diff --git a/windows/whats-new/applocker.md b/windows/whats-new/applocker.md index 1c14abc6dc..48ac0556a8 100644 --- a/windows/whats-new/applocker.md +++ b/windows/whats-new/applocker.md @@ -7,6 +7,7 @@ ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library author: brianlic-msft +redirect_url: whats-new-windows-10-version-1511.md --- # What's new in AppLocker? diff --git a/windows/whats-new/bitlocker.md b/windows/whats-new/bitlocker.md index 4e9d0f7b61..128d29fdc0 100644 --- a/windows/whats-new/bitlocker.md +++ b/windows/whats-new/bitlocker.md @@ -7,6 +7,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security, mobile author: brianlic-msft +redirect_url: whats-new-windows-10-version-1511.md --- # What's new in BitLocker? diff --git a/windows/whats-new/credential-guard.md b/windows/whats-new/credential-guard.md index 48f7a4f853..885f9f4e3a 100644 --- a/windows/whats-new/credential-guard.md +++ b/windows/whats-new/credential-guard.md @@ -7,6 +7,7 @@ ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library author: brianlic-msft +redirect_url: whats-new-windows-10-version-1511.md --- # What's new in Credential Guard? diff --git a/windows/whats-new/security-auditing.md b/windows/whats-new/security-auditing.md index 13c6a7e5b8..446912aa1d 100644 --- a/windows/whats-new/security-auditing.md +++ b/windows/whats-new/security-auditing.md @@ -7,6 +7,7 @@ ms.mktglfcycl: explore ms.sitesec: library author: brianlic-msft ms.pagetype: security, mobile +redirect_url: whats-new-windows-10-version-1511.md --- # What's new in security auditing? diff --git a/windows/whats-new/trusted-platform-module.md b/windows/whats-new/trusted-platform-module.md index 18a325aa7f..e30d99b83d 100644 --- a/windows/whats-new/trusted-platform-module.md +++ b/windows/whats-new/trusted-platform-module.md @@ -7,6 +7,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security, mobile author: brianlic-msft +redirect_url: whats-new-windows-10-version-1511.md --- # What's new in Trusted Platform Module? diff --git a/windows/whats-new/user-account-control.md b/windows/whats-new/user-account-control.md index fad8ee0ff5..ebee1b9403 100644 --- a/windows/whats-new/user-account-control.md +++ b/windows/whats-new/user-account-control.md @@ -7,6 +7,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security author: brianlic-msft +redirect_url: whats-new-windows-10-version-1511.md --- # What's new in User Account Control? diff --git a/windows/whats-new/whats-new-windows-10-version-1511.md b/windows/whats-new/whats-new-windows-10-version-1511.md index c4cb4f3014..21442a52f1 100644 --- a/windows/whats-new/whats-new-windows-10-version-1511.md +++ b/windows/whats-new/whats-new-windows-10-version-1511.md @@ -23,6 +23,27 @@ With Windows 10, you can create provisioning packages that let you quickly and e ## Security +### Bitlocker + +The following Bitlocker features were added in Windows 10, version 1511. + +- **XTS-AES encryption algorithm**. BitLocker now supports the XTS-AES encryption algorithm. XTS-AES provides additional protection from a class of attacks on encryption that rely on manipulating cipher text to cause predictable changes in plain text. BitLocker supports both 128-bit and 256-bit XTS-AES keys. + It provides the following benefits: + - The algorithm is FIPS-compliant. + - Easy to administer. You can use the BitLocker Wizard, manage-bde, Group Policy, MDM policy, Windows PowerShell, or WMI to manage it on devices in your organization. + >**Note:**  Drives encrypted with XTS-AES will not be accessible on older version of Windows. This is only recommended for fixed and operating system drives. Removable drives should continue to use the AES-CBC 128-bit or AES-CBC 256-bit algorithms. + +### Credential Guard + +The following Credential Guard features were added in Windows 10, version 1511. + +- **Credential Manager support**. Credentials that are stored with Credential Manager, including domain credentials, are protected with Credential Guard with the following considerations: + - Credentials that are saved by the Remote Desktop Protocol cannot be used. Employees in your organization can manually store credentials in Credential Manager as generic credentials. + - Applications that extract derived domain credentials using undocumented APIs from Credential Manager will no longer be able to use those saved derived credentials. + - You cannot restore credentials using the Credential Manager control panel if the credentials were backed up from a PC that has Credential Guard turned on. If you need to back up your credentials, you must do this before you enable Credential Guard. Otherwise, you won't be able to restore those credentials. +- **Enable Credential Guard without UEFI lock**. You can enable Credential Guard by using the registry. This allows you to disable Credential Guard remotely. However, we recommend that Credential Guard is enabled with UEFI lock. You can configure this by using Group Policy. +- **CredSSP/TsPkg credential delegation**. CredSSP/TsPkg cannot delegate default credentials when Credential Guard is enabled. + ### Easier certificate management @@ -32,8 +53,15 @@ For Windows 10-based devices, you can use your MDM server to directly deploy cl In Windows 10, [Microsoft Passport](~/keep-secure/manage-identity-verification-using-microsoft-passport.md) replaces passwords with strong two-factor authentication that consists of an enrolled device and a Windows Hello (biometric) or PIN. -Microsoft Passport lets users authenticate to a Microsoft account, an Active Directory account, a Microsoft Azure Active Directory (AD) account, or non-Microsoft service that supports Fast ID Online (FIDO) authentication. After an initial two-step verification during Microsoft Passport enrollment, a Microsoft Passport is set up on the user's device and the user sets a gesture, which can be Windows Hello or a PIN. The user provides the gesture to verify identity; Windows then uses Microsoft Passport to authenticate users and help them to access protected resources and services. +Microsoft Passport lets users authenticate to a Microsoft account, an Active Directory account, a Microsoft Azure Active Directory (AD) account, or non-Microsoft service that supports Fast ID Online (FIDO) authentication. After an initial two-step verification during Microsoft Passport enrollment, a Microsoft Passport is set up on the user's device and the user sets a gesture, which can be Windows Hello or a PIN. The user provides the gesture to verify identity; Windows then uses Microsoft Passport to authenticate users and help them to access protected resources and services. +### Security auditing + +- The [WindowsSecurityAuditing](http://go.microsoft.com/fwlink/p/?LinkId=690517) and [Reporting](http://go.microsoft.com/fwlink/p/?LinkId=690525) configuration service providers allow you to add security audit policies to mobile devices. + +### Trusted Platform Module + +- Key Storage Providers (KSPs) and srvcrypt support elliptical curve cryptography (ECC). ## Management