deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-13 05:47:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'refs/remotes/origin/master' into rs3

Browse Source
This commit is contained in:
jdeckerMS 2017-09-25 08:02:27 -07:00
commit 31b13fa097
24 changed files with 600 additions and 43 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
bcs/index.md
View File

@ -3,6 +3,7 @@ layout: HubPage
hide_bc: true
author: CelesteDG
ms.author: celested
keywords: Microsoft 365 Business, Microsoft 365, business, Microsoft 365 Business documentation, docs, documentation
ms.topic: hub-page
ms.localizationpriority: high
audience: microsoft-business 

3
bcs/support/microsoft-365-business-faqs.md
View File

@ -1,4 +1,4 @@
--- 
---
title: Microsoft 365 Business Frequently Asked Questions 
description: Find answers to the most frequently asked questions about Microsoft 365 Business, a new solution designed for small and midsize businesses (SMB). 
author: CelesteDG 
@ -11,6 +11,7 @@ keywords: Microsoft 365 Business, Microsoft 365, SMB, FAQ, frequently asked ques
ms.date: 08/04/2017
---
# Microsoft 365 Business Frequently Asked Questions
## Introduction

7
microsoft-365/index.md
View File

@ -1,11 +1,12 @@
---
layout: HubPage
hide_bc: true
author: v-kents
author: CelesteDG
ms.author: celested
ms.topic: hub-page
keywords: Microsoft 365, Microsoft 365 documentation, Microsoft 365 for business, Microsoft 365 for enterprise, enterprise, business, docs, documentation
title: Microsoft 365 Documentation
description: Microsoft 365 is a complete, intelligent solution, including Office 365, Windows 10, and Enterprise Mobility + Security, that empowers everyone to be creative and work together, securely.
description: Find documentation and resources for Microsoft 365--a complete, intelligent solution, including Office 365, Windows 10, and Enterprise Mobility + Security, that empowers everyone to be creative and work together, securely.
---
<div id="main" class="v2">
<div class="container">
@ -52,7 +53,7 @@ description: Microsoft 365 is a complete, intelligent solution, including Office
<div class="cardText">
<br />
<h3>Microsoft 365 Business</h3>
<p>Microsoft 365 Business is designed for small- to medium-sized businesses with up to 300 users and integrates Office 365 Business Premium with tailored security and management features from Windows 10, and Enterprise Mobility + Security. </p>
<p>Microsoft 365 Business is a new solution designed for small and midsize businesses (SMB), bringing together the best-in-class productivity and collaboration capabilities of Office 365 with device management and security solutions to safeguard business data.</p>
</div>
</div>
</div>

4
windows/client-management/mdm/assignedaccess-csp.md
View File

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/27/2017
ms.date: 09/19/2017
---
# AssignedAccess CSP
@ -19,7 +19,7 @@ The AssignedAccess configuration service provider (CSP) is used set the device t
For step-by-step guide for setting up devices to run in kiosk mode, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](http://go.microsoft.com/fwlink/p/?LinkID=722211)
> **Note**  The AssignedAccess CSP is only supported in Windows 10 Enterprise and Windows 10 Education.
> **Note**  The AssignedAccess CSP is supported in Windows 10 Enterprise and Windows 10 Education. Starting in Windows 10, version 1709 it is also supported in Windows 10 Pro.
The following diagram shows the AssignedAccess configuration service provider in tree format

4
windows/client-management/mdm/configuration-service-provider-reference.md
View File

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 06/27/2017
ms.date: 09/19/2017
---
# Configuration service provider reference
@ -164,7 +164,7 @@ Footnotes:
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>

145
windows/client-management/mdm/enterpriseapn-csp.md
View File

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 06/19/2017
ms.date: 09/19/2017
---
# EnterpriseAPN CSP
@ -128,6 +128,149 @@ The following image shows the EnterpriseAPN configuration service provider in tr
<p style="margin-left: 20px">Supported operations are Get and Replace.</p>
## Examples
``` syntax
<!--
Copyright (c) Microsoft Corporation. All rights reserved.
-->
<!--
Use of this source code is subject to the terms of the Microsoft
premium shared source license agreement under which you licensed
this source code. If you did not accept the terms of the license
agreement, you are not authorized to use this source code.
For the terms of the license, please see the license agreement
signed by you and Microsoft.
THE SOURCE CODE IS PROVIDED "AS IS", WITH NO WARRANTIES OR INDEMNITIES.
-->
<SyncML>
<SyncBody>
<Atomic>
<CmdID>8000</CmdID>
<!-- Sub-tree 1 -->
<add>
<CmdID>8001</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseAPN/E_APN1/APNName</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>enterprise_apn1</Data>
</Item>
</add>
<add>
<CmdID>8002</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseAPN/E_APN1/IPType</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>IPv4</Data>
</Item>
</add>
<add>
<CmdID>8003</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseAPN/E_APN1/IsAttachAPN</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">bool</Format>
</Meta>
<Data>false</Data>
</Item>
</add>
<add>
<CmdID>8004</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseAPN/E_APN1/ClassId</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA</Data>
</Item>
</add>
<add>
<CmdID>8005</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseAPN/E_APN1/AuthType</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>CHAP</Data>
</Item>
</add>
<add>
<CmdID>8006</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseAPN/E_APN1/UserName</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>myusername</Data>
</Item>
</add>
<add>
<CmdID>8007</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseAPN/E_APN1/Password</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>mypassword</Data>
</Item>
</add>
<add>
<CmdID>8008</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseAPN/E_APN1/IccId</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>FFFFFFFFFFFFFFFFFFFF</Data>
</Item>
</add>
</Atomic>
<Final/>
</SyncBody>
<!--
===============================================================================
atomicA
add chr EnterpriseAPN/E_APN1/APNName enterprise_apn1
add chr EnterpriseAPN/E_APN1/IPType IPv4
add bool EnterpriseAPN/E_APN1/IsAttachAPN false
add chr EnterpriseAPN/E_APN1/ClassId AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA
add chr EnterpriseAPN/E_APN1/AuthType CHAP
add chr EnterpriseAPN/E_APN1/UserName myusername
add chr EnterpriseAPN/E_APN1/Password mypassword
add chr EnterpriseAPN/E_APN1/IccId FFFFFFFFFFFFFFFFFFFF
atomicZ
===============================================================================
-->
</SyncML>
```
## Related topics

11
windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
View File

@ -10,7 +10,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 09/12/2017
ms.date: 09/19/2017
---
# What's new in MDM enrollment and management
@ -974,6 +974,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<ul>
<li>Configuration</li>
</ul>
<p>Starting in Windows 10, version 1709, AssignedAccess CSP is supported in Windows 10 Pro.</p>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[DeviceManageability CSP](devicemanageability-csp.md)</td>
@ -1378,6 +1379,10 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
</ul>
<p>Added new settings to Update/BranchReadinessLevel policy in Windows 10 version 1709.</p>
</td></tr>
<tr class="even">
<td style="vertical-align:top">[AssignedAccess CSP](assignedaccess-csp.md)</td>
<td style="vertical-align:top"><p>Starting in Windows 10, version 1709, AssignedAccess CSP is also supported in Windows 10 Pro.</p>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">Microsoft Store for Business</td>
<td style="vertical-align:top"><p>Windows Store for Business name changed to Microsoft Store for Business.</p>
@ -1393,6 +1398,9 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<p>For examples, see section 4.3.1 RequestSecurityToken of the the MS-MDE2 protocol documentation.</p>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[EntepriseAPN CSP](enterpriseapn-csp.md)</td>
<td style="vertical-align:top"><p>Added a SyncML example.</p>
</td></tr>
<td style="vertical-align:top">[VPNv2 CSP](vpnv2-csp.md)</td>
<td style="vertical-align:top"><p>Added RegisterDNS setting in Windows 10, version 1709.</p>
</td></tr>
@ -1617,6 +1625,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<ul>
<li>Added Configuration node</li>
</ul>
<p>Starting in Windows 10, version 1709, AssignedAccess CSP is supported in Windows 10 Pro.</p>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[SurfaceHub CSP](surfacehub-csp.md)</td>

23
windows/client-management/mdm/policy-csp-system.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/30/2017
ms.date: 09/20/2017
---
# Policy CSP - System
@ -303,7 +303,13 @@ ms.date: 08/30/2017
<p style="margin-left: 20px">The following tables describe the supported values:
<table style="margin-left: 20px">
Windows 8.1 Values:
- 0 - Not allowed.
- 1 Allowed, except for Secondary Data Requests.
- 2 (default) Allowed.
<!--<table style="margin-left: 20px">
<colgroup>
<col width="100%" />
</colgroup>
@ -324,10 +330,17 @@ ms.date: 08/30/2017
<td style="vertical-align:top"><p>2 (default) Allowed.</p></td>
</tr>
</tbody>
</table>
</table>-->
Windows 10 Values:
<table style="margin-left: 20px">
- 0 Security. Information that is required to help keep Windows more secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender.
Note: This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016. Using this setting on other devices is equivalent to setting the value of 1.
- 1 Basic. Basic device info, including: quality-related data, app compatibility, app usage data, and data from the Security level.
- 2 Enhanced. Additional insights, including: how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability data, and data from both the Basic and the Security levels.
- 3 Full. All data necessary to identify and help to fix problems, plus data from the Security, Basic, and Enhanced levels.
<!--<table style="margin-left: 20px">
<colgroup>
<col width="100%" />
</colgroup>
@ -354,7 +367,7 @@ ms.date: 08/30/2017
<td style="vertical-align:top"><p>3 Full. All data necessary to identify and help to fix problems, plus data from the Security, Basic, and Enhanced levels.</p></td>
</tr>
</tbody>
</table>
</table>-->
> [!IMPORTANT]

33
windows/client-management/mdm/policy-csp-update.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/30/2017
ms.date: 09/20/2017
---
# Policy CSP - Update
@ -595,7 +595,34 @@ This policy is accessible through the Update setting in the user interface or Gr
<p style="margin-left: 20px">If the Allow Telemetry policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
<table style="margin-left: 20px">
OS upgrade:
- Maximum deferral: 8 months
- Deferral increment: 1 month
- Update type/notes:
- Upgrade - 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5
Update:
- Maximum deferral: 1 month
- Deferral increment: 1 week
- Update type/notes:
If a machine has Microsoft Update enabled, any Microsoft Updates in these categories will also observe Defer / Pause logic.
- Security Update - 0FA1201D-4330-4FA8-8AE9-B877473B6441
- Critical Update - E6CF1350-C01B-414D-A61F-263D14D133B4
- Update Rollup - 28BC880E-0592-4CBF-8F95-C79B17911D5F
- Service Pack - 68C5B0A3-D1A6-4553-AE49-01D3A7827828
- Tools - B4832BD8-E735-4761-8DAF-37F882276DAB
- Feature Pack - B54E7D24-7ADD-428F-8B75-90A396FA584F
- Update - CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83
- Driver - EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0
Other/cannot defer:
- Maximum deferral: No deferral
- Deferral increment: No deferral
- Update type/notes:
Any update category not specifically enumerated above falls into this category.
- Definition Update - E0789628-CE08-4437-BE74-2495B842F43B
<!--<table style="margin-left: 20px">
<colgroup>
<col width="25%" />
<col width="25%" />
@ -644,7 +671,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
<p>Definition Update - E0789628-CE08-4437-BE74-2495B842F43B</p></td>
</tr>
</tbody>
</table>
</table>-->
<!--EndDescription-->
<!--EndPolicy-->

1
windows/configuration/TOC.md
View File

@ -2,6 +2,7 @@
## [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md)
## [Basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md)
## [Windows 10, version 1703 diagnostic data](windows-diagnostic-data.md)
## [Beginning your General Data Protection Regulation (GDPR) journey for Windows 10](gdpr-win10-whitepaper.md)
## [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
## [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md)
## [Configure kiosk and shared devices running Windows 10 desktop editions](kiosk-shared-pc.md)

15
windows/configuration/change-history-for-configure-windows-10.md
View File

@ -8,6 +8,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: high
author: jdeckerms
ms.date: 09/25/2017
---
# Change history for Configure Windows 10
@ -23,18 +24,18 @@ The topics in this library have been updated for Windows 10, version 1709 (also
- [Multi-app kiosk XML reference](multi-app-kiosk-xml.md)
## September 2017
New or changed topic | Description
--- | ---
[Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Added that Windows Spotlight can be managed by the Experience/AllowWindowsSpotlight MDM policy.
|New or changed topic | Description|
|--- | ---|
|[Beginning your General Data Protection Regulation (GDPR) journey for Windows 10](gdpr-win10-whitepaper.md)|New conceptual info about Windows 10 and the upcoming GDPR-compliance requirements.|
|[Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Added that Windows Spotlight can be managed by the Experience/AllowWindowsSpotlight MDM policy. |
## August 2017
New or changed topic | Description
--- | ---
[Windows Configuration Designer provisioning settings (reference)](wcd/wcd.md) | New section; reference content from [Windows Provisioning settings reference](https://msdn.microsoft.com/library/windows/hardware/dn965990.aspx) is being relocated here from MSDN.
|New or changed topic | Description|
|--- | ---|
|[Windows Configuration Designer provisioning settings (reference)](wcd/wcd.md) | New section; reference content from [Windows Provisioning settings reference](https://msdn.microsoft.com/library/windows/hardware/dn965990.aspx) is being relocated here from MSDN. |
## July 2017

335
windows/configuration/gdpr-win10-whitepaper.md Normal file
View File

@ -0,0 +1,335 @@
---
title: Beginning your General Data Protection Regulation (GDPR) journey for Windows 10 (Windows 10)
description: Use this article to understand what GDPR is and about the products Microsoft provides to help you get started towards compliance.
keywords: privacy, GDPR
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: high
author: pwiglemsft
ms.author: pwigle
ms.date: 09/25/2017
---
# Beginning your General Data Protection Regulation (GDPR) journey for Windows 10
This article provides info about the GDPR, including what it is, and the products Microsoft provides to help you to become compliant.
## Introduction
On May 25, 2018, a European privacy law is due to take effect that sets a new global bar for privacy rights, security, and compliance.
The General Data Protection Regulation, or GDPR, is fundamentally about protecting and enabling the privacy rights of individuals. The GDPR establishes strict global privacy requirements governing how you manage and protect personal data while respecting individual choice — no matter where data is sent, processed, or stored.
Microsoft and our customers are now on a journey to achieve the privacy goals of the GDPR. At Microsoft, we believe privacy is a fundamental right, and we believe that the GDPR is an important step forward for clarifying and enabling individual privacy rights. But we also recognize that the GDPR will require significant changes by organizations all over the world.
We have outlined our commitment to the GDPR and how we are supporting our customers within the [Get GDPR compliant with the Microsoft Cloud](https://blogs.microsoft.com/on-the-issues/2017/02/15/get-gdpr-compliant-with-the-microsoft-cloud/#hv52B68OZTwhUj2c.99) blog post by our Chief Privacy Officer [Brendon Lynch](https://blogs.microsoft.com/on-the-issues/author/brendonlynch/) and the [Earning your trust with contractual commitments to the General Data Protection Regulation](https://blogs.microsoft.com/on-the-issues/2017/04/17/earning-trust-contractual-commitments-general-data-protection-regulation/#6QbqoGWXCLavGM63.99)” blog post by [Rich Sauer](https://blogs.microsoft.com/on-the-issues/author/rsauer/) - Microsoft Corporate Vice President & Deputy General Counsel.
Although your journey to GDPR-compliance may seem challenging, we're here to help you. For specific information about the GDPR, our commitments and how to begin your journey, please visit the [GDPR section of the Microsoft Trust Center](https://www.microsoft.com/en-us/trustcenter/privacy/gdpr).
## GDPR and its implications
The GDPR is a complex regulation that may require significant changes in how you gather, use and manage personal data. Microsoft has a long history of helping our customers comply with complex regulations, and when it comes to preparing for the GDPR, we are your partner on this journey.
The GDPR imposes rules on organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data tied to EU residents, no matter where those businesses are located. Among the key elements of the GDPR are the following:
- **Enhanced personal privacy rights.** Strengthened data protection for residents of EU by ensuring they have the right to access to their personal data, to correct inaccuracies in that data, to erase that data, to object to processing of their personal data, and to move it.
- **Increased duty for protecting personal data.** Reinforced accountability of organizations that process personal data, providing increased clarity of responsibility in ensuring compliance.
- **Mandatory personal data breach reporting.** Organizations that control personal data are required to report personal data breaches that pose a risk to the rights and freedoms of individuals to their supervisory authorities without undue delay, and, where feasible, no later than 72 hours once they become aware of the breach.
As you might anticipate, the GDPR can have a significant impact on your business, potentially requiring you to update privacy policies, implement and strengthen data protection controls and breach notification procedures, deploy highly transparent policies, and further invest in IT and training. Microsoft Windows 10 can help you effectively and efficiently address some of these requirements.
## Personal and sensitive data
As part of your effort to comply with the GDPR, you will need to understand how the regulation defines personal and sensitive data and how those definitions relate to data held by your organization.
The GDPR considers personal data to be any information related to an identified or identifiable natural person. That can include both direct identification (such as, your legal name) and indirect identification (such as, specific information that makes it clear it is you the data references). The GDPR also makes clear that the concept of personal data includes online identifiers (such as, IP addresses, mobile device IDs) and location data.
The GDPR introduces specific definitions for genetic data (such as, an individuals gene sequence) and biometric data. Genetic data and biometric data along with other sub categories of personal data (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership: data concerning health; or data concerning a persons sex life or sexual orientation) are treated as sensitive personal data under the GDPR. Sensitive personal data is afforded enhanced protections and generally requires an individuals explicit consent where these data are to be processed.
### Examples of info relating to an identified or identifiable natural person (data subject)
This list provides examples of several types of info that will be regulated through GDPR. This is not an exhaustive list.
- Name
- Identification number (such as, SSN)
- Location data (such as, home address)
- Online identifier (such as, e-mail address, screen names, IP address, device IDs)
- Pseudonymous data (such as, using a key to identify individuals)
- Genetic data (such as, biological samples from an individual)
- Biometric data (such as, fingerprints, facial recognition)
## Getting started on the journey towards GDPR compliance
Given how much is involved to become GDPR-compliant, we strongly recommend that you don't wait to prepare until enforcement begins. You should review your privacy and data management practices now. We recommend that you begin your journey to GDPR compliance by focusing on four key steps:
- **Discover.** Identify what personal data you have and where it resides.
- **Manage.** Govern how personal data is used and accessed.
- **Protect.** Establish security controls to prevent, detect, and respond to vulnerabilities and data breaches.
- **Report.** Act on data requests, report data breaches, and keep required documentation.
![Diagram about how the 4 key GDPR steps work together](images/gdpr-steps-diagram.png)
For each of the steps, we've outlined example tools, resources, and features in various Microsoft solutions, which can be used to help you address the requirements of that step. While this article isn't a comprehensive “how to,” we've included links for you to find out more details, and more information is available in the [GDPR section of the Microsoft Trust Center](https://www.microsoft.com/en-us/trustcenter/privacy/gdpr).
## Windows 10 security and privacy
As you work to comply with the GDPR, understanding the role of your desktop and laptop client machines in creating, accessing, processing, storing and managing data that may qualify as personal and potentially sensitive data under the GDPR is important. Windows 10 provides capabilities that will help you comply with the GDPR requirements to implement appropriate technical and organizational security measures to protect personal data.
With Windows 10, your ability to protect, detect and defend against the types of attacks that can lead to data breaches is greatly improved. Given the stringent requirements around breach notification within the GDPR, ensuring that your desktop and laptop systems are well defended will lower the risks you face that could result in costly breach analysis and notification.
In this section, we'll talk about how Windows 10 provides capabilities that fit squarely in the **Protect** stage of your journey, including these 4 scenarios:
- **Threat protection: Pre-breach threat resistance.** Disrupt the malware and hacking industry by moving the playing field to one where they lose the attack vectors that they depend on.
- **Threat protection: Post-breach detection and response.** Detect, investigate, and respond to advanced threats and data breaches on your networks.
- **Identity protection.** Next generation technology to help protect your users identities from abuse.
- **Information protection.** Comprehensive data protection while meeting compliance requirements and maintaining user productivity.
These capabilities, discussed in more detail below with references to specific GDPR requirements, are built on top of advanced device protection that maintains the integrity and security of the operating system and data.
A key provision within the GDPR is data protection by design and by default, and helping with your ability to meet this provision are features within Windows 10 such as the Trusted Platform Module (TPM) technology designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations.
The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. Some of the key advantages of using TPM technology are that you can:
- Generate, store, and limit the use of cryptographic keys.
- Use TPM technology for platform device authentication by using the TPMs unique RSA key, which is burned into itself.
- Help to ensure platform integrity by taking and storing security measurements.
Additional advanced device protection relevant to your operating without data breaches include Windows Trusted Boot to help maintain the integrity of the system by ensuring malware is unable to start before system defenses.
### Threat protection: Pre-breach threat resistance
The GDPR requires you to implement appropriate technical and organizational security measures to protect personal data.
Your ability to meet this requirement to implement appropriate technical security measures should reflect the threats you face in todays increasingly hostile IT environment. Todays security threat landscape is one of aggressive and tenacious threats. In previous years, malicious attackers mostly focused on gaining community recognition through their attacks or the thrill of temporarily taking a system offline. Since then, attackers motives have shifted toward making money, including holding devices and data hostage until the owner pays the demanded ransom.
Modern attacks increasingly focus on large-scale intellectual property theft; targeted system degradation that can result in financial loss; and now even cyberterrorism that threatens the security of individuals, businesses, and national interests all over the world. These attackers are typically highly trained individuals and security experts, some of whom are in the employ of nation states that have large budgets and seemingly unlimited human resources. Threats like these require an approach that can meet this challenge.
Not only are these threats a risk to your ability to maintain control of any personal or sensitive data you may have, but they are a material risk to your overall business as well. Consider recent data from Ponemon Institute, Verizon, and Microsoft:
- The average cost of the type of data breach the GDPR will expect you to report is $3.5M. (Ponemon Institute).
- 63% of these breaches involve weak or stolen passwords that the GDPR expects you to address. (2016 Data Breach Investigations Report, Verizon Enterprise).
- Over 300,000 new malware samples are created and spread every day making your task to address data protection even more challenging. (Microsoft Malware Protection Center, Microsoft).
As seen with recent ransomware attacks, once called the "black plague" of the Internet, attackers are going after bigger targets that can afford to pay more, with potentially catastrophic consequences. Desktops and laptops, that contain personal and sensitive data, are commonly targeted where control over data might be lost.
In response to these threats and as a part of your mechanisms to resist these types of breaches so that you remain in compliance with the GDPR, Windows 10 provides built in technology, detailed below including the following:
- Windows Defender Antivirus to respond to emerging threats on data.
- Microsoft Edge to systemically disrupt phishing, malware, and hacking attacks.
- Windows Defender Device Guard to block all unwanted applications on client machines.
#### Responding to emerging data threats
Windows Defender Antivirus is a built-in antimalware solution that provides security and antimalware management for desktops, portable computers, and servers. In Windows 10, it uses a multi-pronged approach to improve antimalware:
- **Cloud-delivered protection.** Helps to detect and block new malware within seconds, even if the malware has never been seen before.
- **Rich local context.** Improves how malware is identified. Windows 10 informs Windows Defender Antivirus not only about content like files and processes, but also where the content came from, where it's been stored, and more.
- **Extensive global sensors.** Help to keep Windows Defender Antivirus current and aware of even the newest malware. This is accomplished in two ways: by collecting the rich local context data from end points and by centrally analyzing that data.
- **Tamper proofing.** Helps to guard Windows Defender Antivirus itself against malware attacks. For example, Windows Defender Antivirus uses Protected Processes, which prevents untrusted processes from attempting to tamper with Windows Defender Antivirus components, its registry keys, and so on.
- **Enterprise-level features.** Give IT pros the tools and configuration options necessary to make Windows Defender Antivirus an enterprise-class antimalware solution.
#### Systemically disrupting phishing, malware, and hacking attacks
In todays threat landscape, your ability to provide those mechanisms should be tied to the specific data-focused attacks you face through phishing, malware and hacking due to the browser-related attacks.
As part of Windows 10, Microsoft has brought you Microsoft Edge, our safest and most secure browser to-date. Over the past two years, we have been continuously innovating, and were proud of the progress weve made. This quality of engineering is reflected by the reduction of Common Vulnerabilities and Exposures (CVE) when comparing Microsoft Edge with Internet Explorer over the past year. Browser-related attacks on personal and sensitive data that you will need to protect under the GDPR means this innovation in Windows 10 is important.
While no modern browser — or any complex application — is free of vulnerabilities, many of the vulnerabilities for Microsoft Edge have been responsibly reported by professional security researchers who work with the Microsoft Security Response Center (MSRC) and the Microsoft Edge team to ensure customers are protected well before any attacker might use these vulnerabilities in the wild. Even better, there is no evidence that any vulnerabilities have been exploited in the wild as zero-day attacks.
![Graph of the Common Vulnerabilities and Exposures (CVE) in the National Vulnerability Database](images/gdpr-cve-graph.png)
However, many businesses worldwide have come under increasing threat of targeted attacks, where attackers are crafting specialized attacks against a specific business, attempting to take control of corporate networks and data.
#### Blocking all unwanted apps
Application Control is your best defense in a world where there are more than 300,000 new malware samples each day. As part of Windows 10, Windows Defender Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications that you define in your code integrity policies. If the app isnt trusted it cant run, period.
With hardware that meets basic requirements, it also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code. With appropriate hardware, Windows Defender Device Guard can use the new virtualization-based security in Windows 10 to isolate the Code Integrity service from the Microsoft Windows kernel itself. In this case, the Code Integrity service runs alongside the kernel in a Windows hypervisor-protected container.
Windows Defender Device Guard protects threats that can expose personal or sensitive data to attack, including:
- Exposure to new malware, for which the "signature" is not yet known
- Exposure to unsigned code (most malware is unsigned)
- Malware that gains access to the kernel and then, from within the kernel, captures sensitive information or damages the system
- DMA-based attacks, for example, attacks launched from a malicious device that read secrets from memory, making the enterprise more vulnerable to attack; and
- Exposure to boot kits or to a physically present attacker at boot time.
### Threat protection: Post-breach detection and response
The GDPR includes explicit requirements for breach notification where a personal data breach means, “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
As noted in the Windows Security Center white paper, [Post Breach: Dealing with Advanced Threats](http://wincom.blob.core.windows.net/documents/Post_Breach_Dealing_with_Advanced_Threats_Whitepaper.pdf), “_Unlike pre-breach, post-breach assumes a breach has already occurred acting as a flight recorder and Crime Scene Investigator (CSI). Post-breach provides security teams the information and toolset needed to identify, investigate, and respond to attacks that otherwise will stay undetected and below the radar._”
#### Insightful security telemetry
For nearly two decades, Microsoft has been turning threats into useful intelligence that can help fortify our platform and protect customers. Today, with the immense computing advantages afforded by the cloud, we are finding new ways to use our rich analytics engines driven by threat intelligence to protect our customers.
By applying a combination of automated and manual processes, machine learning and human experts, we can create an Intelligent Security Graph that learns from itself and evolves in real-time, reducing our collective time to detect and respond to new incidents across our products.
![Diagram of Microsoft's Intelligent Security Graph](images/gdpr-intelligent-security-graph.png)
The scope of Microsofts threat intelligence spans, literally, billions of data points: 35 billion messages scanned monthly, 1 billion customers across enterprise and consumer segments accessing 200+ cloud services, and 14 billion authentications performed daily. All this data is pulled together on your behalf by Microsoft to create the Intelligent Security Graph that can help you protect your front door dynamically to stay secure, remain productive, and meet the requirements of the GDPR.
#### Detecting attacks and forensic investigation
Even the best endpoint defenses may be breached eventually, as cyberattacks become more sophisticated and targeted.
Windows Defender Advanced Threat Protection (ATP) helps you detect, investigate, and respond to advanced attacks and data breaches on your networks. GDPR expects you to protect against attacks and breaches through technical security measures to ensure the ongoing confidentiality, integrity, and availability of personal data.
Among the key benefits of ATP are the following:
- Detecting the undetectable - sensors built deep into the operating system kernel, Windows security experts, and unique optics from over 1 billion machines and signals across all Microsoft services.
- Built in, not bolted on - agentless with high performance and low impact, cloud-powered; easy management with no deployment.
- Single pane of glass for Windows security - explore 6 months of rich machine timeline that unifies security events from Windows Defender ATP, Windows Defender Antivirus.
- Power of the Microsoft graph - leverages the Microsoft Intelligence Security Graph to integrate detection and exploration with Office 365 ATP subscription, to track back and respond to attacks.
Read more at [Whats new in the Windows Defender ATP Creators Update preview](https://blogs.microsoft.com/microsoftsecure/2017/03/13/whats-new-in-the-windows-defender-atp-creators-update-preview/).
To provide Detection capabilities, Windows 10 improves our OS memory and kernel sensors to enable detection of attackers who are employing in-memory and kernel-level attacks shining a light into previously dark spaces where attackers hid from conventional detection tools. Weve already successfully leveraged this new technology against zero-days attacks on Windows.
![Windows Defender Security Center](images/gdpr-security-center.png)
We continue to upgrade our detections of ransomware and other advanced attacks, applying our behavioral and machine-learning detection library to counter changing attacks trends. Our historical detection capability ensures new detection rules apply to up to six months of stored data to detect attacks that previously went unnoticed. Customers can also add customized detection rules or IOCs to augment the detection dictionary.
Customers asked us for a single pane of glass across the entire Windows security stack. Windows Defender Antivirus detections and Windows Defender Device Guard blocks are the first to surface in the Windows Defender ATP portal interleaved with Windows Defender ATP detections. The new user entity adds identity as a pivot, providing insight into actions, relationships, and alerts that span machines and allow us to track attackers moving laterally across the network.
Our alert page now includes a new process tree visualization that aggregates multiple detections and related events into a single view that helps security teams reduce the time to resolve cases by providing the information required to understand and resolve incidents without leaving the alert page.
Security Operations (SecOps) can hunt for evidence of attacks, such as file names or hashes, IP addresses or URLs, behaviors, machines, or users. They can do this immediately by searching the organizations cloud inventory, across all machines and going back up to 6 months in time even if machines are offline, have been reimaged, or no longer exist.
![Windows Defender Security Center - User screen](images/gdpr-security-center2.png)
When detecting an attack, security teams can now take immediate action: isolate machines, ban files from the network, kill or quarantine running processes or files, or retrieve an investigation package from a machine to provide forensic evidence with a click of a button. Because while detecting advanced attacks is important shutting them down is even more so.
![Windows Defender Security Center - Machine screen](images/gdpr-security-center3.png)
### Identity Protection
Identify and access management is another area where the GDPR has placed special emphasis by calling for mechanisms to grant and restrict access to data subject personal data (for example, role-based access, segregation of duties).
#### Multi-factor protection
Biometric authentication using your face, iris, or fingerprint to unlock your devices is much safer than traditional passwords. You uniquely you plus your device are the keys to your apps, data, and even websites and services not a random assortment of letters and numbers that are easily forgotten, hacked, or written down and pinned to a bulletin board.
Your ability to protect personal and sensitive data, that may be stored or accessed through desktop or laptops will be further enhanced by adopting advanced authentication capabilities such as Windows Hello for Business and Windows Hello companion devices. Windows Hello for Business, part of Windows 10, gives users a personal, secured experience where the device is authenticated based on their presence. Users can log in with a look or a touch, with no need for a password.
In conjunction with Windows Hello for Business, biometric authentication uses fingerprints or facial recognition and is more secure, more personal, and more convenient. If an application supports Hello, Windows 10 enables you to authenticate applications, enterprise content, and even certain online experiences without a password being stored on your device or in a network server at all.
Windows Hello for Business works with the Companion Device Framework to enhance the user authentication experience. Using the Windows Hello Companion Device Framework, a companion device can provide a rich experience for Windows Hello even when biometrics are not available (for example, if the Windows 10 desktop lacks a camera for face authentication or fingerprint reader device).
There are numerous ways one can use the Windows Hello Companion Device Framework to build a great Windows unlock experience with a companion device. For example, users can:
- Work offline (for example, while traveling on a plane)
- Attach their companion device to PC via USB, touch the button on the companion device, and automatically unlock their PC.
- Carry a phone in their pocket that is already paired with their PC over Bluetooth. Upon hitting the spacebar on their PC, their phone receives a notification. Approve it and the PC simply unlocks.
- Tap their companion device to an NFC reader to quickly unlock their PC.
- Wear a fitness band that has already authenticated the wearer. Upon approaching PC, and by performing a special gesture (like clapping), the PC unlocks.
#### Protection against attacks by isolating user credentials
As noted in the [Windows 10 Credential Theft Mitigation Guide](https://www.microsoft.com/en-us/download/confirmation.aspx?id=54095), “_the tools and techniques criminals use to carry out credential theft and reuse attacks improve, malicious attackers are finding it easier to achieve their goals. Credential theft often relies on operational practices or user credential exposure, so effective mitigations require a holistic approach that addresses people, processes, and technology. In addition, these attacks rely on the attacker stealing credentials after compromising a system to expand or persist access, so organizations must contain breaches rapidly by implementing strategies that prevent attackers from moving freely and undetected in a compromised network._”
An important design consideration for Windows 10 was mitigating credential theft — in particular, derived credentials. Windows Defender Credential Guard provides significantly improved security against derived credential theft and reuse by implementing a significant architectural change in Windows designed to help eliminate hardware-based isolation attacks rather than simply trying to defend against them.
When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges can't extract secrets that are protected by virtualization-based security. While Windows Defender Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate Windows Defender Device Guard, as described above, and other security strategies and architectures.
### Information Protection
The GDPR is focused on information protection regarding data that is considered as personal or sensitive in relation to a natural person, or data subject. Device protection, protection against threats, and identity protection are all important elements of a Defense in Depth strategy surrounding a layer of information protection in your laptop and desktop systems.
As to the protection of data, the GDPR recognizes that in assessing data security risk, consideration should be given to the risks that are presented such as accidental loss, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. It also recommends that measures taken to maintain an appropriate level of security should consider the state-of-the-art and the costs of implementation in relation to the risks among other factors.
Windows 10 provides built in risk mitigation capabilities for todays threat landscape. In this section, we will look at the types of technologies that will help your journey toward GDPR compliance and at the same time provide you with solid overall data protection as part of a comprehensive information protection strategy.
![Diagram of Microsoft's comprehensive information protection strategy](images/gdpr-comp-info-protection.png)
#### Encryption for lost or stolen devices
The GDPR calls for mechanisms that implement appropriate technical security measures to confirm the ongoing confidentiality, integrity, and availability of both personal data and processing systems. BitLocker Encryption, first introduced as part of Microsoft's Next-Generation Secure Computing Base architecture in 2004 and made available with Windows Vista, is a built-in data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.
BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later. The TPM is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to protect user data and to ensure that a computer has not been tampered with while the system was offline.
Data on a lost or stolen computer is vulnerable to unauthorized access, either by running a software-attack tool against it or by transferring the computer's hard disk to a different computer. BitLocker helps mitigate unauthorized data access by enhancing file and system protections. BitLocker also helps render data inaccessible when BitLocker-protected computers are decommissioned or recycled.
Related to BitLocker are Encrypted Hard Drives, a new class of hard drives that are self-encrypting at a hardware level and allow for full disk hardware encryption. Encrypted Hard Drives use the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.
By offloading the cryptographic operations to hardware, Encrypted Hard Drives increase BitLocker performance and reduce CPU usage and power consumption. Because Encrypted Hard Drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity.
Some of the benefits of Encrypted Hard Drives include:
- **Better performance.** Encryption hardware, integrated into the drive controller, allows the drive to operate at full data rate with no performance degradation.
- **Strong security based in hardware.** Encryption is always "on" and the keys for encryption never leave the hard drive. User authentication is performed by the drive before it will unlock, independently of the operating system
- **Ease of use.** Encryption is transparent to the user because it is on by default. There is no user interaction needed to enable encryption. Encrypted Hard Drives are easily erased using on-board encryption key; there is no need to re-encrypt data on the drive.
- **Lower cost of ownership.** There is no need for new infrastructure to manage encryption keys, since BitLocker leverages your Active Directory Domain Services infrastructure to store recovery information. Your device operates more efficiently because processor cycles don't need to be used for the encryption process.
#### Preventing accidental data leaks to unauthorized users
Part of the reality of your operating in a mobile-first, cloud-first world is the notion that some laptops will have multiple purposes both business and personal. Yet that data that is considered as personal and sensitive regarding EU residents considered as “data subjects” must be protected in line with the requirements of the GDPR.
Windows Information Protection helps people separate their work and personal data and keeps data encrypted wherever its stored. Your employees can safely use both work and personal data on the same device without switching applications. Windows Information Protection helps end users avoid inadvertent data leaks by sending a warning when copy/pasting information in non-corporate applications end users can still proceed but the action will be logged centrally.
For example, employees cant send protected work files from a personal email account instead of their work account. They also cant accidently post personal or sensitive data from a corporate site into a tweet. Windows Information Protection also helps ensure that they arent saving personal or sensitive data in a public cloud storage location.
#### Capabilities to classify, assign permissions and share data
Windows Information Protection is designed to coexist with advanced data loss prevention (DLP) capabilities found in Office 365 ProPlus, Azure Information Protection, and Azure Rights Management. Advanced DLP prevents printing, for example, or protects work data that is emailed outside your company.
To continously protect your data, regardless of where it is stored, with whom it is shared, or if the device is running iOS, Android or Windows, the classification and protection needs to be built into the file itself, so this protection can travel with the data wherever it goes. Microsoft Azure Information Protection (AIP) is designed to provide this persistent data protection both on-premises and in the cloud.
Data classification is an important part of any data governance plan. Adopting a classification scheme that applies throughout your business can be particularly helpful in responding to what the GDPR calls data subject (for example, your EU employee or customer) requests, because it enables enterprises to identify more readily and process personal data requests.
Azure Information Protection can be used to help you classify and label your data at the time of creation or modification. Protection in the form of encryption, which the GDPR recognizes may be appropriate at times, or visual markings can then be applied to data needing protection.
With Azure Information Protection, you can either query for data marked with a sensitivity label or intelligently identify sensitive data when a file or email is created or modified. Once identified, you can automatically classify and label the data all based on the companys desired policy.
Azure Information Protection also helps your users share sensitive data in a secure manner. In the example below, information about a sensitive acquisition was encrypted and restricted to a group of people who were granted only a limited set of permissions on the information they could modify the content but could not copy or print it.
![Azure Information Protection screen with limitations](images/gdpr-azure-info-protection.png)
## Related content for associated Windows 10 solutions
- **Windows Hello for Business:** https://www.youtube.com/watch?v=WOvoXQdj-9E and https://docs.microsoft.com/en-us/windows/access-protection/hello-for-business/hello-identity-verification
- **Windows Defender Antivirus:** https://www.youtube.com/watch?v=P1aNEy09NaI and https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10
- **Windows Defender Advanced Threat Protection:** https://www.youtube.com/watch?v=qxeGa3pxIwg and https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection
- **Windows Defender Device Guard:** https://www.youtube.com/watch?v=F-pTkesjkhI and https://docs.microsoft.com/en-us/windows/device-security/device-guard/device-guard-deployment-guide
- **Windows Defender Credential Guard:** https://www.youtube.com/watch?v=F-pTkesjkhI and https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard
- **Windows Information Protection:** https://www.youtube.com/watch?v=wLkQOmK7-Jg and https://docs.microsoft.com/en-us/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip
- Windows 10 Security Guide: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/windows-10-security-guide
## Disclaimer
This article is a commentary on the GDPR, as Microsoft interprets it, as of the date of publication. Weve spent a lot of time with GDPR and like to think weve been thoughtful about its intent and meaning. But the application of GDPR is highly fact-specific, and not all aspects and interpretations of GDPR are well-settled.
As a result, this article is provided for informational purposes only and should not be relied upon as legal advice or to determine how GDPR might apply to you and your organization. We encourage you to work with a legally-qualified professional to discuss GDPR, how it applies specifically to your organization, and how best to ensure compliance.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS ARTICLE. This article is provided “as-is.” Information and views expressed in this article, including URL and other Internet website references, may change without notice.
This article does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this article for your internal, reference purposes only.
Published September 2017<br>
Version 1.0<br>
© 2017 Microsoft. All rights reserved.

BIN
windows/configuration/images/gdpr-azure-info-protection.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 36 KiB

BIN
windows/configuration/images/gdpr-comp-info-protection.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 25 KiB

BIN
windows/configuration/images/gdpr-cve-graph.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 11 KiB

BIN
windows/configuration/images/gdpr-intelligent-security-graph.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 529 KiB

BIN
windows/configuration/images/gdpr-security-center.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 123 KiB

BIN
windows/configuration/images/gdpr-security-center2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 220 KiB

BIN
windows/configuration/images/gdpr-security-center3.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 162 KiB

BIN
windows/configuration/images/gdpr-steps-diagram.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 26 KiB

1
windows/configuration/index.md
View File

@ -21,6 +21,7 @@ Enterprises often need to apply custom configurations to devices for their users
| [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md) | Use this article to make informed decisions about how you can configure Windows telemetry in your organization. |
| [Basic level Windows diagnostic data](basic-level-windows-diagnostic-events-and-fields.md) | Learn about diagnostic data that is collected at the basic level in Windows 10, version 1703. |
| [Windows 10, version 1703 diagnostic data](windows-diagnostic-data.md) | Learn about the types of data that is collected at the full level in Windows 10, version 1703. |
|[Beginning your General Data Protection Regulation (GDPR) journey for Windows 10](gdpr-win10-whitepaper.md)|Learn about Windows 10 and the upcoming GDPR-compliance requirements.|
| [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Learn about the network connections that Windows components make to Microsoft and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro. |
| [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) | Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places. It can connect you to open Wi-Fi hotspots it knows about through crowdsourcing, or to Wi-Fi networks your contacts have shared with you by using Wi-Fi Sense. The initial settings for Wi-Fi Sense are determined by the options you chose when you first set up your PC with Windows 10. |
| [Configure kiosk and shared devices running Windows 10 desktop editions](kiosk-shared-pc.md) | These topics help you configure Windows 10 devices to be shared by multiple users or to run as a kiosk device that runs a single app. |

2
windows/deployment/TOC.md
View File

@ -245,3 +245,5 @@
#### [Using Device Health](update/device-health-using.md)
## [Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade/upgrade-windows-phone-8-1-to-10.md)
## [Architectural planning posters for Windows 10](windows-10-architecture-posters.md)

25
windows/deployment/windows-10-architecture-posters.md Normal file
View File

@ -0,0 +1,25 @@
---
title: Deploy Windows 10 - architectural posters
description: Provides architural planning posters for Windows 10 in the enterprise
ms.prod: w10
ms.author: elizapo
author: lizap
ms.date: 09/22/2017
ms.tgt_pltfrm: na
ms.topic: article
ms.localizationpriority: low
---
# Architectural planning posters for Windows 10
You can download the following posters for architectural information about deploying Windows 10 in the enterprise.
- [Deploy Windows 10 - Clean installation](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/master/windows/media/ModernSecureDeployment/Deploy-CleanInstallation.pdf)
Learn about the options and steps for a new installation of Windows 10.
- [Deploy Windows 10 - In-place upgrade](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/master/windows/media/ModernSecureDeployment/Deploy-InplaceUpgrade.pdf)
Learn about the steps to upgrade from a previous version of Windows.
- [Deploy Windows 10 - Windows AutoPilot](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/master/windows/media/ModernSecureDeployment/Deploy-WindowsAutoPilot.pdf)
Learn how you can set up and pre-configure Windows 10 devices.
- [Deploy Windows 10 - Windows servicing](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/master/windows/media/ModernSecureDeployment/WindowsServicing.pdf)
Learn how to keep Windows up to date.
- [Deploy Windows 10 - Protection solutions](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/master/windows/media/ModernSecureDeployment/WindowsServicing.pdf)
Learn about the two tiers of protection available for Windows 10 devices.

29
windows/device-security/tpm/tpm-recommendations.md
View File

@ -12,8 +12,6 @@ author: brianlic-msft
# TPM recommendations
**Applies to**
**Applies to**
- Windows 10
- Windows Server 2016
@ -98,20 +96,19 @@ For end consumers, TPM is behind the scenes but is still very relevant. TPM is u
The following table defines which Windows features require TPM support.
| Windows Features | Windows 10 TPM 1.2 | Windows 10 TPM 2.0 | Details |
|-------------------------|----------------------|----------------------|----------|
| Measured Boot | Required | Required | Measured boot requires TPM 1.2 or 2.0 and UEFI Secure Boot. |
| Bitlocker | Required | Required | TPM 1.2 or later required or a removable USB memory device such as a flash drive. Please note that TPM 2.0 requires UEFI Secure Boot in order for BitLocker to work properly. |
| Passport: Domain AADJ Join | Required | Required | Supports both versions of TPM, but requires TPM with HMAC and EK certificate for key attestation support. |
| Passport: MSA or Local Account | Required | Required | TPM 2.0 is required with HMAC and EK certificate for key attestation support. |
| Device Encryption | Not Applicable | Required | TPM 2.0 is required for all InstantGo devices. |
| Credential Guard | Required | Required | For Windows 10, version 1511, TPM 1.2 or 2.0 is highly recommended. If you don't have a TPM installed, Credential Guard will still be enabled, but the keys used to encrypt Credential Guard will not be protected by the TPM. |
| Device Health Attestation | Required | Required | |
| Windows Hello / Windows Hello for Business | Not Required | Recommended | Whenever possible, Microsoft recommends the use of TPM hardware. The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. [How keys are protected](https://docs.microsoft.com/en-us/windows/access-protection/hello-for-business/hello-how-it-works#how-keys-are-protected) |
| UEFI Secure Boot | Not Required | Recommended | |
| Platform Key Storage provider | Required | Required | |
| Virtual Smart Card | Required | Required | |
| Certificate storage (TPM bound) | Required | Required | |
| Windows Features | TPM Required | Supports TPM 1.2 | Supports TPM 2.0 | Details |
|-------------------------|--------------|--------------------|--------------------|----------|
| Measured Boot | Yes | Yes | Yes | Measured Boot requires TPM 1.2 or 2.0 and UEFI Secure Boot |
| BitLocker | Yes | Yes | Yes | TPM 1.2 or 2.0 is required |
| Device Encryption | Yes | N/A | Yes | Device Encryption requires InstantGo/Connected Standby certification, which requires TPM 2.0. |
| Device Guard | No | Yes | Yes | |
| Credential Guard | No | Yes | Yes | Windows 10, version 1507 (End of Life as of May 2017) only supported TPM 2.0 for Credential Guard. Beginning with Windows 10, version 1511, TPM 1.2 and 2.0 are supported. |
| Device Health Attestation| Yes | Yes | Yes | |
| Windows Hello/Windows Hello for Business| No | Yes | Yes | Azure AD join supports both versions of TPM, but requires TPM with keyed-hash message authentication code (HMAC) and Endorsement Key (EK) certificate for key attestation support. |
| UEFI Secure Boot | No | Yes | Yes | |
| TPM Platform Crypto Provider Key Storage Provider| Yes | Yes| Yes | |
| Virtual Smart Card | Yes | Yes | Yes | |
| Certificate storage | No | Yes | Yes | TPM is only required when the certificate is stored in the TPM. |
## OEM Status on TPM 2.0 system availability and certified parts