.

-  -  -  + +| Topic | Description | +| - | - | +| [Configure the Application Identity service](configure-the-application-identity-service.md) | This topic for IT professionals shows how to configure the Application Identity service to start automatically or manually.| +| [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md) | This topic for IT professionals describes how to set AppLocker policies to **Audit only ** within your IT environment by using AppLocker.| +| [Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md) | This topic for IT professionals describes the steps to enable the AppLocker policy enforcement setting.| +| [Display a custom URL message when users try to run a blocked app](display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md) | This topic for IT professionals describes the steps for displaying a customized message to users when an AppLocker policy denies access to an app.| +| [Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md) | This topic for IT professionals describes the steps to export an AppLocker policy from a Group Policy Object (GPO) so that it can be modified.| +| [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) | This topic for IT professionals describes the steps to export an AppLocker policy to an XML file for review or testing.| +| [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md) | This topic for IT professionals describes how to import an AppLocker policy.| +| [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md) | This topic for IT professionals describes the steps to import an AppLocker policy into a Group Policy Object (GPO).| +| [Add rules for packaged apps to existing AppLocker rule-set](add-rules-for-packaged-apps-to-existing-applocker-rule-set.md) | This topic for IT professionals describes how to update your existing AppLocker policies for packaged apps using the Remote Server Administration Toolkit (RSAT).| +| [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md) | This topic for IT professionals describes the steps to merge AppLocker policies by using Windows PowerShell.| +| [Merge AppLocker policies manually](merge-applocker-policies-manually.md) | This topic for IT professionals describes the steps to manually merge AppLocker policies to update the Group Policy Object (GPO).| +| [Refresh an AppLocker policy](refresh-an-applocker-policy.md) | This topic for IT professionals describes the steps to force an update for an AppLocker policy.| +| [Test an AppLocker policy by using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md) | This topic for IT professionals describes the steps to test an AppLocker policy prior to importing it into a Group Policy Object (GPO) or another computer.| + diff --git a/windows/keep-secure/working-with-applocker-rules.md b/windows/keep-secure/working-with-applocker-rules.md index 9ee115544d..9c528133ef 100644 --- a/windows/keep-secure/working-with-applocker-rules.md +++ b/windows/keep-secure/working-with-applocker-rules.md @@ -2,338 +2,207 @@ title: Working with AppLocker rules (Windows 10) description: This topic for IT professionals describes AppLocker rule types and how to work with them for your application control policies. ms.assetid: 3966b35b-f2da-4371-8b5f-aec031db6bc9 -ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Working with AppLocker rules + **Applies to** - Windows 10 + This topic for IT professionals describes AppLocker rule types and how to work with them for your application control policies. + ## In this section - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TopicDescription

[Create a rule that uses a file hash condition](create-a-rule-that-uses-a-file-hash-condition.md)

This topic for IT professionals shows how to create an AppLocker rule with a file hash condition.

[Create a rule that uses a path condition](create-a-rule-that-uses-a-path-condition.md)

This topic for IT professionals shows how to create an AppLocker rule with a path condition.

[Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md)

This topic for IT professionals shows how to create an AppLocker rule with a publisher condition.

[Create AppLocker default rules](create-applocker-default-rules.md)

This topic for IT professionals describes the steps to create a standard set of AppLocker rules that will allow Windows system files to run.

[Add exceptions for an AppLocker rule](configure-exceptions-for-an-applocker-rule.md)

This topic for IT professionals describes the steps to specify which apps can or cannot run as exceptions to an AppLocker rule.

[Create a rule for packaged apps](create-a-rule-for-packaged-apps.md)

This topic for IT professionals shows how to create an AppLocker rule for packaged apps with a publisher condition.

[Delete an AppLocker rule](delete-an-applocker-rule.md)

This topic for IT professionals describes the steps to delete an AppLocker rule.

[Edit AppLocker rules](edit-applocker-rules.md)

This topic for IT professionals describes the steps to edit a publisher rule, path rule, and file hash rule in AppLocker.

[Enable the DLL rule collection](enable-the-dll-rule-collection.md)

This topic for IT professionals describes the steps to enable the DLL rule collection feature for AppLocker.

[Enforce AppLocker rules](enforce-applocker-rules.md)

This topic for IT professionals describes how to enforce application control rules by using AppLocker.

[Run the Automatically Generate Rules wizard](run-the-automatically-generate-rules-wizard.md)

This topic for IT professionals describes steps to run the wizard to create AppLocker rules on a reference device.

+ +| Topic | Description | +| - | - | +| [Create a rule that uses a file hash condition](create-a-rule-that-uses-a-file-hash-condition.md) | This topic for IT professionals shows how to create an AppLocker rule with a file hash condition.| +| [Create a rule that uses a path condition](create-a-rule-that-uses-a-path-condition.md) | This topic for IT professionals shows how to create an AppLocker rule with a path condition.| +| [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md) | This topic for IT professionals shows how to create an AppLocker rule with a publisher condition.| +| [Create AppLocker default rules](create-applocker-default-rules.md) | This topic for IT professionals describes the steps to create a standard set of AppLocker rules that will allow Windows system files to run.| +| [Add exceptions for an AppLocker rule](configure-exceptions-for-an-applocker-rule.md) | This topic for IT professionals describes the steps to specify which apps can or cannot run as exceptions to an AppLocker rule.| +| [Create a rule for packaged apps](create-a-rule-for-packaged-apps.md) | This topic for IT professionals shows how to create an AppLocker rule for packaged apps with a publisher condition.| +| [Delete an AppLocker rule](delete-an-applocker-rule.md) | This topic for IT professionals describes the steps to delete an AppLocker rule.| +| [Edit AppLocker rules](edit-applocker-rules.md) | This topic for IT professionals describes the steps to edit a publisher rule, path rule, and file hash rule in AppLocker.| +| [Enable the DLL rule collection](enable-the-dll-rule-collection.md) | This topic for IT professionals describes the steps to enable the DLL rule collection feature for AppLocker.| +| [Enforce AppLocker rules](enforce-applocker-rules.md) | This topic for IT professionals describes how to enforce application control rules by using AppLocker.| +| [Run the Automatically Generate Rules wizard](run-the-automatically-generate-rules-wizard.md) | This topic for IT professionals describes steps to run the wizard to create AppLocker rules on a reference device.|   The three AppLocker enforcement modes are described in the following table. The enforcement mode setting defined here can be overwritten by the setting derived from a linked Group Policy Object (GPO) with a higher precedence. - ---- - - - - - - - - - - - - - - - - - - - - -
Enforcement modeDescription

Not configured

This is the default setting which means that the rules defined here will be enforced unless a linked GPO with a higher precedence has a different value for this setting.

Enforce rules

Rules are enforced.

Audit only

Rules are audited but not enforced. When a user runs an app that is affected by an AppLocker rule, the app is allowed to run and the info about the app is added to the AppLocker event log. The Audit-only enforcement mode helps you determine which apps will be affected by the policy before the policy is enforced. When the AppLocker policy for a rule collection is set to Audit only, rules for that rule collection are not enforced

-  + +| Enforcement mode | Description | +| - | - | +| **Not configured** | This is the default setting which means that the rules defined here will be enforced unless a linked GPO with a higher precedence has a different value for this setting.| +| **Enforce rules** | Rules are enforced.| +| **Audit only** | Rules are audited but not enforced. When a user runs an app that is affected by an AppLocker rule, the app is allowed to run and the info about the app is added to the AppLocker event log. The Audit-only enforcement mode helps you determine which apps will be affected by the policy before the policy is enforced. When the AppLocker policy for a rule collection is set to **Audit only**, rules for that rule collection are not enforced| + When AppLocker policies from various GPOs are merged, the rules from all the GPOs are merged and the enforcement mode setting of the winning GPO is applied. ## Rule collections + The AppLocker console is organized into rule collections, which are executable files, scripts, Windows Installer files, packaged apps and packaged app installers, and DLL files. These collections give you an easy way to differentiate the rules for different types of apps. The following table lists the file formats that are included in each rule collection. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Rule collectionAssociated file formats

Executable files

.exe

-

.com

Scripts

.ps1

-

.bat

-

.cmd

-

.vbs

-

.js

Windows Installer files

.msi

-

.msp

-

.mst

Packaged apps and packaged app installers

.appx

DLL files

.dll

-

.ocx

+ +| Rule collection | Associated file formats | +| - | - | +| Executable files | .exe
.com| +| Scripts| .ps1
.bat
.cmd
.vbs
.js| +| Windows Installer files | .msi
.msp
.mst| +| Packaged apps and packaged app installers | .appx| +| DLL files | .dll
.ocx|   -**Important**   -If you use DLL rules, you need to create an allow rule for each DLL that is used by all of the allowed apps. +>**Important:**  If you use DLL rules, you need to create an allow rule for each DLL that is used by all of the allowed apps. + When DLL rules are used, AppLocker must check each DLL that an application loads. Therefore, users may experience a reduction in performance if DLL rules are used. + The DLL rule collection is not enabled by default. To learn how to enable the DLL rule collection, see [DLL rule collections](#bkmk-dllrulecollections).   ## Rule conditions + Rule conditions are criteria that help AppLocker identify the apps to which the rule applies. The three primary rule conditions are publisher, path, and file hash. + - [Publisher](#bkmk-publisher): Identifies an app based on its digital signature - [Path](#bkmk-path): Identifies an app by its location in the file system of the computer or on the network - [File hash](#bkmk-filehash): Represents the system computed cryptographic hash of the identified file + ### Publisher + This condition identifies an app based on its digital signature and extended attributes when available. The digital signature contains info about the company that created the app (the publisher). Executable files, dlls, Windows installers, packaged apps and packaged app installers also have extended attributes, which are obtained from the binary resource. In case of executable files, dlls and Windows installers, these attributes contain the name of the product that the file is a part of, the original name of the file as supplied by the publisher, and the version number of the file. In case of packaged apps and packaged app installers, these extended attributes contain the name and the version of the app package. -**Note**   -Rules created in the packaged apps and packaged app installers rule collection can only have publisher conditions since Windows does not support unsigned packaged apps and packaged app installers. + +>**Note:**  Rules created in the packaged apps and packaged app installers rule collection can only have publisher conditions since Windows does not support unsigned packaged apps and packaged app installers.   -**Note**   -Use a publisher rule condition when possible because they can survive app updates as well as a change in the location of files. +>**Note:**  Use a publisher rule condition when possible because they can survive app updates as well as a change in the location of files.   When you select a reference file for a publisher condition, the wizard creates a rule that specifies the publisher, product, file name, and version number. You can make the rule more generic by moving the slider up or by using a wildcard character (\*) in the product, file name, or version number fields. -**Note**   -To enter custom values for any of the fields of a publisher rule condition in the Create Rules Wizard, you must select the **Use custom values** check box. When this check box is selected, you cannot use the slider. + +>**Note:**  To enter custom values for any of the fields of a publisher rule condition in the Create Rules Wizard, you must select the **Use custom values** check box. When this check box is selected, you cannot use the slider.   The **File version** and **Package version** control whether a user can run a specific version, earlier versions, or later versions of the app. You can choose a version number and then configure the following options: + - **Exactly.** The rule applies only to this version of the app - **And above.** The rule applies to this version and all later versions. - **And below.** The rule applies to this version and all earlier versions. + The following table describes how a publisher condition is applied. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
OptionThe publisher condition allows or denies…

All signed files

All files that are signed by any publisher.

Publisher only

All files that are signed by the named publisher.

Publisher and product name

All files for the specified product that are signed by the named publisher.

Publisher and product name, and file name

Any version of the named file or package for the named product that are signed by the publisher.

Publisher, product name, file name, and file version

Exactly

-

The specified version of the named file or package for the named product that are signed by the publisher.

Publisher, product name, file name, and file version

And above

-

The specified version of the named file or package and any new releases for the product that are signed by the publisher.

Publisher, product name, file name, and file version

And below

-

The specified version of the named file or package and any earlier versions for the product that are signed by the publisher.

Custom

You can edit the Publisher, Product name, File name, Version Package name, and Package version fields to create a custom rule.

-  + + +| Option | The publisher condition allows or denies… | +| **All signed files** | All files that are signed by any publisher.| +| **Publisher only**| All files that are signed by the named publisher.| +| **Publisher and product name**| All files for the specified product that are signed by the named publisher.| +| **Publisher and product name, and file name**| Any version of the named file or package for the named product that are signed by the publisher.| +| **Publisher, product name, file name, and file version**| **Exactly**
The specified version of the named file or package for the named product that are signed by the publisher.| +| **Publisher, product name, file name, and file version**| **And above**
The specified version of the named file or package and any new releases for the product that are signed by the publisher.| +| **Publisher, product name, file name, and file version**| **And below**
The specified version of the named file or package and any earlier versions for the product that are signed by the publisher.| +| **Custom**| You can edit the **Publisher**, **Product name**, **File name**, **Version** **Package name**, and **Package version** fields to create a custom rule.| + ### Path + This rule condition identifies an application by its location in the file system of the computer or on the network. + AppLocker uses custom path variables for well-known paths, such as Program Files and Windows. + The following table details these path variables. - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows directory or diskAppLocker path variableWindows environment variable

Windows

%WINDIR%

%SystemRoot%

System32

%SYSTEM32%

%SystemDirectory%

Windows installation directory

%OSDRIVE%

%SystemDrive%

Program Files

%PROGRAMFILES%

%ProgramFiles% and

-

%ProgramFiles(x86)%

Removable media (for example, a CD or DVD)

%REMOVABLE%

Removable storage device (for example, a USB flash drive)

%HOT%

+ +| Windows directory or disk | AppLocker path variable | Windows environment variable | +| - | - | - | +| Windows| %WINDIR%| %SystemRoot%| +| System32| %SYSTEM32%| %SystemDirectory%| +| Windows installation directory| %OSDRIVE%| %SystemDrive%| +| Program Files| %PROGRAMFILES%| %ProgramFiles% and %ProgramFiles(x86)% | +| Removable media (for example, a CD or DVD)| %REMOVABLE%| | +| Removable storage device (for example, a USB flash drive)| %HOT% | |   -**Important**   -Because a path rule condition can be configured to include a large number of folders and files, path conditions should be carefully planned. For example, if an allow rule with a path condition includes a folder location that non-administrators are allowed to write data into, a user can copy unapproved files into that location and run the files. For this reason, it is a best practice to not create path conditions for standard user writable locations, such as a user profile. +>**Important:**  Because a path rule condition can be configured to include a large number of folders and files, path conditions should be carefully planned. For example, if an allow rule with a path condition includes a folder location that non-administrators are allowed to write data into, a user can copy unapproved files into that location and run the files. For this reason, it is a best practice to not create path conditions for standard user writable locations, such as a user profile.   ### File hash + When you choose the file hash rule condition, the system computes a cryptographic hash of the identified file. The advantage of this rule condition is that because each file has a unique hash, a file hash rule condition applies to only one file. The disadvantage is that each time the file is updated (such as a security update or upgrade) the file's hash will change. As a result, you must manually update file hash rules. + ## AppLocker default rules + AppLocker allows you to generate default rules for each rule collection. + Executable default rule types include: + - Allow members of the local **Administrators** group to run all apps. - Allow members of the **Everyone** group to run apps that are located in the Windows folder. - Allow members of the **Everyone** group to run apps that are located in the Program Files folder. + Script default rule types include: + - Allow members of the local **Administrators** group to run all scripts. - Allow members of the **Everyone** group to run scripts that are located in the Program Files folder. - Allow members of the **Everyone** group to run scripts that are located in the Windows folder. + Windows Installer default rule types include: + - Allow members of the local **Administrators** group to run all Windows Installer files. - Allow members of the **Everyone** group to run all digitally signed Windows Installer files. - Allow members of the **Everyone** group to run all Windows Installer files that are located in the Windows\\Installer folder. + DLL default rule types: + - Allow members of the local **Administrators** group to run all DLLs. - Allow members of the **Everyone** group to run DLLs that are located in the Program Files folder. - Allow members of the **Everyone** group to run DLLs that are located in the Windows folder. + Packaged apps default rule types: + - Allow members of the **Everyone** group to install and run all signed packaged apps and packaged app installers. + ## AppLocker rule behavior + If no AppLocker rules for a specific rule collection exist, all files with that file format are allowed to run. However, when an AppLocker rule for a specific rule collection is created, only the files explicitly allowed in a rule are permitted to run. For example, if you create an executable rule that allows .exe files in *%SystemDrive%\\FilePath* to run, only executable files located in that path are allowed to run. + A rule can be configured to use allow or deny actions: + - **Allow.** You can specify which files are allowed to run in your environment, and for which users or groups of users. You can also configure exceptions to identify files that are excluded from the rule. - **Deny.** You can specify which files are *not* allowed to run in your environment, and for which users or groups of users. You can also configure exceptions to identify files that are excluded from the rule. -**Important**   -For a best practice, use allow actions with exceptions. You can use a combination of allow and deny actions but understand that deny actions override allow actions in all cases, and can be circumvented. + +>**Important:**  For a best practice, use allow actions with exceptions. You can use a combination of allow and deny actions but understand that deny actions override allow actions in all cases, and can be circumvented.   -**Important**   -If you join a computer running at least Windows Server 2012 or Windows 8 to a domain that already enforces AppLocker rules for executable files, users will not be able to run any packaged apps unless you also create rules for packaged apps. If you want to allow any packaged apps in your environment while continuing to control executable files, you should create the default rules for packaged apps and set the enforcement mode to Audit-only for the packaged apps rule collection. +>**Important:**  If you join a computer running at least Windows Server 2012 or Windows 8 to a domain that already enforces AppLocker rules for executable files, users will not be able to run any packaged apps unless you also create rules for packaged apps. If you want to allow any packaged apps in your environment while continuing to control executable files, you should create the default rules for packaged apps and set the enforcement mode to Audit-only for the packaged apps rule collection.   ## Rule exceptions + You can apply AppLocker rules to individual users or to a group of users. If you apply a rule to a group of users, all users in that group are affected by that rule. If you need to allow a subset of a user group to use an app, you can create a special rule for that subset. For example, the rule "Allow everyone to run Windows except Registry Editor" allows everyone in the organization to run the Windows operating system, but it does not allow anyone to run Registry Editor. + The effect of this rule would prevent users such as Help Desk personnel from running a program that is necessary for their support tasks. To resolve this problem, create a second rule that applies to the Help Desk user group: "Allow Help Desk to run Registry Editor." If you create a deny rule that does not allow any users to run Registry Editor, the deny rule will override the second rule that allows the Help Desk user group to run Registry Editor. + ## DLL rule collection + Because the DLL rule collection is not enabled by default, you must perform the following procedure before you can create and enforce DLL rules. + Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure. + **To enable the DLL rule collection** + 1. Click **Start**, type **secpol.msc**, and then press ENTER. 2. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. 3. In the console tree, double-click **Application Control Policies**, right-click **AppLocker**, and then click **Properties**. 4. Click the **Advanced** tab, select the **Enable the DLL rule collection** check box, and then click **OK**. - **Important**   - Before you enforce DLL rules, make sure that there are allow rules for each DLL that is used by any of the allowed apps. + + >**Important:**  Before you enforce DLL rules, make sure that there are allow rules for each DLL that is used by any of the allowed apps.   ## AppLocker wizards + You can create rules by using two AppLocker wizards: + 1. The Create Rules Wizard enables you to create one rule at a time. 2. The Automatically Generate Rules Wizard allows you to create multiple rules at one time. You can either select a folder and let the wizard create rules for the relevant files within that folder or in case of packaged apps let the wizard create rules for all packaged apps installed on the computer. You can also specify the user or group to which to apply the rules. This wizard automatically generates allow rules only. + ## Additional considerations + - By default, AppLocker rules do not allow users to open or run any files that are not specifically allowed. Administrators should maintain an up-to-date list of allowed applications. - There are two types of AppLocker conditions that do not persist following an update of an app: + - **A file hash condition** File hash rule conditions can be used with any app because a cryptographic hash value of the app is generated at the time the rule is created. However, the hash value is specific to that exact version of the app. If there are several versions of the application in use within the organization, you need to create file hash conditions for each version in use and for any new versions that are released. + - **A publisher condition with a specific product version set** If you create a publisher rule condition that uses the **Exactly** version option, the rule cannot persist if a new version of the app is installed. A new publisher condition must be created, or the version must be edited in the rule to be made less specific. + - If an app is not digitally signed, you cannot use a publisher rule condition for that app. - AppLocker rules cannot be used to manage computers running a Windows operating system earlier than Windows Server 2008 R2 or Windows 7. Software Restriction Policies must be used instead. If AppLocker rules are defined in a Group Policy Object (GPO), only those rules are applied. To ensure interoperability between Software Restriction Policies rules and AppLocker rules, define Software Restriction Policies rules and AppLocker rules in different GPOs. - The packaged apps and packaged apps installer rule collection is available on devices running at least Windows Server 2012 and Windows 8. @@ -341,5 +210,3 @@ You can create rules by using two AppLocker wizards: - When an AppLocker rule collection is set to **Audit only**, the rules are not enforced. When a user runs an application that is included in the rule, the app is opened and runs normally, and information about that app is added to the AppLocker event log. - A custom configured URL can be included in the message that is displayed when an app is blocked. - Expect an increase in the number of Help Desk calls initially because of blocked apps until users understand that they cannot run apps that are not allowed. -  -  diff --git a/windows/manage/TOC.md b/windows/manage/TOC.md index b1976dec28..ebc01b4abf 100644 --- a/windows/manage/TOC.md +++ b/windows/manage/TOC.md @@ -4,6 +4,7 @@ ## [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) ## [Manage corporate devices](manage-corporate-devices.md) ### [New policies for Windows 10](new-policies-for-windows-10.md) +### [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md) ### [Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md) ### [Bulk provisioning for Windows 10 devices](simple-bulk-provisioning.md) ### [Diagnostics for devices managed by MDM](diagnostics-for-mdm-devices.md) @@ -20,7 +21,7 @@ #### [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) #### [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](set-up-a-kiosk-for-windows-10-for-mobile-edition.md) ### [Lock down Windows 10 to specific apps](lock-down-windows-10-to-specific-apps.md) -### [Configure Windows 10 devices to stop data flow to Microsoft](configure-windows-10-devices-to-stop-data-flow-to-microsoft.md) +### [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) ### [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md) ### [Configure access to Windows Store](stop-employees-from-using-the-windows-store.md) ### [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) @@ -28,7 +29,6 @@ #### [Settings and quick actions that can be locked down in Windows 10 Mobile](settings-that-can-be-locked-down.md) #### [Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md) ### [Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md) -### [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md) ## [Join Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md) ## [Configure devices without MDM](configure-devices-without-mdm.md) ## [Windows 10 servicing options for updates and upgrades](introduction-to-windows-10-servicing.md) diff --git a/windows/manage/application-development-for-windows-as-a-service.md b/windows/manage/application-development-for-windows-as-a-service.md index 69df22ff69..cffbdd7092 100644 --- a/windows/manage/application-development-for-windows-as-a-service.md +++ b/windows/manage/application-development-for-windows-as-a-service.md @@ -6,7 +6,7 @@ ms.prod: W10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -author: jdeckerMS +author: greg-lindsay --- # Application development for Windows as a service diff --git a/windows/manage/change-history-for-manage-and-update-windows-10.md b/windows/manage/change-history-for-manage-and-update-windows-10.md index df398cfd27..3035b4bb6c 100644 --- a/windows/manage/change-history-for-manage-and-update-windows-10.md +++ b/windows/manage/change-history-for-manage-and-update-windows-10.md @@ -17,7 +17,7 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in | New or changed topic | Description | | ---|---| | [Group Policies that apply only to Windows 10 Enterprise and Education Editions](group-policies-for-enterprise-and-education-editions.md) | New | -| [Configure Windows 10 devices to stop data flow to Microsoft](configure-windows-10-devices-to-stop-data-flow-to-microsoft.md) | Added section on how to turn off Live Tiles | +| [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Added section on how to turn off Live Tiles | | [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md) | New telemetry content | | [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) |Removed info about sharing wi-fi network access with contacts, since it's been deprecated. | | [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | Corrected script for setting a custom shell using Shell Launcher | diff --git a/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md b/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md index 7b24cfdfbe..66f10dbf1e 100644 --- a/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md +++ b/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md @@ -1,11 +1,6 @@ --- title: Configure Windows 10 devices to stop data flow to Microsoft (Windows 10) -description: If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider. -ms.assetid: ACCEB0DD-BC6F-41B1-B359-140B242183D9 -keywords: privacy, stop data flow to Microsoft -ms.prod: W10 -ms.mktglfcycl: manage -ms.sitesec: library +redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services --- # Configure Windows 10 devices to stop data flow to Microsoft @@ -285,7 +280,7 @@ When you enable the **Don't search the web or display web results in Search** Gr - For **Remote port**, choose **All ports**. -> **Note:** If your organization tests network traffic, you should not use Fiddler to test Windows Firewall settings. You should use a network traffic analyzer, such as WireShark or Message Analyzer. +> **Note:** If your organization tests network traffic, you should not use Fiddler to test Windows Firewall settings. Fiddler is a network proxy and Windows Firewall does not block proxy traffic. You should use a network traffic analyzer, such as WireShark or Message Analyzer. ### 1.2 Cortana MDM policies @@ -1083,7 +1078,7 @@ When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings scr ### 19. Windows Defender -You can opt of the Microsoft Antimalware Protection Service. +You can opt out of the Microsoft Antimalware Protection Service. - Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **MAPS** > **Join Microsoft MAPS** diff --git a/windows/manage/configure-windows-telemetry-in-your-organization.md b/windows/manage/configure-windows-telemetry-in-your-organization.md index 58de9307b7..0c28495bbb 100644 --- a/windows/manage/configure-windows-telemetry-in-your-organization.md +++ b/windows/manage/configure-windows-telemetry-in-your-organization.md @@ -14,8 +14,7 @@ keywords: privacy Use this article to make informed decisions about how you can configure telemetry in your organization. Telemetry is a term that means different things to different people and organizations. For the purpose of this article, we discuss telemetry as system data that is uploaded by the Connected User Experience and Telemetry component. The telemetry data is used to keep Windows devices secure, and to help Microsoft improve the quality of Windows and Microsoft services. -**Note**   -This article does not apply to System Center Configuration Manager, System Center Endpoint Protection, or System Center Data Protection Manager because those components use a different telemetry service than Windows and Windows Server. +>**Note:**  This article does not apply to System Center Configuration Manager, System Center Endpoint Protection, or System Center Data Protection Manager because those components use a different telemetry service than Windows and Windows Server. It describes the types of telemetry we gather and the ways you can manage its telemetry. This article also lists some examples of how telemetry can provide you with valuable insights into your enterprise deployments, and how Microsoft uses the data to quickly identify and address issues affecting its customers. @@ -29,7 +28,7 @@ Microsoft is committed to improving customer experiences in a mobile-first and c Our goal is to leverage the aggregated data to drive changes in the product and ecosystem to improve our customer experiences. We are also partnering with enterprises to provide added value from the telemetry information shared by their devices. Some examples include identifying outdated patches and downloading the latest antimalware signatures to help keep their devices secure, identifying application compatibility issues prior to upgrades, and gaining insights into driver reliability issues affecting other customers. -For Windows 10, we invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows work better for youcr organization. +For Windows 10, we invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows work better for your organization. ## How is telemetry data handled by Microsoft? @@ -91,8 +90,7 @@ The levels are cumulative and are illustrated in the following diagram. These le The Security level gathers only the telemetry info that is required to keep Windows devices, Windows Server, and guests secure with the latest security updates. This level is only available on Windows Server 2016, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and IoT Core editions. -**Note**   -If your organization relies on Windows Update for updates, you shouldn’t use the **Security** level. Because no Windows Update information is gathered at this level, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates. +> **Note:**  If your organization relies on Windows Update for updates, you shouldn’t use the **Security** level. Because no Windows Update information is gathered at this level, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates. Windows Server Update Services (WSUS) and System Center Configuration Manager functionality is not affected at this level, nor is telemetry data about Windows Server features or System Center gathered. @@ -104,8 +102,7 @@ The data gathered at this level includes: - **Malicious Software Removal Tool (MSRT)** The MSRT infection report contains information, including device info and IP address. - **Note**   - You can turn off the MSRT infection report. No MSRT information is included if MSRT is not used. If Windows Update is turned off, MSRT will not be offered to users. For more info, see Microsoft KB article [891716](http://support.microsoft.com/kb/891716). + >**Note:**  You can turn off the MSRT infection report. No MSRT information is included if MSRT is not used. If Windows Update is turned off, MSRT will not be offered to users. For more info, see Microsoft KB article [891716](http://support.microsoft.com/kb/891716).   @@ -128,7 +125,7 @@ The Basic level gathers a limited set of data that’s critical for understandin The data gathered at this level includes: -- **Basic device data**. Helps provide an understanding about the types of Windows devices and the configurations and types of native and virtualized Windows Server 2016 Technical Previewinstances in the ecosystem, including: +- **Basic device data**. Helps provide an understanding about the types of Windows devices and the configurations and types of native and virtualized Windows Server 2016 Technical Preview instances in the ecosystem, including: - Device attributes, such as camera resolution and display type @@ -152,7 +149,7 @@ The data gathered at this level includes: - **Compatibility data**. Helps provide an understanding about which apps are installed on a device or virtual machine and identifies potential compatibility problems. - - **General app data and app data for Internet Explorer add-ons**. Includes a list of apps that are installed on a native or virtualized instance of the OS and whether these apps function correctly after an upgrade.This app data includes the app name, publisher, version, and basic details about which files have been blocked from usage. + - **General app data and app data for Internet Explorer add-ons**. Includes a list of apps that are installed on a native or virtualized instance of the OS and whether these apps function correctly after an upgrade. This app data includes the app name, publisher, version, and basic details about which files have been blocked from usage. - **App usage data**. Includes how an app is used, including how long an app is used for, when the app has focus, and when the app is started @@ -168,7 +165,7 @@ The data gathered at this level includes: ### Enhanced level -The Enhanced level gathers data about how Windows and apps are used and how they perform. This level also includes data from both the **Basic** and **Security** levels. This level helps to improve the user experiencewith the operating system and apps. Data from this level can be abstracted into patterns and trends that can help Microsoft determine future improvements. +The Enhanced level gathers data about how Windows and apps are used and how they perform. This level also includes data from both the **Basic** and **Security** levels. This level helps to improve the user experience with the operating system and apps. Data from this level can be abstracted into patterns and trends that can help Microsoft determine future improvements. This is the default level, and the minimum level needed to quickly identify and address Windows, Windows Server, and System Center quality issues. @@ -204,8 +201,7 @@ However, before more data is gathered, Microsoft’s privacy governance team, in We do not recommend that you turn off telemetry in your organization as valuable functionality may be impacted, but we recognize that in some scenarios this may be required. Use the steps in this section to do so for Windows, Windows Server, and System Center. -**Important**   -These telemetry levels only apply to Windows, Windows Server, and System Center components and apps that use the Connected User Experience and Telemetry component. Non-Windows components, such as Microsoft Office or other 3rd-party apps, may communicate with their cloud services outside of these telemetry levels. You should work with your app vendors to understand their telemetry policy, and how you can to opt in or opt out. For more information on how Microsoft Office uses telemetry, see [Overview of Office Telemetry](http://technet.microsoft.com/library/jj863580.aspx). +>**Important:**  These telemetry levels only apply to Windows, Windows Server, and System Center components and apps that use the Connected User Experience and Telemetry component. Non-Windows components, such as Microsoft Office or other 3rd-party apps, may communicate with their cloud services outside of these telemetry levels. You should work with your app vendors to understand their telemetry policy, and how you can to opt in or opt out. For more information on how Microsoft Office uses telemetry, see [Overview of Office Telemetry](http://technet.microsoft.com/library/jj863580.aspx). You can turn on or turn off System Center telemetry gathering. The default is on and the data gathered at this level represents what is gathered by default when System Center telemetry is turned on. However, setting the operating system telemetry level to **Basic** will turn off System Center telemetry, even if the System Center telemetry switch is turned on. @@ -213,7 +209,7 @@ The lowest telemetry setting level supported through management policies is **Se ### Configure the operating system telemetry level -You can configure your operating system telemetry settings using the management tools you’re already using, such as Group Policy, MDM, or Windows Provisioning. You can also manually change your settings using Registry Editor. Setting your telemetry levels through a management policy overrides any devicelevel settings. +You can configure your operating system telemetry settings using the management tools you’re already using, such as Group Policy, MDM, or Windows Provisioning. You can also manually change your settings using Registry Editor. Setting your telemetry levels through a management policy overrides any device level settings. Use the appropriate value in the table below when you configure the management policy. @@ -274,8 +270,7 @@ There are a few more settings that you can turn off that may send telemetry info - Turn off **Linguistic Data Collection** in **Settings** > **Privacy**. At telemetry levels **Enhanced** and **Full**, Microsoft uses Linguistic Data Collection info to improve language model features such as autocomplete, spellcheck, suggestions, input pattern recognition, and dictionary. - **Note**   - Microsoft do not intend to gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user's device. If we determine that sensitive information has been inadvertently received, we delete the information. + >**Note:**  Microsoft does not intend to gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user's device. If we determine that sensitive information has been inadvertently received, we delete the information.   @@ -284,7 +279,7 @@ There are a few more settings that you can turn off that may send telemetry info ### Drive higher application and driver quality in the ecosystem -Telemetry plays an important role in quickly identifying and fixing critical reliability and security issues in our customers’ deployments and configurations. Insights into the telemetry data we gather helps us to quickly identify crashes or hangs associated with a certain application or driver on a given configuration, like a particular storage type (for example, SCSI) or a memory size. For System Center, job usages and statuses can also help us enhance the job workload and the communication between System Center and its managed products. Microsoft’s ability to get this data from customers and drive improvements into the ecosystem helps raise the bar for the quality of System Center, Windows Server applications, Windows apps, and drivers. Real-time data about Windows installations reduces downtime and the cost associated with troubleshooting unreliable drivers or unstable applications +Telemetry plays an important role in quickly identifying and fixing critical reliability and security issues in our customers’ deployments and configurations. Insights into the telemetry data we gather helps us to quickly identify crashes or hangs associated with a certain application or driver on a given configuration, like a particular storage type (for example, SCSI) or a memory size. For System Center, job usages and statuses can also help us enhance the job workload and the communication between System Center and its managed products. Microsoft’s ability to get this data from customers and drive improvements into the ecosystem helps raise the bar for the quality of System Center, Windows Server applications, Windows apps, and drivers. Real-time data about Windows installations reduces downtime and the cost associated with troubleshooting unreliable drivers or unstable applications. ### Reduce your total cost of ownership and downtime diff --git a/windows/manage/group-policies-for-enterprise-and-education-editions.md b/windows/manage/group-policies-for-enterprise-and-education-editions.md index ee2fd20508..5d5f71e9f1 100644 --- a/windows/manage/group-policies-for-enterprise-and-education-editions.md +++ b/windows/manage/group-policies-for-enterprise-and-education-editions.md @@ -16,4 +16,7 @@ In Windows 10, version 1511, the following Group Policies apply only to Windows | Policy name | Policy path | Comments | | - | - | - | -| Turn off the Store application | Computer Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application

User Configuration > Administrative Templates > Windows Components > Store > Turn off the Store | For more info, see [Knowledge Base article# 3135657](https://support.microsoft.com/en-us/kb/3135657). \ No newline at end of file +| Turn off the Store application | Computer Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application

User Configuration > Administrative Templates > Windows Components > Store > Turn off the Store | For more info, see [Knowledge Base article# 3135657](https://support.microsoft.com/en-us/kb/3135657). | +| Start layout | User Configuration\Administrative Templates\Start Menu and Taskbar | For more info, see [Manage Windows 10 Start layout options and policies](windows-10-start-layout-options-and-policies.md) | +| Force a specific default lock screen image | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](https://technet.microsoft.com/en-us/itpro/windows/whats-new/windows-spotlight) | + \ No newline at end of file diff --git a/windows/manage/images/settings-table.png b/windows/manage/images/settings-table.png index 527d92d9b2..6b77ce6002 100644 Binary files a/windows/manage/images/settings-table.png and b/windows/manage/images/settings-table.png differ diff --git a/windows/manage/index.md b/windows/manage/index.md index e6aff0c940..412bfc3d9b 100644 --- a/windows/manage/index.md +++ b/windows/manage/index.md @@ -74,4 +74,4 @@ Learn about managing and updating Windows 10. ## Related topics [Windows 10 and Windows 10 Mobile](../index.md)   -  + [Learn how Microsoft does IT at the IT Showcase](https://www.microsoft.com/itshowcase) diff --git a/windows/manage/introduction-to-windows-10-servicing.md b/windows/manage/introduction-to-windows-10-servicing.md index 23290ae499..0c6c2ab9a6 100644 --- a/windows/manage/introduction-to-windows-10-servicing.md +++ b/windows/manage/introduction-to-windows-10-servicing.md @@ -7,7 +7,7 @@ ms.prod: W10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -author: jdeckerMS +author: greg-lindsay --- # Windows 10 servicing options for updates and upgrades diff --git a/windows/manage/lock-down-windows-10.md b/windows/manage/lock-down-windows-10.md index f0782128f5..61004d8822 100644 --- a/windows/manage/lock-down-windows-10.md +++ b/windows/manage/lock-down-windows-10.md @@ -47,7 +47,7 @@ Enterprises often need to manage how people use corporate devices. Windows 10 p

Use this article to make informed decisions about how you can configure Windows telemetry in your organization.

-

[Configure Windows 10 devices to stop data flow to Microsoft](configure-windows-10-devices-to-stop-data-flow-to-microsoft.md)

+

[Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)

Learn about the network connections that Windows components make to Microsoft and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro.

@@ -67,10 +67,7 @@ Enterprises often need to manage how people use corporate devices. Windows 10 p

[Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md)

There are two methods for resetting a Windows 10 Mobile device: factory reset and "wipe and persist" reset.

- -

[Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md)

-

New

- + diff --git a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md new file mode 100644 index 0000000000..616f93dc73 --- /dev/null +++ b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -0,0 +1,1264 @@ +--- +title: Manage connections from Windows operating system components to Microsoft services (Windows 10) +description: If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider. +ms.assetid: ACCEB0DD-BC6F-41B1-B359-140B242183D9 +keywords: privacy, manage connections to Microsoft +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +--- + +# Manage connections from Windows operating system components to Microsoft services + +**Applies to** + +- Windows 10 + +If you're looking for content on what each telemetry level means and how to configure it in your organization, see [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md). + +Learn about the network connections that Windows components make to Microsoft and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro. + +If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider. You can configure telemetry at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment from the list in this article. + +Some of the network connections discussed in this article can be managed in Windows 10 Mobile, Windows 10 Mobile Enterprise, and the July release of Windows 10. However, you must use Windows 10 Enterprise, version 1511 or Windows 10 Education, version 1511 to manage them all. + +In Windows 10 Enterprise, version 1511 or Windows 10 Education, version 1511, you can configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all other connections to Microsoft services as described in this article to prevent Windows from sending any data to Microsoft. We strongly recommend against this, as this data helps us deliver a secure, reliable, and more delightful personalized experience. + +We are always working on improving Windows 10 for our customers. We invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows 10 work better for your organization. + +Here's what's covered in this article: + +- [Info management settings](#bkmk-othersettings) + + - [1. Cortana](#bkmk-cortana) + + - [1.1 Cortana Group Policies](#bkmk-cortana-gp) + + - [1.2 Cortana MDM policies](#bkmk-cortana-mdm) + + - [1.3 Cortana Windows Provisioning](#bkmk-cortana-prov) + + - [2. Date & Time](#bkmk-datetime) + + - [3. Device metadata retrieval](#bkmk-devinst) + + - [4. Font streaming](#font-streaming) + + - [5. Insider Preview builds](#bkmk-previewbuilds) + + - [6. Internet Explorer](#bkmk-ie) + + - [6.1 Internet Explorer Group Policies](#bkmk-ie-gp) + + - [6.2 ActiveX control blocking](#bkmk-ie-activex) + + - [7. Live Tiles](#live-tiles) + + - [8. Mail synchronization](#bkmk-mailsync) + + - [9. Microsoft Edge](#bkmk-edge) + + - [9.1 Microsoft Edge Group Policies](#bkmk-edgegp) + + - [9.2 Microsoft Edge MDM policies](#bkmk-edge-mdm) + + - [9.3 Microsoft Edge Windows Provisioning](#bkmk-edge-prov) + + - [10. Network Connection Status Indicator](#bkmk-ncsi) + + - [11. Offline maps](#bkmk-offlinemaps) + + - [12. OneDrive](#bkmk-onedrive) + + - [13. Preinstalled apps](#bkmk-preinstalledapps) + + - [14. Settings > Privacy](#bkmk-settingssection) + + - [14.1 General](#bkmk-priv-general) + + - [14.2 Location](#bkmk-priv-location) + + - [14.3 Camera](#bkmk-priv-camera) + + - [14.4 Microphone](#bkmk-priv-microphone) + + - [14.5 Speech, inking, & typing](#bkmk-priv-speech) + + - [14.6 Account info](#bkmk-priv-accounts) + + - [14.7 Contacts](#bkmk-priv-contacts) + + - [14.8 Calendar](#bkmk-priv-calendar) + + - [14.9 Call history](#bkmk-priv-callhistory) + + - [14.10 Email](#bkmk-priv-email) + + - [14.11 Messaging](#bkmk-priv-messaging) + + - [14.12 Radios](#bkmk-priv-radios) + + - [14.13 Other devices](#bkmk-priv-other-devices) + + - [14.14 Feedback & diagnostics](#bkmk-priv-feedback) + + - [14.15 Background apps](#bkmk-priv-background) + + - [15. Software Protection Platform](#bkmk-spp) + + - [16. Sync your settings](#bkmk-syncsettings) + + - [17. Teredo](#bkmk-teredo) + + - [18. Wi-Fi Sense](#bkmk-wifisense) + + - [19. Windows Defender](#bkmk-defender) + + - [20. Windows Media Player](#bkmk-wmp) + + - [21. Windows spotlight](#bkmk-spotlight) + + - [22. Windows Store](#bkmk-windowsstore) + + - [23. Windows Update Delivery Optimization](#bkmk-updates) + + - [23.1 Settings > Update & security](#bkmk-wudo-ui) + + - [23.2 Delivery Optimization Group Policies](#bkmk-wudo-gp) + + - [23.3 Delivery Optimization MDM policies](#bkmk-wudo-mdm) + + - [23.4 Delivery Optimization Windows Provisioning](#bkmk-wudo-prov) + + - [24. Windows Update](#bkmk-wu) + +## What's new in Windows 10, version 1511 + + +Here's a list of changes that were made to this article for Windows 10, version 1511: + +- Added the following new sections: + + - [Mail synchronization](#bkmk-mailsync) + + - [Offline maps](#bkmk-offlinemaps) + + - [Windows spotlight](#bkmk-spotlight) + + - [Windows Store](#bkmk-windowsstore) + +- Added the following Group Policies: + + - Open a new tab with an empty tab + + - Configure corporate Home pages + + - Let Windows apps access location + + - Let Windows apps access the camera + + - Let Windows apps access the microphone + + - Let Windows apps access account information + + - Let Windows apps access contacts + + - Let Windows apps access the calendar + + - Let Windows apps access messaging + + - Let Windows apps control radios + + - Let Windows apps access trusted devices + + - Do not show feedback notifications + + - Turn off Automatic Download and Update of Map Data + + - Force a specific default lock screen image + +- Added the AllowLinguisticDataCollection MDM policy. + +- Added steps in the [Cortana](#bkmk-cortana) section on how to disable outbound traffic using Windows Firewall. + +- Changed the Windows Update section to apply system-wide settings, and not just per user. + +## Info management settings + + +This section lists the components that make network connections to Microsoft services automatically. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all of these connections. We strongly recommend against this, as this data helps us deliver a secure, reliable, and more delightful personalized experience. + +The settings in this section assume you are using Windows 10, version 1511 (currently available in the Current Branch and Current Branch for Business). They will also be included in the next update for the Long Term Servicing Branch. + +- [1. Cortana](#bkmk-cortana) + +- [2. Date & Time](#bkmk-datetime) + +- [3. Device metadata retrieval](#bkmk-devinst) + +- [4. Font streaming](#font-streaming) + +- [5. Insider Preview builds](#bkmk-previewbuilds) + +- [6. Internet Explorer](#bkmk-ie) + +- [7. Live Tiles](#live-tiles) + +- [8. Mail synchronization](#bkmk-mailsync) + +- [9. Microsoft Edge](#bkmk-edge) + +- [10. Network Connection Status Indicator](#bkmk-ncsi) + +- [11. Offline maps](#bkmk-offlinemaps) + +- [12. OneDrive](#bkmk-onedrive) + +- [13. Preinstalled apps](#bkmk-preinstalledapps) + +- [14. Settings > Privacy](#bkmk-settingssection) + +- [15. Software Protection Platform](#bkmk-spp) + +- [16. Sync your settings](#bkmk-syncsettings) + +- [17. Teredo](#bkmk-teredo) + +- [18. Wi-Fi Sense](#bkmk-wifisense) + +- [19. Windows Defender](#bkmk-defender) + +- [20. Windows Media Player](#bkmk-wmp) + +- [21. Windows spotlight](#bkmk-spotlight) + +- [22. Windows Store](#bkmk-windowsstore) + +- [23. Windows Update Delivery Optimization](#bkmk-updates) + +- [24. Windows Update](#bkmk-wu) + + +See the following table for a summary of the management settings. For more info, see its corresponding section. + +![Management settings table](images/settings-table.png) + +### 1. Cortana + +Use either Group Policy or MDM policies to manage settings for Cortana. For more info, see [Cortana, Search, and privacy: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730683). + +### 1.1 Cortana Group Policies + +Find the Cortana Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Search**. + +| Policy | Description | +|------------------------------------------------------|---------------------------------------------------------------------------------------| +| Allow Cortana | Choose whether to let Cortana install and run on the device. | +| Allow search and Cortana to use location | Choose whether Cortana and Search can provide location-aware search results. | +| Do not allow web search | Choose whether to search the web from Windows Desktop Search.
Default: Disabled| +| Don't search the web or display web results in Search| Choose whether to search the web from Cortana. | +| Set what information is shared in Search | Control what information is shared with Bing in Search. | + +When you enable the **Don't search the web or display web results in Search** Group Policy, you can control the behavior of whether Cortana searches the web to display web results. However, this policy only covers whether or not web search is performed. There could still be a small amount of network traffic to Bing.com to evaluate if certain Cortana components are up-to-date or not. In order to turn off that network activity completely, you can create a Windows Firewall rule to prevent outbound traffic. + +1. Expand **Computer Configuration** > **Windows Settings** > **Security Settings** > **Windows Firewall with Advanced Security** > **Windows Firewall with Advanced Security - <LDAP name>**, and then click **Outbound Rules**. + +2. Right-click **Outbound Rules**, and then click **New Rule**. The **New Outbound Rule Wizard** starts. + +3. On the **Rule Type** page, click **Program**, and then click **Next**. + +4. On the **Program** page, click **This program path**, type **%windir%\\systemapps\\Microsoft.Windows.Cortana\_cw5n1h2txyewy\\SearchUI.exe**, and then click **Next**. + +5. On the **Action** page, click **Block the connection**, and then click **Next**. + +6. On the **Profile** page, ensure that the **Domain**, **Private**, and **Public** check boxes are selected, and then click **Next**. + +7. On the **Name** page, type a name for the rule, such as **Cortana firewall configuration**, and then click **Finish.** + +8. Right-click the new rule, click **Properties**, and then click **Protocols and Ports**. + +9. Configure the **Protocols and Ports** page with the following info, and then click **OK**. + + - For **Protocol type**, choose **TCP**. + + - For **Local port**, choose **All Ports**. + + - For **Remote port**, choose **All ports**. + +> **Note:** If your organization tests network traffic, you should not use Fiddler to test Windows Firewall settings. Fiddler is a network proxy and Windows Firewall does not block proxy traffic. You should use a network traffic analyzer, such as WireShark or Message Analyzer. + +### 1.2 Cortana MDM policies + +The following Cortana MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). + +| Policy | Description | +|------------------------------------------------------|-----------------------------------------------------------------------------------------------------| +| Experience/AllowCortana | Choose whether to let Cortana install and run on the device. | +| Search/AllowSearchToUseLocation | Choose whether Cortana and Search can provide location-aware search results.
Default: Allowed| + +### 1.3 Cortana Windows Provisioning + +To use Windows Imaging and Configuration Designer (ICD) to create a provisioning package with the settings for these policies, go to **Runtime settings** > **Policies** to find **Experience** > **AllowCortana** and **Search** > **AllowSearchToUseLocation**. + +### 2. Date & Time + +You can prevent Windows from setting the time automatically. + +- To turn off the feature in the UI: **Settings** > **Time & language** > **Date & time** > **Set time automatically** + + -or- + +- Create a REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters** with a value of **NoSync**. + +### 3. Device metadata retrieval + +To prevent Windows from retrieving device metadata from the Internet, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Device Installation** > **Prevent device metadata retrieval from the Internet**. + +### 4. Font streaming + +Starting with Windows 10, fonts that are included in Windows but that are not stored on the local device can be downloaded on demand. + +To turn off font streaming, create a REG\_DWORD registry setting called **DisableFontProviders** in **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\FontCache\\Parameters**, with a value of 1. + +> **Note:** This may change in future versions of Windows. + +### 5. Insider Preview builds + +To turn off Insider Preview builds if you're running a released version of Windows 10. If you're running a preview version of Windows 10, you must roll back to a released version before you can turn off Insider Preview builds. + +- Turn off the feature in the UI: **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Stop Insider builds**. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Toggle user control over Insider builds**. + + -or- + +- Apply the System/AllowBuildPreview MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where: + + - **0**. Users cannot make their devices available for downloading and installing preview software. + + - **1**. Users can make their devices available for downloading and installing preview software. + + - **2**. (default) Not configured. Users can make their devices available for download and installing preview software. + + -or- + +- Create a provisioning package: **Runtime settings** > **Policies** > **System** > **AllowBuildPreview**, where: + + - **0**. Users cannot make their devices available for downloading and installing preview software. + + - **1**. Users can make their devices available for downloading and installing preview software. + + - **2**. (default) Not configured. Users can make their devices available for download and installing preview software. + +### 6. Internet Explorer + +Use Group Policy to manage settings for Internet Explorer. + +### 6.1 Internet Explorer Group Policies + +Find the Internet Explorer Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer**. + +| Policy | Description | +|------------------------------------------------------|-----------------------------------------------------------------------------------------------------| +| Turn on Suggested Sites| Choose whether an employee can configure Suggested Sites.
Default: Enabled
You can also turn this off in the UI by clearing the **Internet Options** > **Advanced** > **Enable Suggested Sites** check box.| +| Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | Choose whether an employee can configure enhanced suggestions, which are presented to the employee as they type in the address bar.
Default: Enabled| +| Turn off the auto-complete feature for web addresses | Choose whether auto-complete suggests possible matches when employees are typing web address in the address bar.
Default: Disabled
You can also turn this off in the UI by clearing the Internet Options > **Advanced** > **Use inline AutoComplete in the Internet Explorer Address Bar and Open Dialog** check box.| +| Disable Periodic Check for Internet Explorer software updates| Choose whether Internet Explorer periodically checks for a new version.
Default: Enabled | +| Turn off browser geolocation | Choose whether websites can request location data from Internet Explorer.
Default: Disabled| + +### 6.2 ActiveX control blocking + +ActiveX control blocking periodically downloads a new list of out-of-date ActiveX controls that should be blocked. You can turn this off by changing the REG\_DWORD registry setting **HKEY\_CURRENT\_USER\\Software\\Microsoft\\Internet Explorer\\VersionManager\\DownloadVersionList** to 0 (zero). + +For more info, see [Out-of-date ActiveX control blocking](http://technet.microsoft.com/library/dn761713.aspx). + +### 7. Live Tiles + +To turn off Live Tiles: + +- Apply the Group Policy: **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Notifications** > **Turn Off notifications network usage** + +### 8. Mail synchronization + +To turn off mail synchronization for Microsoft Accounts that are configured on a device: + +- In **Settings** > **Accounts** > **Your email and accounts**, remove any connected Microsoft Accounts. + + -or- + +- Remove any Microsoft Accounts from the Mail app. + + -or- + +- Apply the Accounts/AllowMicrosoftAccountConnection MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is not allowed and 1 is allowed. This does not apply to Microsoft Accounts that have already been configured on the device. + +To turn off the Windows Mail app: + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Mail** > **Turn off Windows Mail application** + +### 9. Microsoft Edge + +Use either Group Policy or MDM policies to manage settings for Microsoft Edge. For more info, see [Microsoft Edge and privacy: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730682). + +### 9.1 Microsoft Edge Group Policies + +Find the Microsoft Edge Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge**. + +> **Note:** The Microsoft Edge Group Policy names were changed in Windows 10, version 1511. The table below reflects those changes. + +| Policy | Description | +|------------------------------------------------------|-----------------------------------------------------------------------------------------------------| +| Turn off autofill | Choose whether employees can use autofill on websites.
Default: Enabled | +| Allow employees to send Do Not Track headers | Choose whether employees can send Do Not Track headers.
Default: Disabled | +| Turn off password manager | Choose whether employees can save passwords locally on their devices.
Default: Enabled | +| Turn off address bar search suggestions | Choose whether the address bar shows search suggestions.
Default: Enabled | +| Turn off the SmartScreen Filter | Choose whether SmartScreen is turned on or off.
Default: Enabled | +| Open a new tab with an empty tab | Choose whether a new tab page appears.
Default: Enabled | +| Configure corporate Home pages | Choose the corporate Home page for domain-joined devices.
Set this to **about:blank** | + +### 9.2 Microsoft Edge MDM policies + +The following Microsoft Edge MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). + +| Policy | Description | +|------------------------------------------------------|-----------------------------------------------------------------------------------------------------| +| Browser/AllowAutoFill | Choose whether employees can use autofill on websites.
Default: Allowed | +| Browser/AllowDoNotTrack | Choose whether employees can send Do Not Track headers.
Default: Not allowed | +| Browser/AllowPasswordManager | Choose whether employees can save passwords locally on their devices.
Default: Allowed | +| Browser/AllowSearchSuggestionsinAddressBar | Choose whether the address bar shows search suggestions..
Default: Allowed | +| Browser/AllowSmartScreen | Choose whether SmartScreen is turned on or off.
Default: Allowed | + +### 9.3 Microsoft Edge Windows Provisioning + +Use Windows ICD to create a provisioning package with the settings for these policies, go to **Runtime settings** > **Policies**. + +For a complete list of the Microsoft Edge policies, see [Available policies for Microsoft Edge](http://technet.microsoft.com/library/mt270204.aspx). + +### 10. Network Connection Status Indicator + +Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to http://www.msftncsi.com to determine if the device can communicate with the Internet. For more info about NCIS, see [The Network Connection Status Icon](http://blogs.technet.com/b/networking/archive/2012/12/20/the-network-connection-status-icon.aspx). + +You can turn off NCSI through Group Policy: + +- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Windows Network Connectivity Status Indicator active tests** + +> **Note** After you apply this policy, you must restart the device for the policy setting to take effect. + +### 11. Offline maps + +You can turn off the ability to download and update offline maps. + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off Automatic Download and Update of Map Data** + +### 12. OneDrive + +To turn off OneDrive in your organization: + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **OneDrive** > **Prevent the usage of OneDrive for file storage** + +### 13. Preinstalled apps + +Some preinstalled apps get content before they are opened to ensure a great experience. You can remove these using the steps in this section. + +To remove the News app: + +- Right-click the app in Start, and then click **Uninstall**. + + -or- + +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingNews"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** + + -and- + + Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingNews | Remove-AppxPackage** + +To remove the Weather app: + +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingWeather"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** + + -and- + + Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingWeather | Remove-AppxPackage** + +To remove the Money app: + +- Right-click the app in Start, and then click **Uninstall**. + + -or- + +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingFinance"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** + + -and- + + Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingFinance | Remove-AppxPackage** + +To remove the Sports app: + +- Right-click the app in Start, and then click **Uninstall**. + + -or- + +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingSports"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** + + -and- + + Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingSports | Remove-AppxPackage** + +To remove the Twitter app: + +- Right-click the app in Start, and then click **Uninstall**. + + -or- + +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "\*.Twitter"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** + + -and- + + Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage \*.Twitter | Remove-AppxPackage** + +To remove the XBOX app: + +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.XboxApp"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** + + -and- + + Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.XboxApp | Remove-AppxPackage** + +To remove the Sway app: + +- Right-click the app in Start, and then click **Uninstall**. + + -or- + +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.Office.Sway"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** + + -and- + + Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.Office.Sway | Remove-AppxPackage** + +To remove the OneNote app: + +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.Office.OneNote"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** + + -and- + + Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.Office.OneNote | Remove-AppxPackage** + +To remove the Get Office app: + +- Right-click the app in Start, and then click **Uninstall**. + + -or- + +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.MicrosoftOfficeHub"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** + + -and- + + Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.MicrosoftOfficeHub | Remove-AppxPackage** + +To remove the Get Skype app: + +- Right-click the Sports app in Start, and then click **Uninstall**. + + -or- + +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.SkypeApp"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** + + -and- + + Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.SkypeApp | Remove-AppxPackage** + +### 14. Settings > Privacy + +Use Settings > Privacy to configure some settings that may be important to your organization. Except for the Feedback & Diagnostics page, these settings must be configured for every user account that signs into the PC. + +- [14.1 General](#bkmk-general) + +- [14.2 Location](#bkmk-priv-location) + +- [14.3 Camera](#bkmk-priv-camera) + +- [14.4 Microphone](#bkmk-priv-microphone) + +- [14.5 Speech, inking, & typing](#bkmk-priv-speech) + +- [14.6 Account info](#bkmk-priv-accounts) + +- [14.7 Contacts](#bkmk-priv-contacts) + +- [14.8 Calendar](#bkmk-priv-calendar) + +- [14.9 Call history](#bkmk-priv-callhistory) + +- [14.10 Email](#bkmk-priv-email) + +- [14.11 Messaging](#bkmk-priv-messaging) + +- [14.12 Radios](#bkmk-priv-radios) + +- [14.13 Other devices](#bkmk-priv-other-devices) + +- [14.14 Feedback & diagnostics](#bkmk-priv-feedback) + +- [14.15 Background apps](#bkmk-priv-background) + +### 14.1 General + +**General** includes options that don't fall into other areas. + +To turn off **Let apps use my advertising ID for experiences across apps (turning this off will reset your ID)**: + +> **Note:** When you turn this feature off in the UI, it turns off the advertising ID, not just resets it. + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **User Profiles** > **Turn off the advertising ID**. + + -or- + +- Create a REG\_DWORD registry setting called **Enabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AdvertisingInfo**, with a value of 0 (zero). + +To turn off **Turn on SmartScreen Filter to check web content (URLs) that Windows Store apps use**: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge** > **Turn off the SmartScreen Filter**. + + Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **File Explorer** > **Configure Windows SmartScreen**. + + -or- + +- Apply the Browser/AllowSmartScreen MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is turned off and 1 is turned on. + + -or- + +- Create a provisioning package, using: + + - For Internet Explorer: **Runtime settings** > **Policies** > **Browser** > **AllowSmartScreen** + + - For Microsoft Edge: **Runtime settings** > **Policies** > **MicrosoftEdge** > **AllowSmartScreen** + + -or- + +- Create a REG\_DWORD registry setting called **Enabled** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppHost\\EnableWebContentEvaluation**, with a value of 0 (zero). + +To turn off **Send Microsoft info about how I write to help us improve typing and writing in the future**: + +> **Note: ** If the telemetry level is set to either **Basic** or **Security**, this is turned off automatically. + + + +- Turn off the feature in the UI. + + -or- + +- Apply the TextInput/AllowLinguisticDataCollection MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where: + + - **0**. Not allowed + + - **1**. Allowed (default) + +To turn off **Let websites provide locally relevant content by accessing my language list**: + +- Turn off the feature in the UI. + + -or- + +- Create a new REG\_DWORD registry setting called **HttpAcceptLanguageOptOut** in **HKEY\_CURRENT\_USER\\Control Panel\\International\\User Profile**, with a value of 1. + +### 14.2 Location + +In the **Location** area, you choose whether devices have access to location-specific sensors and which apps have access to the device's location. + +To turn off **Location for this device**: + +- Click the **Change** button in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Location and Sensors** > **Turn off location**. + + -or- + +- Apply the System/AllowLocation MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: + + - **0**. Turned off and the employee can't turn it back on. + + - **1**. Turned on, but lets the employee choose whether to use it. (default) + + - **2**. Turned on and the employee can't turn it off. + + **Note** + You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](http://msdn.microsoft.com/library/dn905224.aspx). + + -or- + +- Create a provisioning package, using **Runtime settings** > **Policies** > **System** > **AllowLocation**, where + + - **No**. Turns off location service. + + - **Yes**. Turns on location service. (default) + +To turn off **Location**: + +- Turn off the feature in the UI. + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access location** + + - Set the **Select a setting** box to **Force Deny**. + + -or- + +To turn off **Location history**: + +- Erase the history using the **Clear** button in the UI. + +To turn off **Choose apps that can use your location**: + +- Turn off each app using the UI. + +### 14.3 Camera + +In the **Camera** area, you can choose which apps can access a device's camera. + +To turn off **Let apps use my camera**: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the camera** + + - Set the **Select a setting** box to **Force Deny**. + + -or- + +- Apply the Camera/AllowCamera MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: + + - **0**. Apps can't use the camera. + + - **1**. Apps can use the camera. + + **Note** + You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](http://msdn.microsoft.com/library/dn905224.aspx). + + -or- + +- Create a provisioning package with use Windows ICD, using **Runtime settings** > **Policies** > **Camera** > **AllowCamera**, where: + + - **0**. Apps can't use the camera. + + - **1**. Apps can use the camera. + +To turn off **Choose apps that can use your camera**: + +- Turn off the feature in the UI for each app. + +### 14.4 Microphone + +In the **Microphone** area, you can choose which apps can access a device's microphone. + +To turn off **Let apps use my microphone**: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the microphone** + + - Set the **Select a setting** box to **Force Deny**. + +To turn off **Choose apps that can use your microphone**: + +- Turn off the feature in the UI for each app. + +### 14.5 Speech, inking, & typing + +In the **Speech, Inking, & Typing** area, you can let Windows and Cortana better understand your employee's voice and written input by sampling their voice and writing, and by comparing verbal and written input to contact names and calendar entrees. + +> **Note:** For more info on how to disable Cortana in your enterprise, see [Cortana](#bkmk-cortana) in this article. + + + +To turn off the functionality: + +- Click the **Stop getting to know me** button, and then click **Turn off**. + + -or- + +- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Regional and Language Options** > **Handwriting personalization** > **Turn off automatic learning** + + -or- + +- Create a REG\_DWORD registry setting called **AcceptedPrivacyPolicy** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Personalization\\Settings**, with a value of 0 (zero). + + -and- + + Create a REG\_DWORD registry setting called **HarvestContacts** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\InputPersonalization\\TrainedDataStore**, with a value of 0 (zero). + +### 14.6 Account info + +In the **Account Info** area, you can choose which apps can access your name, picture, and other account info. + +To turn off **Let apps access my name, picture, and other account info**: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access account information** + + - Set the **Select a setting** box to **Force Deny**. + +To turn off **Choose the apps that can access your account info**: + +- Turn off the feature in the UI for each app. + +### 14.7 Contacts + +In the **Contacts** area, you can choose which apps can access an employee's contacts list. + +To turn off **Choose apps that can access contacts**: + +- Turn off the feature in the UI for each app. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access contacts** + + - Set the **Select a setting** box to **Force Deny**. + +### 14.8 Calendar + +In the **Calendar** area, you can choose which apps have access to an employee's calendar. + +To turn off **Let apps access my calendar**: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the calendar** + + - Set the **Select a setting** box to **Force Deny**. + +To turn off **Choose apps that can access calendar**: + +- Turn off the feature in the UI for each app. + +### 14.9 Call history + +In the **Call history** area, you can choose which apps have access to an employee's call history. + +To turn off **Let apps access my call history**: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access call history** + + - Set the **Select a setting** box to **Force Deny**. + +### 14.10 Email + +In the **Email** area, you can choose which apps have can access and send email. + +To turn off **Let apps access and send email**: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access email** + + - Set the **Select a setting** box to **Force Deny**. + +### 14.11 Messaging + +In the **Messaging** area, you can choose which apps can read or send messages. + +To turn off **Let apps read or send messages (text or MMS)**: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access messaging** + + - Set the **Select a setting** box to **Force Deny**. + +To turn off **Choose apps that can read or send messages**: + +- Turn off the feature in the UI for each app. + +### 14.12 Radios + +In the **Radios** area, you can choose which apps can turn a device's radio on or off. + +To turn off **Let apps control radios**: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps control radios** + + - Set the **Select a setting** box to **Force Deny**. + +To turn off **Choose apps that can control radios**: + +- Turn off the feature in the UI for each app. + +### 14.13 Other devices + +In the **Other Devices** area, you can choose whether devices that aren't paired to PCs, such as an Xbox One, can share and sync info. + +To turn off **Let apps automatically share and sync info with wireless devices that don't explicitly pair with your PC, tablet, or phone**: + +- Turn off the feature in the UI. + +To turn off **Let your apps use your trusted devices (hardware you've already connected, or comes with your PC, tablet, or phone)**: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access trusted devices** + + - Set the **Select a setting** box to **Force Deny**. + +### 14.14 Feedback & diagnostics + +In the **Feedback & Diagnostics** area, you can choose how often you're asked for feedback and how much diagnostic and usage information is sent to Microsoft. + +To change how frequently **Windows should ask for my feedback**: + +**Note** +Feedback frequency only applies to user-generated feedback, not diagnostic and usage data sent from the device. + + + +- To change from **Automatically (Recommended)**, use the drop-down list in the UI. + + -or- + +- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Do not show feedback notifications** + + -or- + +- Create the registry keys (REG\_DWORD type): + + - HKEY\_CURRENT\_USER\\Software\\Microsoft\\Siuf\\Rules\\PeriodInNanoSeconds + + - HKEY\_CURRENT\_USER\\Software\\Microsoft\\Siuf\\Rules\\NumberOfSIUFInPeriod + + Based on these settings: + + | Setting | PeriodInNanoSeconds | NumberOfSIUFInPeriod | + |---------------|-----------------------------|-----------------------------| + | Automatically | Delete the registry setting | Delete the registry setting | + | Never | 0 | 0 | + | Always | 100000000 | Delete the registry setting | + | Once a day | 864000000000 | 1 | + | Once a week | 6048000000000 | 1 | + + + +To change the level of diagnostic and usage data sent when you **Send your device data to Microsoft**: + +- To change from **Enhanced**, use the drop-down list in the UI. The other levels are **Basic** and **Full**. + + > **Note:** You can't use the UI to change the telemetry level to **Security**. + + + + -or- + +- Apply the Group Policy: **Computer Configuration\\Administrative Templates\\Windows Components\\Data Collection And Preview Builds\\Allow Telemetry** + + -or- + +- Apply the System/AllowTelemetry MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: + + - **0**. Maps to the **Security** level. + + - **1**. Maps to the **Basic** level. + + - **2**. Maps to the **Enhanced** level. + + - **3**. Maps to the **Full** level. + + -or- + +- Create a provisioning package, using **Runtime settings** > **Policies** > **System** > **AllowTelemetry**, where: + + - **0**. Maps to the **Security** level. + + - **1**. Maps to the **Basic** level. + + - **2**. Maps to the **Enhanced** level. + + - **3**. Maps to the **Full** level. + +### 14.15 Background apps + +In the **Background Apps** area, you can choose which apps can run in the background. + +To turn off **Let apps run in the background**: + +- Turn off the feature in the UI for each app. + +### 15. Software Protection Platform + +Enterprise customers can manage their Windows activation status with volume licensing using an on-premise Key Management Server. You can opt out of sending KMS client activation data to Microsoft automatically by applying the following Group Policy: + +**Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Activation** + +The Windows activation status will be valid for a rolling period of 180 days with weekly activation status checks to the KMS. + +### 16. Sync your settings + +You can control if your settings are synchronized: + +- In the UI: **Settings** > **Accounts** > **Sync your settings** + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Sync your settings** > **Do not sync** + + -or- + +- Apply the Experience/AllowSyncMySettings MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is not allowed and 1 is allowed. + + -or- + +- Create a provisioning package, using **Runtime settings** > **Policies** > **Experience** > **AllowSyncMySettings**, where + + - **No**. Settings are not synchronized. + + - **Yes**. Settings are synchronized. (default) + +To turn off Messaging cloud sync: + +- Create a REG\_DWORD registry setting called **CloudServiceSyncEnabled** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Messaging**, with a value of 0 (zero). + +### 17. Teredo + +You can disable Teredo by using the netsh.exe command. For more info on Teredo, see [Internet Protocol Version 6, Teredo, and Related Technologies](http://technet.microsoft.com/library/cc722030.aspx). + +- From an elevated command prompt, run **netsh interface teredo set state disabled** + +### 18. Wi-Fi Sense + +Wi-Fi Sense automatically connects devices to known hotspots and to the wireless networks the person’s contacts have shared with them. + +To turn off **Connect to suggested open hotspots** and **Connect to networks shared by my contacts**: + +- Turn off the feature in the UI. + + -or- + +- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **WLAN Service** > **WLAN Settings** > **Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services**. + + -or- + +- Create a new REG\_DWORD registry setting called **AutoConnectAllowedOEM** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\WcmSvc\\wifinetworkmanager\\config**, with a value of 0 (zero). + + -or- + +- Change the Windows Provisioning setting, WiFISenseAllowed, to 0 (zero). For more info, see the Windows Provisioning Settings reference doc, [WiFiSenseAllowed](http://go.microsoft.com/fwlink/p/?LinkId=620909). + + -or- + +- Use the Unattended settings to set the value of WiFiSenseAllowed to 0 (zero). For more info, see the Unattended Windows Setup reference doc, [WiFiSenseAllowed](http://go.microsoft.com/fwlink/p/?LinkId=620910). + +When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings screen, but they’re non-functional and they can’t be controlled by the employee. + +### 19. Windows Defender + +You can disconnect from the Microsoft Antimalware Protection Service. + +- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **MAPS** > **Join Microsoft MAPS** + + -or- + +- Apply the Defender/AllowClouldProtection MDM policy from the [Defender CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). + + -or- + +- Use the registry to set the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SpyNetReporting** to 0 (zero). + + -and- + + From an elevated Windows PowerShell prompt, run **set-mppreference -Mapsreporting 0** + +You can stop sending file samples back to Microsoft. + +- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **MAPS** > **Send file samples when further analysis is required** to **Always Prompt** or **Never Send**. + + -or- + +- Apply the Defender/SubmitSamplesConsent MDM policy from the [Defender CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: + + - **0**. Always prompt. + + - **1**. (default) Send safe samples automatically. + + - **2**. Never send. + + - **3**. Send all samples automatically. + + -or- + +- Use the registry to set the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SubmitSamplesConsent** to 0 (zero) to always prompt or 2 to never send. + +You can stop downloading definition updates: + +- Enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **Signature Updates** > **Define the order of sources for downloading definition updates** and set it to **FileShares**. + + -and- + +- Enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **Signature Updates** > **Define file shares for downloading definition updates** and set it to nothing. + +You can also use the registry to turn off Malicious Software Reporting Tool telemetry by setting the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\MRT\\DontReportInfectionInformation** to 1. + +### 20. Windows Media Player + +To remove Windows Media Player: + +- From the **Programs and Features** control panel, click **Turn Windows features on or off**, under **Media Features**, clear the **Windows Media Player** check box, and then click **OK**. + + -or- + +- Run the following DISM command from an elevated command prompt: **dism /online /Disable-Feature /FeatureName:WindowsMediaPlayer** + +### 21. Windows spotlight + +Windows spotlight provides different background images and text on the lock screen. You can control it by using the user interface or through Group Policy. + +- Configure the following in **Settings**: + + - **Personalization** > **Lock screen** > **Background** > **Windows spotlight**, select a different background, and turn off **Show me tips, tricks, and more on the lock screen**. + + - **Personalization** > **Start** > **Occasionally show suggestions in Start**. + + - **System** > **Notifications & actions** > **Show me tips about Windows**. + + -or- + +- Apply the Group Policies: + + - **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image**. + - Add a location in the **Path to local lock screen image** box. + + - Set the **Turn off fun facts, tips, tricks, and more on lock screen** check box. + + **Note** This will only take effect if the policy is applied before the first logon. If you cannot apply the **Force a specific default lock screen image** policy before the first logon to the device, you can apply this policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Do not display the lock screen**. + + + + - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not show Windows Tips**. + + - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off Microsoft consumer experiences**. + +For more info, see [Windows spotlight on the lock screen](../whats-new/windows-spotlight.md). + +### 22. Windows Store + +You can turn off the ability to launch apps from the Windows Store that were preinstalled or downloaded. This will also turn off automatic app updates, and the Windows Store will be disabled. + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Disable all apps from Windows Store**. + +### 23. Windows Update Delivery Optimization + +Windows Update Delivery Optimization lets you get Windows updates and Windows Store apps from sources in addition to Microsoft, which not only helps when you have a limited or unreliable Internet connection, but can also help you reduce the amount of bandwidth needed to keep all of your organization's PCs up-to-date. If you have Delivery Optimization turned on, PCs on your network may send and receive updates and apps to other PCs on your local network, if you choose, or to PCs on the Internet. + +By default, PCs running Windows 10 Enterprise and Windows 10 Education will only use Delivery Optimization to get and receive updates for PCs and apps on your local network. + +Use the UI, Group Policy, MDM policies, or Windows Provisioning to set up Delivery Optimization. + +### 23.1 Settings > Update & security + +You can set up Delivery Optimization from the **Settings** UI. + +- Go to **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Choose how updates are delivered**. + +### 23.2 Delivery Optimization Group Policies + +You can find the Delivery Optimization Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Delivery Optimization**. + +| Policy | Description | +|---------------------------|-----------------------------------------------------------------------------------------------------| +| Download Mode | Lets you choose where Delivery Optimization gets or sends updates and apps, including

  • None. Turns off Delivery Optimization.

  • Group. Gets or sends updates and apps to PCs on the same local network domain.

  • Internet. Gets or sends updates and apps to PCs on the Internet.

  • LAN. Gets or sends updates and apps to PCs on the same NAT only.

| +| Group ID | Lets you provide a Group ID that limits which PCs can share apps and updates.
** Note** This ID must be a GUID.| +| Max Cache Age | Lets you specify the maximum time (in seconds) that a file is held in the Delivery Optimization cache.
The default value is 259200 seconds (3 days).| +| Max Cache Size | Lets you specify the maximum cache size as a percentage of disk size.
The default value is 20, which represents 20% of the disk.| +| Max Upload Bandwidth | Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.
The default value is 0, which means unlimited possible bandwidth.| + +### 23.3 Delivery Optimization MDM policies + +The following Delivery Optimization MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). + +| Policy | Description | +|---------------------------|-----------------------------------------------------------------------------------------------------| +| DeliveryOptimization/DODownloadMode | Lets you choose where Delivery Optimization gets or sends updates and apps, including

  • 0. Turns off Delivery Optimization.

  • 1. Gets or sends updates and apps to PCs on the same NAT only.

  • 2. Gets or sends updates and apps to PCs on the same local network domain.

  • 3. Gets or sends updates and apps to PCs on the Internet.

| +| DeliveryOptimization/DOGroupID | Lets you provide a Group ID that limits which PCs can share apps and updates.
**Note** This ID must be a GUID.| +| DeliveryOptimization/DOMaxCacheAge | Lets you specify the maximum time (in seconds) that a file is held in the Delivery Optimization cache.
The default value is 259200 seconds (3 days).| +| DeliveryOptimization/DOMaxCacheSize | Lets you specify the maximum cache size as a percentage of disk size.
The default value is 20, which represents 20% of the disk.| +| DeliveryOptimization/DOMaxUploadBandwidth | Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.
The default value is 0, which means unlimited possible bandwidth.| + + +### 23.4 Delivery Optimization Windows Provisioning + +If you don't have an MDM server in your enterprise, you can use Windows Provisioning to configure the Delivery Optimization policies + +Use Windows ICD, included with the [Windows Assessment and Deployment Kit (Windows ADK)](http://go.microsoft.com/fwlink/p/?LinkId=526803), to create a provisioning package for Delivery Optimization. + +1. Open Windows ICD, and then click **New provisioning package**. + +2. In the **Name** box, type a name for the provisioning package, and then click **Next.** + +3. Click the **Common to all Windows editions** option, click **Next**, and then click **Finish**. + +4. Go to **Runtime settings** > **Policies** > **DeliveryOptimization** to configure the policies. + +For more info about Delivery Optimization in general, see [Windows Update Delivery Optimization: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730684). + +### 24. Windows Update + +You can turn off Windows Update by setting the following registry entries: + +- Add a REG\_DWORD value called **DoNotConnectToWindowsUpdateInternetLocations** to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and set the value to 1. + + -and- + +- Add a REG\_DWORD value called **DisableWindowsUpdateAccess** to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and set the value to 1. + +You can turn off automatic updates by doing one of the following. This is not recommended. + +- Add a REG\_DWORD value called **AutoDownload** to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\WindowsStore\\WindowsUpdate** and set the value to 5. + + -or- + +- Apply the Update/AllowAutoUpdate MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: + + - **0**. Notify the user before downloading the update. + + - **1**. Auto install the update and then notify the user to schedule a device restart. + + - **2** (default). Auto install and restart. + + - **3**. Auto install and restart at a specified time. + + - **4**. Auto install and restart without end-user control. + + - **5**. Turn off automatic updates. + +To learn more, see [Device update management](http://msdn.microsoft.com/library/windows/hardware/dn957432.aspx) and [Configure Automatic Updates by using Group Policy](http://technet.microsoft.com/library/cc720539.aspx). diff --git a/windows/manage/manage-corporate-devices.md b/windows/manage/manage-corporate-devices.md index 227070a768..bbfa571b02 100644 --- a/windows/manage/manage-corporate-devices.md +++ b/windows/manage/manage-corporate-devices.md @@ -117,6 +117,8 @@ Microsoft Virtual Academy course: [System Center 2012 R2 Configuration Manager & [New policies for Windows 10](new-policies-for-windows-10.md) +[Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md) + [Changes to Group Policy settings for Start in Windows 10](changes-to-start-policies-in-windows-10.md) [Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md) diff --git a/windows/manage/windows-10-mobile-and-mdm.md b/windows/manage/windows-10-mobile-and-mdm.md index 076e220c88..a818238913 100644 --- a/windows/manage/windows-10-mobile-and-mdm.md +++ b/windows/manage/windows-10-mobile-and-mdm.md @@ -2,48 +2,74 @@ title: Windows 10 Mobile and mobile device management (Windows 10) description: This guide provides an overview of the mobile device and app management technologies in the Windows 10 Mobile operating system. ms.assetid: 6CAA1004-CB65-4FEC-9B84-61AAD2125E5E -ms.pagetype: mobile; devices -keywords: ["telemetry", "BYOD", "MDM"] +keywords: telemetry, BYOD, MDM ms.prod: W10 ms.mktglfcycl: manage ms.sitesec: library +ms.pagetype: mobile; devices author: AMeeus --- + # Windows 10 Mobile and mobile device management + **Applies to** - Windows 10 Mobile + This guide provides an overview of the mobile device and app management technologies in the Windows 10 Mobile operating system. It describes how mobile device management (MDM) systems use the built-in device management client to deploy, configure, maintain, and support phones and small tablets running Windows 10 Mobile. + Bring Your Own Device (BYOD—that is, personal devices) and corporate devices are key scenarios that Windows 10 Mobile MDM capabilities support. The operating system offers a flexible approach to registering devices with directory services and MDM systems, and IT organizations can provision comprehensive device-configuration profiles based on their company’s need to control and secure mobile business data. Windows 10 Mobile not only delivers more comprehensive, restrictive configuration settings than Windows Phone 8.1 did but also provides capabilities to deploy and manage apps built on the Universal Windows Platform (UWP). Companies can distribute apps directly from Windows Store or by using their MDM system. They can control and distribute custom line-of-business (LOB) apps the same way. + ## Overview + Organizations’ users increasingly depend on their mobile devices, but phones and tablets bring new and unfamiliar challenges for IT departments. IT must be able to deploy and manage mobile devices and apps quickly to support the business while balancing the growing need to protect corporate data because of evolving laws, regulations, and cybercrime. IT must ensure that the apps and data on those mobile devices are safe, especially on personal devices. Windows 10 Mobile helps organizations address these challenges by providing a robust, flexible, built-in MDM client. IT departments can use the MDM system of their choice to manage this client. + ### Built-in MDM client + The built-in MDM client is common to all editions of the Windows 10 operating system, including desktop, mobile, and Internet of Things (IoT). The client provides a single interface through which you can manage any device that runs Windows 10. The client has two important roles: device enrollment in an MDM system and device management. + - **Device enrollment.** Users can enroll in the MDM system. On Windows 10, a user can register a device with Microsoft Azure Active Directory (Azure AD) and enroll in an MDM system at the same time so that the system can manage the device, the apps running on it, and the confidential data it holds. Enrollment establishes the management authority for the device. Only one management authority (or MDM enrollment) is possible at a time, which helps prevent unauthorized access to devices and ensures their stability and reliability. - **Device management.** The MDM client allows the MDM system to configure policy settings; deploy apps and updates; and perform other management tasks, such as remotely wiping the device. The MDM system sends configuration requests and collects inventory through the MDM client. The client uses [configuration service providers (CSPs)](http://go.microsoft.com/fwlink/p/?LinkId=734049) to configure and inventory settings. A CSP is an interface to read, set, modify, or delete configuration settings on the device. These settings map to registry keys or files. (The security architecture of Windows 10 Mobile prevents direct access to registry settings and operating system files. For more information, see the [Windows 10 Mobile security guide](../keep-secure/windows-10-mobile-security-guide.md).) + The MDM client is an integral part of Windows 10 Mobile. As a result, there is no need for an additional, custom MDM app to enroll the device or to allow an MDM system to manage it. All MDM systems have equal access to Windows 10 Mobile MDM application programming interfaces (APIs), so you can choose Microsoft Intune or a third-party MDM product to manage Windows 10 Mobile devices. For more information about Windows 10 Mobile device management APIs, see [Mobile device management](http://go.microsoft.com/fwlink/p/?LinkId=734050). + ### Windows 10 Mobile editions + Every device that runs Windows 10 Mobile includes all the enterprise mobile device security and management capabilities the MDM client provides. Microsoft also offers an Enterprise edition of Windows 10 Mobile, which includes three additional capabilities. To enable these capabilities, you can provision a license file without reinstalling the operating system: + - **Ability to postpone software updates.**Windows 10 Mobile gets software updates directly from Windows Update, and you cannot curate updates prior to deployment. Windows 10 Mobile Enterprise, however, allows you to curate and validate updates prior to deploying them. - **No limit on the number of self-signed LOB apps that you can deploy to a single device.** To use an MDM system to deploy LOB apps directly to devices, you must cryptographically sign the software packages with a code signing certificate that your organization’s certificate authority (CA) generates. You can deploy a maximum of 20 self-signed LOB apps to a Windows 10 Mobile device, more than 20 if your organization’s devices run Windows 10 Mobile Enterprise. - **Set telemetry to security level.** The telemetry security level configures the operating system to gather only the telemetry information required to keep devices secured. -**Note**   -Your organization can opt to purchase a code signing certificate from Verisign to sign LOB apps or use [Windows Store for Business](windows-store-for-business.md) to obtain apps. With either method, you can distribute more than 20 apps to a single device without activating Windows 10 Mobile Enterprise on that device by using your MDM system. + +>**Note:**  Your organization can opt to purchase a code signing certificate from Verisign to sign LOB apps or use [Windows Store for Business](windows-store-for-business.md) to obtain apps. With either method, you can distribute more than 20 apps to a single device without activating Windows 10 Mobile Enterprise on that device by using your MDM system.   To activate Windows 10 Mobile Enterprise on any Windows 10 Mobile device, use your company’s MDM system or a provisioning package to inject a license onto the device. You can download a Windows 10 Mobile Enterprise license from the Business Support Portal. + ### Lifecycle management + Windows 10 Mobile supports end-to-end lifecycle device management to give companies control of their devices, data, and apps. Comprehensive MDM systems use the built-in MDM client to manage devices throughout their lifecycle, as Figure 1 illustrates. The remainder of this guide describes the operating system’s mobile device and app management capabilities through each phase of the lifecycle, showing how MDM systems use specific features. + ![figure 1](images/win10-mobile-mdm-fig1.png) + Figure 1. Device management lifecycle + ## Device deployment + Device deployment includes the initial registration and configuration of the device, including its enrollment with an MDM system. Sometimes, companies preinstall apps. The major factors in how you deploy devices and which controls you put in place are device ownership and how the user will use the device. This guide covers two scenarios: + 1. Companies allow users to personalize their devices because the users own the devices or because company policy doesn’t require tight controls (defined as *personal devices* in this guide). 2. Companies don’t allow users to personalize their devices or they limit personalization, usually because the organization owns the devices and security considerations are high (defined as *corporate devices* in this guide). + Often, employees can choose devices from a list of supported models, or companies provide devices that they preconfigure, or bootstrap, with a baseline configuration. + Microsoft recommends Azure AD Join and MDM enrollment and management for corporate devices and Azure AD Registration and MDM enrollment and management for personal devices. + ### Deployment scenarios + Most organizations support both personal and corporate device scenarios. The infrastructure for these scenarios is similar, but the deployment process and configuration policies differ. Table 1 describes characteristics of the personal and corporate device scenarios. Activation of a device with an organizational identity is unique to Windows 10 Mobile. + Table 1. Characteristics of personal and corporate device scenarios + @@ -75,10 +101,14 @@ Table 1. Characteristics of personal and corporate device scenarios
  ### Identity management + People can use only one account to activate a device, so it’s imperative that your organization control which account you enable first. The account you choose will determine who controls the device and influence your management capabilities. The following list describes the impact that users’ identities have on management (Table 2 summarizes these considerations): + - **Personal identity.** In this scenario, employees use their Microsoft account to activate the device. Then, they use their Azure AD account (organizational identity) to register the device in Azure AD and enroll it with the company’s MDM solution. You can apply policies to help protect and contain corporate apps and data on the devices, designed to prevent intellectual property leaks, but users keep full control over personal activities, such as downloading and installing apps and games. - **Organizational identity.** In this scenario, employees use their Azure AD account to register the device to Azure AD and automatically enroll it with the organization’s MDM solution. In this case, companies can block personal use of devices. Using organizational Identities to initialize devices gives organizations complete control over devices and allows them to prevent personalization. + Table 2. Personal vs. organizational identity + @@ -127,33 +157,45 @@ Table 2. Personal vs. organizational identity
  ### Infrastructure requirements + For both device scenarios, the essential infrastructure and tools required to deploy and manage Windows 10 Mobile devices include an Azure AD subscription and an MDM system. + Azure AD is a cloud-based directory service that provides identity and access management. You can integrate it with existing on-premises directories to create a hybrid solution. Azure AD has three editions: Free, Basic, and Premium (see [Azure Active Directory editions](http://go.microsoft.com/fwlink/p/?LinkId=723980)). All editions support Azure AD device registration, but the Premium edition is required to enable MDM auto-enrollment and conditional access based on device state. Organizations that use Microsoft Office 365 or Intune are already using Azure AD. -**Note**   -Most industry-leading MDM vendors already support integration with Azure AD or are working on integration. You can find the MDM vendors that support Azure AD in [Azure Marketplace](http://go.microsoft.com/fwlink/p/?LinkId=723981). + +>**Note:**  Most industry-leading MDM vendors already support integration with Azure AD or are working on integration. You can find the MDM vendors that support Azure AD in [Azure Marketplace](http://go.microsoft.com/fwlink/p/?LinkId=723981).   Users can enroll Windows 10 Mobile devices in third-party MDM systems without using an Azure AD organizational account. (By default, Intune uses Azure AD and includes a license). If your organization doesn’t use Azure AD, you must use a personal identity to activate devices and enable common scenarios, such as downloading apps from Windows Store. + Multiple MDM systems that support Windows 10 Mobile are available. Most support personal and corporate device deployment scenarios. Microsoft offers [Intune](http://go.microsoft.com/fwlink/p/?LinkId=723983), which is part of the [Enterprise Mobility Suite](http://go.microsoft.com/fwlink/p/?LinkId=723984) and a cloud-based MDM system that manages devices off premises. Like Office 365, Intune uses Azure AD for identity management, so employees use the same credentials to enroll devices in Intune or sign in to Office 365. Intune supports devices that run other operating systems, as well, such as iOS and Android, to provide a complete MDM solution. + You can also integrate Intune with System Center Configuration Manager to gain a single console in which to manage all devices—in the cloud and on premises. For more information, see [Manage Mobile Devices with Configuration Manager and Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkId=734051). For guidance on choosing between a stand-alone Intune installation and Intune integrated with Configuration Manager, see [Choose between Intune by itself or integrating Intune with System Center Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=723985). In addition to Intune, other MDM providers support Windows 10 Mobile. Currently, the following MDM systems claim to support Windows 10 and Windows 10 Mobile: [AirWatch](http://go.microsoft.com/fwlink/p/?LinkId=723986), [Citrix](http://go.microsoft.com/fwlink/p/?LinkId=723987), [Lightspeed Systems](http://go.microsoft.com/fwlink/p/?LinkId=723988), [Matrix42](http://go.microsoft.com/fwlink/p/?LinkId=723989), [MobileIron](http://go.microsoft.com/fwlink/p/?LinkId=723990), [SAP](http://go.microsoft.com/fwlink/p/?LinkId=723991), [SOTI](http://go.microsoft.com/fwlink/p/?LinkId=723992), and [Symantec](http://go.microsoft.com/fwlink/p/?LinkId=723993). + All MDM vendors have equal access to the [Windows 10 MDM APIs](http://go.microsoft.com/fwlink/p/?LinkId=734050). The extent to which they implement these APIs depends on the vendor. Contact your preferred MDM vendor to determine its level of support. -**Note**   -Although not covered in this guide, you can use Exchange ActiveSync (EAS) to manage mobile devices instead of using a full-featured MDM system. EAS is available in Microsoft Exchange Server 2010 or later and Office 365. + +>**Note:**  Although not covered in this guide, you can use Exchange ActiveSync (EAS) to manage mobile devices instead of using a full-featured MDM system. EAS is available in Microsoft Exchange Server 2010 or later and Office 365. In addition, Microsoft recently added MDM capabilities powered by Intune to Office 365. MDM for Office 365 supports mobile devices only, such as those running Windows 10 Mobile, iOS, and Android. MDM for Office 365 offers a subset of the management capabilities found in Intune, including the ability to remotely wipe a device, block a device from accessing Exchange Server email, and configure device policies (for example, passcode requirements). For more information about MDM for Office 365 capabilities, see [Overview of Mobile Device Management for Office 365](http://go.microsoft.com/fwlink/p/?LinkId=734052).   ### Provisioning + Provisioning is new to Windows 10 and uses the MDM client in Windows 10 Mobile. You can create a runtime provisioning package to apply settings, profiles, and file assets to a device running Windows 10. To assist users with MDM system enrollment, use a provisioning package. To do so, use the [Windows Imaging and Configuration Designer](http://go.microsoft.com/fwlink/p/?LinkId=733911) to create a provisioning package, and then install that package on the device. Users can perform self-service MDM enrollment based on the following deployment scenarios: + - **Corporate device.** During the out-of-the-box experience (OOBE), you can instruct the user to select **This device is owned by my organization** and join the device to Azure AD and the MDM system. - **Personal device.** The user activates the device with a Microsoft account, but you can instruct him or her to register the device with Azure AD and enroll in Intune. To do so in Windows 10 Mobile, the user clicks, **Settings**, clicks **Accounts**, and then clicks **Work access**. To automate MDM enrollment, use provisioning packages as follows: - **Corporate device.** You can create a provisioning package and apply it to a corporate device before delivery to the user, or instruct the user to apply the package during OOBE. After application of the provisioning package, the OOBE process automatically chooses the enterprise path and requires the user to register the device with Azure AD and enroll it in the MDM system. - **Personal device.** You can create a provisioning package and make it available to users who want to enroll their personal device in the enterprise. The user enrolls the device in the corporate MDM for further configuration by applying the provisioning package. To do so in Windows 10 Mobile, the user clicks **Settings**, clicks **Accounts**, and then clicks **Provisioning**). + Distribute provisioning packages to devices by publishing them in an easily accessible location (e.g., an email attachment or a web page). You can cryptographically sign or encrypt provisioning packages and require that the user enter a password to apply them. + See [Build and apply a provisioning package](http://go.microsoft.com/fwlink/p/?LinkId=734054) for more information on creating provisioning packages. + ## Device configuration + The following sections describe the device configuration capabilities of the built-in Windows 10 Mobile MDM client. This client exposes the capabilities to any MDM system compatible with Windows 10. Configurable settings include: + - [Email accounts](#email) - [Account restrictions](#restrictions) - [Device lock restrictions](#device-lock) @@ -165,13 +207,17 @@ The following sections describe the device configuration capabilities of the bui - [Access point name (APN) profiles](#apn) - [Data leak prevention](#data) - [Storage management](#storage) -**Note**   -Although all the MDM settings this section describes are available in Windows 10 Mobile, not all MDM systems may show them in their user interface. In addition, naming may vary among MDM systems. Consult your MDM system’s documentation for more information. + +>**Note:**  Although all the MDM settings this section describes are available in Windows 10 Mobile, not all MDM systems may show them in their user interface. In addition, naming may vary among MDM systems. Consult your MDM system’s documentation for more information.   ### Email accounts + You can use your corporate MDM system to manage corporate email accounts. Define email account profiles in the MDM system, and then deploy them to devices. You would usually deploy these settings immediately after enrollment, regardless of scenario. + This capability extends to email systems that use EAS. Table 3 lists settings that you can configure in EAS email profiles. + Table 3. Windows 10 Mobile settings for EAS email profiles + | Setting | Description | |----------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | Email Address | The email address associated with the EAS account | @@ -191,7 +237,9 @@ Table 3. Windows 10 Mobile settings for EAS email profiles | Content Types | The content type that is synchronized (e.g., email, contacts, calendar, task items) |   Table 4 lists settings that you can configure in other email profiles. + Table 4. Windows 10 Mobile settings for other email profiles + | Setting | Description | |-------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------| | User logon name | The user logon name for the email account | @@ -224,21 +272,26 @@ Table 4. Windows 10 Mobile settings for other email profiles | Incoming and outgoing servers require SSL | A group of properties that specify whether the incoming and outgoing email servers use SSL |   ### Account restrictions + On a corporate device registered with Azure AD and enrolled in the MDM system, you can control whether users can use a Microsoft account or add other consumer email accounts. Table 5 lists the settings that you can use to manage accounts on Windows 10 Mobile devices. + Table 5. Windows 10 Mobile account management settings -| Setting | Description | -|-------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Allow Microsoft Account | Specifies whether users are allowed to add a Microsoft account to the device after MDM enrollment and use this account for connection authentication and services, such as purchasing apps in Windows Store, or cloud-based consumer services, such as Xbox or Groove. If a device was activated with a Microsoft account, the MDM system would not be able to block that account from being used. | -| Allow Adding Non Microsoft Accounts | Specifies whether users are allowed to add email accounts other than Microsoft accounts after MDM enrollment. If **Allow Microsoft Account** is applied, user can also not use a Microsoft account. | -| Allow “Your Account” | Specifies whether users are able to change account configuration in the **Your Email and Accounts** panel in Settings. | +| Setting | Description | +| - | -| +| Allow Microsoft Account | Specifies whether users are allowed to add a Microsoft account to the device after MDM enrollment and use this account for connection authentication and services, such as purchasing apps in Windows Store, or cloud-based consumer services, such as Xbox or Groove. If a device was activated with a Microsoft account, the MDM system would not be able to block that account from being used. | +| Allow Adding Non Microsoft Accounts | Specifies whether users are allowed to add email accounts other than Microsoft accounts after MDM enrollment. If **Allow Microsoft Account** is applied, user can also not use a Microsoft account. | +| Allow “Your Account” | Specifies whether users are able to change account configuration in the **Your Email and Accounts** panel in Settings.|   ### Device lock restrictions + It’s common sense to lock a device when it is not in use. Microsoft recommends that you secure Windows 10 Mobile devices and implement a device lock policy. A device password or PIN lock is a best practice for securing apps and data on devices. [Windows Hello](http://go.microsoft.com/fwlink/p/?LinkId=723994) is the name given to the new biometric sign-in option that allows users to use their face, iris, or fingerprints to unlock their compatible device, all of which Windows 10 supports. -**Note**   -In addition to the device lock restrictions discussed in this section, Windows 10 supports Microsoft Passport for Work, which lets you access apps and services without a password. + +>**Note:**  In addition to the device lock restrictions discussed in this section, Windows 10 supports Microsoft Passport for Work, which lets you access apps and services without a password.   Table 6 lists the MDM settings in Windows 10 Mobile that you can use to configure device lock restrictions. + Table 6. Windows 10 Mobile device lock restrictions + @@ -314,9 +367,10 @@ Table 6. Windows 10 Mobile device lock restrictions
  ### Hardware restrictions + Windows 10 Mobile devices use state-of-the-art technology that includes popular hardware features such as cameras, global positioning system (GPS) sensors, microphones, speakers, near-field communication (NFC) radios, storage card slots, USB interfaces, Bluetooth interfaces, cellular radios, and Wi-Fi. You can also use hardware restrictions to control the availability of these features. Table 7 lists the MDM settings that Windows 10 Mobile supports to configure hardware restrictions. -**Note**   -Some of these hardware restrictions provide connectivity and assist in data protection. Enterprise data protection is currently being tested in select customer evaluation programs. + +>**Note:**  Some of these hardware restrictions provide connectivity and assist in data protection. Enterprise data protection is currently being tested in select customer evaluation programs.   Table 7. Windows 10 Mobile hardware restrictions | Setting | Description | @@ -338,8 +392,11 @@ Table 7. Windows 10 Mobile hardware restrictions | Allow Location | Whether the device can use the GPS sensor or other methods to determine location so applications can use location information |   ### Certificate management + Managing certificates can be difficult for users, but certificates are pervasive for a variety of uses, including, account authentication, Wi-Fi authentication, VPN encryption, and SSL encryption of web content. Although users could manage certificates on devices manually, it’s a best practice to use your MDM system to manage those certificates for their entire life cycle, from enrollment through renewal to revocation. You can use the Simple Certificate Enrollment Protocol (SCEP) and Personal Information Exchange (PFX) certificates files to install certificates on Windows 10 Mobile. Certificate management through SCEP and MDM systems is fully transparent to users and requires no user intervention, so it helps improve user productivity and reduce support calls. Your MDM system can automatically deploy these certificates to the devices’ certificate stores after you enroll the device. Table 8 lists the SCEP settings that the MDM client in Windows 10 Mobile provides. + Table 8. Windows 10 Mobile SCEP certificate enrollment settings + | Setting | Description | |------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | Certificate enrollment server URLs | The certificate enrollment servers (to specify multiple server URLs, separate the URLs with semicolons \[;\]) | @@ -361,7 +418,9 @@ Table 8. Windows 10 Mobile SCEP certificate enrollment settings | Thumbprint | The current certificate thumbprint, if certificate enrollment succeeds |   In addition to SCEP certificate management, Windows 10 Mobile supports deployment of PFX certificates. Table 9 lists the Windows 10 Mobile PFX certificate deployment settings. + Table 9. Windows 10 Mobile PFX certificate deployment settings + | Setting | Description | |-----------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | Private key storage | Where to store the private key (in other words, the TPM, a software KSP, or the Microsoft Passport KSP) | @@ -373,8 +432,9 @@ Table 9. Windows 10 Mobile PFX certificate deployment settings | Thumbprint | The thumbprint of the installed PFX certificate |   Use the **Allow Manual Root Certificate Installation** setting to prevent users from manually installing root and intermediate CA certificates intentionally or accidently. -**Note**   -To diagnose certificate-related issues on Windows 10 Mobile devices, use the free [Certificates app](http://go.microsoft.com/fwlink/p/?LinkId=723996) in Windows Store. This Windows 10 Mobile app can help you: + +>**Note:**  To diagnose certificate-related issues on Windows 10 Mobile devices, use the free [Certificates app](http://go.microsoft.com/fwlink/p/?LinkId=723996) in Windows Store. This Windows 10 Mobile app can help you: + - View a summary of all personal certificates. - View the details of individual certificates. - View the certificates used for VPN, Wi-Fi, and email authentication. @@ -383,9 +443,13 @@ To diagnose certificate-related issues on Windows 10 Mobile devices, use the fr - View the certificate keys stored in the device TPM.   ### Wi-Fi + People use Wi-Fi on their mobile devices as much as or more than cellular data. Most corporate Wi-Fi networks require certificates and other complex information to restrict and secure user access. This advanced Wi-Fi information is difficult for typical users to configure, but you can use your MDM system to fully configure Wi-Fi settings without user intervention. + Table 10 lists the Windows 10 Mobile Wi-Fi connection profile settings. Use the information in this table to help you create Wi-Fi connection profiles in your MDM system. + Table 10. Windows 10 Mobile Wi-Fi connection profile settings + @@ -456,7 +520,9 @@ Table 10. Windows 10 Mobile Wi-Fi connection profile settings
  Table 11 lists the Windows 10 Mobile settings for managing Wi-Fi connectivity. + Table 11. Windows 10 Mobile Wi-Fi connectivity settings + | Setting | Configuration | |--------------------------------------------|----------------------------------------------------------------------------| | Allow Auto Connect To Wi-Fi Sense Hotspots | Whether the device will automatically detect and connect to Wi-Fi networks | @@ -465,12 +531,15 @@ Table 11. Windows 10 Mobile Wi-Fi connectivity settings | WLAN Scan Mode | How actively the device scans for Wi-Fi networks |   ### Proxy + Apps running on Windows 10 Mobile (for example, Microsoft Edge) can use proxy connections to access Internet content, but Wi-Fi connections on the corporate intranet most typically use proxy connections, instead. You can define multiple proxies in Windows 10 Mobile. -**Note**   -Windows 10 Mobile also supports proxy auto-configuration (PAC) files, which can automatically configure proxy settings. The Web Proxy Auto-Discovery Protocol (WPAD) lets apps use Dynamic Host Configuration Protocol and Domain Name System (DNS) lookups to locate the PAC file. + +>**Note:**  Windows 10 Mobile also supports proxy auto-configuration (PAC) files, which can automatically configure proxy settings. The Web Proxy Auto-Discovery Protocol (WPAD) lets apps use Dynamic Host Configuration Protocol and Domain Name System (DNS) lookups to locate the PAC file.   Table 12 lists the Windows 10 Mobile settings for proxy connections. + Table 12. Windows 10 Mobile proxy connection settings + @@ -538,14 +607,21 @@ Table 12. Windows 10 Mobile proxy connection settings
  ### VPN -In addition to Wi-Fi, users often use a VPN to securely access apps and resources on their company’s intranet behind a firewall. Windows 10 Mobile supports several VPN vendors in addition to native Microsoft VPNs (such as Point to Point Tunneling Protocol \[PPTP\], Layer 2 Tunneling Protocol \[L2TP\], and Internet Key Exchange Protocol version 2 \[IKEv2\]), including: + +In addition to Wi-Fi, users often use a VPN to securely access apps and resources on their company’s intranet behind a firewall. Windows 10 Mobile supports several VPN vendors in addition to native Microsoft VPNs (such as Point to Point Tunneling Protocol \[PPTP\], Layer 2 Tunneling Protocol \ +[L2TP\], and Internet Key Exchange Protocol version 2 \[IKEv2\]), including: + - IKEv2 - IP security - SSL VPN connections (which require a downloadable plug-in from the VPN server vendor) + You can configure Windows 10 Mobile to use auto-triggered VPN connections, as well. You define a VPN connection for each app that requires intranet connectivity. When users switch between apps, the operating system automatically establishes the VPN connection for that app. In the event the device drops the VPN connection, Windows 10 Mobile automatically reconnects to the VPN without user intervention. + With always-on VPN, Windows 10 Mobile can automatically start a VPN connection when a user signs-in, as well. The VPN stays connected until the user manually disconnects it. MDM support for VPN connections in Windows 10 Mobile includes provisioning and updating VPN connection profiles and associating VPN connections with apps. You can create and provision VPN connection profiles, and then deploy them to managed devices that run Windows 10 Mobile. Table 13 lists the Windows 10 Mobile fields for VPN connection profiles. + Table 13. Windows 10 Mobile VPN connection profile settings + @@ -680,7 +756,9 @@ Table 13. Windows 10 Mobile VPN connection profile settings
  Table 14 lists the Windows 10 Mobile settings for managing VPN connections. These settings help you manage VPNs over cellular data connections, which in turn help reduce costs associated with roaming or data plan charges. + Table 14. Windows 10 Mobile VPN management settings + | Setting | Description | |--------------------------------------|---------------------------------------------------------------------------------| | Allow VPN | Whether users can change VPN settings | @@ -688,10 +766,15 @@ Table 14. Windows 10 Mobile VPN management settings | Allow VPN Over Cellular when Roaming | Whether users can establish VPN connections over cellular networks when roaming |   ### APN profiles + An APN defines network paths for cellular data connectivity. Typically, you define just one APN for a device in collaboration with a mobile operator, but you can define multiple APNs if your company uses multiple mobile operators. + An APN provides a private connection to the corporate network that is unavailable to other companies on the mobile operator network. Corporations in Europe and the Asia-Pacific use APNs, but they are not common in the United States. + You can define and deploy APN profiles in MDM systems that configure cellular data connectivity for Windows 10 Mobile. Devices running Windows 10 Mobile can have only one APN profile. Table 15 lists the MDM settings that Windows 10 Mobile supports for APN profiles. + Table 15. Windows 10 Mobile APN profile settings + @@ -753,8 +836,12 @@ Table 15. Windows 10 Mobile APN profile settings
  ### Data leak protection -Some user experiences can risk corporate data stored on corporate devices. For example, allowing users to copy and paste information out of the organization’s LOB app can put data at risk. To mitigate the risk, you can restrict the Windows 10 Mobile user experience to help protect corporate data and prevent data leaks. For example, you can prevent settings synchronization, copy-and-paste operations, and screen captures. Table 16 lists the MDM settings in Windows 10 Mobile that you can use to help prevent data leaks. + +Some user experiences can risk corporate data stored on corporate devices. For example, allowing users to copy and paste information out of the organization’s LOB app can put data at risk. To mitigate the risk, you can restrict the Windows 10 Mobile user experience to help protect corporate data +and prevent data leaks. For example, you can prevent settings synchronization, copy-and-paste operations, and screen captures. Table 16 lists the MDM settings in Windows 10 Mobile that you can use to help prevent data leaks. + Table 16. Windows 10 Mobile data leak protection settings + | Setting | Description | |----------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | Allow copy and paste | Whether users can copy and paste content | @@ -769,13 +856,19 @@ Table 16. Windows 10 Mobile data leak protection settings | Allow voice recording | Whether users are allowed to perform voice recordings. |   ### Storage management + Protecting the apps and data stored on a device is critical to device security. One method for helping protect your apps and data is to encrypt internal device storage by using the device encryption in Windows 10 Mobile. This encryption helps protect corporate data against unauthorized access, even when an unauthorized user has physical possession of the device. + A feature in Windows 10 Mobile is the ability to install apps on a secure digital (SD) card. The operating system stores apps on a partition specifically designated for that purpose. This feature is always on, so you don’t need to set a policy explicitly to enable it. The SD card is uniquely paired with a device. No other devices can see the apps or data on the encrypted partition, but they can access the data stored on the unencrypted partition of the SD card, such as music or photos. You can disable the **Allow Storage Card** setting to prevent users from using SD cards altogether, but the primary advantage of the SD card app partition–encryption feature is that organizations can give users the flexibility to use an SD card while still protecting the confidential apps and data on it. + If you don’t encrypt storage, you can help protect your corporate apps and data by using the **Restrict app data to the system volume** and **Restrict apps to the system volume** settings. They help ensure that users cannot copy your apps and data to SD cards. + Table 17 lists the MDM storage-management settings that Windows 10 Mobile provides. + Table 17. Windows 10 Mobile storage management settings + @@ -826,33 +919,52 @@ Table 17. Windows 10 Mobile storage management settings
  ## App management + Apps help improve user productivity on mobile devices. New to Windows 10 is the ability for organizations purchase apps from Windows Store for their employees and deploy those apps from Windows Store or an MDM system. App management is becoming a key capability of MDM systems, helping reduce the effort required to perform common app-related tasks, such as distributing apps, and protecting data through app policies. This section describes the app management features in Windows 10 Mobile and includes the following topics: + - [Universal Windows Platform (UWP)](#uwp) - [Sourcing the right app](#sourcing) - [Windows Store for Business](#store) - [Mobile application management (MAM) policies](#mam) - [Microsoft Edge](#edge) + ### Universal Windows Platform + Windows 10 introduces UWP, converging the application platform for all devices running some edition of Windows 10. UWP apps run without modification on all editions of Windows 10, and Windows Store now has apps that you can license and purchased for all your Windows 10 devices. Windows Phone 8.1 and Windows 8.1 apps still run on Windows 10 devices, but the MAM improvements in Windows 10 work only with UWP apps. See the [Guide to Universal Windows Platform (UWP) apps](http://go.microsoft.com/fwlink/p/?LinkId=734056) for additional information. + ### Sourcing the right app + The first step in app management is to obtain the apps your users need, and you can now acquire apps from Windows Store. Developers can also create apps specific to an organization, known as *line-of-business (LOB) apps* (the developers of these apps are *LOB publishers*). An LOB developer (internal or external) can now publish these apps to Windows Store at your request, or you can obtain the app packages offline and distribute them through your MDM system. + To install Windows Store or LOB apps, use the Windows Store cloud service or your MDM system to distribute the app packages. Your MDM system can deploy apps online by redirecting the user to a licensed app in Windows Store or offline by distributing a package that you downloaded from Windows Store (also called *sideloading*) on Windows 10 Mobile devices. You can fully automate the app deployment process so that no user intervention is required. + IT administrators can obtain apps through Store for Business. Most apps can be distributed online, meaning that the user must be logged in to the device with an Azure AD account and have Internet access at the time of installation. To distribute an app offline, the developer must opt in. If the app developer doesn’t allow download of the app from Windows Store, then you must obtain the files directly from the developer or use the online method. See [Windows Store for Business](windows-store-for-business.md) for additional information about apps obtained through Store for Business. Windows Store apps are automatically trusted. For custom LOB apps developed internally or by a trusted software vendor, ensure that the device trusts the app signing certificate. There are two ways to establish this trust: use a signing certificate from a trusted source, or generate your own signing certificate and add your chain of trust to the trusted certificates on the device. You can install up to 20 self-signed apps on a Windows 10 Mobile device. When you purchase a signing certificate from a public CA, you can install more than 20 apps on a device, although you can install more than 20 self-signed apps per device with [Windows 10 Mobile Enterprise](#mobile-edition). + Users can install apps from Windows Store that the organization purchases through the Store app on their device. If you allow your users to log in with a Microsoft account, the Store app on the device provides a unified method for installing personal and corporate apps. + ### Store for Business + [Windows Store for Business](http://go.microsoft.com/fwlink/p/?LinkId=722910) is a web portal that IT pros and purchasers use to find, acquire, manage, and distribute apps to Windows 10 devices. This online portal gives Azure AD authenticated managers access to Store for Business functionality and settings. Store managers can create a private section of Windows Store in which organizations can manage apps specific and private to them. Store for Business allows organizations to make apps available to their users and purchase app licenses for them. They can also integrate their Store for Business subscriptions with their MDM systems, so the MDM system can deploy apps from their free Store for Business subscription. + The process for using Store for Business is as follows: + 1. Create a Store for Business subscription for your organization. 2. In the Store for Business portal, acquire apps from Windows Store (only free apps are available at this time). 3. In Store for Business, distribute apps to users, and manage the app licenses for the apps acquired in the previous step. 4. Integrate your MDM system with your organization’s Store for Business subscription. 5. Use your MDM system to deploy the apps. + For more information about Store for Business, see [Windows Store for Business](windows-store-for-business.md). + ### Mobile application management (MAM) policies + With MDM, you can manage Device Guard on Windows 10 Mobile and create an allow (whitelist) or deny (blacklist) list of apps. This capability extends to built-in apps, as well, such as phone, text messaging, email, and calendar. The ability to allow or deny apps helps to ensure that people use their mobile devices for their intended purposes. + You can also control users’ access to Windows Store and whether the Store service updates apps automatically. You can manage all these capabilities through your MDM system. Table 18 lists the Windows 10 Mobile app management settings. + Table 18. Windows 10 Mobile app management settings + | Setting | Description | |------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | Allow All Trusted Apps | Whether users can sideload apps on the device | @@ -868,9 +980,13 @@ Table 18. Windows 10 Mobile app management settings | Start screen layout | An XML blob used to configure the Start screen (See [Start layout for Windows 10 Mobile editions](http://go.microsoft.com/fwlink/p/?LinkId=734057) for more information.) |   One potential security issue is that users can register as Windows 10 Mobile app developers and turn on developer features on their device, potentially installing apps from unknown sources and opening the device to malware threats. To prevent users from turning on developer features on their devices, set the **Disable development unlock (side loading)** policy, which you can configure through your MDM system. + ### Microsoft Edge + MDM systems give you the ability to manage Microsoft Edge on mobile devices. Table 19 lists the Microsoft Edge settings for Windows 10 Mobile. + Table 19. Microsoft Edge settings for Windows 10 Mobile + | Setting | Description | |-------------------------------------------------|-------------------------------------------------------------------------------------------------------| | Allow Active Scripting | Whether active scripting is allowed | @@ -886,16 +1002,24 @@ Table 19. Microsoft Edge settings for Windows 10 Mobile | Prevent Smart Screen Prompt Override For Files | Whether users can override the SmartScreen Filter warnings about downloading unverified files |   ## Device operations + In this section, you learn how MDM settings in Windows 10 Mobile enable the following scenarios: + - [Device update](#device-update) - [Device compliance monitoring](#device-comp) - [Device inventory](#data-inv) - [Remote assistance](#remote-assist) - [Cloud services](#cloud-serv) + ### Device update + To help protect mobile devices and their data, you must keep those devices updated. Windows Update automatically installs updates and upgrades when they become available. -The device update features described in this section are available only in [Windows 10 Mobile Enterprise](#mobile-edition). You can use your MDM system to postpone system upgrades when you activate an Enterprise license on managed Windows 10 Mobile devices and control how updates and upgrades are applied. For example, you can disable updates altogether, defer updates and upgrades, and schedule the day and time to install updates, as you would with Windows Server Update Services (WSUS) on Windows 10 desktops running the [Current Branch for Business](introduction-to-windows-10-servicing.md). Table 20 lists the Windows 10 Mobile Enterprise settings that you can use to configure updates and upgrades. + +The device update features described in this section are available only in [Windows 10 Mobile Enterprise](#mobile-edition). You can use your MDM system to postpone system upgrades when you activate an Enterprise license on managed Windows 10 Mobile devices and control how updates and upgrades are applied. For example, you can disable updates altogether, defer updates and upgrades, and schedule the day and time to install updates, as you would with Windows Server Update Services (WSUS) on Windows 10 desktops running the [Current Branch for Business](introduction-to-windows-10-servicing.md). +Table 20 lists the Windows 10 Mobile Enterprise settings that you can use to configure updates and upgrades. + Table 20. Windows 10 Mobile Enterprise update management settings + @@ -968,7 +1092,9 @@ Table 20. Windows 10 Mobile Enterprise update management settings
  In addition to configuring how Windows 10 Mobile Enterprise obtains updates, you can manage individual Windows 10 Mobile updates. Table 21 provides information about approved updates to help you control the rollout of new updates to Windows 10 Mobile Enterprise devices. + Table 21. Windows 10 Mobile Enterprise approved update information + @@ -1025,25 +1151,36 @@ Table 21. Windows 10 Mobile Enterprise approved update information
  + ### Device compliance monitoring + You can use your MDM system to monitor compliance. Windows 10 Mobile provides audit information to track issues or perform remedial actions. This information helps you ensure that devices are configured to comply with organizational standards. + You can also assess the health of devices that run Windows 10 Mobile and take enterprise policy actions. The process that the health attestation feature in Windows 10 Mobile uses is as follows: + 1. The health attestation client collects data used to verify device health. 2. The client forwards the data to the Health Attestation Service (HAS). 3. The HAS generates a Health Attestation Certificate. 4. The client forwards the Health Attestation Certificate and related information to the MDM system for verification. + For more information about health attestation in Windows 10 Mobile, see the [Windows 10 Mobile security guide](../keep-secure/windows-10-mobile-security-guide.md). + Depending on the results of the health state validation, an MDM system can take one of the following actions: + - Allow the device to access resources. - Allow the device to access resources but identify the device for further investigation. - Prevent the device from accessing resources. + Table 21 lists data points that the HAS collects and evaluates from devices that run Windows 10 Mobile to determine the action to perform. For most of these data points, the MDM system can take one of the following actions: + - Disallow all access. - Disallow access to high-business-impact assets. - Allow conditional access based on other data points that are present at evaluation time—for example, other attributes on the health certificate or a device’s past activities and trust history. - Take one of the previous actions, and also place the device on a watch list to monitor it more closely for potential risks. - Take corrective action, such as informing IT administrators to contact the owner and investigate the issue. + Table 21. Windows 10 Mobile HAS data points + | Data point | Description | |----------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | Attestation Identity Key (AIK) present | Indicates that an AIK is present (in other words, the device can be trusted more than a device without an AIK). | @@ -1062,38 +1199,46 @@ Table 21. Windows 10 Mobile HAS data points | Boot cycle whitelist | The view of the host platform between boot cycles as defined by the manufacturer compared to a published whitelist. A device that complies with the whitelist is more trustworthy (secure) than a device that is noncompliant. |   ### Device inventory + Device inventory helps organizations better manage devices because it provides in-depth information about those devices. MDM systems collect inventory information remotely, and you can use the system’s reporting capabilities to analyze device resources and information. With this information, you can determine the current hardware and software resources of the device (for example, installed updates). + Table 22 lists examples of the Windows 10 Mobile software and hardware information that a device inventory provides. In addition to this information, the MDM system can read any of the configuration settings described in this guide. + Table 22. Windows 10 Mobile software and hardware inventory examples -| Setting | Description | -|----------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Installed enterprise apps | List of the enterprise apps installed on the device | -| Device name | The device name configured for the device | -| Firmware version | Version of firmware installed on the device | -| Operating system version | Version of the operating system installed on the device | -| Device local time | Local time on the device | -| Processor type | Processor type for the device | -| Device model | Model of the device as defined by the manufacturer | -| Device manufacturer | Manufacturer of the device | -| Device processor architecture | Processor architecture for the device | -| Device language | Language in use on the device | -| Phone number | Phone number assigned to the device | -| Roaming status | Indicates whether the device has a roaming cellular connection | -| International mobile equipment identity (IMEI) and international mobile subscriber identity (IMSI) | Unique identifiers for the cellular connection for the phone; Global System for Mobile Communications networks identify valid devices by using the IMEI, and all cellular networks use the IMSI to identify the device and user | -| Wi-Fi IP address | IPv4 and IPv6 addresses currently assigned to the Wi-Fi adapter in the device | -| Wi-Fi media access control (MAC) address | MAC address assigned to the Wi-Fi adapter in the device | -| Wi-Fi DNS suffix and subnet mask | DNS suffix and IP subnet mask assigned to the Wi-Fi adapter in the device | -| Secure Boot state | Indicates whether Secure Boot is enabled | -| Enterprise encryption policy compliance | Indicates whether the device is encrypted | + +| Setting | Description | +| - | - | +| Installed enterprise apps | List of the enterprise apps installed on the device | +| Device name | The device name configured for the device | +| Firmware version | Version of firmware installed on the device | +| Operating system version | Version of the operating system installed on the device | +| Device local time | Local time on the device | +| Processor type | Processor type for the device | +| Device model | Model of the device as defined by the manufacturer | +| Device manufacturer | Manufacturer of the device | +| Device processor architecture | Processor architecture for the device | +| Device language | Language in use on the device | +| Phone number | Phone number assigned to the device | +| Roaming status | Indicates whether the device has a roaming cellular connection | +| International mobile equipment identity (IMEI) and international mobile subscriber identity (IMSI) | Unique identifiers for the cellular connection for the phone; Global System for Mobile Communications networks identify valid devices by using the IMEI, and all cellular networks use the IMSI to identify the device and user | | IPv4 and IPv6 addresses currently assigned to the Wi-Fi adapter in the device | +| Wi-Fi media access control (MAC) address | MAC address assigned to the Wi-Fi adapter in the device | +| Wi-Fi DNS suffix and subnet mask | DNS suffix and IP subnet mask assigned to the Wi-Fi adapter in the device | +| Secure Boot state | Indicates whether Secure Boot is enabled | +| Enterprise encryption policy compliance | Indicates whether the device is encrypted |   ### Remote assistance + The remote assistance features in Windows 10 Mobile help resolve issues that users might encounter even when the help desk does not have physical access to the device. These features include: + - **Remote lock.** Support personnel can remotely lock a device. This ability can help when a user loses his or her mobile device and can retrieve it but not immediately (for example, leaving the device at a customer site). - **Remote PIN reset.** Support personnel can remotely reset the PIN, which helps when users forget their PIN and are unable to access their device. No corporate or user data is lost, and users are able to gain access to their devices quickly. - **Remote ring.** Support personnel can remotely make devices ring. This ability can help users locate misplaced devices and, in conjunction with the Remote Lock feature, help ensure that unauthorized users are unable to access the device if they find it. - **Remote find.** Support personnel can remotely locate a device on a map, which helps identify the geographic location of the device. To configure Windows 10 Mobile remote find, use the settings in Table 23. The remote find feature returns the most current latitude, longitude, and altitude of the device. + These remote management features help organizations reduce the IT effort required to manage devices. They also help users quickly regain use of their device should they misplace it or forget the device password. + Table 23. Windows 10 Mobile remote find settings + | Setting | Description | |---------------------------|---------------------------------------------------------------------------------------------------------------------------------| | Desired location accuracy | The desired accuracy as a radius value in meters; has a value between 1 and 1,000 meters | @@ -1101,37 +1246,49 @@ Table 23. Windows 10 Mobile remote find settings | Remote find timeout | The number of seconds devices should wait for a remote find to finish; has a value between 0 and 1,800 seconds |   ### Cloud services + On mobile devices that run Windows 10 Mobile, users can easily connect to apps and data. As a result, they frequently connect to cloud services that provide user notifications and collect telemetry (usage data). Windows 10 Mobile enables organizations to manage how devices consume these cloud services. + **Manage push notifications** + The Windows Push Notification Services enable software developers to send toast, tile, badge, and raw updates from their cloud services. It provides a mechanism to deliver updates to users in a power-efficient and dependable way. Push notifications can affect battery life, however, so the battery saver in Windows 10 Mobile limits background activity on the devices to extend battery life. Users can configure battery saver to turn on automatically when the battery drops below a set threshold. When battery saver is on, Windows 10 Mobile disables the receipt of push notifications to save energy. + There is an exception to this behavior, however. In Windows 10 Mobile, the **Always allowed** battery saver settings (found in the Settings app) allow apps to receive push notifications even when battery saver is on. Users can manually configure this list, or you can use the MDM system to configure it—that is, you can use the battery saver settings URI scheme in Windows 10 Mobile (**ms-settings:batterysaver-settings**) to configure these settings. For more information about push notifications, see [Windows Push Notification Services (WNS) overview](http://go.microsoft.com/fwlink/p/?LinkId=734060). + **Manage telemetry** + As people use Windows 10 Mobile, it can collect performance and usage telemetry that helps Microsoft identify and troubleshoot problems as well as improve its products and services. Microsoft recommends that you select **Full** for this setting. Microsoft employees, contractors, vendors, and partners might have access to relevant portions of the information that Windows 10 Mobile collects, but they are permitted to use the information only to repair or improve Microsoft products and services or third-party software and hardware designed for use with Microsoft products and services. + You can control the level of data that MDM systems collect. Table 24 lists the data levels that Windows 10 Mobile collects and provides a brief description of each. To configure devices, specify one of these levels in the **Allow Telemetry** setting. Table 24. Windows 10 Mobile data collection levels -| Level of data | Description | -|---------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Security | Collects only the information required to keep Windows 10 Mobile enterprise-grade secure, including information about telemetry client settings, the Malicious Software Removal Tool, and Windows Defender. This level is available only on Windows 10 Enterprise, Windows 10 Education, and Windows 10 IoT Core. For Windows 10 Mobile, this setting disables Windows 10 Mobile telemetry. | +| Level of data | Description | +|- | - | +| Security | Collects only the information required to keep Windows 10 Mobile enterprise-grade secure, including information about telemetry client settings, the Malicious Software Removal Tool, and Windows Defender. This level is available only on Windows 10 Enterprise, Windows 10 Education, and Windows 10 IoT Core. For Windows 10 Mobile, this setting disables Windows 10 Mobile telemetry. | | Basic | Provides only the data vital to the operation of Windows 10 Mobile. This data level helps keep Windows 10 Mobile and apps running properly by letting Microsoft know the device’s capabilities, what’s installed, and whether Windows is operating correctly. This option also turns on basic error reporting back to Microsoft. By selecting this option, you allow Microsoft to provide updates through Windows Update, including malicious software protection through the Malicious Software Removal Tool. | | Enhanced | Includes all Basic data plus data about how users use Windows 10 Mobile, such as how frequently or how long they use certain features or apps and which apps they use most often. This option also lets operating system collect enhanced diagnostic information, such as the memory state of a device when a system or app crash occurs, and measure reliability of devices, the operating system, and apps. | | Full | Includes all Basic and Enhanced data and also turns on advanced diagnostic features that collect additional data from devices, such as system files or memory snapshots, which may unintentionally include parts of documents user are working on when a problem occurred. This information helps Microsoft further troubleshoot and fix problems. If an error report contains personal data, Microsoft does not use that information to identify, contact, or target advertising to users. |   ## Device retirement + Device retirement (unenrollment) is the last phase of the device life cycle. Historically, mobile device retirement has been a complex and difficult process for organizations. When the organization no longer needs devices, it must remove (wipe) corporate data from them. BYOD scenarios make retirement even more complex because users expect their personal apps and data to remain untouched. Therefore, organizations must remove their data without affecting users’ data. + You can remotely remove all corporate data from devices that run Windows 10 Mobile without affecting existing user data (partial or enterprise wipe). The help desk or the devices’ users can initiate device retirement. When retirement is complete, Windows 10 Mobile returns the devices to a consumer state, as they were before enrollment. The following list summarizes the corporate data removed from a device when it’s retired: + - Email accounts - Enterprise-issued certificates - Network profiles - Enterprise-deployed apps - Any data associated with the enterprise-deployed apps -**Note**   -All these features are in addition to the device’s software and hardware factory reset features, which users can use to restore devices to their factory configuration. + +>**Note:**  All these features are in addition to the device’s software and hardware factory reset features, which users can use to restore devices to their factory configuration.   To specify whether users can delete the workplace account in Control Panel and unenroll from the MDM system, enable the **Allow Manual MDM Unenrollment** setting. Table 25 lists additional Windows 10 remote wipe settings that you can use the MDM system to configure. + Table 25. Windows 10 Mobile remote wipe settings + | Setting | Description | |-------------------------------|----------------------------------------------------------------------------------------------------------------------| | Wipe | Specifies that a remote wipe of the device should be performed | @@ -1139,9 +1296,8 @@ Table 25. Windows 10 Mobile remote wipe settings | Allow user to reset phone | Whether users are allowed to use Control Panel or hardware key combinations to return the device to factory defaults |   ## Related topics -[Mobile device management](http://go.microsoft.com/fwlink/p/?LinkId=734050) -[Enterprise Mobility Suite](http://go.microsoft.com/fwlink/p/?LinkId=723984) -[Overview of Mobile Device Management for Office 365](http://go.microsoft.com/fwlink/p/?LinkId=734052) -[Windows Store for Business](http://go.microsoft.com/fwlink/p/?LinkId=722910) -  -  + +- [Mobile device management](http://go.microsoft.com/fwlink/p/?LinkId=734050) +- [Enterprise Mobility Suite](http://go.microsoft.com/fwlink/p/?LinkId=723984) +- [Overview of Mobile Device Management for Office 365](http://go.microsoft.com/fwlink/p/?LinkId=734052) +- [Windows Store for Business](http://go.microsoft.com/fwlink/p/?LinkId=722910) diff --git a/windows/plan/TOC.md b/windows/plan/TOC.md index a188d6d0a1..d6212238a6 100644 --- a/windows/plan/TOC.md +++ b/windows/plan/TOC.md @@ -7,9 +7,6 @@ ## [Windows Update for Business](windows-update-for-business.md) ### [Setup and deployment](setup-and-deployment.md) ### [Integration with management solutions](integration-with-management-solutions-.md) -## [Guidance for education environments](windows-10-guidance-for-education-environments.md) -### [Chromebook migration guide](chromebook-migration-guide.md) -### [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) ## [Windows To Go: feature overview](windows-to-go-overview.md) ### [Best practice recommendations for Windows To Go](best-practice-recommendations-for-windows-to-go.md) ### [Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md) diff --git a/windows/plan/act-community-ratings-and-process.md b/windows/plan/act-community-ratings-and-process.md index 90c94ca481..6d28ac6493 100644 --- a/windows/plan/act-community-ratings-and-process.md +++ b/windows/plan/act-community-ratings-and-process.md @@ -2,9 +2,10 @@ title: ACT Community Ratings and Process (Windows 10) description: The Application Compatibility Toolkit (ACT) Community uses the Microsoft® Compatibility Exchange to share compatibility ratings between all registered ACT Community members. ms.assetid: be6c8c71-785b-4adf-a375-64ca7d24e26c -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan ms.sitesec: library +ms.pagetype: appcompat author: TrudyHa --- diff --git a/windows/plan/act-database-configuration.md b/windows/plan/act-database-configuration.md index 528cd9a8e2..dc8103e03e 100644 --- a/windows/plan/act-database-configuration.md +++ b/windows/plan/act-database-configuration.md @@ -2,8 +2,9 @@ title: ACT Database Configuration (Windows 10) description: The Application Compatibility Toolkit (ACT) uses a Microsoft® SQL Server® database for storing and sharing compatibility issue data. ms.assetid: 032bbfe0-86fa-48ff-b638-b9d6a908c45e -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/act-database-migration.md b/windows/plan/act-database-migration.md index 38d1886347..4b4009c05e 100644 --- a/windows/plan/act-database-migration.md +++ b/windows/plan/act-database-migration.md @@ -2,8 +2,9 @@ title: ACT Database Migration (Windows 10) description: The schema for an ACT database can change when ACT is updated or when a new version of ACT is released. ms.assetid: b13369b4-1fb7-4889-b0b8-6d0ab61aac3d -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/act-deployment-options.md b/windows/plan/act-deployment-options.md index bf817c11b1..32bb1e10f0 100644 --- a/windows/plan/act-deployment-options.md +++ b/windows/plan/act-deployment-options.md @@ -2,8 +2,9 @@ title: ACT Deployment Options (Windows 10) description: While planning your deployment of the Application Compatibility Toolkit (ACT), consider which computers you want running the various tools, packages, and services for ACT. ms.assetid: 90d56dd8-8d57-44e8-bf7a-29aabede45ba -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/act-glossary.md b/windows/plan/act-glossary.md index ed5fb09904..87b42aab6e 100644 --- a/windows/plan/act-glossary.md +++ b/windows/plan/act-glossary.md @@ -2,8 +2,9 @@ title: ACT Glossary (Windows 10) description: The following table lists terms and definitions used by the Application Compatibility Toolkit (ACT). ms.assetid: 984d1cce-c1ac-4aa8-839a-a23e15da6f32 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/act-lps-share-permissions.md b/windows/plan/act-lps-share-permissions.md index f9299c2fed..f2496dc915 100644 --- a/windows/plan/act-lps-share-permissions.md +++ b/windows/plan/act-lps-share-permissions.md @@ -2,8 +2,9 @@ title: ACT LPS Share Permissions (Windows 10) description: To upload log files to the ACT Log Processing Service (LPS) share, certain permissions must be set at the share level and folder level. ms.assetid: 51f6ddf7-f424-4abe-a0e0-71fe616f9e84 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/act-operatingsystem-application-report.md b/windows/plan/act-operatingsystem-application-report.md index ef3cee87c4..3c0f49d348 100644 --- a/windows/plan/act-operatingsystem-application-report.md +++ b/windows/plan/act-operatingsystem-application-report.md @@ -2,8 +2,9 @@ title: OperatingSystem - Application Report (Windows 10) description: This section describes the compatibility reports in Application Compatibility Manager (ACM) and how you can work with the reports. ms.assetid: 9721485b-6092-4974-8cfe-c84472237a57 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/act-operatingsystem-computer-report.md b/windows/plan/act-operatingsystem-computer-report.md index 4a49ff56db..3547b28c17 100644 --- a/windows/plan/act-operatingsystem-computer-report.md +++ b/windows/plan/act-operatingsystem-computer-report.md @@ -2,8 +2,9 @@ title: OperatingSystem - Computer Report (Windows 10) ms.assetid: ed0a56fc-9f2a-4df0-8cef-3a09d6616de8 description: -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/act-operatingsystem-device-report.md b/windows/plan/act-operatingsystem-device-report.md index e4be3521b9..67e74536c6 100644 --- a/windows/plan/act-operatingsystem-device-report.md +++ b/windows/plan/act-operatingsystem-device-report.md @@ -2,8 +2,9 @@ title: OperatingSystem - Device Report (Windows 10) ms.assetid: 8b5a936f-a92e-46a7-ac44-6edace262355 description: -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/act-product-and-documentation-resources.md b/windows/plan/act-product-and-documentation-resources.md index 54cb4635de..02677af71d 100644 --- a/windows/plan/act-product-and-documentation-resources.md +++ b/windows/plan/act-product-and-documentation-resources.md @@ -2,8 +2,9 @@ title: ACT Product and Documentation Resources (Windows 10) description: The following sections provide links to resources and reference material for the Application Compatibility Toolkit (ACT). ms.assetid: c7954b5a-164d-4548-af58-cd3a1de5cc43 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/act-settings-dialog-box-preferences-tab.md b/windows/plan/act-settings-dialog-box-preferences-tab.md index bfaea35f75..6af88e476e 100644 --- a/windows/plan/act-settings-dialog-box-preferences-tab.md +++ b/windows/plan/act-settings-dialog-box-preferences-tab.md @@ -2,8 +2,9 @@ title: Settings Dialog Box - Preferences Tab (Windows 10) description: To display the Settings dialog box, in Application Compatibility Manager (ACM), on the Tools menu, click Settings. ms.assetid: deae2100-4110-4d72-b5ee-7c167f80bfa4 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/act-settings-dialog-box-settings-tab.md b/windows/plan/act-settings-dialog-box-settings-tab.md index 411450f21f..0f1b179b3c 100644 --- a/windows/plan/act-settings-dialog-box-settings-tab.md +++ b/windows/plan/act-settings-dialog-box-settings-tab.md @@ -2,8 +2,9 @@ title: Settings Dialog Box - Settings Tab (Windows 10) description: To display the Settings dialog box, in Application Compatibility Manager (ACM), on the Tools menu, click Settings. ms.assetid: aeec1647-cf91-4f8b-9f6d-dbf4b898d901 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/act-technical-reference.md b/windows/plan/act-technical-reference.md index 6544f9dc8e..c05f03fc92 100644 --- a/windows/plan/act-technical-reference.md +++ b/windows/plan/act-technical-reference.md @@ -2,8 +2,9 @@ title: Application Compatibility Toolkit (ACT) Technical Reference (Windows 10) description: The Microsoft® Application Compatibility Toolkit (ACT) helps you determine whether the applications, devices, and computers in your organization are compatible with versions of the Windows® operating system. ms.assetid: d90d38b2-2718-4481-90eb-4480719627ba -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/act-toolbar-icons-in-acm.md b/windows/plan/act-toolbar-icons-in-acm.md index 1620557d16..9a0d2b3e79 100644 --- a/windows/plan/act-toolbar-icons-in-acm.md +++ b/windows/plan/act-toolbar-icons-in-acm.md @@ -2,8 +2,9 @@ title: Toolbar Icons in ACM (Windows 10) description: The following table shows icons that appear on toolbars and navigational elements in Application Compatibility Manager (ACM). ms.assetid: 44872da1-c7ad-41b9-8323-d3c3f49b2706 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/act-tools-packages-and-services.md b/windows/plan/act-tools-packages-and-services.md index 5d3ef9ba47..bf9c2bf728 100644 --- a/windows/plan/act-tools-packages-and-services.md +++ b/windows/plan/act-tools-packages-and-services.md @@ -2,8 +2,9 @@ title: ACT Tools, Packages, and Services (Windows 10) description: The Application Compatibility Toolkit is included with the Windows ADK. Download the Windows ADK. ms.assetid: f5a16548-7d7b-4be9-835e-c06158dd0b89 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/act-user-interface-reference.md b/windows/plan/act-user-interface-reference.md index 80687eea7c..ff28470715 100644 --- a/windows/plan/act-user-interface-reference.md +++ b/windows/plan/act-user-interface-reference.md @@ -2,8 +2,9 @@ title: ACT User Interface Reference (Windows 10) description: This section contains information about the user interface for Application Compatibility Manager (ACM), which is a tool in the Application Compatibility Toolkit (ACT). ms.assetid: 303d3dd7-2cc1-4f5f-b032-b7e288b04893 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/activating-and-closing-windows-in-acm.md b/windows/plan/activating-and-closing-windows-in-acm.md index 3e7eaaef87..dfa085659e 100644 --- a/windows/plan/activating-and-closing-windows-in-acm.md +++ b/windows/plan/activating-and-closing-windows-in-acm.md @@ -2,8 +2,9 @@ title: Activating and Closing Windows in ACM (Windows 10) description: The Windows dialog box shows the windows that are open in Application Compatibility Manager (ACM). ms.assetid: 747bf356-d861-4ce7-933e-fa4ecfac7be5 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/adding-or-editing-a-solution.md b/windows/plan/adding-or-editing-a-solution.md index a3ebf8c8ff..f16e5237b2 100644 --- a/windows/plan/adding-or-editing-a-solution.md +++ b/windows/plan/adding-or-editing-a-solution.md @@ -2,8 +2,9 @@ title: Adding or Editing a Solution (Windows 10) description: If you find your own solutions to compatibility issues, you can enter the solutions in Application Compatibility Manager (ACM). You can use the Microsoft Compatibility Exchange to upload solutions to Microsoft Corporation. ms.assetid: 86cb8804-d577-4af6-b96f-5e0409784a23 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/adding-or-editing-an-issue.md b/windows/plan/adding-or-editing-an-issue.md index 51a8522a05..75e4e67390 100644 --- a/windows/plan/adding-or-editing-an-issue.md +++ b/windows/plan/adding-or-editing-an-issue.md @@ -2,8 +2,9 @@ title: Adding or Editing an Issue (Windows 10) description: In Application Compatibility Manager (ACM), you can enter information about the compatibility issues that you discover. ms.assetid: 8a9fff79-9f88-4ce2-a4e6-b9382f28143d -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/analyzing-your-compatibility-data.md b/windows/plan/analyzing-your-compatibility-data.md index 4b145ad92f..30f6a43c24 100644 --- a/windows/plan/analyzing-your-compatibility-data.md +++ b/windows/plan/analyzing-your-compatibility-data.md @@ -2,8 +2,9 @@ title: Analyzing Your Compatibility Data (Windows 10) description: This section provides information about viewing and working with your compatibility data in Application Compatibility Manager (ACM). ms.assetid: b98f3d74-fe22-41a2-afe8-2eb2799933a1 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/application-dialog-box.md b/windows/plan/application-dialog-box.md index 1700305f86..c8d9515fa6 100644 --- a/windows/plan/application-dialog-box.md +++ b/windows/plan/application-dialog-box.md @@ -2,8 +2,9 @@ title: Application Dialog Box (Windows 10) description: In Application Compatibility Manager (ACM), the Application dialog box shows information about the selected application. ms.assetid: a43e85a6-3cd4-4235-bc4d-01e4d097db7e -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/applying-filters-to-data-in-the-sua-tool.md b/windows/plan/applying-filters-to-data-in-the-sua-tool.md index 7f960b8cf6..7b716d119a 100644 --- a/windows/plan/applying-filters-to-data-in-the-sua-tool.md +++ b/windows/plan/applying-filters-to-data-in-the-sua-tool.md @@ -2,8 +2,9 @@ title: Applying Filters to Data in the SUA Tool (Windows 10) description: On the user interface for the Standard User Analyzer (SUA) tool, you can apply filters to the issues that the tool has found so that you can view only the information that interests you. ms.assetid: 48c39919-3501-405d-bcf5-d2784cbb011f -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/available-data-types-and-operators-in-compatibility-administrator.md b/windows/plan/available-data-types-and-operators-in-compatibility-administrator.md index bc5e40d571..8076d0787c 100644 --- a/windows/plan/available-data-types-and-operators-in-compatibility-administrator.md +++ b/windows/plan/available-data-types-and-operators-in-compatibility-administrator.md @@ -2,8 +2,9 @@ title: Available Data Types and Operators in Compatibility Administrator (Windows 10) description: The Compatibility Administrator tool provides a way to query your custom-compatibility databases. ms.assetid: 67d9c03e-ab9d-4fda-8a55-8c5b90266d3b -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/best-practice-recommendations-for-windows-to-go.md b/windows/plan/best-practice-recommendations-for-windows-to-go.md index 4ef9e9177e..c9cc2ac741 100644 --- a/windows/plan/best-practice-recommendations-for-windows-to-go.md +++ b/windows/plan/best-practice-recommendations-for-windows-to-go.md @@ -2,9 +2,10 @@ title: Best practice recommendations for Windows To Go (Windows 10) description: Best practice recommendations for Windows To Go ms.assetid: 05e6e0ab-94ed-4c0c-a195-0abd006f0a86 -keywords: ["best practices, USB, device, boot"] +keywords: best practices, USB, device, boot ms.prod: w10 -ms.mktglfcycl: deploy +ms.mktglfcycl: plan +pagetype: mobility ms.sitesec: library author: mtniehaus --- diff --git a/windows/plan/categorizing-your-compatibility-data.md b/windows/plan/categorizing-your-compatibility-data.md index 637af36069..f00d576eee 100644 --- a/windows/plan/categorizing-your-compatibility-data.md +++ b/windows/plan/categorizing-your-compatibility-data.md @@ -2,8 +2,9 @@ title: Categorizing Your Compatibility Data (Windows 10) ms.assetid: 6420f012-316f-4ef0-bfbb-14baaa664e6e description: -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/change-history-for-plan-for-windows-10-deployment.md b/windows/plan/change-history-for-plan-for-windows-10-deployment.md index 7d8965c6d6..4f0b96a684 100644 --- a/windows/plan/change-history-for-plan-for-windows-10-deployment.md +++ b/windows/plan/change-history-for-plan-for-windows-10-deployment.md @@ -2,8 +2,8 @@ title: Change history for Plan for Windows 10 deployment (Windows 10) description: This topic lists new and updated topics in the Plan for Windows 10 deployment documentation for Windows 10 and Windows 10 Mobile. ms.assetid: 70D9F4F8-F2A4-4FB4-9459-5B2BE7BCAC66 -ms.prod: W10 -ms.mktglfcycl: deploy +ms.prod: w10 +ms.mktglfcycl: plan ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/chromebook-migration-guide.md b/windows/plan/chromebook-migration-guide.md index 5f6f426691..12773fdd7e 100644 --- a/windows/plan/chromebook-migration-guide.md +++ b/windows/plan/chromebook-migration-guide.md @@ -1,9 +1,10 @@ --- title: Chromebook migration guide (Windows 10) description: In this guide you will learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. +redirect_url: https://technet.microsoft.com/edu/windows/chromebook-migration-guide ms.assetid: 7A1FA48A-C44A-4F59-B895-86D4D77F8BEA keywords: migrate, automate, device -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu; devices diff --git a/windows/plan/common-compatibility-issues.md b/windows/plan/common-compatibility-issues.md index e9feba9487..4e96594b85 100644 --- a/windows/plan/common-compatibility-issues.md +++ b/windows/plan/common-compatibility-issues.md @@ -2,8 +2,9 @@ title: Common Compatibility Issues (Windows 10) ms.assetid: f5ad621d-bda2-45b5-ae85-bc92970f602f description: -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/compatibility-administrator-users-guide.md b/windows/plan/compatibility-administrator-users-guide.md index 06246f50b6..8625f9e210 100644 --- a/windows/plan/compatibility-administrator-users-guide.md +++ b/windows/plan/compatibility-administrator-users-guide.md @@ -2,8 +2,9 @@ title: Compatibility Administrator User's Guide (Windows 10) ms.assetid: 0ce05f66-9009-4739-a789-60f3ce380e76 description: -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/compatibility-fix-database-management-strategies-and-deployment.md b/windows/plan/compatibility-fix-database-management-strategies-and-deployment.md index 9abe28e94d..f608310bd6 100644 --- a/windows/plan/compatibility-fix-database-management-strategies-and-deployment.md +++ b/windows/plan/compatibility-fix-database-management-strategies-and-deployment.md @@ -2,8 +2,9 @@ title: Compatibility Fix Database Management Strategies and Deployment (Windows 10) ms.assetid: fdfbf02f-c4c4-4739-a400-782204fd3c6c description: -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md b/windows/plan/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md index 1efec32cb1..688cf0a0d5 100644 --- a/windows/plan/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md +++ b/windows/plan/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md @@ -2,8 +2,9 @@ title: Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista (Windows 10) description: You can fix some compatibility issues that are due to the changes made between Windows operating system versions. These issues can include User Account Control (UAC) restrictions. ms.assetid: cd51c824-557f-462a-83bb-54b0771b7dff -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/compatibility-monitor-users-guide.md b/windows/plan/compatibility-monitor-users-guide.md index f5b56c4858..9a72ed30d3 100644 --- a/windows/plan/compatibility-monitor-users-guide.md +++ b/windows/plan/compatibility-monitor-users-guide.md @@ -2,8 +2,9 @@ title: Compatibility Monitor User's Guide (Windows 10) description: Compatibility Monitor is a tool in the runtime analysis package that you can use to monitor applications for compatibility issues. You can also use the Compatibility Monitor tool to submit compatibility feedback. ms.assetid: 67d6eff0-1576-44bd-99b4-a3ffa5e205ac -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/computer-dialog-box.md b/windows/plan/computer-dialog-box.md index 498f20d93c..b191d79a79 100644 --- a/windows/plan/computer-dialog-box.md +++ b/windows/plan/computer-dialog-box.md @@ -2,8 +2,9 @@ title: Computer Dialog Box (Windows 10) description: In Application Compatibility Manager (ACM), the Computer dialog box shows information about the selected computer. ms.assetid: f89cbb28-adcd-41cd-9a54-402bc4aaffd9 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/configuring-act.md b/windows/plan/configuring-act.md index ef72f68d43..f5803ddd81 100644 --- a/windows/plan/configuring-act.md +++ b/windows/plan/configuring-act.md @@ -2,8 +2,9 @@ title: Configuring ACT (Windows 10) description: This section provides information about setting up the Application Compatibility Toolkit (ACT) in your organization. ms.assetid: aacbe35e-ea40-47ac-bebf-ed2660c8fd86 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/creating-a-custom-compatibility-fix-in-compatibility-administrator.md b/windows/plan/creating-a-custom-compatibility-fix-in-compatibility-administrator.md index 26d4a51ca0..a88189a7a2 100644 --- a/windows/plan/creating-a-custom-compatibility-fix-in-compatibility-administrator.md +++ b/windows/plan/creating-a-custom-compatibility-fix-in-compatibility-administrator.md @@ -2,8 +2,9 @@ title: Creating a Custom Compatibility Fix in Compatibility Administrator (Windows 10) description: The Compatibility Administrator tool uses the term fix to describe the combination of compatibility information added to a customized database for a specific application. ms.assetid: e4f2853a-0e46-49c5-afd7-0ed12f1fe0c2 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/creating-a-custom-compatibility-mode-in-compatibility-administrator.md b/windows/plan/creating-a-custom-compatibility-mode-in-compatibility-administrator.md index 75f3706089..ac5091d0bb 100644 --- a/windows/plan/creating-a-custom-compatibility-mode-in-compatibility-administrator.md +++ b/windows/plan/creating-a-custom-compatibility-mode-in-compatibility-administrator.md @@ -2,8 +2,9 @@ title: Creating a Custom Compatibility Mode in Compatibility Administrator (Windows 10) description: Windows® provides several compatibility modes, groups of compatibility fixes found to resolve many common application-compatibility issues. ms.assetid: 661a1c0d-267f-4a79-8445-62a9a98d09b0 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/creating-a-runtime-analysis-package.md b/windows/plan/creating-a-runtime-analysis-package.md index 8246a9de4a..04411a5fa7 100644 --- a/windows/plan/creating-a-runtime-analysis-package.md +++ b/windows/plan/creating-a-runtime-analysis-package.md @@ -2,8 +2,9 @@ title: Creating a Runtime-Analysis Package (Windows 10) description: In Application Compatibility Manager (ACM), you can create runtime-analysis packages, which you can then deploy to computers for compatibility testing in your test environment. ms.assetid: 3c703ebe-46b3-4dcd-b355-b28344bc159b -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/creating-an-apphelp-message-in-compatibility-administrator.md b/windows/plan/creating-an-apphelp-message-in-compatibility-administrator.md index 4fc5707012..5b48ebdbb8 100644 --- a/windows/plan/creating-an-apphelp-message-in-compatibility-administrator.md +++ b/windows/plan/creating-an-apphelp-message-in-compatibility-administrator.md @@ -2,8 +2,9 @@ title: Creating an AppHelp Message in Compatibility Administrator (Windows 10) description: The Compatibility Administrator tool enables you to create an AppHelp text message. This is a blocking or non-blocking message that appears when a user starts an application that you know has major functionality issues on the Windows® operating system. ms.assetid: 5c6e89f5-1942-4aa4-8439-ccf0ecd02848 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/creating-an-enterprise-environment-for-compatibility-testing.md b/windows/plan/creating-an-enterprise-environment-for-compatibility-testing.md index 339ef48aaf..840fa87695 100644 --- a/windows/plan/creating-an-enterprise-environment-for-compatibility-testing.md +++ b/windows/plan/creating-an-enterprise-environment-for-compatibility-testing.md @@ -2,8 +2,9 @@ title: Creating an Enterprise Environment for Compatibility Testing (Windows 10) description: The goal of the test environment is to model the operating system that you want to deploy and assess compatibility before deploying the operating system to your production environment. ms.assetid: cbf6d8b6-7ebc-4faa-bbbd-e02653ed4adb -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/creating-an-inventory-collector-package.md b/windows/plan/creating-an-inventory-collector-package.md index 01d9dcf89c..c174e746e0 100644 --- a/windows/plan/creating-an-inventory-collector-package.md +++ b/windows/plan/creating-an-inventory-collector-package.md @@ -2,8 +2,9 @@ title: Creating an Inventory-Collector Package (Windows 10) description: You can use Application Compatibility Manager (ACM) to create an inventory-collector package. ms.assetid: 61d041d6-e308-47b3-921b-709d72926d6d -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/creating-and-editing-issues-and-solutions.md b/windows/plan/creating-and-editing-issues-and-solutions.md index d4e183c235..0ce76a3f2f 100644 --- a/windows/plan/creating-and-editing-issues-and-solutions.md +++ b/windows/plan/creating-and-editing-issues-and-solutions.md @@ -2,8 +2,9 @@ title: Creating and Editing Issues and Solutions (Windows 10) description: This section provides step-by-step instructions for adding and editing application compatibility issues and solutions. Your issue and solution data can be uploaded to Microsoft through the Microsoft® Compatibility Exchange. ms.assetid: b64fe4e0-24bd-4bbd-9645-80ae5644e774 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/customizing-your-report-views.md b/windows/plan/customizing-your-report-views.md index 97566482eb..a68961a2e6 100644 --- a/windows/plan/customizing-your-report-views.md +++ b/windows/plan/customizing-your-report-views.md @@ -2,8 +2,9 @@ title: Customizing Your Report Views (Windows 10) description: You can customize how you view your report data in Application Compatibility Manager (ACM). ms.assetid: ba8da888-6749-43b4-8efb-4f26c7954721 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/data-sent-through-the-microsoft-compatibility-exchange.md b/windows/plan/data-sent-through-the-microsoft-compatibility-exchange.md index 4f5456aa5d..8bb30d37a8 100644 --- a/windows/plan/data-sent-through-the-microsoft-compatibility-exchange.md +++ b/windows/plan/data-sent-through-the-microsoft-compatibility-exchange.md @@ -2,8 +2,9 @@ title: Data Sent Through the Microsoft Compatibility Exchange (Windows 10) description: The Microsoft Compatibility Exchange propagates data of various types between Microsoft Corporation, independent software vendors (ISVs) and the Application Compatibility Toolkit (ACT) Community. ms.assetid: 3ec61e33-9db8-4367-99d5-e05c2f50e144 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/deciding-whether-to-fix-an-application-or-deploy-a-workaround.md b/windows/plan/deciding-whether-to-fix-an-application-or-deploy-a-workaround.md index ed48afa8a9..0bf24136b1 100644 --- a/windows/plan/deciding-whether-to-fix-an-application-or-deploy-a-workaround.md +++ b/windows/plan/deciding-whether-to-fix-an-application-or-deploy-a-workaround.md @@ -2,8 +2,9 @@ title: Deciding Whether to Fix an Application or Deploy a Workaround (Windows 10) description: You can fix a compatibility issue by changing the code for the application or by deploying a workaround. ms.assetid: e495d0c8-bfba-4537-bccd-64c4b52206f1 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/deciding-which-applications-to-test.md b/windows/plan/deciding-which-applications-to-test.md index f5719dbdb7..a0d4d06986 100644 --- a/windows/plan/deciding-which-applications-to-test.md +++ b/windows/plan/deciding-which-applications-to-test.md @@ -2,8 +2,9 @@ title: Deciding Which Applications to Test (Windows 10) description: Before starting your compatibility testing on the version of Windows that you want to deploy, you can use the Application Compatibility Toolkit (ACT) to identify which applications should be the focus of your testing. ms.assetid: d7c1c28f-b7b4-43ac-bf87-2910a2b603bf -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/deleting-a-data-collection-package.md b/windows/plan/deleting-a-data-collection-package.md index ade04833e1..002a431377 100644 --- a/windows/plan/deleting-a-data-collection-package.md +++ b/windows/plan/deleting-a-data-collection-package.md @@ -2,8 +2,9 @@ title: Deleting a Data-Collection Package (Windows 10) description: In Application Compatibility Manager (ACM), you can delete any of your existing data-collection packages from the database. ms.assetid: 1b397d7a-7216-4078-93d9-47c7becbf73e -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/deploy-windows-10-in-a-school.md b/windows/plan/deploy-windows-10-in-a-school.md index f1ba01d1a5..dd53f66282 100644 --- a/windows/plan/deploy-windows-10-in-a-school.md +++ b/windows/plan/deploy-windows-10-in-a-school.md @@ -1,6 +1,7 @@ --- title: Deploy Windows 10 in a school (Windows 10) description: Learn how to integrate your school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD). Deploy Windows 10 and apps to new devices or upgrade existing devices to Windows 10. Manage faculty, students, and devices by using Microsoft Intune and Group Policy. +redirect_url: https://technet.microsoft.com/edu/windows/deploy-windows-10-in-a-school keywords: configure, tools, device, school ms.prod: w10 ms.mktglfcycl: plan diff --git a/windows/plan/deploying-a-runtime-analysis-package.md b/windows/plan/deploying-a-runtime-analysis-package.md index 09c49b1cc9..bf01c5258c 100644 --- a/windows/plan/deploying-a-runtime-analysis-package.md +++ b/windows/plan/deploying-a-runtime-analysis-package.md @@ -2,8 +2,9 @@ title: Deploying a Runtime-Analysis Package (Windows 10) description: When you deploy a runtime-analysis package, you are deploying it to your test environment for compatibility testing. ms.assetid: 304bf0be-0e7c-4c5f-baac-bed7f8bef509 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/deploying-an-inventory-collector-package.md b/windows/plan/deploying-an-inventory-collector-package.md index a3d471a410..406a2823fd 100644 --- a/windows/plan/deploying-an-inventory-collector-package.md +++ b/windows/plan/deploying-an-inventory-collector-package.md @@ -2,8 +2,8 @@ title: Deploying an Inventory-Collector Package (Windows 10) ms.assetid: 8726ff71-0d17-4449-bdb7-66957ae51c62 description: -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/deployment-considerations-for-windows-to-go.md b/windows/plan/deployment-considerations-for-windows-to-go.md index 8d512f6395..da2f4412e7 100644 --- a/windows/plan/deployment-considerations-for-windows-to-go.md +++ b/windows/plan/deployment-considerations-for-windows-to-go.md @@ -2,9 +2,10 @@ title: Deployment considerations for Windows To Go (Windows 10) description: Deployment considerations for Windows To Go ms.assetid: dcfc5d96-b96b-44cd-ab65-416b5611c65e -keywords: ["deploy, mobile, device, USB, boot, image, workspace, driver"] +keywords: deploy, mobile, device, USB, boot, image, workspace, driver ms.prod: W10 -ms.mktglfcycl: deploy +ms.mktglfcycl: plan +ms.pagetype: mobility ms.sitesec: library author: mtniehaus --- diff --git a/windows/plan/device-dialog-box.md b/windows/plan/device-dialog-box.md index ae65f7330b..7cd1c0d3ec 100644 --- a/windows/plan/device-dialog-box.md +++ b/windows/plan/device-dialog-box.md @@ -2,8 +2,9 @@ title: Device Dialog Box (Windows 10) description: In Application Compatibility Manager (ACM), the Device dialog box shows information about the selected device. ms.assetid: 5bd7cfda-31ea-4967-8b64-6c0425092f4e -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md b/windows/plan/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md index 0f3ad7aa3d..85c5e0ba27 100644 --- a/windows/plan/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md +++ b/windows/plan/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md @@ -2,8 +2,9 @@ title: Enabling and Disabling Compatibility Fixes in Compatibility Administrator (Windows 10) description: You can disable and enable individual compatibility fixes in your customized databases for testing and troubleshooting purposes. ms.assetid: 6bd4a7c5-0ed9-4a35-948c-c438aa4d6cb6 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/example-filter-queries.md b/windows/plan/example-filter-queries.md index a128516e95..7b7732863d 100644 --- a/windows/plan/example-filter-queries.md +++ b/windows/plan/example-filter-queries.md @@ -2,8 +2,9 @@ title: Example Filter Queries (Windows 10) description: You can filter your compatibility-issue data or reports by selecting specific restriction criteria. ms.assetid: eae59380-56cc-4d57-bd2c-11a0e3c689c9 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/exporting-a-data-collection-package.md b/windows/plan/exporting-a-data-collection-package.md index c1eef9d0ad..5baee693f6 100644 --- a/windows/plan/exporting-a-data-collection-package.md +++ b/windows/plan/exporting-a-data-collection-package.md @@ -2,8 +2,9 @@ title: Exporting a Data-Collection Package (Windows 10) description: In Application Compatibility Manager (ACM), you can export a data-collection package as a Windows installer (.msi) file. You can then use the .msi file to install the data-collection package on the computers from which you want to gather data. ms.assetid: 98fe19e4-9533-4ffc-a275-8b3776ee93ed -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/filtering-your-compatibility-data.md b/windows/plan/filtering-your-compatibility-data.md index 36776e764a..fcc724c2d5 100644 --- a/windows/plan/filtering-your-compatibility-data.md +++ b/windows/plan/filtering-your-compatibility-data.md @@ -2,8 +2,9 @@ title: Filtering Your Compatibility Data (Windows 10) description: You can use Query Builder to filter your compatibility-issue data or reports by selecting specific restriction criteria. ms.assetid: b64267b5-83c0-4b4d-a075-0975d3a359c8 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/fixing-applications-by-using-the-sua-tool.md b/windows/plan/fixing-applications-by-using-the-sua-tool.md index 99bd4deb6e..bdfe9b9c63 100644 --- a/windows/plan/fixing-applications-by-using-the-sua-tool.md +++ b/windows/plan/fixing-applications-by-using-the-sua-tool.md @@ -2,8 +2,9 @@ title: Fixing Applications by Using the SUA Tool (Windows 10) description: On the user interface for the Standard User Analyzer (SUA) tool, you can apply fixes to an application. ms.assetid: 7f5947b1-977b-4d7e-bb52-fbe8e76f6b8b -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/fixing-compatibility-issues.md b/windows/plan/fixing-compatibility-issues.md index dc3e884415..b7f338d5ac 100644 --- a/windows/plan/fixing-compatibility-issues.md +++ b/windows/plan/fixing-compatibility-issues.md @@ -2,8 +2,9 @@ title: Fixing Compatibility Issues (Windows 10) description: This section provides step-by-step instructions and describes development tools that you can use to help fix your compatibility issues. ms.assetid: 30ba8d14-a41a-41b3-9019-e8658d6974de -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/identifying-computers-for-inventory-collection.md b/windows/plan/identifying-computers-for-inventory-collection.md index 638addad76..a7378b9820 100644 --- a/windows/plan/identifying-computers-for-inventory-collection.md +++ b/windows/plan/identifying-computers-for-inventory-collection.md @@ -2,8 +2,8 @@ title: Identifying Computers for Inventory Collection (Windows 10) ms.assetid: f5bf2d89-fff2-4960-a153-dc1146b442fb description: -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/index.md b/windows/plan/index.md index 3c830e97d4..e57a04c1cb 100644 --- a/windows/plan/index.md +++ b/windows/plan/index.md @@ -2,8 +2,8 @@ title: Plan for Windows 10 deployment (Windows 10) description: Windows 10 provides new deployment capabilities, scenarios, and tools by building on technologies introduced in Windows 7, and Windows 8.1, while at the same time introducing new Windows as a service concepts to keep the operating system up to date. ms.assetid: 002F9B79-B50F-40C5-A7A5-0B4770E6EC15 -keywords: ["deploy", "upgrade", "update", "configure"] -ms.prod: W10 +keywords: deploy, upgrade, update, configure +ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library author: TrudyHa @@ -21,7 +21,6 @@ Windows 10 provides new deployment capabilities, scenarios, and tools by buildi |[Windows 10 compatibility](windows-10-compatibility.md) |Windows 10 will be compatible with most existing PC hardware; most devices running Windows 7, Windows 8, or Windows 8.1 will meet the requirements for Windows 10. | |[Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md) |There are specific infrastructure requirements to deploy and manage Windows 10 that should be in place prior to significant Windows 10 deployments within your organization. | |[Windows Update for Business](windows-update-for-business.md) |Get an overview of how you can implement and deploy a Windows Update for Business solution and how to maintain enrolled systems. | -|[Guidance for education environments](windows-10-guidance-for-education-environments.md) |Find resources to help you plan your deployment of Windows 10 to desktops, laptops, tablets, and other devices in educational institutions. | |[Windows To Go: feature overview](windows-to-go-overview.md) |Windows To Go is a feature in Windows 10 Enterprise and Windows 10 Education that enables the creation of a Windows To Go workspace that can be booted from a USB-connected external drive on PCs. | |[Application Compatibility Toolkit (ACT) Technical Reference](act-technical-reference.md) |The Microsoft® Application Compatibility Toolkit (ACT) helps you determine whether the applications, devices, and computers in your organization are compatible with versions of the Windows® operating system. | diff --git a/windows/plan/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md b/windows/plan/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md index 2d040ed0be..c55deebb84 100644 --- a/windows/plan/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md +++ b/windows/plan/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md @@ -2,8 +2,9 @@ title: Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator (Windows 10) description: The Compatibility Administrator tool enables the creation and the use of custom-compatibility and standard-compatibility databases. ms.assetid: 659c9d62-5f32-433d-94aa-12141c01368f -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/integration-with-management-solutions-.md b/windows/plan/integration-with-management-solutions-.md index 788d1ad4e8..83dcaee001 100644 --- a/windows/plan/integration-with-management-solutions-.md +++ b/windows/plan/integration-with-management-solutions-.md @@ -6,7 +6,7 @@ keywords: update, upgrade, deployment, manage, tools ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library -ms.pagetype: servicing; devices +ms.pagetype: servicing, devices author: TrudyHa --- diff --git a/windows/plan/internet-explorer-web-site-report.md b/windows/plan/internet-explorer-web-site-report.md index fdcd6ef921..da0098b6c3 100644 --- a/windows/plan/internet-explorer-web-site-report.md +++ b/windows/plan/internet-explorer-web-site-report.md @@ -2,8 +2,9 @@ title: Internet Explorer - Web Site Report (Windows 10) ms.assetid: f072033d-9d42-47ed-8fb0-dbdc28442910 description: -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/labeling-data-in-acm.md b/windows/plan/labeling-data-in-acm.md index d9fe6d9da7..1e0ae71639 100644 --- a/windows/plan/labeling-data-in-acm.md +++ b/windows/plan/labeling-data-in-acm.md @@ -2,8 +2,9 @@ title: Labeling Data in ACM (Windows 10) description: Application data and its associated compatibility issues can vary within an organization. ms.assetid: d099c747-e68a-4cad-a639-9f33efab35b3 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/log-file-locations-for-data-collection-packages.md b/windows/plan/log-file-locations-for-data-collection-packages.md index 6483bf1b49..99ea5bc63f 100644 --- a/windows/plan/log-file-locations-for-data-collection-packages.md +++ b/windows/plan/log-file-locations-for-data-collection-packages.md @@ -2,8 +2,9 @@ title: Log File Locations for Data-Collection Packages (Windows 10) ms.assetid: dcc395e7-2d9c-4935-abab-33c5934ce24a description: -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/managing-application-compatibility-fixes-and-custom-fix-databases.md b/windows/plan/managing-application-compatibility-fixes-and-custom-fix-databases.md index d85029f97f..7c8a961d1d 100644 --- a/windows/plan/managing-application-compatibility-fixes-and-custom-fix-databases.md +++ b/windows/plan/managing-application-compatibility-fixes-and-custom-fix-databases.md @@ -2,8 +2,9 @@ title: Managing Application-Compatibility Fixes and Custom Fix Databases (Windows 10) description: This section provides information about managing your application-compatibility fixes and custom-compatibility fix databases. This section explains the reasons for using compatibility fixes and how to deploy custom-compatibility fix databases. ms.assetid: 9c2e9396-908e-4a36-ad67-2e40452ce017 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/managing-your-data-collection-packages.md b/windows/plan/managing-your-data-collection-packages.md index eb9af845ad..46eaa26130 100644 --- a/windows/plan/managing-your-data-collection-packages.md +++ b/windows/plan/managing-your-data-collection-packages.md @@ -2,8 +2,9 @@ title: Managing Your Data-Collection Packages (Windows 10) description: This section provides information about using Application Compatibility Manager (ACM) to manage your data-collection packages. ms.assetid: 369ae82f-c8ca-42ec-85df-1b760a74e70a -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/organizational-tasks-for-each-report-type.md b/windows/plan/organizational-tasks-for-each-report-type.md index e49ccba8f8..e572f3b042 100644 --- a/windows/plan/organizational-tasks-for-each-report-type.md +++ b/windows/plan/organizational-tasks-for-each-report-type.md @@ -2,8 +2,9 @@ title: Organizational Tasks for Each Report Type (Windows 10) description: The following table shows which tasks can be performed for each report type. ms.assetid: 7463fab1-ba6e-4a9a-9112-0b69a18fe353 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/organizing-your-compatibility-data.md b/windows/plan/organizing-your-compatibility-data.md index 15d1d152b6..54bc38d151 100644 --- a/windows/plan/organizing-your-compatibility-data.md +++ b/windows/plan/organizing-your-compatibility-data.md @@ -2,8 +2,9 @@ title: Organizing Your Compatibility Data (Windows 10) description: This section provides step-by-step instructions for organizing your compatibility data in Application Compatibility Manager (ACM). ms.assetid: e91ae444-5d85-4b5f-b655-a765ecc78b1e -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/prepare-your-organization-for-windows-to-go.md b/windows/plan/prepare-your-organization-for-windows-to-go.md index f66acaff2b..fabf25bc73 100644 --- a/windows/plan/prepare-your-organization-for-windows-to-go.md +++ b/windows/plan/prepare-your-organization-for-windows-to-go.md @@ -3,8 +3,9 @@ title: Prepare your organization for Windows To Go (Windows 10) description: Prepare your organization for Windows To Go ms.assetid: f3f3c160-90ad-40a8-aeba-2aedee18f7ff keywords: ["mobile, device, USB, deploy"] -ms.prod: W10 -ms.mktglfcycl: deploy +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: mobility ms.sitesec: library author: mtniehaus --- diff --git a/windows/plan/prioritizing-your-compatibility-data.md b/windows/plan/prioritizing-your-compatibility-data.md index b597b63fc8..3d55e9d1f3 100644 --- a/windows/plan/prioritizing-your-compatibility-data.md +++ b/windows/plan/prioritizing-your-compatibility-data.md @@ -2,8 +2,9 @@ title: Prioritizing Your Compatibility Data (Windows 10) ms.assetid: 103e125a-bd2b-4019-9d6a-2e1d50c380b1 description: -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/ratings-icons-in-acm.md b/windows/plan/ratings-icons-in-acm.md index ab8a3a47ec..e8f095c0ac 100644 --- a/windows/plan/ratings-icons-in-acm.md +++ b/windows/plan/ratings-icons-in-acm.md @@ -2,8 +2,9 @@ title: Ratings Icons in ACM (Windows 10) description: Compatibility ratings can originate from Microsoft, the application vendor, your organization, and from the Application Compatibility Toolkit (ACT) community. ms.assetid: 0165499e-cb47-4d76-98a6-b871d23e4e83 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/resolving-an-issue.md b/windows/plan/resolving-an-issue.md index 74ffe1f620..4d5557c944 100644 --- a/windows/plan/resolving-an-issue.md +++ b/windows/plan/resolving-an-issue.md @@ -2,8 +2,9 @@ title: Resolving an Issue (Windows 10) description: You can use Application Compatibility Manager (ACM) to flag issues as resolved. Resolving an issue changes the status of the issue from a red x to a green check mark on your report and report detail screens. ms.assetid: 96195122-185d-4f6a-8e84-79c3d069e933 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/saving-opening-and-exporting-reports.md b/windows/plan/saving-opening-and-exporting-reports.md index 2f947a935e..67d940bd0d 100644 --- a/windows/plan/saving-opening-and-exporting-reports.md +++ b/windows/plan/saving-opening-and-exporting-reports.md @@ -2,8 +2,9 @@ title: Saving, Opening, and Exporting Reports (Windows 10) description: You can perform several common reporting tasks from the Analyze screen, including saving a compatibility report, opening a saved compatibility report (.adq) file, and exporting your report data to a spreadsheet (.xls) file. ms.assetid: 8be72a6c-63ab-4451-ad79-815e2ac18aa2 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/searching-for-fixed-applications-in-compatibility-administrator.md b/windows/plan/searching-for-fixed-applications-in-compatibility-administrator.md index 6c83a990ee..99b2f4a61f 100644 --- a/windows/plan/searching-for-fixed-applications-in-compatibility-administrator.md +++ b/windows/plan/searching-for-fixed-applications-in-compatibility-administrator.md @@ -2,8 +2,9 @@ title: Searching for Fixed Applications in Compatibility Administrator (Windows 10) description: With the search functionality in Compatibility Administrator, you can locate specific executable (.exe) files with previously applied compatibility fixes, compatibility modes, or AppHelp messages. ms.assetid: 1051a2dc-0362-43a4-8ae8-07dae39b1cb8 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md b/windows/plan/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md index bdc0043f6b..25906a1746 100644 --- a/windows/plan/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md +++ b/windows/plan/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md @@ -2,8 +2,9 @@ title: Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator (Windows 10) description: You can access the Query tool from within Compatibility Administrator. The Query tool provides the same functionality as using the Search feature. ms.assetid: dd213b55-c71c-407a-ad49-33db54f82f22 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/security-and-data-protection-considerations-for-windows-to-go.md b/windows/plan/security-and-data-protection-considerations-for-windows-to-go.md index 7343863528..999d2e6956 100644 --- a/windows/plan/security-and-data-protection-considerations-for-windows-to-go.md +++ b/windows/plan/security-and-data-protection-considerations-for-windows-to-go.md @@ -2,9 +2,10 @@ title: Security and data protection considerations for Windows To Go (Windows 10) description: One of the most important requirements to consider when you plan your Windows To Go deployment is to ensure that the data, content, and resources you work with in the Windows To Go workspace is protected and secure. ms.assetid: 5f27339f-6761-44f4-8c29-9a25cf8e75fe -keywords: ["mobile, device, USB, secure, BitLocker"] -ms.prod: W10 -ms.mktglfcycl: deploy +keywords: mobile, device, USB, secure, BitLocker +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: mobility, security ms.sitesec: library author: mtniehaus --- diff --git a/windows/plan/selecting-the-send-and-receive-status-for-an-application.md b/windows/plan/selecting-the-send-and-receive-status-for-an-application.md index 0a8f1c3450..782d3c1651 100644 --- a/windows/plan/selecting-the-send-and-receive-status-for-an-application.md +++ b/windows/plan/selecting-the-send-and-receive-status-for-an-application.md @@ -2,8 +2,9 @@ title: Selecting the Send and Receive Status for an Application (Windows 10) description: For each application listed in Application Compatibility Manager (ACM), you can select whether to send and receive specific application data through the Microsoft Compatibility Exchange. ms.assetid: ae139093-27cf-4ad8-882d-e0509e78d33a -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/selecting-your-compatibility-rating.md b/windows/plan/selecting-your-compatibility-rating.md index 3b64974c1d..b7042d456d 100644 --- a/windows/plan/selecting-your-compatibility-rating.md +++ b/windows/plan/selecting-your-compatibility-rating.md @@ -2,8 +2,9 @@ title: Selecting Your Compatibility Rating (Windows 10) description: You can rate the compatibility of your applications, installation packages, or websites, based on whether they run successfully on a 32-bit or 64-bit operating system. ms.assetid: 959da499-8fd6-4f32-8771-a0580dd8e0d3 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/selecting-your-deployment-status.md b/windows/plan/selecting-your-deployment-status.md index 4d47ec35fb..8cc4a070bc 100644 --- a/windows/plan/selecting-your-deployment-status.md +++ b/windows/plan/selecting-your-deployment-status.md @@ -2,8 +2,9 @@ title: Selecting Your Deployment Status (Windows 10) description: In Application Compatibility Manager (ACM), you can track the deployment status of your applications and websites. ms.assetid: 7735d256-77eb-4498-93aa-c838ee6e00fc -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/sending-and-receiving-compatibility-data.md b/windows/plan/sending-and-receiving-compatibility-data.md index e2165cb7e6..5a694085b2 100644 --- a/windows/plan/sending-and-receiving-compatibility-data.md +++ b/windows/plan/sending-and-receiving-compatibility-data.md @@ -2,8 +2,9 @@ title: Sending and Receiving Compatibility Data (Windows 10) description: The Microsoft® Compatibility Exchange is a web service that propagates application compatibility issues between various data sources, for example Microsoft Corporation, independent software vendors (ISVs) and the ACT Community. ms.assetid: b86d2431-1caa-4f95-baf9-52ff6af546cd -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/settings-for-acm.md b/windows/plan/settings-for-acm.md index b548b8f403..6abb406ec3 100644 --- a/windows/plan/settings-for-acm.md +++ b/windows/plan/settings-for-acm.md @@ -2,8 +2,9 @@ title: Settings for ACM (Windows 10) description: This section provides information about settings that you can configure in Application Compatibility Manager (ACM). ms.assetid: e0126284-4348-4708-8976-a1e404f35971 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/setup-and-deployment.md b/windows/plan/setup-and-deployment.md index 590be310dd..618c4b80a0 100644 --- a/windows/plan/setup-and-deployment.md +++ b/windows/plan/setup-and-deployment.md @@ -6,7 +6,7 @@ keywords: update, upgrade, deployment ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library -ms.pagetype: servicing; devices +ms.pagetype: servicing, devices author: TrudyHa --- diff --git a/windows/plan/showing-messages-generated-by-the-sua-tool.md b/windows/plan/showing-messages-generated-by-the-sua-tool.md index 1b34533117..03651875c5 100644 --- a/windows/plan/showing-messages-generated-by-the-sua-tool.md +++ b/windows/plan/showing-messages-generated-by-the-sua-tool.md @@ -2,8 +2,9 @@ title: Showing Messages Generated by the SUA Tool (Windows 10) description: On the user interface for the Standard User Analyzer (SUA) tool, you can show the messages that the tool has generated. ms.assetid: 767eb7f2-d6c4-414c-a7b3-a997337d904a -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/software-requirements-for-act.md b/windows/plan/software-requirements-for-act.md index 5b3047ffaf..3564e2d753 100644 --- a/windows/plan/software-requirements-for-act.md +++ b/windows/plan/software-requirements-for-act.md @@ -2,8 +2,9 @@ title: Software Requirements for ACT (Windows 10) description: The Application Compatibility Toolkit (ACT) has the following software requirements. ms.assetid: 9bbc21d4-f2ac-4a91-8add-017b1eacdeee -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/software-requirements-for-rap.md b/windows/plan/software-requirements-for-rap.md index 18462f9bd7..07311438e4 100644 --- a/windows/plan/software-requirements-for-rap.md +++ b/windows/plan/software-requirements-for-rap.md @@ -2,8 +2,9 @@ title: Software Requirements for RAP (Windows 10) description: The runtime-analysis package (RAP) has the following software requirements. ms.assetid: 0163ce70-f5ba-400c-bdd5-a25511aac91f -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/sua-users-guide.md b/windows/plan/sua-users-guide.md index d907f4229d..e0f2921b80 100644 --- a/windows/plan/sua-users-guide.md +++ b/windows/plan/sua-users-guide.md @@ -2,8 +2,9 @@ title: SUA User's Guide (Windows 10) description: You can use Standard User Analyzer (SUA) to test your applications and monitor API calls to detect compatibility issues related to the User Account Control (UAC) feature in Windows. ms.assetid: ea525c25-b557-4ed4-b042-3e4d0e543e10 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/tabs-on-the-sua-tool-interface.md b/windows/plan/tabs-on-the-sua-tool-interface.md index 70a9ac7535..721e32bca7 100644 --- a/windows/plan/tabs-on-the-sua-tool-interface.md +++ b/windows/plan/tabs-on-the-sua-tool-interface.md @@ -2,8 +2,9 @@ title: Tabs on the SUA Tool Interface (Windows 10) description: The tabs in the Standard User Analyzer (SUA) tool show the User Account Control (UAC) issues for the applications that you analyze. ms.assetid: 0d705321-1d85-4217-bf2c-0ca231ca303b -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/taking-inventory-of-your-organization.md b/windows/plan/taking-inventory-of-your-organization.md index d42fc430b2..07b40d240a 100644 --- a/windows/plan/taking-inventory-of-your-organization.md +++ b/windows/plan/taking-inventory-of-your-organization.md @@ -2,8 +2,9 @@ title: Taking Inventory of Your Organization (Windows 10) description: This section provides information about how to use the Application Compatibility Toolkit (ACT) to identify applications and devices that are installed in your organization. ms.assetid: d52f138d-c6b2-4ab1-bb38-5b036311a51d -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/testing-compatibility-on-the-target-platform.md b/windows/plan/testing-compatibility-on-the-target-platform.md index 10111af439..621a8bfeb2 100644 --- a/windows/plan/testing-compatibility-on-the-target-platform.md +++ b/windows/plan/testing-compatibility-on-the-target-platform.md @@ -2,8 +2,9 @@ title: Testing Compatibility on the Target Platform (Windows 10) description: This section provides information about setting up a test environment for compatibility testing, and about creating and deploying runtime-analysis packages to the test environment. ms.assetid: 8f3e9d58-37c2-41ea-a216-32712baf6cf4 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/testing-your-application-mitigation-packages.md b/windows/plan/testing-your-application-mitigation-packages.md index df727951fd..669904c1e6 100644 --- a/windows/plan/testing-your-application-mitigation-packages.md +++ b/windows/plan/testing-your-application-mitigation-packages.md @@ -2,8 +2,9 @@ title: Testing Your Application Mitigation Packages (Windows 10) description: This topic provides details about testing your application-mitigation packages, including recommendations about how to report your information and how to resolve any outstanding issues. ms.assetid: ae946f27-d377-4db9-b179-e8875d454ccf -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/troubleshooting-act-database-issues.md b/windows/plan/troubleshooting-act-database-issues.md index 758df1a050..ba1e7c4f7a 100644 --- a/windows/plan/troubleshooting-act-database-issues.md +++ b/windows/plan/troubleshooting-act-database-issues.md @@ -2,8 +2,9 @@ title: Troubleshooting ACT Database Issues (Windows 10) description: The following solutions may help you resolve issues that are related to your Microsoft® SQL Server® database for the Application Compatibility Toolkit (ACT). ms.assetid: c36ab5d8-cc82-4681-808d-3d491551b75e -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/troubleshooting-act.md b/windows/plan/troubleshooting-act.md index 1dbfeee130..3de62348a2 100644 --- a/windows/plan/troubleshooting-act.md +++ b/windows/plan/troubleshooting-act.md @@ -2,8 +2,9 @@ title: Troubleshooting ACT (Windows 10) description: This section provides troubleshooting information for the Application Compatibility Toolkit (ACT). ms.assetid: 5696b0c0-5db5-4111-a1e1-825129e683d8 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/troubleshooting-the-act-configuration-wizard.md b/windows/plan/troubleshooting-the-act-configuration-wizard.md index 058b39db72..709b60fb6d 100644 --- a/windows/plan/troubleshooting-the-act-configuration-wizard.md +++ b/windows/plan/troubleshooting-the-act-configuration-wizard.md @@ -2,8 +2,9 @@ title: Troubleshooting the ACT Configuration Wizard (Windows 10) description: When you start Application Compatibility Manager (ACM) for the first time, the Application Compatibility Toolkit (ACT) Configuration Wizard appears. ms.assetid: f4f489c7-50b7-4b07-8b03-79777e1aaefd -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/troubleshooting-the-act-log-processing-service.md b/windows/plan/troubleshooting-the-act-log-processing-service.md index 8fef3bc4b5..0fff19e588 100644 --- a/windows/plan/troubleshooting-the-act-log-processing-service.md +++ b/windows/plan/troubleshooting-the-act-log-processing-service.md @@ -2,8 +2,9 @@ title: Troubleshooting the ACT Log Processing Service (Windows 10) description: The following solutions may help you resolve issues that are related to the Application Compatibility Toolkit (ACT) Log Processing Service. ms.assetid: cb6f90c2-9f7d-4a34-a91e-8ed55b8c256d -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/understanding-and-using-compatibility-fixes.md b/windows/plan/understanding-and-using-compatibility-fixes.md index bde6db5bc2..6c73a5645b 100644 --- a/windows/plan/understanding-and-using-compatibility-fixes.md +++ b/windows/plan/understanding-and-using-compatibility-fixes.md @@ -2,8 +2,9 @@ title: Understanding and Using Compatibility Fixes (Windows 10) description: As the Windows operating system evolves to support new technology and functionality, the implementations of some functions may change. ms.assetid: 84bf663d-3e0b-4168-99d6-a26e054821b7 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/using-act.md b/windows/plan/using-act.md index a091159a76..3793af0dd1 100644 --- a/windows/plan/using-act.md +++ b/windows/plan/using-act.md @@ -2,8 +2,9 @@ title: Using ACT (Windows 10) description: This section describes how to use the Application Compatibility Toolkit (ACT) in your organization. ms.assetid: e6a68f44-7503-450d-a000-a04fbb93a146 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/using-compatibility-monitor-to-send-feedback.md b/windows/plan/using-compatibility-monitor-to-send-feedback.md index 4bf3abf7e8..9a86a64d25 100644 --- a/windows/plan/using-compatibility-monitor-to-send-feedback.md +++ b/windows/plan/using-compatibility-monitor-to-send-feedback.md @@ -2,8 +2,9 @@ title: Using Compatibility Monitor to Send Feedback (Windows 10) description: The Microsoft Compatibility Monitor tool is installed as part of the runtime-analysis package. ms.assetid: dc59193e-7ff4-4950-8c20-e90c246e469d -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/using-the-compatibility-administrator-tool.md b/windows/plan/using-the-compatibility-administrator-tool.md index 09f3b30d05..26bd9c4a90 100644 --- a/windows/plan/using-the-compatibility-administrator-tool.md +++ b/windows/plan/using-the-compatibility-administrator-tool.md @@ -2,8 +2,9 @@ title: Using the Compatibility Administrator Tool (Windows 10) description: This section provides information about using the Compatibility Administrator tool. ms.assetid: 57271e47-b9b9-4018-a0b5-7115a533166d -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/using-the-sdbinstexe-command-line-tool.md b/windows/plan/using-the-sdbinstexe-command-line-tool.md index 26fdc888d1..fdd93bf2f3 100644 --- a/windows/plan/using-the-sdbinstexe-command-line-tool.md +++ b/windows/plan/using-the-sdbinstexe-command-line-tool.md @@ -2,8 +2,9 @@ title: Using the Sdbinst.exe Command-Line Tool (Windows 10) description: You must deploy your customized database (.sdb) files to other computers in your organization before your compatibility fixes, compatibility modes, and AppHelp messages are applied. ms.assetid: c1945425-3f8d-4de8-9d2d-59f801f07034 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/using-the-sua-tool.md b/windows/plan/using-the-sua-tool.md index 978389cd95..c758d2f32d 100644 --- a/windows/plan/using-the-sua-tool.md +++ b/windows/plan/using-the-sua-tool.md @@ -2,8 +2,9 @@ title: Using the SUA Tool (Windows 10) description: By using the Standard User Analyzer (SUA) tool, you can test your applications and monitor API calls to detect compatibility issues with the User Account Control (UAC) feature. ms.assetid: ebe52061-3816-47f7-a865-07bc5f405f03 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/using-the-sua-wizard.md b/windows/plan/using-the-sua-wizard.md index 7571be582c..a8f3b3ce03 100644 --- a/windows/plan/using-the-sua-wizard.md +++ b/windows/plan/using-the-sua-wizard.md @@ -2,8 +2,9 @@ title: Using the SUA Wizard (Windows 10) description: The Standard User Analyzer (SUA) Wizard works much like the SUA tool to evaluate User Account Control (UAC) issues. However, the SUA Wizard does not offer detailed analysis, and it cannot disable virtualization or elevate your permissions. ms.assetid: 29d07074-3de7-4ace-9a54-678af7255d6c -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/viewing-the-events-screen-in-compatibility-administrator.md b/windows/plan/viewing-the-events-screen-in-compatibility-administrator.md index 29d76d517d..8c89db2a64 100644 --- a/windows/plan/viewing-the-events-screen-in-compatibility-administrator.md +++ b/windows/plan/viewing-the-events-screen-in-compatibility-administrator.md @@ -2,8 +2,9 @@ title: Viewing the Events Screen in Compatibility Administrator (Windows 10) description: The Events screen enables you to record and to view your activities in the Compatibility Administrator tool, provided that the screen is open while you perform the activities. ms.assetid: f2b2ada4-1b7b-4558-989d-5b52b40454b3 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/viewing-your-compatibility-reports.md b/windows/plan/viewing-your-compatibility-reports.md index b1a40653dc..c0f5ffaae9 100644 --- a/windows/plan/viewing-your-compatibility-reports.md +++ b/windows/plan/viewing-your-compatibility-reports.md @@ -2,8 +2,9 @@ title: Viewing Your Compatibility Reports (Windows 10) description: This section describes the compatibility reports in Application Compatibility Manager (ACM) and how you can work with the reports. ms.assetid: a28bbfbe-5f05-4a1e-9397-0a3ceb585871 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/websiteurl-dialog-box.md b/windows/plan/websiteurl-dialog-box.md index 10f108276b..f9f44433db 100644 --- a/windows/plan/websiteurl-dialog-box.md +++ b/windows/plan/websiteurl-dialog-box.md @@ -2,8 +2,9 @@ title: WebsiteURL Dialog Box (Windows 10) description: In Application Compatibility Manager (ACM), the websiteURL dialog box shows information about the selected website. ms.assetid: 0dad26e1-4bba-4fef-b160-3fa1f4325da8 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/welcome-to-act.md b/windows/plan/welcome-to-act.md index fdbbc6ad7d..c6755be21e 100644 --- a/windows/plan/welcome-to-act.md +++ b/windows/plan/welcome-to-act.md @@ -2,8 +2,9 @@ title: Welcome to ACT (Windows 10) description: The Application Compatibility Toolkit (ACT) helps you determine whether the applications, devices, and computers in your organization are compatible with versions of the Windows® operating system. ms.assetid: 3963db88-83d2-4b9a-872e-31c275d1a321 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/whats-new-in-act-60.md b/windows/plan/whats-new-in-act-60.md index c765ca62eb..b516ef3eae 100644 --- a/windows/plan/whats-new-in-act-60.md +++ b/windows/plan/whats-new-in-act-60.md @@ -2,8 +2,9 @@ title: What's New in ACT 6.1 (Windows 10) description: Two major updates have been released since ACT 6.1. ms.assetid: f12e137d-0b55-4f7d-88e0-149302655d9b -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/windows-10-compatibility.md b/windows/plan/windows-10-compatibility.md index 7823fc3961..7466117367 100644 --- a/windows/plan/windows-10-compatibility.md +++ b/windows/plan/windows-10-compatibility.md @@ -2,9 +2,10 @@ title: Windows 10 compatibility (Windows 10) description: Windows 10 will be compatible with most existing PC hardware; most devices running Windows 7, Windows 8, or Windows 8.1 will meet the requirements for Windows 10. ms.assetid: 829BE5B5-330A-4702-807A-8908B4FC94E8 -keywords: ["deploy", "upgrade", "update", "appcompat"] -ms.prod: W10 +keywords: deploy, upgrade, update, appcompat +ms.prod: w10 ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: mtniehaus --- diff --git a/windows/plan/windows-10-deployment-considerations.md b/windows/plan/windows-10-deployment-considerations.md index 51d122fa2b..cefe2e8c90 100644 --- a/windows/plan/windows-10-deployment-considerations.md +++ b/windows/plan/windows-10-deployment-considerations.md @@ -2,8 +2,8 @@ title: Windows 10 deployment considerations (Windows 10) description: There are new deployment options in Windows 10 that help you simplify the deployment process and automate migration of existing settings and applications. ms.assetid: A8DD6B37-1E11-4CD6-B588-92C2404219FE -keywords: ["deploy", "upgrade", "update", "in-place"] -ms.prod: W10 +keywords: deploy, upgrade, update, in-place +ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library author: mtniehaus diff --git a/windows/plan/windows-10-guidance-for-education-environments.md b/windows/plan/windows-10-guidance-for-education-environments.md index c40e7da07e..f4ce0e1a32 100644 --- a/windows/plan/windows-10-guidance-for-education-environments.md +++ b/windows/plan/windows-10-guidance-for-education-environments.md @@ -1,11 +1,12 @@ --- title: Guidance for education environments (Windows 10) description: Find resources to help you plan your deployment of Windows 10 to desktops, laptops, tablets, and other devices in educational institutions. +redirect_url: https://technet.microsoft.com/edu/windows/index ms.assetid: 225C9D6F-9329-4DDF-B447-6CE7804E314E -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library -ms.pagetype: security +ms.pagetype: edu, security author: craigash --- diff --git a/windows/plan/windows-10-infrastructure-requirements.md b/windows/plan/windows-10-infrastructure-requirements.md index bfa40b1eca..f8a5b10095 100644 --- a/windows/plan/windows-10-infrastructure-requirements.md +++ b/windows/plan/windows-10-infrastructure-requirements.md @@ -2,8 +2,8 @@ title: Windows 10 infrastructure requirements (Windows 10) description: There are specific infrastructure requirements to deploy and manage Windows 10 that should be in place prior to significant Windows 10 deployments within your organization. ms.assetid: B0FA27D9-A206-4E35-9AE6-74E70748BE64 -keywords: ["deploy", "upgrade", "update", "hardware"] -ms.prod: W10 +keywords: deploy, upgrade, update, hardware +ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library author: mtniehaus diff --git a/windows/plan/windows-10-servicing-options.md b/windows/plan/windows-10-servicing-options.md index 0cf0cd63eb..2e67c97c04 100644 --- a/windows/plan/windows-10-servicing-options.md +++ b/windows/plan/windows-10-servicing-options.md @@ -2,9 +2,10 @@ title: Windows 10 servicing options (Windows 10) description: Windows 10 provides a new model for organizations to deploy and upgrade Windows by providing updates to features and capabilities through a continual process. ms.assetid: 6EF0792C-B587-497D-8489-4A7F5848D92A -keywords: ["deploy", "upgrade", "update", "servicing"] -ms.prod: W10 +keywords: deploy, upgrade, update, servicing +ms.prod: w10 ms.mktglfcycl: plan +ms.pagetype: servicing ms.sitesec: library author: mtniehaus --- diff --git a/windows/plan/windows-to-go-frequently-asked-questions.md b/windows/plan/windows-to-go-frequently-asked-questions.md index 0eaa4178e6..a9f0dfee6c 100644 --- a/windows/plan/windows-to-go-frequently-asked-questions.md +++ b/windows/plan/windows-to-go-frequently-asked-questions.md @@ -2,9 +2,10 @@ title: Windows To Go frequently asked questions (Windows 10) description: Windows To Go frequently asked questions ms.assetid: bfdfb824-4a19-4401-b369-22c5e6ca9d6e -keywords: ["FAQ, mobile, device, USB"] -ms.prod: W10 +keywords: FAQ, mobile, device, USB +ms.prod: w10 ms.mktglfcycl: deploy +ms.pagetype: mobility ms.sitesec: library author: mtniehaus --- diff --git a/windows/plan/windows-to-go-overview.md b/windows/plan/windows-to-go-overview.md index c473ab949b..f00dfb55ea 100644 --- a/windows/plan/windows-to-go-overview.md +++ b/windows/plan/windows-to-go-overview.md @@ -2,9 +2,10 @@ title: Windows To Go feature overview (Windows 10) description: Windows To Go is a feature in Windows 10 Enterprise and Windows 10 Education that enables the creation of a Windows To Go workspace that can be booted from a USB-connected external drive on PCs. ms.assetid: 9df82b03-acba-442c-801d-56db241f8d42 -keywords: ["workspace, mobile, installation, image, USB, device, image"] +keywords: workspace, mobile, installation, image, USB, device, image, edu ms.prod: w10 ms.mktglfcycl: deploy +ms.pagetype: mobility, edu ms.sitesec: library author: mtniehaus --- diff --git a/windows/plan/windows-update-for-business.md b/windows/plan/windows-update-for-business.md index 7371c01825..67c4200203 100644 --- a/windows/plan/windows-update-for-business.md +++ b/windows/plan/windows-update-for-business.md @@ -2,7 +2,7 @@ title: Windows Update for Business (Windows 10) description: Get an overview of how you can implement and deploy a Windows Update for Business solution and how to maintain enrolled systems. ms.assetid: DF61F8C9-A8A6-4E83-973C-8ABE090DB8C6 -keywords: [update, upgrade, deployment, WSUS +keywords: update, upgrade, deployment, WSUS ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library diff --git a/windows/whats-new/applocker.md b/windows/whats-new/applocker.md index cd25de1dee..355d16bacc 100644 --- a/windows/whats-new/applocker.md +++ b/windows/whats-new/applocker.md @@ -3,7 +3,7 @@ title: What's new in AppLocker (Windows 10) description: AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers. ms.assetid: 6F836FF6-7794-4E7B-89AA-1EABA1BF183F ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library author: brianlic-msft diff --git a/windows/whats-new/bitlocker.md b/windows/whats-new/bitlocker.md index d0b31ecfc5..99353d9d7b 100644 --- a/windows/whats-new/bitlocker.md +++ b/windows/whats-new/bitlocker.md @@ -2,7 +2,7 @@ title: What's new in BitLocker (Windows 10) description: BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. ms.assetid: 3F2DE365-68A1-4CDB-AB5F-C65574684C7B -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security diff --git a/windows/whats-new/change-history-for-what-s-new-in-windows-10.md b/windows/whats-new/change-history-for-what-s-new-in-windows-10.md index 077f30c7a7..14362dd08c 100644 --- a/windows/whats-new/change-history-for-what-s-new-in-windows-10.md +++ b/windows/whats-new/change-history-for-what-s-new-in-windows-10.md @@ -2,7 +2,7 @@ title: Change history for What's new in Windows 10 (Windows 10) description: This topic lists new and updated topics in the What's new in Windows 10 documentation for Windows 10 and Windows 10 Mobile. ms.assetid: 75F285B0-09BE-4821-9B42-37B9BE54CEC6 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: TrudyHa diff --git a/windows/whats-new/credential-guard.md b/windows/whats-new/credential-guard.md index 148a76ff4e..5bd63a42af 100644 --- a/windows/whats-new/credential-guard.md +++ b/windows/whats-new/credential-guard.md @@ -3,7 +3,7 @@ title: What's new in Credential Guard (Windows 10) description: Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. ms.assetid: 59C206F7-2832-4555-97B4-3070D93CC3C5 ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library author: brianlic-msft diff --git a/windows/whats-new/device-guard-overview.md b/windows/whats-new/device-guard-overview.md index bdb9a878db..669cdadb48 100644 --- a/windows/whats-new/device-guard-overview.md +++ b/windows/whats-new/device-guard-overview.md @@ -4,7 +4,7 @@ description: Device Guard is a combination of enterprise-related hardware and so ms.assetid: FFE244EE-5804-4CE8-A2A9-48F49DC3AEF2 ms.pagetype: security keywords: Device Guard -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library author: brianlic-msft diff --git a/windows/whats-new/device-management.md b/windows/whats-new/device-management.md index acf0982f94..4ea023327b 100644 --- a/windows/whats-new/device-management.md +++ b/windows/whats-new/device-management.md @@ -2,7 +2,8 @@ title: Enterprise management for Windows 10 devices (Windows 10) description: Windows 10 provides mobile device management (MDM) capabilities that enable enterprise-level management of devices. ms.assetid: 36DA67A1-25F1-45AD-A36B-AEEAC30C9BC4 -ms.prod: W10 +ms.prod: w10 +ms.pagetype: devices, mobile ms.mktglfcycl: explore ms.sitesec: library author: jdeckerMS diff --git a/windows/whats-new/edge-ie11-whats-new-overview.md b/windows/whats-new/edge-ie11-whats-new-overview.md index 7a70709259..ab7d69d78f 100644 --- a/windows/whats-new/edge-ie11-whats-new-overview.md +++ b/windows/whats-new/edge-ie11-whats-new-overview.md @@ -2,7 +2,7 @@ title: Browser Microsoft Edge and Internet Explorer 11 (Windows 10) description: Resources to help you explore the Windows 10 browsing options for your enterprise. ms.assetid: e986f903-69ad-4145-9d24-0c6d04b3e489 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library author: eross-msft diff --git a/windows/whats-new/edp-whats-new-overview.md b/windows/whats-new/edp-whats-new-overview.md index 26e5b09d9b..696556b54d 100644 --- a/windows/whats-new/edp-whats-new-overview.md +++ b/windows/whats-new/edp-whats-new-overview.md @@ -3,7 +3,7 @@ title: Enterprise data protection (EDP) overview (Windows 10) description: With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data disclosure through apps and services that are outside of the enterprise’s control like email, social media, and the public cloud. ms.assetid: 428A3135-CB5E-478B-B1FF-B6EB76F0DF14 keywords: EDP Overview, EDP -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security diff --git a/windows/whats-new/index.md b/windows/whats-new/index.md index 28468ba5d2..91bd262819 100644 --- a/windows/whats-new/index.md +++ b/windows/whats-new/index.md @@ -3,7 +3,7 @@ title: What's new in Windows 10 (Windows 10) description: Learn about new features in Windows 10 for IT professionals, such as Enterprise Data Protection, Microsoft Passport, Device Guard, and more. ms.assetid: F1867017-76A1-4761-A200-7450B96AEF44 keywords: ["What's new in Windows 10", "Windows 10"] -ms.prod: W10 +ms.prod: w10 author: TrudyHa --- diff --git a/windows/whats-new/lockdown-features-windows-10.md b/windows/whats-new/lockdown-features-windows-10.md index 265ddba22a..7df7446f4e 100644 --- a/windows/whats-new/lockdown-features-windows-10.md +++ b/windows/whats-new/lockdown-features-windows-10.md @@ -3,7 +3,7 @@ title: Lockdown features from Windows Embedded 8.1 Industry (Windows 10) description: Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10. ms.assetid: 3C006B00-535C-4BA4-9421-B8F952D47A14 keywords: lockdown, embedded -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/whats-new/microsoft-passport.md b/windows/whats-new/microsoft-passport.md index 6ee13afe28..2c49406384 100644 --- a/windows/whats-new/microsoft-passport.md +++ b/windows/whats-new/microsoft-passport.md @@ -3,7 +3,7 @@ title: Microsoft Passport overview (Windows 10) description: In Windows 10, Microsoft Passport replaces passwords with strong two-factor authentication. ms.assetid: 292F3BE9-3651-4B20-B83F-85560631EF5B keywords: password, hello, fingerprint, iris, biometric -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security diff --git a/windows/whats-new/new-provisioning-packages.md b/windows/whats-new/new-provisioning-packages.md index b389c0b3c6..9a0d03ddeb 100644 --- a/windows/whats-new/new-provisioning-packages.md +++ b/windows/whats-new/new-provisioning-packages.md @@ -2,7 +2,7 @@ title: Provisioning packages (Windows 10) description: With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. ms.assetid: 287706E5-063F-4AB5-902C-A0DF6D0730BC -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library author: jdeckerMS diff --git a/windows/whats-new/security-auditing.md b/windows/whats-new/security-auditing.md index 92e3548a8c..26276b5e0a 100644 --- a/windows/whats-new/security-auditing.md +++ b/windows/whats-new/security-auditing.md @@ -2,7 +2,7 @@ title: What's new in security auditing (Windows 10) description: Security auditing is one of the most powerful tools that you can use to maintain the integrity of your system. ms.assetid: CB35A02E-5C66-449D-8C90-7B73C636F67B -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library author: brianlic-msft diff --git a/windows/whats-new/security.md b/windows/whats-new/security.md index d8784f6c41..ae44b5893e 100644 --- a/windows/whats-new/security.md +++ b/windows/whats-new/security.md @@ -3,7 +3,7 @@ title: What's new in Windows 10 security (Windows 10) description: There are several key client security improvements Microsoft has made in Windows 10. ms.assetid: 6B8A5F7A-ABD3-416C-87B0-85F68B214C81 keywords: secure, data loss prevention, multifactor authentication -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security diff --git a/windows/whats-new/trusted-platform-module.md b/windows/whats-new/trusted-platform-module.md index 34233ef3a4..bbf7d88d6b 100644 --- a/windows/whats-new/trusted-platform-module.md +++ b/windows/whats-new/trusted-platform-module.md @@ -2,7 +2,7 @@ title: What's new in Trusted Platform Module (Windows 10) description: This topic for the IT professional describes new features for the Trusted Platform Module (TPM) in Windows 10. ms.assetid: CE8BBC2A-EE2D-4DFA-958E-2A178F2E6C44 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security diff --git a/windows/whats-new/user-account-control.md b/windows/whats-new/user-account-control.md index 0b655fc120..fad8ee0ff5 100644 --- a/windows/whats-new/user-account-control.md +++ b/windows/whats-new/user-account-control.md @@ -2,7 +2,7 @@ title: What's new in User Account Control (Windows 10) description: User Account Control (UAC) helps prevent malware from damaging a computer and helps organizations deploy a better-managed desktop environment. ms.assetid: 9281870C-0819-4694-B4F1-260255BB8D07 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security diff --git a/windows/whats-new/windows-spotlight.md b/windows/whats-new/windows-spotlight.md index 4a183d6587..554c9149cb 100644 --- a/windows/whats-new/windows-spotlight.md +++ b/windows/whats-new/windows-spotlight.md @@ -3,7 +3,7 @@ title: Windows Spotlight on the lock screen (Windows 10) description: Windows Spotlight is an option for the lock screen background that displays different background images on the lock screen. ms.assetid: 1AEA51FA-A647-4665-AD78-2F3FB27AD46A keywords: ["lockscreen"] -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library author: jdeckerMS diff --git a/windows/whats-new/windows-store-for-business-overview.md b/windows/whats-new/windows-store-for-business-overview.md index f2eea69ec7..ca022e0b5d 100644 --- a/windows/whats-new/windows-store-for-business-overview.md +++ b/windows/whats-new/windows-store-for-business-overview.md @@ -2,7 +2,8 @@ title: Windows Store for Business overview (Windows 10) description: With the new Windows Store for Business, organizations can make volume purchases of Windows apps. ms.assetid: 9DA71F6B-654D-4121-9A40-D473CC654A1C -ms.prod: W10 +ms.prod: w10 +ms.pagetype: store ms.mktglfcycl: manage ms.sitesec: library author: TrudyHa diff --git a/windows/whats-new/windows-update-for-business.md b/windows/whats-new/windows-update-for-business.md index 0d2dfd165d..24ae371549 100644 --- a/windows/whats-new/windows-update-for-business.md +++ b/windows/whats-new/windows-update-for-business.md @@ -2,7 +2,7 @@ title: What's new in Windows Update for Business (Windows 10) description: Windows Update for Business enables information technology administrators to keep the Windows 10-based devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Microsoft’s Windows Update service. ms.assetid: 9271FC9A-6AF1-4BBD-A272-909BF54363F4 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library author: TrudyHa