Added the following new policies for Windows 10, version 1803:
-
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index c5ec170ba9..42c5737c3e 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -573,6 +573,9 @@ The following diagram shows the Policy configuration service provider in tree fo
- Connectivity/AllowNFC +
- + Connectivity/AllowPhonePCLinking +
- Connectivity/AllowUSBConnection @@ -4456,235 +4459,6 @@ The following diagram shows the Policy configuration service provider in tree fo - [WirelessDisplay/AllowProjectionToPC](./policy-csp-wirelessdisplay.md#wirelessdisplay-allowprojectiontopc) - [WirelessDisplay/RequirePinForPairing](./policy-csp-wirelessdisplay.md#wirelessdisplay-requirepinforpairing) - -## Policies supported by IoT Core - -- [ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock) -- [Authentication/AllowFastReconnect](#authentication-allowfastreconnect) -- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising) -- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode) -- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename) -- [Bluetooth/ServicesAllowedList](#bluetooth-servicesallowedlist) -- [Browser/AllowAutofill](#browser-allowautofill) -- [Browser/AllowBrowser](#browser-allowbrowser) -- [Browser/AllowCookies](#browser-allowcookies) -- [Browser/AllowDoNotTrack](#browser-allowdonottrack) -- [Browser/AllowInPrivate](#browser-allowinprivate) -- [Browser/AllowPasswordManager](#browser-allowpasswordmanager) -- [Browser/AllowPopups](#browser-allowpopups) -- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar) -- [Browser/EnterpriseModeSiteList](#browser-enterprisemodesitelist) -- [Browser/EnterpriseSiteListServiceUrl](#browser-enterprisesitelistserviceurl) -- [Browser/SendIntranetTraffictoInternetExplorer](#browser-sendintranettraffictointernetexplorer) -- [Camera/AllowCamera](#camera-allowcamera) -- [Cellular/ShowAppCellularAccessUI](#cellular-showappcellularaccessui) -- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth) -- [Connectivity/AllowCellularDataRoaming](#connectivity-allowcellulardataroaming) -- [Connectivity/AllowNFC](#connectivity-allownfc) -- [Connectivity/AllowUSBConnection](#connectivity-allowusbconnection) -- [Connectivity/AllowVPNOverCellular](#connectivity-allowvpnovercellular) -- [Connectivity/AllowVPNRoamingOverCellular](#connectivity-allowvpnroamingovercellular) -- [Connectivity/DiablePrintingOverHTTP](#connectivity-diableprintingoverhttp) -- [Connectivity/DisableDownloadingOfPrintDriversOverHTTP](#connectivity-disabledownloadingofprintdriversoverhttp) -- [Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards](#connectivity-disableinternetdownloadforwebpublishingandonlineorderingwizards) -- [Connectivity/HardenedUNCPaths](#connectivity-hardeneduncpaths) -- [Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge](#connectivity-prohibitinstallationandconfigurationofnetworkbridge) -- [CredentialProviders/AllowPINLogon](#credentialproviders-allowpinlogon) -- [CredentialProviders/BlockPicturePassword](#credentialproviders-blockpicturepassword) -- [DataProtection/AllowDirectMemoryAccess](#dataprotection-allowdirectmemoryaccess) -- [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo) -- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps) -- [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps) -- [Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](#privacy-letappsgetdiagnosticinfo-userincontroloftheseapps) -- [Privacy/LetAppsRunInBackground](#privacy-letappsruninbackground) -- [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps) -- [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps) -- [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps) -- [Security/AllowAddProvisioningPackage](#security-allowaddprovisioningpackage) -- [Security/AllowRemoveProvisioningPackage](#security-allowremoveprovisioningpackage) -- [Security/RequireDeviceEncryption](#security-requiredeviceencryption) -- [Security/RequireProvisioningPackageSignature](#security-requireprovisioningpackagesignature) -- [System/AllowEmbeddedMode](#system-allowembeddedmode) -- [System/AllowFontProviders](#system-allowfontproviders) -- [System/AllowStorageCard](#system-allowstoragecard) -- [System/TelemetryProxy](#system-telemetryproxy) -- [Update/AllowNonMicrosoftSignedUpdate](#update-allownonmicrosoftsignedupdate) -- [Update/AllowUpdateService](#update-allowupdateservice) -- [Update/PauseDeferrals](#update-pausedeferrals) -- [Update/RequireDeferUpgrade](#update-requiredeferupgrade) -- [Update/RequireUpdateApproval](#update-requireupdateapproval) -- [Update/ScheduledInstallDay](#update-scheduledinstallday) -- [Update/ScheduledInstallTime](#update-scheduledinstalltime) -- [Update/UpdateServiceUrl](#update-updateserviceurl) -- [Wifi/AllowAutoConnectToWiFiSenseHotspots](#wifi-allowautoconnecttowifisensehotspots) -- [Wifi/AllowInternetSharing](#wifi-allowinternetsharing) -- [Wifi/AllowWiFi](#wifi-allowwifi) -- [Wifi/WLANScanMode](#wifi-wlanscanmode) - - - -## Policies supported by Windows Holographic for Business - -- [Accounts/AllowMicrosoftAccountConnection](#accounts-allowmicrosoftaccountconnection) -- [ApplicationManagement/AllowAllTrustedApps](#applicationmanagement-allowalltrustedapps) -- [ApplicationManagement/AllowAppStoreAutoUpdate](#applicationmanagement-allowappstoreautoupdate) -- [ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock) -- [Authentication/AllowFastReconnect](#authentication-allowfastreconnect) -- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising) -- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode) -- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename) -- [Browser/AllowCookies](#browser-allowcookies) -- [Browser/AllowDoNotTrack](#browser-allowdonottrack) -- [Browser/AllowPasswordManager](#browser-allowpasswordmanager) -- [Browser/AllowPopups](#browser-allowpopups) -- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar) -- [Browser/AllowSmartScreen](#browser-allowsmartscreen) -- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth) -- [DeviceLock/AllowIdleReturnWithoutPassword](#devicelock-allowidlereturnwithoutpassword) -- [DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled) -- [Experience/AllowCortana](#experience-allowcortana) -- [Experience/AllowManualMDMUnenrollment](#experience-allowmanualmdmunenrollment) -- [Privacy/AllowInputPersonalization](#privacy-allowinputpersonalization) -- [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo) -- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps) -- [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps) -- [Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](#privacy-letappsgetdiagnosticinfo-userincontroloftheseapps) -- [Privacy/LetAppsRunInBackground](#privacy-letappsruninbackground) -- [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps) -- [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps) -- [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps) -- [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation) -- [Security/RequireDeviceEncryption](#security-requiredeviceencryption) -- [Settings/AllowDateTime](#settings-allowdatetime) -- [Settings/AllowVPN](#settings-allowvpn) -- [System/AllowLocation](#system-allowlocation) -- [System/AllowTelemetry](#system-allowtelemetry) -- [Update/AllowAutoUpdate](#update-allowautoupdate) -- [Update/AllowUpdateService](#update-allowupdateservice) -- [Update/RequireDeferUpgrade](#update-requiredeferupgrade) -- [Update/RequireUpdateApproval](#update-requireupdateapproval) -- [Update/UpdateServiceUrl](#update-updateserviceurl) - - - -## Policies supported by Microsoft Surface Hub - -- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising) -- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode) -- [Bluetooth/AllowPrepairing](#bluetooth-allowprepairing) -- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename) -- [Bluetooth/ServicesAllowedList](#bluetooth-servicesallowedlist) -- [Browser/AllowAddressBarDropdown](#browser-allowaddressbardropdown) -- [Browser/AllowCookies](#browser-allowcookies) -- [Browser/AllowDeveloperTools](#browser-allowdevelopertools) -- [Browser/AllowDoNotTrack](#browser-allowdonottrack) -- [Browser/AllowMicrosoftCompatibilityList](#browser-allowmicrosoftcompatibilitylist) -- [Browser/AllowPopups](#browser-allowpopups) -- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar) -- [Browser/AllowSmartScreen](#browser-allowsmartscreen) -- [Browser/ClearBrowsingDataOnExit](#browser-clearbrowsingdataonexit) -- [Browser/ConfigureAdditionalSearchEngines](#browser-configureadditionalsearchengines) -- [Browser/DisableLockdownOfStartPages](#browser-disablelockdownofstartpages) -- [Browser/HomePages](#browser-homepages) -- [Browser/PreventLiveTileDataCollection](#browser-preventlivetiledatacollection) -- [Browser/PreventSmartScreenPromptOverride](#browser-preventsmartscreenpromptoverride) -- [Browser/PreventSmartScreenPromptOverrideForFiles](#browser-preventsmartscreenpromptoverrideforfiles) -- [Browser/SetDefaultSearchEngine](#browser-setdefaultsearchengine) -- [Camera/AllowCamera](#camera-allowcamera) -- [Cellular/ShowAppCellularAccessUI](#cellular-showappcellularaccessui) -- [ConfigOperations/ADMXInstall](#configoperations-admxinstall) -- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth) -- [Connectivity/AllowConnectedDevices](#connectivity-allowconnecteddevices) -- [Cryptography/AllowFipsAlgorithmPolicy](#cryptography-allowfipsalgorithmpolicy) -- [Cryptography/TLSCipherSuites](#cryptography-tlsciphersuites) -- [Defender/AllowArchiveScanning](#defender-allowarchivescanning) -- [Defender/AllowBehaviorMonitoring](#defender-allowbehaviormonitoring) -- [Defender/AllowCloudProtection](#defender-allowcloudprotection) -- [Defender/AllowEmailScanning](#defender-allowemailscanning) -- [Defender/AllowFullScanOnMappedNetworkDrives](#defender-allowfullscanonmappednetworkdrives) -- [Defender/AllowFullScanRemovableDriveScanning](#defender-allowfullscanremovabledrivescanning) -- [Defender/AllowIOAVProtection](#defender-allowioavprotection) -- [Defender/AllowIntrusionPreventionSystem](#defender-allowintrusionpreventionsystem) -- [Defender/AllowOnAccessProtection](#defender-allowonaccessprotection) -- [Defender/AllowRealtimeMonitoring](#defender-allowrealtimemonitoring) -- [Defender/AllowScanningNetworkFiles](#defender-allowscanningnetworkfiles) -- [Defender/AllowScriptScanning](#defender-allowscriptscanning) -- [Defender/AllowUserUIAccess](#defender-allowuseruiaccess) -- [Defender/AvgCPULoadFactor](#defender-avgcpuloadfactor) -- [Defender/DaysToRetainCleanedMalware](#defender-daystoretaincleanedmalware) -- [Defender/ExcludedExtensions](#defender-excludedextensions) -- [Defender/ExcludedPaths](#defender-excludedpaths) -- [Defender/ExcludedProcesses](#defender-excludedprocesses) -- [Defender/PUAProtection](#defender-puaprotection) -- [Defender/RealTimeScanDirection](#defender-realtimescandirection) -- [Defender/ScanParameter](#defender-scanparameter) -- [Defender/ScheduleQuickScanTime](#defender-schedulequickscantime) -- [Defender/ScheduleScanDay](#defender-schedulescanday) -- [Defender/ScheduleScanTime](#defender-schedulescantime) -- [Defender/SignatureUpdateInterval](#defender-signatureupdateinterval) -- [Defender/SubmitSamplesConsent](#defender-submitsamplesconsent) -- [Defender/ThreatSeverityDefaultAction](#defender-threatseveritydefaultaction) -- [DeliveryOptimization/DOAbsoluteMaxCacheSize](#deliveryoptimization-doabsolutemaxcachesize) -- [DeliveryOptimization/DOAllowVPNPeerCaching](#deliveryoptimization-doallowvpnpeercaching) -- [DeliveryOptimization/DODownloadMode](#deliveryoptimization-dodownloadmode) -- [DeliveryOptimization/DOGroupId](#deliveryoptimization-dogroupid) -- [DeliveryOptimization/DOMaxCacheAge](#deliveryoptimization-domaxcacheage) -- [DeliveryOptimization/DOMaxCacheSize](#deliveryoptimization-domaxcachesize) -- [DeliveryOptimization/DOMaxDownloadBandwidth](#deliveryoptimization-domaxdownloadbandwidth) -- [DeliveryOptimization/DOMaxUploadBandwidth](#deliveryoptimization-domaxuploadbandwidth) -- [DeliveryOptimization/DOMinBackgroundQos](#deliveryoptimization-dominbackgroundqos) -- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](#deliveryoptimization-domindisksizeallowedtopeer) -- [DeliveryOptimization/DOMinFileSizeToCache](#deliveryoptimization-dominfilesizetocache) -- [DeliveryOptimization/DOMinRAMAllowedToPeer](#deliveryoptimization-dominramallowedtopeer) -- [DeliveryOptimization/DOModifyCacheDrive](#deliveryoptimization-domodifycachedrive) -- [DeliveryOptimization/DOMonthlyUploadDataCap](#deliveryoptimization-domonthlyuploaddatacap) -- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](#deliveryoptimization-dopercentagemaxdownloadbandwidth) -- [Desktop/PreventUserRedirectionOfProfileFolders](#desktop-preventuserredirectionofprofilefolders) -- [Privacy/EnableActivityFeed](#privacy-enableactivityfeed) -- [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo) -- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps) -- [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps) -- [Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](#privacy-letappsgetdiagnosticinfo-userincontroloftheseapps) -- [Privacy/LetAppsRunInBackground](#privacy-letappsruninbackground) -- [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps) -- [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps) -- [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps) -- [Privacy/PublishUserActivities](#privacy-publishuseractivities) -- [Security/RequireProvisioningPackageSignature](#security-requireprovisioningpackagesignature) -- [Security/RequireRetrieveHealthCertificateOnBoot](#security-requireretrievehealthcertificateonboot) -- [Start/StartLayout](#start-startlayout) -- [System/AllowFontProviders](#system-allowfontproviders) -- [System/AllowLocation](#system-allowlocation) -- [System/AllowTelemetry](#system-allowtelemetry) -- [TextInput/AllowIMELogging](#textinput-allowimelogging) -- [TextInput/AllowIMENetworkAccess](#textinput-allowimenetworkaccess) -- [TextInput/AllowInputPanel](#textinput-allowinputpanel) -- [TextInput/AllowJapaneseIMESurrogatePairCharacters](#textinput-allowjapaneseimesurrogatepaircharacters) -- [TextInput/AllowJapaneseIVSCharacters](#textinput-allowjapaneseivscharacters) -- [TextInput/AllowJapaneseNonPublishingStandardGlyph](#textinput-allowjapanesenonpublishingstandardglyph) -- [TextInput/AllowJapaneseUserDictionary](#textinput-allowjapaneseuserdictionary) -- [TextInput/AllowLanguageFeaturesUninstall](#textinput-allowlanguagefeaturesuninstall) -- [TextInput/ExcludeJapaneseIMEExceptJIS0208](#textinput-excludejapaneseimeexceptjis0208) -- [TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC](#textinput-excludejapaneseimeexceptjis0208andeudc) -- [TextInput/ExcludeJapaneseIMEExceptShiftJIS](#textinput-excludejapaneseimeexceptshiftjis) -- [Update/AllowAutoUpdate](#update-allowautoupdate) -- [Update/AllowUpdateService](#update-allowupdateservice) -- [Update/AutoRestartNotificationSchedule](#update-autorestartnotificationschedule) -- [Update/AutoRestartRequiredNotificationDismissal](#update-autorestartrequirednotificationdismissal) -- [Update/BranchReadinessLevel](#update-branchreadinesslevel) -- [Update/DeferFeatureUpdatesPeriodInDays](#update-deferfeatureupdatesperiodindays) -- [Update/DeferQualityUpdatesPeriodInDays](#update-deferqualityupdatesperiodindays) -- [Update/DetectionFrequency](#update-detectionfrequency) -- [Update/PauseFeatureUpdates](#update-pausefeatureupdates) -- [Update/PauseQualityUpdates](#update-pausequalityupdates) -- [Update/ScheduleImminentRestartWarning](#update-scheduleimminentrestartwarning) -- [Update/ScheduleRestartWarning](#update-schedulerestartwarning) -- [Update/SetAutoRestartNotificationDisable](#update-setautorestartnotificationdisable) -- [Update/UpdateServiceUrl](#update-updateserviceurl) -- [Update/UpdateServiceUrlAlternate](#update-updateserviceurlalternate) -- [WiFi/AllowWiFiHotSpotReporting](#wifi-allowwifihotspotreporting) - - ## Policies that can be set using Exchange Active Sync (EAS) @@ -4712,7 +4486,6 @@ The following diagram shows the Policy configuration service provider in tree fo - [Wifi/AllowWiFi](#wifi-allowwifi) - ## Examples Set the minimum password length to 4 characters. diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md index faf33814cc..e07d5f9e02 100644 --- a/windows/client-management/mdm/policy-csp-connectivity.md +++ b/windows/client-management/mdm/policy-csp-connectivity.md @@ -6,11 +6,13 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 03/12/2018 +ms.date: 03/14/2018 --- # Policy CSP - Connectivity +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
- Connectivity/AllowNFC +
- + Connectivity/AllowPhonePCLinking +
- Connectivity/AllowUSBConnection @@ -355,6 +360,76 @@ The following list shows the supported values:
@@ -34,6 +36,9 @@ ms.date: 03/12/2018
+ +**Connectivity/AllowPhonePCLinking** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
 |
+  4 |
+ 4 |
+ 4 |
+ 4 |
+ + | + |
+ + + +Added in Windows 10, version 1803. This policy allows IT admins to turn off the ability to Link a Phone with a PC to continue tasks, such as reading, email, and other tasks that require linking between Phone and PC. + +If you enable this policy setting, the Windows device will be able to enroll in Phone-PC linking functionality and participate in 'Continue on PC experiences'. If you disable this policy setting, the Windows device is not allowed to be linked to phones, will remove itself from the device list of any linked Phones, and cannot participate in 'Continue on PC experiences'. +If you do not configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot. + + + +ADMX Info: +- GP name: *enableMMX* +- GP ADMX file name: *grouppolicy.admx* + + + +This setting supports a range of values between 0 and 1. + +- 0 - Do not link +- 1 (default) - Allow phone-PC linking + + + + + + + +Validation: + +If the Connectivity/AllowPhonePCLinking policy is configured to value 0, the add a phone button in the Phones section in settings will be greyed out and clicking it will not launch the window for a user to enter their phone number. + +Device that has previously opt-in to MMX will also stop showing on the device list. + + + +
+ **Connectivity/AllowUSBConnection** diff --git a/windows/client-management/mdm/rootcacertificates-csp.md b/windows/client-management/mdm/rootcacertificates-csp.md index 8f5c11db9d..b7fa5a8362 100644 --- a/windows/client-management/mdm/rootcacertificates-csp.md +++ b/windows/client-management/mdm/rootcacertificates-csp.md @@ -7,11 +7,14 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 06/26/2017 +ms.date: 03/06/2018 --- # RootCATrustedCertificates CSP +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + The RootCATrustedCertificates configuration service provider enables the enterprise to set the Root Certificate Authority (CA) certificates. > [!Note] @@ -44,6 +47,9 @@ Node for trusted publisher certificates. **RootCATrustedCertificates/TrustedPeople** Node for trusted people certificates. +**RootCATrustedCertificates/UntrustedCertificates** +Addeded in Windows 10, version 1803. Node for certificates that are not trusted. IT admin can use this node to immediately flag certificates that have been compromised and no longer usable. + **_CertHash_** Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. diff --git a/windows/client-management/mdm/rootcacertificates-ddf-file.md b/windows/client-management/mdm/rootcacertificates-ddf-file.md index 6e6492a240..03c352d150 100644 --- a/windows/client-management/mdm/rootcacertificates-ddf-file.md +++ b/windows/client-management/mdm/rootcacertificates-ddf-file.md @@ -7,17 +7,19 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 12/05/2017 +ms.date: 03/07/2018 --- # RootCATrustedCertificates DDF file +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. This topic shows the OMA DM device description framework (DDF) for the **RootCACertificates** configuration service provider. DDF files are used only with OMA DM provisioning XML. Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). -The XML below is the current version for this CSP. +The XML below is for Windows 10, version 1803. ``` syntax @@ -28,7 +30,7 @@ The XML below is the current version for this CSP.
(Phone proximity, Network location) | \{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}| + +>[!NOTE] +>Multifactor unlock does not support third-party credential providers or credential providers not listed in the above table. + +The default credential providers for the **First unlock factor credential provider** include: +* PIN +* Fingerprint +* Facial Recongition + +The default credential providers for the **Second unlock factor credential provider** include: +* Trusted Signal +* PIN + +Configure a comma separated list of credential provider GUIDs you want to use as first and second unlock factors. While a credential provider can appear in both lists, remember that a credential supported by that provider can only satisfy one of the unlock factors. Listed credential providers do not need to be in any specific order. + +For example, if you include the PIN and fingerprint credential providers in both first and second factor lists, a user can use their fingerprint or PIN as the first unlock factor. However, whichever factor they used to satisfy the first unlock factor cannot be used to satisfy the second unlock factor. Each factor can therefore be used exactly once. The Trusted Signal provider can *only* be specified as part of the Second unlock factor credential provider list. + + +## Configure Signal Rules for the Trusted Signal Credential Provider + +The **Signal rules for device unlock** setting contains the rules the Trusted Signal credential provider uses to satisfy unlocking the device. + +### Rule element +You represent signal rules in XML. Each signal rule has an starting and ending **rule** element that contains the **schemaVersion** attribute and value. The current supported scheam version is 1.0.
+**Example** +``` +
+ +|Attribute|Value| +|---------|-----| +| type| "bluetooth" or "ipConfig" (Windows 10, version 1709)| + +#### Bluetooth +You define the bluetooth signal with additional attribute in the signal elment. The bluetooth configuration does not use any other elements. You can end the signal element with short ending tag "\/>". + +|Attribute|Value|Required| +|---------|-----|--------| +|type|"bluetooth"|yes| +|scenario|"Authentication"|yes| +|classOfDevice|"*number*"|no| +|rssiMin|"*number*"|no| +|rssiMaxDelta|"*number*"|no| + +Example: +``` +
+**Example** +``` +
+**Example** +``` +
+**Example** +``` +
+**Example:** +``` +
+**Example** +``` +
+**Example** +``` +
+**Example** +``` +
+**Example** +``` +
+ +8. In the content pane, double-click **Configure device unlock factors**. Click **Enable**. The **Options** section populates the policy setting with default values.
+ +9. Configure first and second unlock factors using the information in the [Configure Unlock Factors](#configuring-unlock-factors) section. +10. If using trusted signals, configure the trusted signals used by the unlock factor using the information in the [Configure Signal Rules for the Trusted Signal Credential Provider](#configure-signal-rules-for-the-trusted-signal-credential-provider) section. +11. Click **Ok** to close the **Group Policy Management Editor**. Use the **Group Policy Management Console** to deploy the newly created Group Policy object to your organization's computers. + + ## Troubleshooting +Mulitfactor unlock writes events to event log under **Application and Services Logs\Microsoft\Windows\HelloForBusiness** with the category name **Device Unlock**. + +### Events + +|Event ID|Details| +|:------:|:------| +|3520|Unlock attempt initiated| +|5520|Unlock policy not configured| +|6520|Warning event| +|7520|Error event| +|8520|Success event| diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md index 227053e01a..d5f526f94f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md @@ -346,13 +346,6 @@ Sign-in the AD FS server with Domain Admin equivalent credentials. ```PowerShell Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate WHFBEnrollmentAgent -WindowsHelloCertificateTemplate WHFBAuthentication ``` - - -The `Set-AdfsCertificateAuthority` cmdlet may show the following warning: ->WARNING: PS0343: Issuing Windows Hello certificates requires enabling a permitted strong authentication provider, but no usable providers are currently configured. These authentication providers are not supported for Windows Hello certificates: CertificateAuthentication,MicrosoftPassportAuthentication. Windows Hello certificates will not be issued until a permitted strong authentication provider is configured. - -This warning indicates that you have not configured multi-factor authentication in AD FS and until it is configured, the AD FS server will not issue Windows Hello certificates. Windows 10, version 1703 clients check this configuration during prerequisite checks. If detected, the prerequisite check will not succeed and the user will not provision Windows Hello for Business on sign-in. - >[!NOTE] > If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace **WHFBEnrollmentAgent** and WHFBAuthentication in the above command with the name of your certificate templates. It’s important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority. diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md index d2126063c5..99a39e91b2 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md @@ -6,10 +6,10 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile -author: DaniHalfin -ms.localizationpriority: high -ms.author: daniha -ms.date: 07/27/2017 +author: mikestephens-MS +ms.author: mstephen +localizationpriority: high +ms.date: 03/5/2018 --- # Configure or Deploy Multifactor Authentication Services @@ -523,7 +523,7 @@ Before you continue with the deployment, validate your deployment progress by re * Confirm you saved the changes to the web.config file. * Confirm you restarted the AD FS Service after completing the configuration. -## Test AD FS with the Multifactor Authentication connector +## Test Multifactor Authentication Now, you should test your Azure Multi-Factor Authentication server configuration before proceeding any further in the deployment. The AD FS and Azure Multi-Factor Authentication server configurations are complete. diff --git a/windows/security/identity-protection/hello-for-business/hello-features.md b/windows/security/identity-protection/hello-for-business/hello-features.md index 5c6fcc07d2..1800c4b80f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-features.md +++ b/windows/security/identity-protection/hello-for-business/hello-features.md @@ -10,7 +10,7 @@ ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen localizationpriority: high -ms.date: 12/04/2017 +ms.date: 3/5/2018 --- # Windows Hello for Business Features @@ -20,7 +20,6 @@ Consider these additional features you can use after your organization deploys W * [Dynamic lock](#dynamic-lock) * [PIN reset](#pin-reset) * [Privileged credentials](#privileged-credentials) -* [Mulitfactor Unlock](#multifactor-unlock) ## Conditional access @@ -153,77 +152,4 @@ The privileged credentials scenario enables administrators to perform elevated, By design, Windows 10 does not enumerate all Windows Hello for Business users from within a user's session. Using the computer Group Policy setting, Allow enumeration of emulated smartd card for all users, you can configure a device to all this enumeration on selected devices. -With this setting, administrative users can sign-in to Windows 10, version 1709 using their non-privileged Windows Hello for Business credentials for normal workflow such as email, but can launch Microsoft Managment Consoles (MMCs), Remote Desktop Services clients, and other applications by selecting **Run as different user** or **Run as administrator**, selecting the privileged user account, and providing their PIN. Administrators can also take advantage of this feature with command line applications by using **runas.exe** combined with the **/smartcard** argument. This enables administrators to perform their day-to-day operations without needing to sign-in and out, or use fast user switching when alternativing between privileged and non-privileged workloads. - -## Multifactor Unlock - -**Requirements:** -* Windows Hello for Business deployment (Hybrid or On-premises) -* Hybird Azure AD joined (Hybrid deployments) -* Domain Joined (on-premises deployments) -* Windows 10, version 1709 -* Bluetooth, Bluetooth capable smartphone - optional - -Windows, today, natively only supports the use of a single credential (password, PIN, fingerprint, face, etc.) for unlocking a device. Therefore, if any of those credentials are compromised (shoulder surfed), an attacker could gain access to the system. - -Windows 10 offers Multifactor device unlock by extending Windows Hello with trusted signals, administrators can configure Windows 10 to request a combination of factors and trusted signals to unlock their devices. - -Which organizations can take advanage of Multifactor unlock? Those who: -* Have expressed that PINs alone do not meet their security needs. -* Want to prevent Information Workers from sharing credentials. -* Want their orgs to comply with regulatory two-factor authentication policy. -* Want to retain the familiar Windows logon UX and not settle for a custom solution. - ->[!IMPORTANT] ->Once the you deploy multifactor unlock policies, users are not be able to unlock their devices if they do not have the required factors. The fall back options are to use passwords or smart cards (both of which could be disabled as needed). - -You enable multifactor unlock using Group Policy. The **Configure device unlock factors** policy setting is located under **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**. - -The policy setting has three components: -* First unlock factor credential provider -* Second unlock factor credential provider -* Signal rules for device unlock - -### The Basics: How it works - -First unlock factor credential provider and Second unlock credential provider are repsonsible for the bulk of the configuration. Each of these components contains a globally unqiue identifier (GUID) that represents a different Windows credential provider. With the policy setting enabled, users unlock the device using at least one credenital provider from each category before Windows allows the user to proceed to their desktop. - -The credenital providers included in the default policy settings are: - -|Credential Provider| GUID| -|:------------------|:----:| -|PIN | \{D6886603-9D2F-4EB2-B667-1971041FA96B}| -|Fingerprint | \{BEC09223-B018-416D-A0AC-523971B639F5}| -|Facial Recognition | \{8AF662BF-65A0-4D0A-A540-A338A999D36F}| -|Trusted Signal | \{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}| - -The default credential providers for the **First unlock factor credential provider** include: -* PIN -* Fingerprint -* Facial Recongition - -The default credential providers for the **Second unlock factor credential provider** include: -* Trusted Signal -* PIN - -The **Signal rules for device unlock** setting contains the rules the Trusted Signal credential provider uses to satisfy unlocking the device. - -The default signal rules for the policy setting include the proximity of any paired bluetooth smartphone. - -To successfully reach their desktop, the user must satisfy one credential provider from each category. The order in which the user satisfies each credential provider does not matter. Therefore, using the default policy setting a user can provide: -* PIN and Fingerprint -* PIN and Facial Recognition -* Fingerprint and PIN -* Facial Recognition and Trusted Signal (bluetooth paired smartphone) - ->[!IMPORTANT] -> * PIN **must** be in at least one of the groups -> * Trusted signals **must** be combined with another credential provider -> * You cannot use the same unlock factor to satisfy both categories. Therefore, if you include any credential provider in both categories, it means it can be used to satisfy either category, but not both. - - - - - - - +With this setting, administrative users can sign-in to Windows 10, version 1709 using their non-privileged Windows Hello for Business credentials for normal workflow such as email, but can launch Microsoft Managment Consoles (MMCs), Remote Desktop Services clients, and other applications by selecting **Run as different user** or **Run as administrator**, selecting the privileged user account, and providing their PIN. Administrators can also take advantage of this feature with command line applications by using **runas.exe** combined with the **/smartcard** argument. This enables administrators to perform their day-to-day operations without needing to sign-in and out, or use fast user switching when alternativing between privileged and non-privileged workloads. \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index 57a3df8925..866c851a11 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md @@ -9,7 +9,7 @@ ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen localizationpriority: high -ms.date: 10/23/2017 +ms.date: 02/23/2018 --- # Configure Device Registration for Hybrid Windows Hello for Business @@ -495,8 +495,7 @@ For your reference, below is a comprehensive list of the AD DS devices, containe  -- object of type serviceConnectionpoint at CN=<guid>, CN=Device Registration -- Configuration,CN=Services,CN=Configuration,DC=<domain> +- object of type serviceConnectionpoint at CN=<guid>, CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=<domain> - read/write access to the specified AD connector account name on the new object - object of type msDS-DeviceRegistrationServiceContainer at CN=Device Registration Services,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=<domain> - object of type msDS-DeviceRegistrationService in the above container diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md index b0e4a403a4..96d449f9d3 100644 --- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md +++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md @@ -71,6 +71,9 @@ The table shows the minimum requirements for each deployment. ## Frequently Asked Questions +### Can I deploy Windows Hello for Business using System Center Configuration Manager? +Windows Hello for Business deployments using System Center Configuration Manager need to move to the hybrid deploymnet model that uses Active Directory Federation Services. Deployments using System Center Configuration Manager wil no long be supported after November 2018. + ### What is the password-less strategy? Watch Senior Program Manager Karanbir Singh's Ignite 2017 presentation **Microsoft's guide for going password-less** diff --git a/windows/security/identity-protection/hello-for-business/images/multifactorUnlock/gp-setting.png b/windows/security/identity-protection/hello-for-business/images/multifactorUnlock/gp-setting.png new file mode 100644 index 0000000000..47823d76a8 Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/multifactorUnlock/gp-setting.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/multifactorUnlock/gpme.png b/windows/security/identity-protection/hello-for-business/images/multifactorUnlock/gpme.png new file mode 100644 index 0000000000..fd7afd80cb Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/multifactorUnlock/gpme.png differ diff --git a/windows/security/identity-protection/hello-for-business/toc.md b/windows/security/identity-protection/hello-for-business/toc.md index 81267549c1..86c01a544c 100644 --- a/windows/security/identity-protection/hello-for-business/toc.md +++ b/windows/security/identity-protection/hello-for-business/toc.md @@ -43,4 +43,5 @@ ##### [Configure or Deploy Multifactor Authentication Services](hello-cert-trust-deploy-mfa.md) #### [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md) -## [Windows Hello for Business Features](hello-features.md) \ No newline at end of file +## [Windows Hello for Business Features](hello-features.md) +### [Multifactor Unlock](feature-multifactor-unlock.md) \ No newline at end of file diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md index 9e780394d7..94f1153940 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md @@ -24,15 +24,6 @@ This article assumes that you understand how to set up AD DS to back up BitLock This article does not detail how to configure AD DS to store the BitLocker recovery information. -This article contains the following topics: - -- [What Is BitLocker Recovery?](#bkmk-whatisrecovery) -- [Testing Recovery](#bkmk-testingrecovery) -- [Planning Your Recovery Process](#bkmk-planningrecovery) -- [Using Additional Recovery Information](#bkmk-usingaddrecovery) -- [Resetting Recovery Passwords](#bkmk-appendixb) -- [Retrieving the BitLocker Key Package](#bkmk-appendixc) - ## What is BitLocker recovery? BitLocker recovery is the process by which you can restore access to a BitLocker-protected drive in the event that you cannot unlock the drive normally. In a recovery scenario you have the following options to restore access to the drive: @@ -109,7 +100,7 @@ Before you create a thorough BitLocker recovery process, we recommend that you t 2. At the command prompt, type the following command and then press ENTER: `manage-bde. -ComputerName