diff --git a/.gitignore b/.gitignore index 60755bf9e7..604950802e 100644 --- a/.gitignore +++ b/.gitignore @@ -10,8 +10,6 @@ Tools/NuGet/ .openpublishing.build.mdproj .openpublishing.buildcore.ps1 packages.config -windows/keep-secure/index.md # User-specific files -.vs/ -*.png \ No newline at end of file +.vs/ \ No newline at end of file diff --git a/atp-mdm-onboarding-package.png b/atp-mdm-onboarding-package.png deleted file mode 100644 index 23b9c49490..0000000000 Binary files a/atp-mdm-onboarding-package.png and /dev/null differ diff --git a/devices/surface/TOC.md b/devices/surface/TOC.md index ee3fbbd2b8..0ce34a2dfe 100644 --- a/devices/surface/TOC.md +++ b/devices/surface/TOC.md @@ -13,6 +13,7 @@ ### [Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md) ### [Manage Surface Dock firmware updates](manage-surface-dock-firmware-updates.md) ### [Surface Dock Updater](surface-dock-updater.md) +### [Wake On LAN for Surface devices](wake-on-lan-for-surface-devices.md) ## [Considerations for Surface and System Center Configuration Manager](considerations-for-surface-and-system-center-configuration-manager.md) ## [Deploy Surface app with Windows Store for Business](deploy-surface-app-with-windows-store-for-business.md) ## [Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices](enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md) diff --git a/devices/surface/change-history-for-surface.md b/devices/surface/change-history-for-surface.md index 5c29629a05..a6195be9e0 100644 --- a/devices/surface/change-history-for-surface.md +++ b/devices/surface/change-history-for-surface.md @@ -11,13 +11,18 @@ author: jdeckerMS This topic lists new and updated topics in the Surface documentation library. +## January 2017 + +|New or changed topic | Description | +| --- | --- | +|[Wake On LAN for Surface devices](wake-on-lan-for-surface-devices.md) | New | + ## December 2016 |New or changed topic | Description | | --- | --- | |[Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md) | Added driver info for Surface Studio; updated info for Surface Book and Surface Pro 4 (Windows 10 .zip cumulative update), Surface Pro 3 (Windows8.1-KB2969817-x64.msu), and Surface 3 (UEFI Asset Tag management tool)| - ## November 2016 |New or changed topic | Description | diff --git a/devices/surface/update.md b/devices/surface/update.md index 3e00c77e71..46d1f3b6bd 100644 --- a/devices/surface/update.md +++ b/devices/surface/update.md @@ -16,6 +16,7 @@ Find out how to download and manage the latest firmware and driver updates for y | Topic | Description | | --- | --- | +|[Wake On LAN for Surface devices](wake-on-lan-for-surface-devices.md) | See how you can use Wake On LAN to remotely wake up devices to perform management or maintenance tasks, or to enable management solutions automatically. | | [Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)| Get a list of the available downloads for Surface devices and links to download the drivers and firmware for your device.| | [Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md)| Explore the available options to manage firmware and driver updates for Surface devices.| | [Manage Surface Dock firmware updates](manage-surface-dock-firmware-updates.md)| Read about the different methods you can use to manage the process of Surface Dock firmware updates.| diff --git a/devices/surface/wake-on-lan-for-surface-devices.md b/devices/surface/wake-on-lan-for-surface-devices.md new file mode 100644 index 0000000000..cee0c58856 --- /dev/null +++ b/devices/surface/wake-on-lan-for-surface-devices.md @@ -0,0 +1,56 @@ +--- +title: Wake On LAN for Surface devices (Surface) +description: See how you can use Wake On LAN to remotely wake up devices to perform management or maintenance tasks, or to enable management solutions automatically – even if the devices are powered down. +keywords: update, deploy, driver, wol, wake-on-lan +ms.prod: w10 +ms.mktglfcycl: manage +ms.pagetype: surface, devices +ms.sitesec: library +author: jobotto +--- + +# Wake On LAN for Surface devices + +Surface devices that run Windows 10, version 1607 (also known as Windows 10 Anniversary Update) or later and use a Surface Ethernet adapter to connect to a wired network, are capable of Wake On LAN (WOL) from Connected Standby. With WOL, you can remotely wake up devices to perform management or maintenance tasks or enable management solutions (such as System Center Configuration Manager) automatically – even if the devices are powered down. For example, you can deploy applications to Surface devices left docked with a Surface Dock or Surface Pro 3 Docking Station by using System Center Configuration Manager during a window in the middle of the night, when the office is empty. + +>[!NOTE] +>Surface devices must be connected to AC power to support WOL. + +## Supported devices + +The following devices are supported for WOL: + +* Surface Book +* Surface Pro 4 +* Surface Pro 3 +* Surface 3 +* Surface Ethernet adapter +* Surface Dock +* Surface Docking Station for Surface Pro 3 + +## WOL driver + +To enable WOL support on Surface devices, a specific driver for the Surface Ethernet adapter is required. This driver is not included in the standard driver and firmware pack for Surface devices – you must download and install it separately. You can download the Surface WOL driver (SurfaceWOL.msi) from the [Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) page in the Microsoft Download Center. + +You can run this Microsoft Windows Installer (.msi) file on a Surface device to install the Surface WOL driver, or you can distribute it to Surface devices with an application deployment solution, such as System Center Configuration Manager. To include the Surface WOL driver during deployment, you can install the .msi file as an application during the deployment process. You can also extract the Surface WOL driver files to include them in the deployment process. For example, you can include them in your Microsoft Deployment Toolkit (MDT) deployment share. You can read more about Surface deployment with MDT in [Deploy Windows 10 to Surface devices with Microsoft Deployment Toolkit](https://technet.microsoft.com/itpro/surface/deploy-windows-10-to-surface-devices-with-mdt). + +>[!NOTE] +>During the installation of SurfaceWOL.msi, the following registry key is set to a value of 1, which allows easy identification of systems where the WOL driver has been installed. If you chose to extract and install these drivers separately during deployment, this registry key will not be configured and must be configured manually or with a script. + +>**HKLM\SYSTEM\CurrentControlSet\Control\Power AllowSystemRequiredPowerRequests** + +To extract the contents of SurfaceWOL.msi, use the MSIExec administrative installation option (**/a**), as shown in the following example, to extract the contents to the C:\WOL\ folder: + + `msiexec /a surfacewol.msi targetdir=C:\WOL /qn` + +## Using Surface WOL + +The Surface WOL driver conforms to the WOL standard, whereby the device is woken by a special network communication known as a magic packet. The magic packet consists of 6 bytes of 255 (or FF in hexadecimal) followed by 16 repetitions of the target computer’s MAC address. You can read more about the magic packet and the WOL standard on [Wikipedia](https://wikipedia.org/wiki/Wake-on-LAN#Magic_packet). + +>[!NOTE] +>To send a magic packet and wake up a device by using WOL, you must know the MAC address of the target device and Ethernet adapter. Because the magic packet does not use the IP network protocol, it is not possible to use the IP address or DNS name of the device. + +Many management solutions, such as System Center Configuration Manager, provide built-in support for WOL. There are also many solutions, including Windows Store apps, PowerShell modules, third-party applications, and third-party management solutions that allow you to send a magic packet to wake up a device. For example, you can use the [Wake On LAN PowerShell module](https://gallery.technet.microsoft.com/scriptcenter/Wake-On-Lan-815424c4) from the TechNet Script Center. + +>[!NOTE] +>After a device has been woken up with a magic packet, the device will return to sleep if an application is not actively preventing sleep on the system or if the AllowSystemRequiredPowerRequests registry key is not configured to 1, which allows applications to prevent sleep. See the [WOL driver](#wol-driver) section of this article for more information about this registry key. diff --git a/windows/deploy/images/icd-multi-target-true.png b/windows/deploy/images/icd-multi-target-true.png new file mode 100644 index 0000000000..5fec405fd6 Binary files /dev/null and b/windows/deploy/images/icd-multi-target-true.png differ diff --git a/windows/deploy/images/icd-multi-targetstate-true.png b/windows/deploy/images/icd-multi-targetstate-true.png new file mode 100644 index 0000000000..7733b9c400 Binary files /dev/null and b/windows/deploy/images/icd-multi-targetstate-true.png differ diff --git a/windows/deploy/images/multi-target.png b/windows/deploy/images/multi-target.png new file mode 100644 index 0000000000..fb6ddd7a2d Binary files /dev/null and b/windows/deploy/images/multi-target.png differ diff --git a/windows/deploy/index.md b/windows/deploy/index.md index 6beda342c0..b2d4ab858c 100644 --- a/windows/deploy/index.md +++ b/windows/deploy/index.md @@ -5,6 +5,7 @@ ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +localizationpriority: high author: greg-lindsay --- diff --git a/windows/deploy/windows-10-poc.md b/windows/deploy/windows-10-poc.md index fceb199fec..74b8d0f352 100644 --- a/windows/deploy/windows-10-poc.md +++ b/windows/deploy/windows-10-poc.md @@ -844,15 +844,16 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to ![ISE](images/ISE.png) 19. Click **File**, click **Save As**, and save the commands as **c:\VHD\pc1.ps1** on the Hyper-V host. -20. In the (lower) terminal input window, type the following command to copy the script to PC1 using integration services: +20. In the (lower) terminal input window, type the following commands to enable Guest Service Interface on PC1 and then use this service to copy the script to PC1: 
+    Enable-VMIntegrationService -VMName PC1 -Name "Guest Service Interface"
     Copy-VMFile "PC1" –SourcePath "C:\VHD\pc1.ps1"  –DestinationPath "C:\pc1.ps1" –CreateFullPath –FileSource Host
- >In order for this command to work properly, PC1 must be running the vmicguestinterface (Hyper-V Guest Service Interface) service. If this service is not installed, you can try updating integration services on the VM. This can be done by mounting the Hyper-V Integration Services Setup (vmguest.iso), which is located in C:\Windows\System32 on Windows Server operating systems that are running the Hyper-V role service. + >In order for this command to work properly, PC1 must be running the vmicguestinterface (Hyper-V Guest Service Interface) service. If this service is not enabled in this step, then the copy-VMFile command will fail. In this case, you can try updating integration services on the VM by mounting the Hyper-V Integration Services Setup (vmguest.iso), which is located in C:\Windows\System32 on Windows Server 2012 and 2012 R2 operating systems that are running the Hyper-V role service. - If the copy-vmfile command does not work and you cannot properly upgrade integration services on PC1, then create the file c:\pc1.ps1 on the VM by typing the commands into this file manually. The copy-vmfile command is only used in this procedure as a demonstration. After typing the script file manually, be sure to save the file as a Windows PowerShell script file with the .ps1 extension and not as a text (.txt) file. + If the copy-vmfile command does not work and you cannot properly enable or upgrade integration services on PC1, then create the file c:\pc1.ps1 on the VM by typing the commands into this file manually. The copy-vmfile command is only used in this procedure as a demonstration of automation methods that can be used in a Hyper-V environment when enhanced session mode is not available. After typing the script file manually, be sure to save the file as a Windows PowerShell script file with the .ps1 extension and not as a text (.txt) file. 21. On PC1, type the following commands at an elevated Windows PowerShell prompt: @@ -863,7 +864,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to >The commands in this script might take a few moments to complete. If an error is displayed, check that you typed the command correctly, paying close attention to spaces. PC1 is removed from its domain in this step while not connected to the corporate network so as to ensure the computer object in the corporate domain is unaffected. PC1 is also not renamed to "PC1" in system properties so that it maintains some of its mirrored identity. However, if desired you can also rename the computer. 22. Upon completion of the script, PC1 will automatically restart. When it has restarted, sign in to the contoso.com domain using the **Switch User** option, with the **user1** account you created in step 11 of this section. - >**Important**: The settings that will be used later to migrate user data specifically select only accounts that belong to the CONTOSO domain. However, this can be changed to migrate all use accounts, or only other specific accounts. If you wish to test migration of user data and settings with accounts other than those in the CONTOSO domain, you must specify these accounts or domains when you configure the value of **ScanStateArgs** in the MDT test lab guide. This value is specifically called out when you get to that step. If you wish to only migrate CONTOSO accounts, then you can log in with the user1 account or the administrator account at this time and modify some of the files and settings for later use in migration testing. + >**Important**: The settings that will be used later to migrate user data specifically select only accounts that belong to the CONTOSO domain. However, this can be changed to migrate all user accounts, or only other specified accounts. If you wish to test migration of user data and settings with accounts other than those in the CONTOSO domain, you must specify these accounts or domains when you configure the value of **ScanStateArgs** in the MDT test lab guide. This value is specifically called out when you get to that step. If you wish to only migrate CONTOSO accounts, then you can log in with the user1 account or the administrator account at this time and modify some of the files and settings for later use in migration testing. 23. Minimize the PC1 window but do not turn it off while the second Windows Server 2012 R2 VM (SRV1) is configured. This verifies that the Hyper-V host has enough resources to run all VMs simultaneously. Next, SRV1 will be started, joined to the contoso.com domain, and configured with RRAS and DNS services. 24. On the Hyper-V host computer, at an elevated Windows PowerShell prompt, type the following commands: diff --git a/windows/index.md b/windows/index.md index d5e7f92b8a..31050c6bd6 100644 --- a/windows/index.md +++ b/windows/index.md @@ -3,6 +3,7 @@ title: Windows 10 and Windows 10 Mobile (Windows 10) description: This library provides the core content that IT pros need to evaluate, plan, deploy, and manage devices running Windows 10 or Windows 10 Mobile. ms.assetid: 345A4B4E-BC1B-4F5C-9E90-58E647D11C60 ms.prod: w10 +localizationpriority: high author: brianlic-msft --- diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index 7662302c08..d687114889 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -197,7 +197,7 @@ ###### [Monitor claim types](monitor-claim-types.md) ##### [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) ###### [Audit Credential Validation](audit-credential-validation.md) -####### [Event 4774 S: An account was mapped for logon.](event-4774.md) +####### [Event 4774 S, F: An account was mapped for logon.](event-4774.md) ####### [Event 4775 F: An account could not be mapped for logon.](event-4775.md) ####### [Event 4776 S, F: The computer attempted to validate the credentials for an account.](event-4776.md) ####### [Event 4777 F: The domain controller failed to validate the credentials for an account.](event-4777.md) diff --git a/windows/keep-secure/choose-the-right-bitlocker-countermeasure.md b/windows/keep-secure/choose-the-right-bitlocker-countermeasure.md index 1c6c64a34a..241eadd7f7 100644 --- a/windows/keep-secure/choose-the-right-bitlocker-countermeasure.md +++ b/windows/keep-secure/choose-the-right-bitlocker-countermeasure.md @@ -64,7 +64,7 @@ Tables 1 and 2 summarize the recommended mitigations for different types of atta -**Table 1.**  How to choose the best countermeasures for Windows 8.1 +**Table 1.**  How to choose the best countermeasures for Windows 8.1

diff --git a/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md index a682992574..a5cd3f4bf4 100644 --- a/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md @@ -79,8 +79,8 @@ The following steps assume that you have completed all the required steps in [Be - + diff --git a/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md index ee6c76e9b7..8dc36252d3 100644 --- a/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md @@ -56,7 +56,7 @@ You'll need to configure Splunk so that it can consume Windows Defender ATP aler - diff --git a/windows/keep-secure/create-wip-policy-using-sccm.md b/windows/keep-secure/create-wip-policy-using-sccm.md index 350d5e1f54..49801ae337 100644 --- a/windows/keep-secure/create-wip-policy-using-sccm.md +++ b/windows/keep-secure/create-wip-policy-using-sccm.md @@ -436,11 +436,11 @@ There are no default locations included with WIP, you must add each of your netw ![Create Configuration Item wizard, Add whether to search for additional network settings](images/wip-sccm-optsettings.png) - - **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network. Not configured is the default option. + - **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network. Not configured is the default option. - - **Enterprise IP Ranges list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network. Not configured is the default option. + - **Enterprise IP Ranges list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network. Not configured is the default option. - - **Show the Windows Information Protection icon overlay on your allowed apps that are WIP-unaware on corporate files in the File Explorer.** Click this box if you want the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but allowed apps, the icon overlay also appears on the app tile and with *Managed* text on the app name in the **Start** menu. Not configured is the default option. + - **Show the Windows Information Protection icon overlay on your allowed apps that are WIP-unaware on corporate files in the File Explorer.** Click this box if you want the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but allowed apps, the icon overlay also appears on the app tile and with *Managed* text on the app name in the **Start** menu. Not configured is the default option. 5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy. diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 27813be3bc..c038a4d588 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -48,7 +48,7 @@ The following tables provide more information about the hardware, firmware, and > [!NOTE] > For new computers running Windows 10, Trusted Platform Module (TPM 2.0) must be enabled by default. This requirement is not restated in the tables that follow.
-> If you are an OEM, see the requirements information at [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514(v=vs.85).aspx).
+> If you are an OEM, see the requirements information at [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx).
> Starting in Widows 10, 1607, TPM 2.0 is required. @@ -61,7 +61,7 @@ The following tables provide more information about the hardware, firmware, and | Hardware: **Trusted Platform Module (TPM)** | **Requirement**: TPM 1.2 or TPM 2.0, either discrete or firmware.

**Security benefits**: A TPM provides protection for VBS encryption keys that are stored in the firmware. This helps protect against attacks involving a physically present user with BIOS access. | | Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)

**Security benefits**: UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. | | Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).

**Security benefits**: UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. | -| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT

Important:
Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.


**Security benefits**: Support for VBS and for management features that simplify configuration of Credential Guard. | +| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT

Important:
Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.


**Security benefits**: Support for VBS and for management features that simplify configuration of Credential Guard. | > [!IMPORTANT] > The preceding table lists requirements for baseline protections. The following tables list requirements for improved security. You can use Credential Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security, to significantly strengthen the level of security that Credential Guard can provide. diff --git a/windows/keep-secure/event-4774.md b/windows/keep-secure/event-4774.md index 2b626f9576..5d919fd37b 100644 --- a/windows/keep-secure/event-4774.md +++ b/windows/keep-secure/event-4774.md @@ -1,6 +1,6 @@ --- title: 4774(S) An account was mapped for logon. (Windows 10) -description: Describes security event 4774(S) An account was mapped for logon. +description: Describes security event 4774(S, F) An account was mapped for logon. ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy @@ -8,14 +8,13 @@ ms.sitesec: library author: Mir0sh --- -# 4774(S): An account was mapped for logon. +# 4774(S, F): An account was mapped for logon. **Applies to** - Windows 10 - Windows Server 2016 - -It appears that this event never occurs. +Success events do not appear to occur. Failure event [has been reported](http://forum.ultimatewindowssecurity.com/Topic7313-282-1.aspx). ***Subcategory:*** [Audit Credential Validation](audit-credential-validation.md) @@ -23,7 +22,7 @@ It appears that this event never occurs. *An account was mapped for logon.* -*Authentication Package:%1* +*Authentication Package:Schannel* *Account UPN:%2* diff --git a/windows/keep-secure/how-to-configure-security-policy-settings.md b/windows/keep-secure/how-to-configure-security-policy-settings.md index 6a307acac3..2731ce37e8 100644 --- a/windows/keep-secure/how-to-configure-security-policy-settings.md +++ b/windows/keep-secure/how-to-configure-security-policy-settings.md @@ -31,9 +31,9 @@ When a local setting is inaccessible, it indicates that a GPO currently controls 3. When you find the policy setting in the details pane, double-click the security policy that you want to modify. 4. Modify the security policy setting, and then click **OK**. - **Note**   - - Some security policy settings require that the device be restarted before the setting takes effect. - - Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + > [!NOTE] + > - Some security policy settings require that the device be restarted before the setting takes effect. + > - Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.   ## To configure a security policy setting using the Local Group Policy Editor console @@ -48,11 +48,13 @@ You must have the appropriate permissions to install and use the Microsoft Manag 4. In the details pane, double-click the security policy setting that you want to modify. - >**Note:**  If this security policy has not yet been defined, select the **Define these policy settings** check box. + > [!NOTE] + > If this security policy has not yet been defined, select the **Define these policy settings** check box.   5. Modify the security policy setting, and then click **OK**. ->**Note:**  If you want to configure security settings for many devices on your network, you can use the Group Policy Management Console. +> [!NOTE] +> If you want to configure security settings for many devices on your network, you can use the Group Policy Management Console.   ## To configure a setting for a domain controller @@ -65,13 +67,15 @@ The following procedure describes how to configure a security policy setting for - Click **Local Policies** to edit the **Audit Policy**, a **User Rights Assignment**, or **Security Options**. 3. In the details pane, double-click the security policy that you want to modify. - >**Note**  If this security policy has not yet been defined, select the **Define these policy settings** check box. + + > [!NOTE] + > If this security policy has not yet been defined, select the **Define these policy settings** check box.   4. Modify the security policy setting, and then click **OK**. -**Important**   -- Always test a newly created policy in a test organizational unit before you apply it to your network. -- When you change a security setting through a GPO and click **OK**, that setting will take effect the next time you refresh the settings. +> [!IMPORTANT]   +> - Always test a newly created policy in a test organizational unit before you apply it to your network. +> - When you change a security setting through a GPO and click **OK**, that setting will take effect the next time you refresh the settings.   ## Related topics diff --git a/windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md b/windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md index 032e04c1ad..c3595ae774 100644 --- a/windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md +++ b/windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md @@ -22,8 +22,8 @@ Credential Manager is a place where credentials in the OS are can be stored for For VPN, the VPN stack saves its credential as the session default. For WiFi, EAP does it. -The credentials are put in Credential Manager as a "`*Session`" credential. -A "`*Session`" credential implies that it is valid for the current user session. +The credentials are put in Credential Manager as a "\*Session" credential. +A "\*Session" credential implies that it is valid for the current user session. The credentials are also cleaned up when the WiFi or VPN connection is disconnected. When the user tries to access a domain resource, using Edge for example, Edge has the right Enterprise Authentication capability so [WinInet](https://msdn.microsoft.com/library/windows/desktop/aa385483.aspx) can release the credentials that it gets from the Credential Manager to the SSP that is requesting it. diff --git a/windows/keep-secure/images/atp-intune-add-policy.png b/windows/keep-secure/images/atp-intune-add-policy.png new file mode 100644 index 0000000000..570ab0a688 Binary files /dev/null and b/windows/keep-secure/images/atp-intune-add-policy.png differ diff --git a/windows/keep-secure/index.md b/windows/keep-secure/index.md index 1307bc7110..aee90f46a5 100644 --- a/windows/keep-secure/index.md +++ b/windows/keep-secure/index.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +localizationpriority: high author: brianlic-msft --- # Keep Windows 10 secure diff --git a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md index 5de3da4f21..fad266b5ee 100644 --- a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md +++ b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md @@ -54,7 +54,7 @@ The following tables provide more information about the hardware, firmware, and | Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)

**Security benefits**: UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. | | Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).

**Security benefits**: UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. | | Software: **HVCI compatible drivers** | **Requirements**: See the Windows Hardware Compatibility Program requirements under [Filter.Driver.DeviceGuard.DriverCompatibility](https://msdn.microsoft.com/library/windows/hardware/mt589732(v=vs.85).aspx).

**Security benefits**: [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. | -| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT

Important:
Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.


**Security benefits**: Support for VBS and for management features that simplify configuration of Device Guard. | +| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT

Important:
Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.


**Security benefits**: Support for VBS and for management features that simplify configuration of Device Guard. | > **Important**  The preceding table lists requirements for baseline protections. The following tables list requirements for improved security. You can use Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security, to significantly strengthen the level of security that Device Guard can provide. diff --git a/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md b/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md index ac8772f7b7..3730d58e83 100644 --- a/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md +++ b/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md @@ -2222,7 +2222,20 @@ Description of the error. - + + + + + + + + +
Type in the name of the client property file. It must match the client property file.
Events URLDepending on the location of your datacenter, select either the EU or the US URL:

**For EU**: https://wdatp-alertexporter-eu.securitycenter.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME -
**For US:** https://wdatp-alertexporter-us.securitycenter.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME		Depending on the location of your datacenter, select either the EU or the US URL:

**For EU**: https://wdatp-alertexporter-eu.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME +
**For US:** https://wdatp-alertexporter-us.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME
Authentication Type OAuth 2
Endpoint URLDepending on the location of your datacenter, select either the EU or the US URL:

**For EU**: https://wdatp-alertexporter-eu.securitycenter.windows.com/api/alerts
**For US:** https://wdatp-alertexporter-us.securitycenter.windows.com/api/alerts + 		Depending on the location of your datacenter, select either the EU or the US URL:

**For EU**: https://wdatp-alertexporter-eu.windows.com/api/alerts
**For US:** https://wdatp-alertexporter-us.windows.com/api/alerts

The support for your operating system has expired. Windows Defender is no longer supported on your operating system, has stopped functioning, and is not protecting against malware threats.

Event ID: 2050

Symbolic name:

MALWAREPROTECTION_SAMPLESUBMISSION_UPLOADED

Message:

The antimalware engine has uploaded a file for further analysis.
Filename <uploaded filename>
Sha256: <file SHA>

Description:

A file was uploaded to the Windows Defender Antimalware cloud for further analysis or processing.

Event ID: 2050

Symbolic name:

MALWAREPROTECTION_SAMPLESUBMISSION_UPLOAD

Message:

The antimalware engine has uploaded a file for further analysis.
Filename <uploaded filename>
Sha256: <file SHA>

Description:

A file was uploaded to the Windows Defender Antimalware cloud for further analysis or processing.

Event ID: 2051

Symbolic name:

MALWAREPROTECTION_SAMPLESUBMISSION_UPLOADED_FAILED

Message:

The antimalware engine has encountered an error trying to upload a suspicious file for further analysis.
+Filename: <uploaded filename>
+Sha256: <file SHA>
+Current Signature Version: <signature version number>
+Current Engine Version: <engine version number>
+Error code: <error code>

Description:

A file could not be uploaded to the Windows Defender Antimalware cloud.

User action:

You can attempt to manually submit the file.

Event ID: 3002 diff --git a/windows/keep-secure/using-owa-with-wip.md b/windows/keep-secure/using-owa-with-wip.md index f4046b30a6..f99f10fb6f 100644 --- a/windows/keep-secure/using-owa-with-wip.md +++ b/windows/keep-secure/using-owa-with-wip.md @@ -23,7 +23,6 @@ Because Outlook Web Access (OWA) can be used both personally and as part of your |-------|-------------| |Disable OWA. Employees can only use Microsoft Outlook 2016 or the Office 365 Mail app. | Disabled. | |Don't configure outlook.office.com in any of your networking settings. |All mailboxes are automatically marked as personal. This means employees attempting to copy work content into OWA receive prompts and that files downloaded from OWA aren't automatically protected as corporate data. | -|Do all of the following:
  • Create a domain (such as mail.contoso.com, redirecting to outlook.office.com) that can be used by your employees to access work email.
  • Add the new domain to the Enterprise Cloud Resources network element in your WIP policy.
  • Add the following URLs to the Neutral Resources network element in your WIP policy:
    • outlook.office365.com
    • outlook.office.com
    • outlook-sdf.office.com
    • attachment.outlook.office.net
|Inbox content accessed through the new domain is automatically marked as corporate data, while content accessed through personal email is automatically marked as personal. | |Add outlook.office.com to the Enterprise Cloud Resources network element in your WIP policy. |All mailboxes are automatically marked as corporate. This means any personal inboxes hosted on Office 365 are also automatically marked as corporate data. | >[!NOTE] diff --git a/windows/manage/index.md b/windows/manage/index.md index e9e8ac3329..73e961d01d 100644 --- a/windows/manage/index.md +++ b/windows/manage/index.md @@ -7,6 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security +localizationpriority: high author: jdeckerMS --- diff --git a/windows/manage/stop-employees-from-using-the-windows-store.md b/windows/manage/stop-employees-from-using-the-windows-store.md index 8f2d26753c..d09e5ae2be 100644 --- a/windows/manage/stop-employees-from-using-the-windows-store.md +++ b/windows/manage/stop-employees-from-using-the-windows-store.md @@ -29,8 +29,8 @@ You can use these tools to configure access to Windows Store: AppLocker or Group ## Block Windows Store using AppLocker +Applies to: Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile -Applies to: Windows 10 Enterprise, Windows 10 Mobile AppLocker provides policy-based access control management for applications. You can block access to Windows Store app with AppLocker by creating a rule for packaged apps. You'll give the name of the Windows Store app as the packaged app that you want to block from client computers. @@ -59,7 +59,10 @@ For more information on AppLocker, see [What is AppLocker?](../keep-secure/what- ## Block Windows Store using Group Policy -Applies to: Windows 10 Enterprise, version 1511 +Applies to: Windows 10 Enterprise, version 1511, Windows 10 Education + +> [!Note] +> Not supported on Windows 10 Pro. You can also use Group Policy to manage access to Windows Store. @@ -89,7 +92,7 @@ When your MDM tool supports Windows Store for Business, the MDM can use these CS For more information, see [Configure an MDM provider](configure-mdm-provider-windows-store-for-business.md). ## Show private store only using Group Policy -Applies to Windows 10 Enterprise, version 1607. +Applies to Windows 10 Enterprise, version 1607, Windows 10 Education If you're using Windows Store for Business and you want employees to only see apps you're managing in your private store, you can use Group Policy to show only the private store. Windows Store app will still be available, but employees can't view or purchase apps. Employees can view and install apps that the admin has added to your organization's private store. diff --git a/windows/manage/waas-restart.md b/windows/manage/waas-restart.md index e8a8394d2d..33371c4c5f 100644 --- a/windows/manage/waas-restart.md +++ b/windows/manage/waas-restart.md @@ -18,33 +18,67 @@ localizationpriority: high > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) -You can use Group Policy settings or mobile device management (MDM) to configure when devices will restart after a Windows 10 update is installed. You can schedule update installation and set policies for restart, configure active hours for when restarts will not occur, or you can do both. +You can use Group Policy settings, mobile device management (MDM) or Registry (not recommended) to configure when devices will restart after a Windows 10 update is installed. You can schedule update installation and set policies for restart, configure active hours for when restarts will not occur, or you can do both. ## Schedule update installation -When you set the **Configure Automatic Updates** policy to **Auto download and schedule the install**, you also configure the day and time for installation or you specify that installation will occur during the automatic maintenance time (configured using **Computer Configuration\Administrative Templates\Windows Components\Maintenance Scheduler**). +In Group Policy, within **Configure Automatic Updates**, you can configure a forced restart after a specified instllation time. -When **Configure Automatic Updates** is enabled, you can enable one of the following additional policies to manage device restart: +To set the time, you need to go to **Configure Automatic Updates**, select option **4 - Auto download and schedule the instal**, and then enter a time in the **Scheduled install time** dropdown. Alternatively, you can specify that installtion will occur during the automatic maintenance time (configured using **Computer Configuration\Administrative Templates\Windows Components\Maintenance Scheduler**). + +**Always automatically restart at the scheduled time** forces a restart after the specified installation time and lets you configure a timer to warn a signed-in user that a restart is going to occur. + +While not recommended, the same result can be achieved through Registry. Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**, set **AuOptions** to **4**, set the install time with **ScheduledInstallTime**, enable **AlwaysAutoRebootAtScheduledTime** and specify the delay in minutes through **AlwaysAutoRebootAtScheduledTimeMinutes**. Similar to Group Policy, **AlwaysAutoRebootAtScheduledTimeMinutes** sets the timer to warn a signed-in user that a restart is going to occur. + +For a detailed description of these regsitry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart). + +## Delay automatic reboot + +When **Configure Automatic Updates** is enabled in Group Policy, you can enable one of the following additional policies to delay an automatic reboot after update installtion: - **Turn off auto-restart for updates during active hours** prevents automatic restart during active hours. -- **Always automatically restart at the scheduled time** forces a restart after the specified installation time and lets you configure a timer to warn a signed-in user that a restart is going to occur. To set the time, you need to go **Configure Automatic Updates**, select option **4 - Auto download and schedule the install**, and then enter a time in the **Scheduled install time** dropdown. - **No auto-restart with logged on users for scheduled automatic updates installations** prevents automatic restart when a user is signed in. If a user schedules the restart in the update notification, the device will restart at the time the user specifies even if a user is signed in at the time. This policy only applies when **Configure Automatic Updates** is set to option **4-Auto download and schedule the install**. +You can also use Registry, to prevent automatic restarts when a user is signed in. Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**, set **AuOptions** to **4** and enable **NoAutoRebootWithLoggedOnUsers**. As with Group Policy, if a user schedules the restart in the update notification, it will override this setting. + +For a detailed description of these regsitry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart). + ## Configure active hours -You can configure active hours for devices without setting the **Configure Automatic Updates** policy. *Active hours* identify the period of time when you expect the device to be in use. Automatic restarts after an update will occur outside of the active hours. +*Active hours* identify the period of time when you expect the device to be in use. Automatic restarts after an update will occur outside of the active hours. -By default, active hours are from 8 AM to 5 PM on PCs and from 5 AM to 11 PM on phones. Users can change the active hours manually. Additionally, administrators can use Group Policy or MDM to set active hours for managed devices. +By default, active hours are from 8 AM to 5 PM on PCs and from 5 AM to 11 PM on phones. Users can change the active hours manually. + +Administrators can use multiple ways to set active hours for managed devices: + +- You can use Group Policy, as described in the procedure that follows. +- You can use MDM, as described in [Configuring active hours with MDM](#configuring-active-hours-with-mdm). +- While not recommended, you can also configure active hours, as descrbied in [Configuring active hours through Registry](#configuring-active-hours-through-registry). + +### Configuring active hours with Group Policy To configure active hours using Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and open the **Turn off auto-restart for updates during active hours** policy setting. When the policy is enabled, you can set the start and end times for active hours. ![Use Group Policy to configure active hours](images/waas-active-hours-policy.png) +### Configuring active hours with MDM + MDM uses the [Update/ActiveHoursStart and Update/ActiveHoursEnd](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_ActiveHoursEnd) settings in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to configure active hours. -To configure active hours manually on a single device, go to **Settings** > **Update & security** > **Windows Update** and select **Change active hours**. +### Configuring active hours through Registry -![Change active hours](images/waas-active-hours.png) +This method is not recommended, and should only be used when neither Group Policy or MDM are available. +Any settings configured through Registry may conflict with any existing configuration that uses any of the methods mentioned above. + +You should set a combination of the following registry values, in order to configure active hours. +Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate** use **SetActiveHours** to enable or disable active hours and **ActiveHoursStart**,**ActiveHoursEnd** to specify the range of active hours. + +For a detailed description of these regsitry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart). + +>[!NOTE] +>To configure active hours manually on a single device, go to **Settings** > **Update & security** > **Windows Update** and select **Change active hours**. +> +>![Change active hours](images/waas-active-hours.png) ## Limit restart delays @@ -65,11 +99,36 @@ In the Group Policy editor, you will see a number of policy settings that pertai | Reschedule Automatic Updates scheduled installations | ![no](images/crossmark.png) | | >[!NOTE] ->If you set conflicting restart policies, the actual restart behavior may not be what you expected. +>You can only choose one path for restart behavior. +> +>If you set conflicting restart policies, the actual restart behavior may not be what you expected. +## Registry keys used to manage restart +The following tables list registry values that correspond to the Group Policy settings for controlling restarts after updates in Windows 10. +**HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate** +| Registry key | Key type | Value | +| --- | --- | --- | +| ActiveHoursEnd | REG_DWORD | 0-23: set active hours to end at a specific hour
starts with 12 AM (0) and ends with 11 PM (23) | +| ActiveHoursStart | REG_DWORD | 0-23: set active hours to start at a specific hour
starts with 12 AM (0) and ends with 11 PM (23) | +| SetActiveHours | REG_DWORD | 0: disable automatic restart after updates outside of active hours
1: enable automatic restart after updates outside of active hours | +**HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU** + +| Registry key | Key type | Value | +| --- | --- | --- | +| AlwaysAutoRebootAtScheduledTime | REG_DWORD | 0: disable automatic reboot after update installation at scheduled time
1: enable automatic reboot after update installation at ascheduled time | +| AlwaysAutoRebootAtScheduledTimeMinutes | REG_DWORD | 15-180: set automatic reboot to occur after given minutes | +| AUOptions | REG_DWORD | 2: notify for download and automatically install updates
3: automatically download and notify for instllation of updates
4: Automatically download and schedule installation of updates
5: allow the local admin to configure these settings
**Note:** To configure restart behavior, set this value to **4** | +| NoAutoRebootWithLoggedOnUsers | REG_DWORD | 0: disable do not reboot if users are logged on
1: do not reboot after an update installation if a user is logged on
**Note:** If disabled : Automatic Updates will notify the user that the computer will automatically restarts in 5 minutes to complete the installation | +| ScheduledInstallTime | REG_DWORD | 0-23: schedule update installation time to a specific hour
starts with 12 AM (0) and ends with 11 PM (23) | + +There are 3 different registry combination for controlling restart: + +- To set active hours, **SetActiveHours** should be **1**, while **ActiveHoursStart** and **ActiveHoursEnd** should define the time range. +- To schedule a specific instllation and reboot time, **AUOptions** should be **4**, **ScheduledInstallTime** should specify the installation time, **AlwaysAutoRebootAtScheduledTime** set to **1** and **AlwaysAutoRebootAtScheduledTimeMinutes** should specify number of minutes to wait before rebooting. +- To delay rebooting if a user is logged on, **AUOptions** should be **4**, while **NoAutoRebootWithLoggedOnUsers** is set to **1**. ## Related topics diff --git a/windows/plan/index.md b/windows/plan/index.md index 8dd569303a..dfa19e4252 100644 --- a/windows/plan/index.md +++ b/windows/plan/index.md @@ -6,6 +6,7 @@ keywords: deploy, upgrade, update, configure ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library +localizationpriority: high author: TrudyHa ---