From 07ebb32e0b8559858113b15324ef880b6d5ddc19 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 4 Jun 2018 17:13:21 -0700 Subject: [PATCH 1/5] removed outdated TPM backup info --- ...ion-for-bitlocker-planning-and-policies.md | 58 ++----------------- 1 file changed, 4 insertions(+), 54 deletions(-) diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md index 0fbd75a787..f3e5d15248 100644 --- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md +++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: brianlic-msft -ms.date: 04/19/2017 +ms.date: 06/04/2018 --- # Prepare your organization for BitLocker: Planning and policies 
@@ -157,17 +157,12 @@ Full drive encryption means that the entire drive will be encrypted, regardless ## Active Directory Domain Services considerations -BitLocker integrates with Active Directory Domain Services (AD DS) to provide centralized key management. By default, no recovery information is backed up to Active Directory. Administrators can configure Group Policy settings to enable backup of BitLocker or TPM recovery information. Before configuring these settings verify that access permissions have been granted to perform the backup. +BitLocker integrates with Active Directory Domain Services (AD DS) to provide centralized key management. By default, no recovery information is backed up to Active Directory. Administrators can configure the following Group Policy setting to enable backup of BitLocker recovery information: -By default, domain administrators are the only users that will have access to BitLocker recovery information. When you plan your support process, define what parts of your organization need access to BitLocker recovery information. Use this information to define how the appropriate rights will be delegated in your AD DS environment. +Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\Turn on BitLocker backup to Active Directory Domain Services -It is a best practice to require backup of recovery information for both the TPM and BitLocker to AD DS. You can implement this practice by configuring the Group Policy settings below for your BitLocker-protected computers. +By default, only Domain Admins have access to BitLocker recovery information. When you plan your support process, define what parts of your organization need access to BitLocker recovery information. Use this information to define how the appropriate rights will be delegated in your AD DS environment. 
-| BitLocker Group Policy setting | Configuration | -| - | - | -| BitLocker Drive Encryption: Turn on BitLocker backup to Active Directory Domain Services| Require BitLocker backup to AD DS (Passwords and key packages)| -| Trusted Platform Module Services: Turn on TPM backup to Active Directory Domain Services | Require TPM backup to AD DS| -  The following recovery data will be saved for each computer object: - **Recovery password** 
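Review bot: the rewritten paragraph in the @@ -157,17 hunk of PATCH 1/5 names the "Turn on BitLocker backup to Active Directory Domain Services" setting but drops the Configuration column of the removed table, so the recommended value "Require BitLocker backup to AD DS (Passwords and key packages)" and the removed statement that requiring the backup is a best practice are both lost. Suggest keeping that value in the new text, e.g. "Configure this setting to require backup of passwords and key packages", and keeping the removed reminder "Before configuring these settings verify that access permissions have been granted to perform the backup", which still applies to the BitLocker recovery information even with the TPM material gone.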
@@ -178,51 +173,6 @@ The following recovery data will be saved for each computer object: With this key package and the recovery password, you will be able decrypt portions of a BitLocker-protected volume if the disk is severely damaged. Each key package will only work with the volume it was created on, which can be identified by the corresponding volume ID. -- **TPM owner authorization password hash** - - When ownership of the TPM is taken a hash of the ownership password can be taken and stored in AD DS. This information can then be used to reset ownership of the TPM. - -Starting in Windows 8, a change to how the TPM owner authorization value is stored in AD DS was implemented in the AD DS schema. The TPM owner authorization value is now stored in a separate object which is linked to the Computer object. This value was stored as a property in the Computer object itself for the default Windows Server 2008 R2 and later schemas. - -To take advantage of this integration, you must upgrade your domain controllers to Windows Server 2012 or extend the Active Directory schema and configure BitLocker-specific Group Policy objects. - ->**Note:**  The account that you use to update the Active Directory schema must be a member of the Schema Admins group. -  -Windows Server 2012 domain controllers have the default schema to backup TPM owner authorization information in the separate object. If you are not upgrading your domain controller to Windows Server 2012 you need to extend the schema to support this change. - -**To support Windows 8 and later computers that are managed by a Windows Server 2003 or Windows 2008 domain controller** - -There are two schema extensions that you can copy down and add to your AD DS schema: - -- **TpmSchemaExtension.ldf** - - This schema extension brings parity with the Windows Server 2012 schema. With this change, the TPM owner authorization information is stored in a separate TPM object linked to the corresponding computer object. 
Only the Computer object that has created the TPM object can update it. This means that any subsequent updates to the TPM objects will not succeed in dual boot scenarios or scenarios where the computer is reimaged resulting in a new AD computer object being created. To support such scenarios, an update to the schema was created. - -- **TpmSchemaExtensionACLChanges.ldf** - - This schema update modifies the ACLs on the TPM object to be less restrictive so that any subsequent operating system which takes ownership of the computer object can update the owner authorization value in AD DS. However, this is less secure as any computer in the domain can now update the OwnerAuth of the TPM object (although it cannot read the OwnerAuth) and DOS attacks can be made from within the enterprise. The recommended mitigation in such a scenario is to do regular backup of TPM objects and enable auditing to track changes for these objects. - -To download the schema extensions, see [AD DS schema extensions to support TPM backup](https://technet.microsoft.com/library/jj635854.aspx). - -If you have a Windows Server 2012 domain controller in your environment, the schema extensions are already in place and do not need to be updated. - ->**Caution:**  To configure Group Policy objects to backup TPM and BitLocker information in AD DS at least one of the domain controllers in your forest must be running at least Windows Server 2008 R2. -If Active Directory backup of the TPM owner authorization value is enabled in an environment without the required schema extensions, the TPM provisioning will fail and the TPM will remain in a Not Ready state for computers running Windows 8 and later. -  -**Setting the correct permissions in AD DS** - -To initialize the TPM successfully so that you can turn on BitLocker requires that the correct permissions for the SELF account in be set in AD DS for the **ms-TPMOwnerInformation** attribute. 
The following steps detail setting these permissions as required by BitLocker: - -1. Open **Active Directory Users and Computers**. -2. Select the organizational unit (OU) which contains the computer accounts that will have BitLocker turned on. -3. Right-click the OU and click **Delegate Control** to open the **Delegation of Control** wizard. -4. Click **Next** to go to the **Users or Groups** page and then click **Add**. -5. In the **Select Users, Computers, or Groups** dialog box, type **SELF** as the object name and then click **OK** Once the object has been validated you will be returned to the **Users or Groups** wizard page and the SELF account will be listed. Click **Next**. -6. On the **Tasks to Delegate** page, choose **Create a custom task to delegate** and then click **Next**. -7. On the **Active Directory Object Type** page, choose **Only the following objects in the folder** and then check **Computer Objects** and then click **Next**. -8. On the **Permissions** page, for **Show these permissions**, check **General**, **Property-specific**, and **Creation/deletion of specific child objects**. Scroll down the **Permissions** list and check both **Write msTPM-OwnerInformation** and **Write msTPM-TpmInformationForComputer** then click **Next**. -9. Click **Finish** to apply the permissions settings. - ## FIPS support for recovery password protector Functionality introduced in Windows Server 2012 R2 and Windows 8.1, allows BitLocker to be fully functional in FIPS mode. From c46d43744ea0cd31c3308b175fc456e52294e424 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 4 Jun 2018 17:23:46 -0700 Subject: [PATCH 2/5] added link to delegation blog post --- ...e-your-organization-for-bitlocker-planning-and-policies.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
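Review bot: the @@ -178,51 hunk of PATCH 1/5 removes the caution "To configure Group Policy objects to backup TPM and BitLocker information in AD DS at least one of the domain controllers in your forest must be running at least Windows Server 2008 R2", but only the TPM half of that requirement is outdated; the domain controller requirement for the BitLocker recovery backup that the previous hunk still documents disappears with it. Suggest keeping a BitLocker-only version of the caution. Also, the unchanged context line at the top of the hunk still reads "you will be able decrypt portions", missing "to"; worth fixing while this section is being edited.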
diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md index f3e5d15248..eed67e922b 100644 --- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md +++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md @@ -161,9 +161,9 @@ BitLocker integrates with Active Directory Domain Services (AD DS) to provide ce Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\Turn on BitLocker backup to Active Directory Domain Services -By default, only Domain Admins have access to BitLocker recovery information. When you plan your support process, define what parts of your organization need access to BitLocker recovery information. Use this information to define how the appropriate rights will be delegated in your AD DS environment. +By default, only Domain Admins have access to BitLocker recovery information, but [access can be delegated to others](https://blogs.technet.microsoft.com/craigf/2011/01/26/delegating-access-in-ad-to-bitlocker-recovery-information/). -The following recovery data will be saved for each computer object: +The following recovery data is saved for each computer object: - **Recovery password** From 1242ef3e64664d429b681730d4be7e0b3b00ea56 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 4 Jun 2018 18:04:19 -0700 Subject: [PATCH 3/5] corrected outbound rule --- ...-advanced-security-administration-with-windows-powershell.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
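Review bot: in the @@ -161,9 hunk of PATCH 2/5, the planning guidance ("define what parts of your organization need access to BitLocker recovery information. Use this information to define how the appropriate rights will be delegated in your AD DS environment") is replaced by a link to a 2011 personal TechNet blog post. The blog covers the mechanics, but the removed sentences are the least-privilege planning step for recovery key access, and an external blog link can rot. Suggest keeping the two removed sentences and appending the link as "For an example of delegating this access, see ...".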
diff --git a/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md b/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md index 8880188072..aa3448684e 100644 --- a/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md +++ b/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md @@ -218,7 +218,7 @@ Windows PowerShell ``` syntax New-NetFirewallRule -DisplayName “Allow Inbound Telnet” -Direction Inbound -Program %SystemRoot%\System32\tlntsvr.exe -RemoteAddress LocalSubnet -Action Allow –Group “Telnet Management” -New-NetFirewallRule -DisplayName “Block Outbound Telnet” -Direction Inbound -Program %SystemRoot%\System32\tlntsvr.exe -RemoteAddress LocalSubnet -Action Allow –Group “Telnet Management” +New-NetFirewallRule -DisplayName “Block Outbound Telnet” -Direction Outbound -Program %SystemRoot%\System32\tlntsvr.exe -RemoteAddress LocalSubnet -Action Allow –Group “Telnet Management” ``` If the group is not specified at rule creation time, the rule can be added to the rule group using dot notation in Windows PowerShell. You cannot specify the group using `Set-NetFirewallRule` since the command allows querying by rule group. From 1c5e849a89dbc02c818b4b80cc28ec967e097669 Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Tue, 5 Jun 2018 14:05:37 +0000 Subject: [PATCH 4/5] Merged PR 8779: new Intune kiosk profile instructions --- ...change-history-for-configure-windows-10.md | 8 +++++++- .../lock-down-windows-10-to-specific-apps.md | 20 +++++++++---------- .../setup-kiosk-digital-signage.md | 12 +++++------ 3 files changed, 22 insertions(+), 18 deletions(-) 
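Review bot: the corrected line in the @@ -218,7 hunk of PATCH 3/5 fixes -Direction but leaves "-Action Allow" on a rule whose DisplayName is "Block Outbound Telnet", so the example still creates an allow rule under a "Block" name; it should read "-Action Block". Also check the -Program value: tlntsvr.exe is the Telnet Server service binary copied from the inbound rule above it, so an outbound rule scoped to that executable would not apply to the Telnet client, which is presumably what "Outbound Telnet" refers to.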
diff --git a/windows/configuration/change-history-for-configure-windows-10.md b/windows/configuration/change-history-for-configure-windows-10.md index 95e3da2dff..8b3d74ac3b 100644 --- a/windows/configuration/change-history-for-configure-windows-10.md +++ b/windows/configuration/change-history-for-configure-windows-10.md @@ -10,13 +10,19 @@ ms.localizationpriority: high author: jdeckerms ms.author: jdecker ms.topic: article -ms.date: 05/31/2018 +ms.date: 06/05/2018 --- # Change history for Configure Windows 10 This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile. +## June 2018 + +New or changed topic | Description +--- | --- +[Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education](setup-kiosk-digital-signage.md) and [Create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-to-specific-apps.md) | Updated instructions for using Microsoft Intune to configure a kiosk. + ## May 2018 New or changed topic | Description diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md index f1cc7e5caa..7610e6fe75 100644 --- a/windows/configuration/lock-down-windows-10-to-specific-apps.md +++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: edu, security author: jdeckerms ms.localizationpriority: high -ms.date: 04/30/2018 +ms.date: 06/05/2018 ms.author: jdecker ms.topic: article --- 
@@ -38,9 +38,6 @@ You can configure multi-app kiosks using [Microsoft Intune](#intune) or a [provi ## Configure a kiosk in Microsoft Intune -Watch how to use Intune to configure a multi-app kiosk. - ->[!VIDEO https://www.microsoft.com/videoplayer/embed/ce9992ab-9fea-465d-b773-ee960b990c4a?autoplay=false] 1. [Generate the Start layout for the kiosk device.](#startlayout) 2. In the Microsoft Azure portal, search for **Intune** or go to **More services** > **Intune**. 
@@ -49,14 +46,15 @@ Watch how to use Intune to configure a multi-app kiosk. 5. Select **Create profile**. 6. Enter a friendly name for the profile. 7. Select **Windows 10 and later** for the platform. -8. Select **Device restrictions** for the profile type. -9. Select **Kiosk**. -10. In **Kiosk Mode**, select **Multi app kiosk**. -11. Select **Add** to define a configuration, which specifies the apps that will run and the layout for the Start menu. +8. Select **Kiosk (Preview)** for the profile type. +9. Select **Kiosk - 1 setting available**. +10. Select **Add** to define a configuration, which specifies the apps that will run and the layout for the Start menu. 12. Enter a friendly name for the configuration. -13. Select an app type, either **Win32 App** for a classic desktop application or **UWP App** for a Universal Windows Platform app. - - For **Win32 App**, enter the fully qualified pathname of the executable, with respect to the device. - - For **UWP App**, enter the Application User Model ID for an installed app. +10. In **Kiosk Mode**, select **Multi app kiosk**. +13. Select an app type. + - For **Add Win32 app**, enter the **App Name** and **Identifier**. + - For **Add managed apps**, select an app that you manage through Intune. + - For **Add app by AUMID**, enter the Application User Model ID (AUMID) for an installed UWP app. 14. Select whether to enable the taskbar. 15. Browse to and select the Start layout XML file that you generated in step 1. 16. Add one or more accounts. When the account signs in, only the apps defined in the configuration will be available. diff --git a/windows/configuration/setup-kiosk-digital-signage.md b/windows/configuration/setup-kiosk-digital-signage.md index a2b8efc53b..36581a3438 100644 --- a/windows/configuration/setup-kiosk-digital-signage.md +++ b/windows/configuration/setup-kiosk-digital-signage.md 
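Review bot: the step numbers in the @@ -49,14 hunk of PATCH 4/5 (lock-down-windows-10-to-specific-apps.md) are out of order after the edit: the list now runs 8, 9, 10, 12, 10, 13, with the "In **Kiosk Mode**, select **Multi app kiosk**" step inserted as a second "10." after "12." and no step 11. Renumber the list sequentially in the order the steps are performed; later steps refer back by number ("the Start layout XML file that you generated in step 1"), so the numbering is load-bearing.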
@@ -10,7 +10,7 @@ author: jdeckerms ms.author: jdecker ms.topic: article ms.localizationpriority: high -ms.date: 05/25/2018 +ms.date: 06/05/2018 --- # Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education @@ -268,11 +268,11 @@ The following steps explain how to configure a kiosk in Microsoft Intune. For ot 5. Select **Create profile**. 6. Enter a friendly name for the profile. 7. Select **Windows 10 and later** for the platform. -8. Select **Device restrictions** for the profile type. -9. Select **Kiosk**. -10. In **Kiosk Mode**, select **Single app kiosk**. -1. Enter the user account (Azure AD or a local standard user account). -11. Enter the Application User Model ID for an installed app. +8. Select **Kiosk (Preview)** for the profile type. +9. Enter a friendly name for the kiosk configuration. +10. In **Kiosk Mode**, select **Single full-screen app kiosk**. +10. Select either **Select a managed app** to choose a kiosk app that is managed by Intune, or **Enter UWP app AUMID** to specify the kiosk app by AUMID, and then select the app or enter the AUMID as appropriate. +1. For the user account, select either **Autologon** to create a user account for the kiosk that will sign in automatically, or **Local user account** to configure an existing user account to run the kiosk. **Local user account** can be a local standard user account on the device or an Azure Active Directory account. 14. Select **OK**, and then select **Create**. 18. Assign the profile to a device group to configure the devices in that group as kiosks. From 78dc002c7659e2ccaeb996844f9812b5db5e7813 Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Tue, 5 Jun 2018 16:15:04 +0000 Subject: [PATCH 5/5] Merged PR 8783: privacy - change tile on landing page --- windows/privacy/index.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/privacy/index.yml b/windows/privacy/index.yml index 8c3307e588..b600667ee2 100644 --- a/windows/privacy/index.yml 
+++ b/windows/privacy/index.yml @@ -46,7 +46,7 @@ sections: items: - - href: \windows\privacy\gdpr-win10-whitepaper + - href: \windows\privacy\gdpr-it-guidance html:

Learn about GDPR and how Microsoft helps you get started towards compliance
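Review bot: the @@ -46,7 hunk of PATCH 5/5 changes the tile href from \windows\privacy\gdpr-win10-whitepaper to \windows\privacy\gdpr-it-guidance while the html description "Learn about GDPR and how Microsoft helps you get started towards compliance" is left unchanged; confirm it still describes the new target. Since the patch touches only index.yml, also check that the old gdpr-win10-whitepaper path is redirected or that no other page still links to it.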

@@ -54,7 +54,7 @@ sections: src: https://docs.microsoft.com/media/common/i_advanced.svg - title: Begin your GDPR journey + title: Start with GDPR basics - href: \windows\privacy\configure-windows-diagnostic-data-in-your-organization
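Review bot: the @@ -268,11 hunk of PATCH 4/5 (setup-kiosk-digital-signage.md) leaves the step list numbered 8, 9, 10, 10, 1, 14, 18: the user-account step is numbered "1." and two steps share "10.". Renumber sequentially. Because the new **Autologon** option "create[s] a user account for the kiosk that will sign in automatically", the step should also state what kind of account Intune creates and how it is restricted, in the same way the **Local user account** option already says it can be a local standard user account or an Azure Active Directory account, so readers can judge the exposure of an account that signs in without a credential prompt.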