mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-16 10:53:43 +00:00
Merge remote-tracking branch 'refs/remotes/origin/master' into live
@ -79,11 +79,6 @@ File rule levels allow administrators to specify the level at which they want to

Each file rule level has its benefit and disadvantage. Use Table 3 to select the appropriate protection level for your available administrative resources and Device Guard deployment scenario.

<!-- Need to confirm these updated table rows:
| **SignedVersion** | This combines the publisher rule with a version number. This option allows anything from the specified publisher, with a version at or above the specified version number, to run. |
| **FilePublisher** | This is a combination of the “FileName” attribute of the signed file, plus “Publisher” (PCA certificate with CN of leaf), plus a minimum version number. This option trusts specific files from the specified publisher, with a version at or above the specified version number. |
-->

Table 3. Code integrity policy - file rule levels

| Rule level | Description |
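Review bot: the HTML comment being deleted at '<!-- Need to confirm these updated table rows:' carries the only descriptions of the SignedVersion and FilePublisher levels, and both are accepted values of New-CIPolicy -Level; before dropping the comment, confirm that Table 3 already has rows for them (they are not in the visible context), otherwise move the two rows into the table instead of deleting them.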
@ -100,7 +95,7 @@ Table 3. Code integrity policy - file rule levels
| **WHQLPublisher** | This is a combination of the WHQL and the CN on the leaf certificate and is primarily for kernel binaries. |
| **WHQLFilePublisher** | Specifies that the binaries are validated and signed by WHQL, with a specific publisher (WHQLPublisher), and that the binary is the specified version or newer. This is primarily for kernel binaries. |

> **Note** When you create code integrity policies with the [New-CIPolicy](https://technet.microsoft.com/library/mt634473.aspx) cmdlet, you can specify a primary file rule level by including the **–Level** parameter. For discovered binaries that cannot be trusted based on the primary file rule criteria, use the **–Fallback** parameter. For example, if the primary file rule level is PCACertificate but you would like to trust the unsigned applications as well, using the Hash rule level as a fallback adds the hash values of binaries that did not have a signing certificate.
> **Note** When you create code integrity policies with the [New-CIPolicy](https://technet.microsoft.com/library/mt634473.aspx) cmdlet, you can specify a primary file rule level by including the **-Level** parameter. For discovered binaries that cannot be trusted based on the primary file rule criteria, use the **-Fallback** parameter. For example, if the primary file rule level is PCACertificate but you would like to trust the unsigned applications as well, using the Hash rule level as a fallback adds the hash values of binaries that did not have a signing certificate.

## Related topics

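Review bot: the en-dash to hyphen change at '**–Level**' and '**–Fallback**' is the right fix, since the en-dash form does not parse when pasted into PowerShell; while touching this note, it should also warn that a Hash fallback pins the exact unsigned binaries present at scan time, so every update to one of those files needs a new scan and a merged policy, or the updated file is blocked.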
@ -31,13 +31,13 @@ These applications can increase the risk of your network being infected with mal

Since the stakes are higher in an enterprise environment, the potential disaster and potential productivity and performance disruptions that PUA brings can be a cause of concern. Hence, it is important to deliver trusted protection in this field.

##Enable PUA protection in SCCM and Intune
##Enable PUA protection in System Center Configuration Manager and Intune

The PUA feature is available for enterprise users who are running System Center Configuration Manager (SCCM) or Intune in their infrastructure.
The PUA feature is available for enterprise users who are running System Center Configuration Manager or Intune in their infrastructure.

###Configure PUA in SCCM
###Configure PUA in System Center Configuration Manager

For SCCM users, PUA is enabled by default. See the following topics for configuration details:
For System Center Configuration Manager users, PUA is enabled by default. See the following topics for configuration details:

If you are using these versions | See these topics
:---|:---
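Review bot: the renamed headings at '##Enable PUA protection in System Center Configuration Manager and Intune' and '###Configure PUA in System Center Configuration Manager' still have no space after the hash marks, which CommonMark renders as literal text rather than as a heading; add the space while these lines are being edited.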
@ -45,7 +45,7 @@ System Center Configuration Manager (current branch) version 1606 | [Create a ne
System Center 2012 R2 Endpoint Protection<br>System Center 2012 Configuration Manager<br>System Center 2012 Configuration Manager SP1<br>System Center 2012 Configuration Manager SP2<br>System Center 2012 R2 Configuration Manager<br>System Center 2012 Endpoint Protection SP1<br>System Center 2012 Endpoint Protection<br>System Center 2012 R2 Configuration Manager SP1| [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508770.aspx#BKMK_PUA)

<br>
###Use PUA audit mode in SCCM
###Use PUA audit mode in System Center Configuration Manager

You can use PowerShell to detect PUA without blocking them. In fact, you can run audit mode on individual machines. This feature is useful if your company is conducting an internal software security compliance check and you’d like to avoid any false positives.

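Review bot: the heading '###Use PUA audit mode in System Center Configuration Manager' does not match the procedure under it, which is a local PowerShell setting applied per machine rather than a Configuration Manager policy; either title it as the PowerShell audit-mode procedure or say in the first sentence that it is set outside Configuration Manager. The missing space after '###' applies here as well.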
@ -62,7 +62,7 @@ You can use PowerShell to detect PUA without blocking them. In fact, you can run
set-mpPreference -puaprotection 2
```
> [!NOTE]
> PUA events are reported in the Windows Event Viewer and not in SCCM.
> PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager.

###Configure PUA in Intune
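Review bot: the cmdlet line 'set-mpPreference -puaprotection 2' in the context above the note runs, since PowerShell is case-insensitive, but it should use the documented spelling Set-MpPreference -PUAProtection AuditMode; 2 is the numeric value of AuditMode (0 is Disabled, 1 is Enabled) and a bare number is easy to confuse with block mode. A follow-up line showing Get-MpPreference to read back the PUAProtection value would also help, because Set-MpPreference prints nothing on success.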
@ -91,7 +91,7 @@ You can use PowerShell to detect PUA without blocking them. In fact, you can run

##View PUA events

PUA events are reported in the Windows Event Viewer and not in SCCM or Intune. To view PUA events:
PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager or Intune. To view PUA events:

1. Open **Event Viewer**.
2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender**.
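Review bot: the steps at '2. In the console tree, expand **Applications and Services Logs**...' stop at the **Windows Defender** node, which holds more than one log; name the **Operational** log under it, since that is where detection events are written, so the reader does not have to guess.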
@ -28,6 +28,31 @@ You’ll need this software to run WIP in your enterprise:
|-----------------|---------------------|
|Windows 10, version 1607 | Microsoft Intune<br>-OR-<br>System Center Configuration Manager<br>-OR-<br>Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt697634.aspx) documentation.|

## What is enterprise data control?
Effective collaboration means that you need to share data with others in your enterprise. This sharing can be from one extreme where everyone has access to everything without any security, all the way to the other extreme where people can’t share anything and it’s all highly secured. Most enterprises fall somewhere in between the two extremes, where success is balanced between providing the necessary access with the potential for improper data disclosure.

As an admin, you can address the question of who gets access to your data by using access controls, such as employee credentials. However, just because someone has the right to access your data doesn’t guarantee that the data will remain within the secured locations of the enterprise. This means that while access controls are a great start, they’re not enough.

In the end, all of these security measures have one thing in common: employees will tolerate only so much inconvenience before looking for ways around the security restrictions. For example, if you don’t allow employees to share files through a protected system, employees will turn to an outside app that more than likely lacks security controls.

### Using data loss prevention systems
To help address this security insufficiency, company’s developed data loss prevention (also known as DLP) systems. Data loss prevention systems require:
- **A set of rules about how the system can identify and categorize the data that needs to be protected.** For example, a rule set might contain a rule that identifies credit card numbers and another rule that identifies Social Security numbers.

- **A way to scan company data to see whether it matches any of your defined rules.** Currently, Microsoft Exchange Server and Exchange Online provide this service for email in transit, while Microsoft SharePoint and SharePoint Online provide this service for content stored in document libraries.

- **The ability to specify what happens when data matches a rule, including whether employees can bypass enforcement.** For example, in Microsoft SharePoint and SharePoint Online, the Microsoft data loss prevention system lets you warn your employees that shared data includes sensitive info, and to share it anyway (with an optional audit log entry).

Unfortunately, data loss prevention systems have their own problems. For example, the more detailed the rule set, the more false positives are created, leading employees to believe that the rules slow down their work and need to be bypassed in order to remain productive, potentially leading to data being incorrectly blocked or improperly released. Another major problem is that data loss prevention systems must be widely implemented to be effective. For example, if your company uses a data loss prevention system for email, but not for file shares or document storage, you might find that your data leaks through the unprotected channels. But perhaps the biggest problem with data loss preventions systems is that it provides a jarring experience that interrupts the employees’ natural workflow by blocking some operations (such as sending a message with an attachment that the system tags as sensitive) while allowing others, often according to subtle rules that the employee doesn’t see and can’t understand.

### Using information rights management systems
To help address the potential data loss prevention system problems, company’s developed information rights management (also known as IRM) systems. Information rights management systems embed protection directly into documents, so that when an employee creates a document, he or she determines what kind of protection to apply. For example, an employee can choose to stop the document from being forwarded, printed, shared outside of the organization, and so on.

After the type of protection is set, the creating app encrypts the document so that only authorized people can open it, and even then, only in compatible apps. After an employee opens the document, the app becomes responsible for enforcing the specified protections. Because protection travels with the document, if an authorized person sends it to an unauthorized person, the unauthorized person won’t be able to read or change it. However, for this to work effectively information rights management systems require you to deploy and set up both a server and client environment. And, because only compatible clients can work with protected documents, an employees’ work might be unexpectedly interrupted if he or she attempts to use a non-compatible app.

### And what about when an employee leaves the company or unenrolls a device?
Finally, there’s the risk of data leaking from your company when an employee leaves or unenrolls a device. Previously, you would simply erase all of the corporate data from the device, along with any other personal data on the device.

## Benefits of WIP
WIP provides:
- Obvious separation between personal and corporate data, without requiring employees to switch environments or apps.
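Review bot: several typos ship in the added paragraphs: 'company’s developed' at 'To help address this security insufficiency, company’s developed...' and again at 'To help address the potential data loss prevention system problems, company’s developed...' should read 'companies developed'; 'an employees’ work might be unexpectedly interrupted' should be 'an employee’s work'; and 'data loss preventions systems is that it provides' should be 'data loss prevention systems is that they provide'. The closing paragraph at 'Previously, you would simply erase all of the corporate data from the device...' sets up a contrast and then stops; add the sentence saying how WIP handles the leaving employee or unenrolled device, since that is the point of the heading.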
@ -62,7 +87,11 @@ WIP currently addresses these enterprise scenarios:
- Your employees won't have their work otherwise interrupted while switching between personal and enterprise apps while the enterprise policies are in place. Switching environments or signing in multiple times isn’t required.

### WIP-protection modes
You can set WIP to 1 of 4 protection and management modes:
Enterprise data is automatically encrypted after it’s loaded on a device from an enterprise source or if an employee marks the data as corporate. Then, when the enterprise data is written to disk, WIP uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with your enterprise identity.

Your WIP policy includes a list of trusted apps that are allowed to access and process corporate data. This list of apps is implemented through the [AppLocker](applocker-overview.md) functionality, controlling what apps are allowed to run and letting the Windows operating system know that the apps can edit corporate data. Apps included on this list don’t have to be modified to open corporate data because their presence on the list allows Windows to determine whether to grant them access. However, new for Windows 10, app developers can use a new set of application programming interfaces (APIs) to create *enlightened* apps that can use and edit both enterprise and personal data. A huge benefit to working with enlightened apps is that dual-use apps, like Microsoft Word, can be used with less concern about encrypting personal data by mistake because the APIs allow the app to determine whether data is owned by the enterprise or if it’s personally owned.

You can set your WIP policy to use 1 of 4 protection and management modes:

|Mode|Description|
|----|-----------|
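Review bot: the added paragraph at 'Your WIP policy includes a list of trusted apps...' describes the allow list only as a mechanism; it should also say that every app on that AppLocker list can open and decrypt all corporate data on the device, so the list should be limited to the apps that need that access and reviewed like any other trust list. The paragraph after it explains enlightened apps but never says the allow list and the enlightened-app APIs are independent, which is the thing a reader deciding whether to enlighten an app needs to know.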
@ -81,16 +81,6 @@ Type the following cmdlet in a Windows PowerShell window:

3. Enter your existing App-V publishing server’s details in **Options** and then click or press **Apply**.

<!-- For the following three items, we're looking for more detail from Chintan -->

Ensure newly added machine/ user is entitled to receive packages from the server configure in step #2.

Sync and verify packages and/or connection groups pushed by the App-V server function correctly.

Validate other package management commands (unpublish, remove etc.).

<!-- ++++++++++++++++++++++++++++++ -->

## Verify that the in-box App-V client can receive and launch .appv packages

1. Add and publish a package using the following Windows PowerShell cmdlets:
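Review bot: deleting the three validation items ('Ensure newly added machine/ user is entitled to receive packages...', 'Sync and verify packages and/or connection groups...', 'Validate other package management commands (unpublish, remove etc.).') together with the placeholder comment drops the only post-configuration checks in this procedure; keep them as a short verification list under step 3 (entitlement, sync, unpublish and remove) and delete only the author comments.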
@ -217,6 +217,18 @@ We strongly recommend that you do not pre-create folders. Instead, let the UE-V

If you redirect UE-V settings to a user’s home directory or a custom Active Directory (AD) directory, ensure that the permissions on the directory are set appropriately for your organization.

### Review the contents of settings location templates and control access to them as needed

When creating a settings location template, the UE-V generator uses a Lightweight Directory Access Protocol (LDAP) query to get username and email address of the current logged in user. This information is stored in the template as the template author name and template author email. (None of this information is sent to Microsoft.)

If you plan to share settings location templates with anyone outside your organization you should review all the settings locations and ensure the settings location templates do not contain any personal or company information. You can view the contents by opening the settings location template files using any XML viewer. The following are ways you can view and remove any personal or company information from the settings location template files before sharing with anyone outside your company:

- **Template Author Name** – Specify a general, non-identifying name for the template author name or exclude this data from the template.

- **Template Author Email** – Specify a general, non-identifying template author email or exclude this data from the template.

To remove the template author name or template author email, you can use the UE-V generator application. From the generator, select **Edit a Settings Location Template**. Select the settings location template to edit from the recently used templates or Browse to the settings template file. Select **Next** to continue. On the Properties page, remove the data from the Template author name or Template author email text fields. Save the settings location template.

## Have a suggestion for UE-V?

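Review bot: 'ensure that the permissions on the directory are set appropriately for your organization' in the first paragraph gives the reader nothing to check; state the ACL the product needs, namely that each user can read and write only their own settings storage path and that other users have no access to it. The new section is otherwise sound, though since the hunk already says the template is plain XML it could mention that the author name and email elements can be cleared in the file directly when the generator is not at hand.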
@ -14,47 +14,17 @@ ms.prod: w10
**Applies to**
- Windows 10, version 1607

Troubleshooting content is not included in the Administrator's Guide for this product. Instead, you can find troubleshooting information for this product on the [TechNet Wiki](http://go.microsoft.com/fwlink/p/?LinkId=224905).
For information that can help with troubleshooting UE-V for Windows 10, see:

## Find troubleshooting information
- [UE-V: List of Microsoft Support Knowledge Base Articles](http://social.technet.microsoft.com/wiki/contents/articles/14271.ue-v-list-of-microsoft-support-knowledge-base-articles.aspx)

- [User Experience Virtualization Release Notes](uev-release-notes-1607.md)

You can use the following information to find troubleshooting content or additional technical content for this product.
- [Technical Reference for UE-V](uev-technical-reference.md)

- [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-us/home?forum=mdopuev&filter=alltypes&sort=lastpostdesc)

**To search the TechNet Wiki**

1. Open a web browser and browse to the [TechNet Wiki](http://go.microsoft.com/fwlink/p/?LinkId=224905) home page.

2. Locate the **Search TechNet Wiki** search box and enter your search term.

3. Review the search results for assistance.

## Create a troubleshooting article

If you have a troubleshooting tip or a best practice to share that is not already included in TechNet Wiki, you can create your own TechNet Wiki article.

**To create a TechNet Wiki troubleshooting or best practices article**

1. Open a web browser and browse to the [TechNet Wiki](http://go.microsoft.com/fwlink/p/?LinkId=224905) home page.

2. Sign in with your Microsoft account.

3. Review the **Getting Started** section to learn the basics of the TechNet Wiki and its articles.

4. Select **Post an article** in the **Getting Started** section.

5. On the Wiki article **Add Page** page, select **Insert Template** from the toolbar, select the troubleshooting article template, which is named **Troubleshooting.html**, and then click **Insert**.

6. Give the article a descriptive title, and then overwrite the template information as needed to create your article.

7. After you review your article, add a tag that is named **Troubleshooting** and another tag for the product name. To add tags help other users find your content.

8. Click **Save** to publish the article to the TechNet Wiki.

## Other resources for this feature

## Other resources

- [User Experience Virtualization overview](uev-for-windows.md)
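Review bot: the new heading '## Find troubleshooting information' lands between the lead-in 'For information that can help with troubleshooting UE-V for Windows 10, see:' and the list it introduces, so the colon now points at a heading; move the lead-in below the heading. Also, the retained link at '- [UE-V: List of Microsoft Support Knowledge Base Articles]' is http:// while the forum link in the same list is https://; use https for both.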
@ -64,18 +34,6 @@ If you have a troubleshooting tip or a best practice to share that is not alread

- [Administering UE-V](uev-administering-uev.md)

- [Technical reference for UE-V](uev-technical-reference.md)

## Have a suggestion for UE-V?

Add or vote on suggestions on the [User Experience Virtualization feedback site](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization).<br>For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-us/home?forum=mdopuev&filter=alltypes&sort=lastpostdesc).
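Review bot: after this change '- [Technical reference for UE-V](uev-technical-reference.md)' under '## Other resources' duplicates the 'Technical Reference for UE-V' entry added to the 'Find troubleshooting information' list in the earlier hunk of this file; keep it in one place. Dropping the feedback section is fine, since the forum link it carried is already in that list.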