deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-14 06:17:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'refs/remotes/origin/master' into dh-sandbox

Browse Source
This commit is contained in:
Dani Halfin 2017-01-26 20:44:44 -08:00
commit 54dde90edf
47 changed files with 430 additions and 91 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -10,7 +10,6 @@ Tools/NuGet/
.openpublishing.build.mdproj
.openpublishing.buildcore.ps1
packages.config
windows/keep-secure/index.md
# User-specific files
.vs/

2
browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md
View File

@ -17,7 +17,7 @@ If youre having problems launching your legacy apps while running Internet Ex
1. **For x86 systems or for 32-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\MICROSOFT\.NETFramework` registry key and change the **EnableIEHosting** value to **1**.
2. **For x64 systems or for 64-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\Wow6432Node\.NETFramework` registry key and change the **EnableIEHosting** value to **1**.
2. **For x64 systems or for 64-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\Wow6432Node\MICROSOFT\.NETFramework` registry key and change the **EnableIEHosting** value to **1**.
For more information, see the [Web Applications](https://go.microsoft.com/fwlink/p/?LinkId=308903) section of the Application Compatibility in the .NET Framework 4.5 page.

4
browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md
View File

@ -41,8 +41,8 @@ In IE, press **ALT+V** to show the **View** menu, press **T** to enter the **Too
## Where did the search box go?
IE11 uses the **One Box** feature, which lets users type search terms directly into the **Address bar**. Any text entered into the **Address bar** that doesn't appear to be a URL is automatically sent to the currently selected search provider.
**Note**<br>
Depending on how you've set up your intranet search, the text entry might resolve to an intranet site. For more information about this, see [Intranet problems with Internet Explorer 11](intranet-problems-and-ie11.md).
>[!NOTE]
>Depending on how you've set up your intranet search, the text entry might resolve to an intranet site. For more information about this, see [Intranet problems with Internet Explorer 11](intranet-problems-and-ie11.md).
 

2
devices/hololens/hololens-provisioning.md
View File

@ -101,7 +101,7 @@ When you run ADKsetup.exe for Windows 10, version 1607, select **Configuration D
Provisioning packages make use of configuration service providers (CSPs). If you're not familiar with CSPs, see [Introduction to configuration service providers (CSPs) for IT pros](https://technet.microsoft.com/itpro/windows/manage/how-it-pros-can-use-configuration-service-providers).
In Windows ICD, when you create a provisioning package for Windows Holographic, the settings in **Available customizations** are based on [CSPs that are supported in Windows Holographic](https://msdn.microsoft.co/library/windows/hardware/dn920025.aspx#HoloLens). The following table describes settings that you might want to configure for HoloLens.
In Windows ICD, when you create a provisioning package for Windows Holographic, the settings in **Available customizations** are based on [CSPs that are supported in Windows Holographic](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/configuration-service-provider-reference#hololens). The following table describes settings that you might want to configure for HoloLens.
![Common runtime settings for HoloLens](images/icd-settings.png)

1
devices/surface/TOC.md
View File

@ -13,6 +13,7 @@
### [Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md)
### [Manage Surface Dock firmware updates](manage-surface-dock-firmware-updates.md)
### [Surface Dock Updater](surface-dock-updater.md)
### [Wake On LAN for Surface devices](wake-on-lan-for-surface-devices.md)
## [Considerations for Surface and System Center Configuration Manager](considerations-for-surface-and-system-center-configuration-manager.md)
## [Deploy Surface app with Windows Store for Business](deploy-surface-app-with-windows-store-for-business.md)
## [Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices](enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md)

7
devices/surface/change-history-for-surface.md
View File

@ -11,13 +11,18 @@ author: jdeckerMS
This topic lists new and updated topics in the Surface documentation library.
## January 2017
|New or changed topic | Description |
| --- | --- |
|[Wake On LAN for Surface devices](wake-on-lan-for-surface-devices.md) | New |
## December 2016
|New or changed topic | Description |
| --- | --- |
|[Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md) | Added driver info for Surface Studio; updated info for Surface Book and Surface Pro 4 (Windows 10 .zip cumulative update), Surface Pro 3 (Windows8.1-KB2969817-x64.msu), and Surface 3 (UEFI Asset Tag management tool)|
## November 2016
|New or changed topic | Description |

2
devices/surface/index.md
View File

@ -33,7 +33,9 @@ For more information on planning for, deploying, and managing Surface devices in
| [Change history for Surface documentation](change-history-for-surface.md) | This topic lists new and updated topics in the Surface documentation library. |
## Learn more
[Certifying Surface Pro 4 and Surface Book as standard devices at Microsoft](https://www.microsoft.com/itshowcase/Article/Content/849/Certifying-Surface-Pro-4-and-Surface-Book-as-standard-devices-at-Microsoft)

1
devices/surface/update.md
View File

@ -16,6 +16,7 @@ Find out how to download and manage the latest firmware and driver updates for y
| Topic | Description |
| --- | --- |
|[Wake On LAN for Surface devices](wake-on-lan-for-surface-devices.md) | See how you can use Wake On LAN to remotely wake up devices to perform management or maintenance tasks, or to enable management solutions automatically. |
| [Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)| Get a list of the available downloads for Surface devices and links to download the drivers and firmware for your device.|
| [Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md)| Explore the available options to manage firmware and driver updates for Surface devices.|
| [Manage Surface Dock firmware updates](manage-surface-dock-firmware-updates.md)| Read about the different methods you can use to manage the process of Surface Dock firmware updates.|

56
devices/surface/wake-on-lan-for-surface-devices.md Normal file
View File

@ -0,0 +1,56 @@
---
title: Wake On LAN for Surface devices (Surface)
description: See how you can use Wake On LAN to remotely wake up devices to perform management or maintenance tasks, or to enable management solutions automatically even if the devices are powered down.
keywords: update, deploy, driver, wol, wake-on-lan
ms.prod: w10
ms.mktglfcycl: manage
ms.pagetype: surface, devices
ms.sitesec: library
author: jobotto
---
# Wake On LAN for Surface devices
Surface devices that run Windows 10, version 1607 (also known as Windows 10 Anniversary Update) or later and use a Surface Ethernet adapter to connect to a wired network, are capable of Wake On LAN (WOL) from Connected Standby. With WOL, you can remotely wake up devices to perform management or maintenance tasks or enable management solutions (such as System Center Configuration Manager) automatically even if the devices are powered down. For example, you can deploy applications to Surface devices left docked with a Surface Dock or Surface Pro 3 Docking Station by using System Center Configuration Manager during a window in the middle of the night, when the office is empty.
>[!NOTE]
>Surface devices must be connected to AC power to support WOL.
## Supported devices
The following devices are supported for WOL:
* Surface Book
* Surface Pro 4
* Surface Pro 3
* Surface 3
* Surface Ethernet adapter
* Surface Dock
* Surface Docking Station for Surface Pro 3
## WOL driver
To enable WOL support on Surface devices, a specific driver for the Surface Ethernet adapter is required. This driver is not included in the standard driver and firmware pack for Surface devices you must download and install it separately. You can download the Surface WOL driver (SurfaceWOL.msi) from the [Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) page in the Microsoft Download Center.
You can run this Microsoft Windows Installer (.msi) file on a Surface device to install the Surface WOL driver, or you can distribute it to Surface devices with an application deployment solution, such as System Center Configuration Manager. To include the Surface WOL driver during deployment, you can install the .msi file as an application during the deployment process. You can also extract the Surface WOL driver files to include them in the deployment process. For example, you can include them in your Microsoft Deployment Toolkit (MDT) deployment share. You can read more about Surface deployment with MDT in [Deploy Windows 10 to Surface devices with Microsoft Deployment Toolkit](https://technet.microsoft.com/itpro/surface/deploy-windows-10-to-surface-devices-with-mdt).
>[!NOTE]
>During the installation of SurfaceWOL.msi, the following registry key is set to a value of 1, which allows easy identification of systems where the WOL driver has been installed. If you chose to extract and install these drivers separately during deployment, this registry key will not be configured and must be configured manually or with a script.
>**HKLM\SYSTEM\CurrentControlSet\Control\Power AllowSystemRequiredPowerRequests**
To extract the contents of SurfaceWOL.msi, use the MSIExec administrative installation option (**/a**), as shown in the following example, to extract the contents to the C:\WOL\ folder:
`msiexec /a surfacewol.msi targetdir=C:\WOL /qn`
## Using Surface WOL
The Surface WOL driver conforms to the WOL standard, whereby the device is woken by a special network communication known as a magic packet. The magic packet consists of 6 bytes of 255 (or FF in hexadecimal) followed by 16 repetitions of the target computers MAC address. You can read more about the magic packet and the WOL standard on [Wikipedia](https://wikipedia.org/wiki/Wake-on-LAN#Magic_packet).
>[!NOTE]
>To send a magic packet and wake up a device by using WOL, you must know the MAC address of the target device and Ethernet adapter. Because the magic packet does not use the IP network protocol, it is not possible to use the IP address or DNS name of the device.
Many management solutions, such as System Center Configuration Manager, provide built-in support for WOL. There are also many solutions, including Windows Store apps, PowerShell modules, third-party applications, and third-party management solutions that allow you to send a magic packet to wake up a device. For example, you can use the [Wake On LAN PowerShell module](https://gallery.technet.microsoft.com/scriptcenter/Wake-On-Lan-815424c4) from the TechNet Script Center.
>[!NOTE]
>After a device has been woken up with a magic packet, the device will return to sleep if an application is not actively preventing sleep on the system or if the AllowSystemRequiredPowerRequests registry key is not configured to 1, which allows applications to prevent sleep. See the [WOL driver](#wol-driver) section of this article for more information about this registry key.

BIN
windows/deploy/images/icd-multi-target-true.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 20 KiB

BIN
windows/deploy/images/icd-multi-targetstate-true.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 21 KiB

BIN
windows/deploy/images/multi-target.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 36 KiB

BIN
windows/deploy/images/upgrade-analytics-unsubscribe.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 33 KiB

1
windows/deploy/index.md
View File

@ -5,6 +5,7 @@ ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
localizationpriority: high
author: greg-lindsay
---

15
windows/deploy/troubleshoot-upgrade-analytics.md
View File

@ -1,4 +1,4 @@
---
---
title: Troubleshoot Upgrade Analytics (Windows 10)
description: Provides troubleshooting information for Upgrade Analytics.
ms.prod: w10
@ -7,7 +7,7 @@ author: MaggiePucciEvans
# Troubleshoot Upgrade Analytics
If youre having issues seeing data in Upgrade Analytics after running the Upgrade Analytics Deployment script, make sure it completes successfully without any errors. Check the output of the script in the command window and/or log UA_dateTime_machineName.txt to ensure all steps were completed successfully. In addition, we recommend that you wait at least 48 hours before checking OMS for data after the script first completes without reporting any error.
If youre having issues seeing data in Upgrade Analytics after running the Upgrade Analytics Deployment script, make sure it completes successfully without any errors. Check the output of the script in the command window and/or log UA_dateTime_machineName.txt to ensure all steps were completed successfully. In addition, we recommend that you wait at least 48 hours before checking OMS for data after the script first completes without reporting any error.
If you still dont see data in Upgrade Analytics, follow these steps:
@ -25,9 +25,14 @@ If you still dont see data in Upgrade Analytics, follow these steps:
If you want to stop using Upgrade Analytics and stop sending telemetry data to Microsoft, follow these steps:
1. Unsubscribe from the Upgrade Analytics solution in the OMS portal.
1. Unsubscribe from the Upgrade Analytics solution in the OMS portal. In the OMS portal, go to **Settings** > **Connected Sources** > **Windows Telemetry** and choose the **Unsubscribe** option.
2. Disable the Customer Experience Improvement Program on computers running Windows 7 SP1 or 8.1. On computers running Windows 10, set the telemetry level to Security.
![Upgrade Analytics unsubscribe](images/upgrade-analytics-unsubscribe.png)
3. Delete the CommercialDataOptin key in *HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection*
2. Disable the Commercial Data Opt-in Key on computers running Windows 7 SP1 or 8.1. On computers running Windows 10, set the telemetry level to **Security**:
**Windows 7 and Windows 8.1**: Delete CommercialDataOptIn registry property from *HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection*
**Windows 10**: Follow the instructions in the [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#enterprise-management) topic.
3. If you enabled **Internet Explorer Site Discovery**, you can disable Internet Explorer data collection by setting the *IEDataOptIn* registry key to value "0". The IEDataOptIn key can be found under: *HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection*.
4. You can also remove the “CommercialId” key from: "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection". **This is an optional step**.

36
windows/deploy/windows-10-poc.md
View File

@ -153,7 +153,7 @@ The lab architecture is summarized in the following diagram:
[Verify support and install Hyper-V](#verify-support-and-install-hyper-v)<BR>
[Download VHD and ISO files](#download-vhd-and-iso-files)<BR>
[Convert PC to VHD](#convert-pc-to-vhd)<BR>
[Convert PC to VM](#convert-pc-to-vm)<BR>
[Resize VHD](#resize-vhd)<BR>
[Configure Hyper-V](#configure-hyper-v)<BR>
[Configure VMs](#configure-vms)<BR>
@ -201,7 +201,9 @@ Starting with Windows 8, the host computers microprocessor must support secon
<pre style="overflow-y: visible">Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V All</pre>
This command works on all operating systems that support Hyper-V.
This command works on all operating systems that support Hyper-V, but on Windows Server operating systems you must type an additional command to add the Hyper-V Windows PowerShell module and the Hyper-V Manager console. This command will also install Hyper-V if it isn't already installed, so if desired you can just type the following command on Windows Server 2012 or 2016 instead of using the Enable-WindowsOptionalFeature command:
<pre style="overflow-y: visible">Install-WindowsFeature -Name Hyper-V -IncludeManagementTools</pre>
When you are prompted to restart the computer, choose **Yes**. The computer might restart more than once. After installation is complete, you can open Hyper-V Manager by typing **virtmgmt.msc** at an elevated command prompt.
@ -211,7 +213,7 @@ Starting with Windows 8, the host computers microprocessor must support secon
![hyper-v](images/svr_mgr2.png)
<P>If you choose to install Hyper-V using Server Manager, accept all default selections.
<P>If you choose to install Hyper-V using Server Manager, accept all default selections. Also be sure to install both items under **Role Administration Tools\Hyper-V Management Tools**.
### Download VHD and ISO files
@ -505,9 +507,18 @@ Notes:<BR>
### Resize VHD
**Important**: You should take advantage of [enhanced session mode](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) when completing instructions in this guide. Enhanced session mode enables you to copy and paste the commands from the Hyper-V host to VMs, between VMs, and between RDP sessions. After copying some text, you can paste into a Windows PowerShell window by simply right-clicking. Before right-clicking, do not left click other locations as this can empty the clipboard. You can also copy and paste <U>files</U> directly from one computer to another by right-clicking and selecting copy on one computer, then right-clicking and selecting paste on another computer.
<HR size=4>
**<I>Enhanced session mode</I>**
As mentioned previously: instructions to "type" commands provided in this guide can be typed, but the preferred method is to copy and paste these commands. Most of the commands to this point in the guide have been brief, but many commands in sections below are longer and more complex.
**Important**: Before proceeding, verify that you can take advantage of [enhanced session mode](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) when completing instructions in this guide. Enhanced session mode enables you to copy and paste the commands from the Hyper-V host to VMs, between VMs, and between RDP sessions. After copying some text, you can paste into a Windows PowerShell window by simply right-clicking. Before right-clicking, do not left click other locations as this can empty the clipboard. You can also copy and paste <U>files</U> directly from one computer to another by right-clicking and selecting copy on one computer, then right-clicking and selecting paste on another computer.
To verify that enhanced session mode is enabled on the Hyper-V host, type the following command at an elevated Windows PowerShell prompt:
<pre style="overflow-y: visible">Set-VMhost -EnableEnhancedSessionMode $TRUE</pre>
>If enhanced session mode was not previously enabled, close any existing virtual machine connections and re-open them to enable access to enhanced session mode. As mentioned previously: instructions to "type" commands provided in this guide can be typed, but the preferred method is to copy and paste these commands. Most of the commands to this point in the guide have been brief, but many commands in sections below are longer and more complex.
<HR size=4>
The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to 100GB to support installing imaging tools and storing OS images.
@ -826,20 +837,23 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
Restart-Computer
</pre>
>If you do not see the script pane, click **View** and then click **Show Script Pane Top**.
>If you do not see the script pane, click **View** and verify **Show Script Pane Top** is enabled. Click **File** and then click **New**.
See the following example:
![ISE](images/ISE.png)
19. Click **File**, click **Save As**, and save the commands as **c:\VHD\pc1.ps1** on the Hyper-V host.
20. In the (lower) terminal input window, type the following command to copy the script to PC1 using integration services:
20. In the (lower) terminal input window, type the following commands to enable Guest Service Interface on PC1 and then use this service to copy the script to PC1:
<pre style="overflow-y: visible">
Enable-VMIntegrationService -VMName PC1 -Name "Guest Service Interface"
Copy-VMFile "PC1" SourcePath "C:\VHD\pc1.ps1" DestinationPath "C:\pc1.ps1" CreateFullPath FileSource Host
</pre>
>In order for this command to work properly, PC1 must be running the vmicguestinterface (Hyper-V Guest Service Interface) service. If this service is not installed, you can try updating integration services on the VM. This can be done by mounting the Hyper-V Integration Services Setup (vmguest.iso), which is located in C:\Windows\System32 on Windows Server operating systems that are running the Hyper-V role service. Otherwise, just create the file c:\pc1.ps1 on the VM by typing the commands into this file manually. Be sure to save the file as a Windows PowerShell script file with the .ps1 extension and not as a text (.txt) file.
>In order for this command to work properly, PC1 must be running the vmicguestinterface (Hyper-V Guest Service Interface) service. If this service is not enabled in this step, then the copy-VMFile command will fail. In this case, you can try updating integration services on the VM by mounting the Hyper-V Integration Services Setup (vmguest.iso), which is located in C:\Windows\System32 on Windows Server 2012 and 2012 R2 operating systems that are running the Hyper-V role service.
If the copy-vmfile command does not work and you cannot properly enable or upgrade integration services on PC1, then create the file c:\pc1.ps1 on the VM by typing the commands into this file manually. The copy-vmfile command is only used in this procedure as a demonstration of automation methods that can be used in a Hyper-V environment when enhanced session mode is not available. After typing the script file manually, be sure to save the file as a Windows PowerShell script file with the .ps1 extension and not as a text (.txt) file.
21. On PC1, type the following commands at an elevated Windows PowerShell prompt:
@ -850,7 +864,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
>The commands in this script might take a few moments to complete. If an error is displayed, check that you typed the command correctly, paying close attention to spaces. PC1 is removed from its domain in this step while not connected to the corporate network so as to ensure the computer object in the corporate domain is unaffected. PC1 is also not renamed to "PC1" in system properties so that it maintains some of its mirrored identity. However, if desired you can also rename the computer.
22. Upon completion of the script, PC1 will automatically restart. When it has restarted, sign in to the contoso.com domain using the **Switch User** option, with the **user1** account you created in step 11 of this section.
>**Important**: The settings that will be used later to migrate user data specifically select only accounts that belong to the CONTOSO domain. However, this can be changed to migrate all use accounts, or only other specific accounts. If you wish to test migration of user data and settings with accounts other than those in the CONTOSO domain, you must specify these accounts or domains when you configure the value of **ScanStateArgs** in the MDT test lab guide. This value is specifically called out when you get to that step. If you wish to only migrate CONTOSO accounts, then you can log in with the user1 account or the administrator account at this time and modify some of the files and settings for later use in migration testing.
>**Important**: The settings that will be used later to migrate user data specifically select only accounts that belong to the CONTOSO domain. However, this can be changed to migrate all user accounts, or only other specified accounts. If you wish to test migration of user data and settings with accounts other than those in the CONTOSO domain, you must specify these accounts or domains when you configure the value of **ScanStateArgs** in the MDT test lab guide. This value is specifically called out when you get to that step. If you wish to only migrate CONTOSO accounts, then you can log in with the user1 account or the administrator account at this time and modify some of the files and settings for later use in migration testing.
23. Minimize the PC1 window but do not turn it off while the second Windows Server 2012 R2 VM (SRV1) is configured. This verifies that the Hyper-V host has enough resources to run all VMs simultaneously. Next, SRV1 will be started, joined to the contoso.com domain, and configured with RRAS and DNS services.
24. On the Hyper-V host computer, at an elevated Windows PowerShell prompt, type the following commands:
@ -954,7 +968,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
36. Lastly, because the client computer has different hardware after copying it to a VM, its Windows activation will be invalidated and you might receive a message that you must activate Windows in 3 days. To extend this period to 30 days, type the following commands at an elevated Windows PowerShell prompt on PC1:
<pre style="overflow-y: visible">
runas /noprofile /env /user:administrator@contoso.com "cmd slmgr -rearm"
runas /noprofile /env /user:administrator@contoso.com "cmd /c slmgr -rearm"
Restart-Computer
</pre>
@ -979,6 +993,8 @@ Set-ADUser -Identity CM_JD -PasswordNeverExpires $true
Set-ADUser -Identity CM_NAA -PasswordNeverExpires $true
</pre>
This completes configuration of the starting PoC environment. Additional services and tools are installed in subsequent guides.
## Appendix A: Verify the configuration
Use the following procedures to verify that the PoC environment is configured properly and working as expected.

1
windows/index.md
View File

@ -3,6 +3,7 @@ title: Windows 10 and Windows 10 Mobile (Windows 10)
description: This library provides the core content that IT pros need to evaluate, plan, deploy, and manage devices running Windows 10 or Windows 10 Mobile.
ms.assetid: 345A4B4E-BC1B-4F5C-9E90-58E647D11C60
ms.prod: w10
localizationpriority: high
author: brianlic-msft
---

3
windows/keep-secure/TOC.md
View File

@ -31,6 +31,7 @@
##### [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md)
#### [Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md)
#### [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md)
#### [Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](wip-app-enterprise-context.md)
### [Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](mandatory-settings-for-wip.md)
### [Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md)
### [Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md)
@ -196,7 +197,7 @@
###### [Monitor claim types](monitor-claim-types.md)
##### [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
###### [Audit Credential Validation](audit-credential-validation.md)
####### [Event 4774 S: An account was mapped for logon.](event-4774.md)
####### [Event 4774 S, F: An account was mapped for logon.](event-4774.md)
####### [Event 4775 F: An account could not be mapped for logon.](event-4775.md)
####### [Event 4776 S, F: The computer attempted to validate the credentials for an account.](event-4776.md)
####### [Event 4777 F: The domain controller failed to validate the credentials for an account.](event-4777.md)

2
windows/keep-secure/change-history-for-keep-windows-10-secure.md
View File

@ -15,6 +15,8 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md
## January 2017
|New or changed topic |Description |
|---------------------|------------|
|[Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](wip-app-enterprise-context.md) |New |
|[Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) |Updated to include info about USB drives and Azure RMS (Windows Insider Program only) and to add more info about Work Folders and Offline files. |
|[Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)](recommended-network-definitions-for-wip.md) |New |
|[Using Outlook Web Access with Windows Information Protection (WIP)](using-owa-with-wip.md) |New |

105
windows/keep-secure/choose-the-right-bitlocker-countermeasure.md
View File

@ -17,20 +17,105 @@ author: brianlic-msft
This section outlines the best countermeasures you can use to protect your organization from bootkits and rootkits, brute force sign-in, Direct Memory Access (DMA) attacks, Hyberfil.sys attacks, and memory remanence attacks.
You can use BitLocker to protect your Windows 10 PCs. Whichever operating system youre using, Microsoft and Windows-certified devices provide countermeasures to address attacks and improve your data security. In most cases, this protection can be implemented without the need for pre-boot authentication.
Figures 2, 3, and 4 summarize the recommended mitigations for different types of attacks against PCs running recent versions of Windows. The orange blocks indicate that the system requires additional configuration from the default
settings.
Tables 1 and 2 summarize the recommended mitigations for different types of attacks against PCs running recent versions of Windows. The orange blocks indicate that the system requires additional configuration from the default settings.
![how to choose best countermeasures for windows 7](images/bitlockerprebootprotection-counterwin7.jpg)
<table>
<colgroup>
<col width="20%" />
<col width="25%" />
<col width="55%" />
</colgroup>
<tr>
<td></td>
<td BGCOLOR="#01BCF3">
<p><font color="#FFFFFF"><strong>Windows 8.1<br>without TPM</strong></font></p></td>
<td BGCOLOR="#01BCF3">
<p><font color="#FFFFFF"><strong>Windows 8.1 Certified<br>(with TPM)</strong></font></p></td>
</tr>
<tr class="odd">
<td BGCOLOR="#FF8C01">
<p><font color="#FFFFFF">Bootkits and<br>Rootkits</p></font></td>
<td BGCOLOR="#FED198"><p>Without TPM, boot integrity checking is not available</p></td>
<td BGCOLOR="#99E4FB"><p>Secure by default when UEFI-based Secure Boot is enabled and a firmware password is required to change settings</p></td>
</tr>
<tr class="even">
<td BGCOLOR="FF8C01">
<p><font color="#FFFFFF">Brute Force<br>Sign-in</font></p></td>
<td BGCOLOR="#99E4FB"><p>Secure by default, and can be improved with account lockout Group Policy</p></td>
<td BGCOLOR="#99E4FB"><p>Secure by default, and can be improved with account lockout and device lockout Group Policy settings</p></td>
</tr>
<tr class="odd">
<td BGCOLOR="#FF8C01">
<p><font color="#FFFFFF">DMA<br>Attacks</p></font></td>
<td BGCOLOR="#99E4FB"><p>If policy is deployed, secure by default for all lost or stolen devices because new DMA devices are granted access only when an authorized user is signed in</p></td>
<td BGCOLOR="#99E4FB"><p>If policy is deployed, secure by default for all lost or stolen devices because new DMA devices are granted access only when an authorized user is signed in</p></td>
</tr>
<tr class="even">
<td BGCOLOR="FF8C01">
<p><font color="#FFFFFF">Hyberfil.sys<br>Attacks</font></p></td>
<td BGCOLOR="#99E4FB"><p>Secure by default; hyberfil.sys secured on encrypted volume</p></td>
<td BGCOLOR="#99E4FB"><p>Secure by default; hyberfil.sys secured on encrypted volume</p></td>
</tr>
<tr class="odd">
<td BGCOLOR="#FF8C01">
<p><font color="#FFFFFF">Memory<br>Remanence<br>Attacks</p></font></td>
<td BGCOLOR="#FED198"><p>Password protect the firmware and disable booting from external media. If an attack is viable, consider pre-boot authentication</p></td>
<td BGCOLOR="#99E4FB"><p>Password protect the firmware and ensure Secure Boot is enabled. If an attack is viable, consider pre-boot authentication</p></td>
</tr>
</table>
**Figure 2.** How to choose the best countermeasures for Windows 7
**Table 1.**&nbsp;&nbsp;How to choose the best countermeasures for Windows 8.1<br><br>
![how to choose countermeasures for windows 8](images/bitlockerprebootprotection-counterwin8.jpg)
<table>
<colgroup>
<col width="20%" />
<col width="25%" />
<col width="55%" />
</colgroup>
<tr>
<td></td>
<td BGCOLOR="#01BCF3">
<p><font color="#FFFFFF"><strong>Windows 10<br>without TPM</strong></font></p></td>
<td BGCOLOR="#01BCF3">
<p><font color="#FFFFFF"><strong>Windows 10 Certified<br>(with TPM)</strong></font></p></td>
</tr>
<tr class="odd">
<td BGCOLOR="#FF8C01">
<p><font color="#FFFFFF">Bootkits and<br>Rootkits</p></font></td>
<td BGCOLOR="#FED198"><p>Without TPM, boot integrity checking is not available</p></td>
<td BGCOLOR="#99E4FB"><p>Secure by default when UEFI-based Secure Boot is enabled and a firmware password is required to change settings</p></td>
</tr>
<tr class="even">
<td BGCOLOR="FF8C01">
<p><font color="#FFFFFF">Brute Force<br>Sign-in</font></p></td>
<td BGCOLOR="#99E4FB"><p>Secure by default, and can be improved with account lockout Group Policy</p></td>
<td BGCOLOR="#99E4FB"><p>Secure by default, and can be improved with account lockout and device lockout Group Policy settings</p></td>
</tr>
<tr class="odd">
<td BGCOLOR="#FF8C01">
<p><font color="#FFFFFF">DMA<br>Attacks</p></font></td>
<td BGCOLOR="#99E4FB"><p>If policy is deployed, secure by default for all lost or stolen devices because new DMA devices are granted access only when an authorized user is signed in</p></td>
<td BGCOLOR="#99E4FB"><p>Secure by default; certified devices do not expose vulnerable DMA busses.<br>Can be additionally secured by deploying policy to restrict DMA devices:</p>
<ul>
<li><p><a href="https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#DataProtection_AllowDirectMemoryAccess">DataProtection/AllowDirectMemoryAccess</a></p></li>
<li><p><a href="https://support.microsoft.com/en-us/kb/2516445">Block 1394 and Thunderbolt</a></p></li></ul>
</td>
</tr>
<tr class="even">
<td BGCOLOR="FF8C01">
<p><font color="#FFFFFF">Hyberfil.sys<br>Attacks</font></p></td>
<td BGCOLOR="#99E4FB"><p>Secure by default; hyberfil.sys secured on encrypted volume</p></td>
<td BGCOLOR="#99E4FB"><p>Secure by default; hyberfil.sys secured on encrypted volume</p></td>
</tr>
<tr class="odd">
<td BGCOLOR="#FF8C01">
<p><font color="#FFFFFF">Memory<br>Remanence<br>Attacks</p></font></td>
<td BGCOLOR="#FED198"><p>Password protect the firmware and disable booting from external media. If an attack is viable, consider pre-boot authentication</p></td>
<td BGCOLOR="#99E4FB"><p>Password protect the firmware and ensure Secure Boot is enabled.<br>The most effective mitigation, which we advise for high-security devices, is to configure a TPM+PIN protector, disable Standby power management, and shut down or hibernate the device before it leaves the control of an authorized user.</p></td>
</tr>
</table>
**Figure 3.** How to choose the best countermeasures for Windows 8
![how to choose countermeasures for windows 8.1](images/bitlockerprebootprotection-counterwin81.jpg)
**Figure 4.** How to choose the best countermeasures for Windows 8.1
**Table 2.**&nbsp;&nbsp;How to choose the best countermeasures for Windows 10
The latest InstantGo devices, primarily tablets, are designed to be secure by default against all attacks that might compromise the BitLocker encryption key. Other Windows devices can be, too. DMA portbased attacks, which represent the attack vector of choice, are not possible on InstantGo devices, because these port types are prohibited. The inclusion of DMA ports on even non-InstantGo devices is extremely rare on recent devices, particularly on mobile ones. This could change if Thunderbolt is broadly adopted, so IT should consider this when purchasing new devices. In any case DMA ports can be disabled entirely, which is an increasingly popular option because the use of
DMA ports is infrequent in the non-developer space.

3
windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md
View File

@ -79,7 +79,8 @@ The following steps assume that you have completed all the required steps in [Be
<td>Type in the name of the client property file. It must match the client property file.</td>
</tr>
<td>Events URL</td>
<td>Depending on the location of your datacenter, select either the EU or the US URL: </br></br> **For EU**: https://<i></i>wdatp-alertexporter-eu.securitycenter.windows.com/api/alerts </br>**For US:** https://<i></i>wdatp-alertexporter-us.securitycenter.windows.com/api/alerts</td>
<td>Depending on the location of your datacenter, select either the EU or the US URL: </br></br> **For EU**: https://<i></i>wdatp-alertexporter-eu.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME
</br>**For US:** https://<i></i>wdatp-alertexporter-us.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME</td>
<tr>
<td>Authentication Type</td>
<td>OAuth 2</td>

6
windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
View File

@ -37,14 +37,14 @@ For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThre
b. Select **Mobile Device Management/Microsoft Intune** > **Download package** and save the .zip file.
![Endpoint onboarding](images/atp-onboard-mdm.png)
![Endpoint onboarding](images/atp-mdm-onboarding-package.png)
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP.onboarding*.
3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune).
a. Select **Policy** > **Configuration Policies** > **Add**.
![Microsoft Intune Configuration Policies](images/atp-intune-add-policy.png)
![Microsoft Intune Configuration Policies](images/atp-add-intune-policy.png)
b. Under **Windows**, select **Custom Configuration (Windows 10 Desktop and Mobile and later)** > **Create and Deploy a Custom Policy** > **Create Policy**.
![Microsoft Intune Configuration Policies](images/atp-intune-new-policy.png)
@ -56,7 +56,7 @@ For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThre
![Microsoft Intune add OMC-URI](images/atp-intune-add-oma.png)
e. Type the following values then select **OK**:
![Microsoft Intune save policy](images/atp-intune-oma-uri-setting.png)
- **Setting name**: Type a name for the setting.

2
windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md
View File

@ -56,7 +56,7 @@ You'll need to configure Splunk so that it can consume Windows Defender ATP aler
</tr>
<tr>
<td>Endpoint URL</td>
<td>Depending on the location of your datacenter, select either the EU or the US URL: </br></br> **For EU**: https://<i></i>wdatp-alertexporter-eu.securitycenter.windows.com/api/alerts </br>**For US:** https://<i></i>wdatp-alertexporter-us.securitycenter.windows.com/api/alerts
<td>Depending on the location of your datacenter, select either the EU or the US URL: </br></br> **For EU**: https://<i></i>wdatp-alertexporter-eu.windows.com/api/alerts </br>**For US:** https://<i></i>wdatp-alertexporter-us.windows.com/api/alerts
</tr>
<tr>

6
windows/keep-secure/create-wip-policy-using-sccm.md
View File

@ -436,11 +436,11 @@ There are no default locations included with WIP, you must add each of your netw
![Create Configuration Item wizard, Add whether to search for additional network settings](images/wip-sccm-optsettings.png)
- **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network. Not configured is the default option.
- **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network. Not configured is the default option.
- **Enterprise IP Ranges list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network. Not configured is the default option.
- **Enterprise IP Ranges list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network. Not configured is the default option.
- **Show the Windows Information Protection icon overlay on your allowed apps that are WIP-unaware on corporate files in the File Explorer.** Click this box if you want the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but allowed apps, the icon overlay also appears on the app tile and with *Managed* text on the app name in the **Start** menu. Not configured is the default option.
- **Show the Windows Information Protection icon overlay on your allowed apps that are WIP-unaware on corporate files in the File Explorer.** Click this box if you want the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but allowed apps, the icon overlay also appears on the app tile and with *Managed* text on the app name in the **Start** menu. Not configured is the default option.
5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy.

5
windows/keep-secure/credential-guard.md
View File

@ -48,7 +48,7 @@ The following tables provide more information about the hardware, firmware, and
> [!NOTE]
> For new computers running Windows 10, Trusted Platform Module (TPM 2.0) must be enabled by default. This requirement is not restated in the tables that follow.<br>
> If you are an OEM, see the requirements information at [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514(v=vs.85).aspx).<br>
> If you are an OEM, see the requirements information at [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx).<br>
> Starting in Widows 10, 1607, TPM 2.0 is required.
@ -61,7 +61,7 @@ The following tables provide more information about the hardware, firmware, and
| Hardware: **Trusted Platform Module (TPM)** | **Requirement**: TPM 1.2 or TPM 2.0, either discrete or firmware.<br><br>**Security benefits**: A TPM provides protection for VBS encryption keys that are stored in the firmware. This helps protect against attacks involving a physically present user with BIOS access. |
| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)<br><br>**Security benefits**: UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
| Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).<br><br>**Security benefits**: UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT<br><br><blockquote><p><strong>Important:</strong><br> Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.</p></blockquote><br>**Security benefits**: Support for VBS and for management features that simplify configuration of Credential Guard. |
| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT<br><blockquote><p><strong>Important:</strong><br> Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.</p></blockquote><br>**Security benefits**: Support for VBS and for management features that simplify configuration of Credential Guard. |
> [!IMPORTANT]
> The preceding table lists requirements for baseline protections. The following tables list requirements for improved security. You can use Credential Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security, to significantly strengthen the level of security that Credential Guard can provide.
@ -917,6 +917,7 @@ write-host $tmp -Foreground Red
- [Isolated User Mode Processes and Features in Windows 10 with Logan Gabriel (Channel 9)](http://channel9.msdn.com/Blogs/Seth-Juarez/Isolated-User-Mode-Processes-and-Features-in-Windows-10-with-Logan-Gabriel)
- [More on Processes and Features in Windows 10 Isolated User Mode with Dave Probert (Channel 9)](https://channel9.msdn.com/Blogs/Seth-Juarez/More-on-Processes-and-Features-in-Windows-10-Isolated-User-Mode-with-Dave-Probert)
- [Mitigating Credential Theft using the Windows 10 Isolated User Mode (Channel 9)](https://channel9.msdn.com/Blogs/Seth-Juarez/Mitigating-Credential-Theft-using-the-Windows-10-Isolated-User-Mode)
- [Protecting network passwords with Windows 10 Credential Guard](https://www.microsoft.com/itshowcase/Article/Content/831/Protecting-network-passwords-with-Windows-10-Credential-Guard)
- [Enabling Strict KDC Validation in Windows Kerberos](http://www.microsoft.com/download/details.aspx?id=6382)
- [What's New in Kerberos Authentication for Windows Server 2012](http://technet.microsoft.com/library/hh831747.aspx)
- [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](http://technet.microsoft.com/library/dd378897.aspx)

9
windows/keep-secure/event-4774.md
View File

@ -1,6 +1,6 @@
---
title: 4774(S) An account was mapped for logon. (Windows 10)
description: Describes security event 4774(S) An account was mapped for logon.
description: Describes security event 4774(S, F) An account was mapped for logon.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
@ -8,14 +8,13 @@ ms.sitesec: library
author: Mir0sh
---
# 4774(S): An account was mapped for logon.
# 4774(S, F): An account was mapped for logon.
**Applies to**
- Windows 10
- Windows Server 2016
It appears that this event never occurs.
Success events do not appear to occur. Failure event [has been reported](http://forum.ultimatewindowssecurity.com/Topic7313-282-1.aspx).
***Subcategory:***&nbsp;[Audit Credential Validation](audit-credential-validation.md)
@ -23,7 +22,7 @@ It appears that this event never occurs.
*An account was mapped for logon.*
*Authentication Package:%1*
*Authentication Package:Schannel*
*Account UPN:%2*

22
windows/keep-secure/how-to-configure-security-policy-settings.md
View File

@ -31,9 +31,9 @@ When a local setting is inaccessible, it indicates that a GPO currently controls
3. When you find the policy setting in the details pane, double-click the security policy that you want to modify.
4. Modify the security policy setting, and then click **OK**.
**Note**  
- Some security policy settings require that the device be restarted before the setting takes effect.
- Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
> [!NOTE]
> - Some security policy settings require that the device be restarted before the setting takes effect.
> - Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
 
## <a href="" id="bkmk-domain"></a>To configure a security policy setting using the Local Group Policy Editor console
@ -48,11 +48,13 @@ You must have the appropriate permissions to install and use the Microsoft Manag
4. In the details pane, double-click the security policy setting that you want to modify.
>**Note:**  If this security policy has not yet been defined, select the **Define these policy settings** check box.
> [!NOTE]
> If this security policy has not yet been defined, select the **Define these policy settings** check box.
 
5. Modify the security policy setting, and then click **OK**.
>**Note:**  If you want to configure security settings for many devices on your network, you can use the Group Policy Management Console.
> [!NOTE]
> If you want to configure security settings for many devices on your network, you can use the Group Policy Management Console.
 
## <a href="" id="bkmk-dc"></a>To configure a setting for a domain controller
@ -65,13 +67,15 @@ The following procedure describes how to configure a security policy setting for
- Click **Local Policies** to edit the **Audit Policy**, a **User Rights Assignment**, or **Security Options**.
3. In the details pane, double-click the security policy that you want to modify.
>**Note**  If this security policy has not yet been defined, select the **Define these policy settings** check box.
> [!NOTE]
> If this security policy has not yet been defined, select the **Define these policy settings** check box.
 
4. Modify the security policy setting, and then click **OK**.
**Important**  
- Always test a newly created policy in a test organizational unit before you apply it to your network.
- When you change a security setting through a GPO and click **OK**, that setting will take effect the next time you refresh the settings.
> [!IMPORTANT]  
> - Always test a newly created policy in a test organizational unit before you apply it to your network.
> - When you change a security setting through a GPO and click **OK**, that setting will take effect the next time you refresh the settings.
 
## Related topics

34
windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
View File

@ -22,17 +22,18 @@ Credential Manager is a place where credentials in the OS are can be stored for
For VPN, the VPN stack saves its credential as the session default.
For WiFi, EAP does it.
The credentials are put in Credential Manager as a "`*Session`" credential.
A "`*Session`" credential implies that it is valid for the current user session.
The credentials are put in Credential Manager as a "\*Session" credential.
A "\*Session" credential implies that it is valid for the current user session.
The credentials are also cleaned up when the WiFi or VPN connection is disconnected.
When the user tries to access a domain resource, using Edge for example, Edge has the right Enterprise Authentication capability so WinInit.exe can release the credentials that it gets from the Credential Manager to the SSP that is requesting it.
When the user tries to access a domain resource, using Edge for example, Edge has the right Enterprise Authentication capability so [WinInet](https://msdn.microsoft.com/library/windows/desktop/aa385483.aspx) can release the credentials that it gets from the Credential Manager to the SSP that is requesting it.
For more information about the Enterprise Authentication capability, see [App capability declarations](https://msdn.microsoft.com/windows/uwp/packaging/app-capability-declarations).
WinInit.exe will look at the device application, such as a Universal Windows Platform (UWP) application, to see if it has the right capability.
The local security authority will look at the device application, such as a Universal Windows Platform (UWP) application, to see if it has the right capability.
If the app is not UWP, it does not matter.
But if it is a UWP app, it will look at the device capability for Enterprise Authentication.
If it does have that capability and if the resource that you are trying to access is in the Intranet zone in the Internet Options (ZoneMap), then the credential will be released.
If it does have that capability and if the resource that you are trying to access is in the Intranet zone in the Internet Options (ZoneMap), then the credential will be released.
This behavior helps prevent credentials from being misused by untrusted third parties.
## Intranet zone
@ -68,9 +69,26 @@ The username should also include a domain that can be reached over the connectio
If the credentials are certificate-based, then the elements in the following table need to be configured for the certificate templates to ensure they can also be used for Kerberos client authentication.
| TEmplate element | Configuration |
| Template element | Configuration |
|------------------|---------------|
| SubjectName | The users distinguished name (DN) where the domain components of the distinguished name reflects the internal DNS namespace when the SubjectAlternativeName does not have the fully qualified UPN required to find the domain controller. </br>This requirement is particularly relevant in multi-forest environments as it ensures a domain controller can be located. |
| SubjectAlternativeName | The users fully qualified UPN where a domain name component of the users UPN matches the organizations internal domains DNS namespace.</br>This requirement is particularly relevant in multi-forest environments as it ensures a domain controller can be located when the SubjectName does not have the DN required to find the domain controller. |
| Key Storage Provider (KSP) | If the device is joined to Azure AD, a discrete SSO certificate is used. This certificate must be issued using the PassportForWork CSP. |
| EnhancedKeyUsage | One or more of the following EKUs is required: </br>- Client Authentication (for the VPN) </br>- EAP Filtering OID (for PassportForWork)</br>- SmartCardLogon (for Azure AD joined devices)</br>If the domain controllers require smart card EKU either:</br>- SmartCardLogon</br>- id-pkinit-KPClientAuth (1.3.6.1.5.2.3.4)</br>Otherwise:</br>- TLS/SSL Client Authentication (1.3.6.1.5.5.7.3.2) |
| Key Storage Provider (KSP) | If the device is joined to Azure AD, a discrete SSO certificate is used. |
| EnhancedKeyUsage | One or more of the following EKUs is required: </br>- Client Authentication (for the VPN) </br>- EAP Filtering OID (for Windows Hello for Business)</br>- SmartCardLogon (for Azure AD joined devices)</br>If the domain controllers require smart card EKU either:</br>- SmartCardLogon</br>- id-pkinit-KPClientAuth (1.3.6.1.5.2.3.4)</br>Otherwise:</br>- TLS/SSL Client Authentication (1.3.6.1.5.5.7.3.2) |
## NDES server configuration
The NDES server is required to be configured so that incoming SCEP requests can be mapped to the correct template to be used.
For more information, see [Configure certificate infrastructure for SCEP](https://docs.microsoft.com/en-us/intune/deploy-use/Configure-certificate-infrastructure-for-scep).
## Active Directory requirements
You need IP connectivity to a DNS server and domain controller over the network interface so that authentication can succeed as well.
The domain controllers will need to have appropriate KDC certificates for the client to trust them as domain controllers, and since phones are not domain-joined, the root CA of the KDCs certificate must be in the Third-Party Root CA or Smart Card Trusted Roots store.
The domain controllers must be using certificates based on the updated KDC certificate template Kerberos Authentication.
This is because Windows 10 Mobile requires strict KDC validation to be enabled.
This requires that all authenticating domain controllers run Windows Server 2016, or you'll need to enable strict KDC validation on domain controllers that run previous versions of Windows Server.
For more information, see [Enabling Strict KDC Validation in Windows Kerberos](https://www.microsoft.com/download/details.aspx?id=6382).

BIN
windows/keep-secure/images/atp-add-intune-policy.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 66 KiB

BIN
windows/keep-secure/images/atp-mdm-onboarding-package.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 75 KiB

BIN
windows/keep-secure/images/wip-select-column.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 5.7 KiB

BIN
windows/keep-secure/images/wip-taskmgr.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 43 KiB

1
windows/keep-secure/index.md
View File

@ -6,6 +6,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
localizationpriority: high
author: brianlic-msft
---
# Keep Windows 10 secure

1
windows/keep-secure/overview-create-wip-policy.md
View File

@ -24,6 +24,7 @@ Microsoft Intune and System Center Configuration Manager helps you create and de
|[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Intune helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
|[Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) |System Center Configuration Manager helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) |Steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. |
|[Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](wip-app-enterprise-context.md) |Use the Task Manager to determine whether an app is considered work, personal or exempt by Windows Information Protection (WIP). |
>[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).

2
windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md
View File

@ -54,7 +54,7 @@ The following tables provide more information about the hardware, firmware, and
| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)<br><br>**Security benefits**: UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
| Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).<br><br>**Security benefits**: UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
| Software: **HVCI compatible drivers** | **Requirements**: See the Windows Hardware Compatibility Program requirements under [Filter.Driver.DeviceGuard.DriverCompatibility](https://msdn.microsoft.com/library/windows/hardware/mt589732(v=vs.85).aspx).<br><br>**Security benefits**: [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. |
| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT<br><br><blockquote><p><strong>Important:</strong><br> Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.</p></blockquote><br>**Security benefits**: Support for VBS and for management features that simplify configuration of Device Guard. |
| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT<br><blockquote><p><strong>Important:</strong><br> Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.</p></blockquote><br>**Security benefits**: Support for VBS and for management features that simplify configuration of Device Guard. |
> **Important**&nbsp;&nbsp;The preceding table lists requirements for baseline protections. The following tables list requirements for improved security. You can use Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security, to significantly strengthen the level of security that Device Guard can provide.

15
windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md
View File

@ -2222,7 +2222,20 @@ Description of the error. </dt>
<td colspan="2">
<p>The support for your operating system has expired. Windows Defender is no longer supported on your operating system, has stopped functioning, and is not protecting against malware threats.</p>
</td>
</tr><tr><th rowspan="3">Event ID: 2050</th><td><p>Symbolic name:</p></td><td colspan="2"><p><b>MALWAREPROTECTION_SAMPLESUBMISSION_UPLOADED</b></p></td></tr><tr><td><p>Message:</p></td><td colspan="2"><p><b>The antimalware engine has uploaded a file for further analysis.<br />Filename &lt;uploaded filename&gt;<br />Sha256: &lt;file SHA&gt;</b></p></td></tr><tr><td><p>Description:</p></td><td colspan="2"><p>A file was uploaded to the Windows Defender Antimalware cloud for further analysis or processing.</p></td></tr>
</tr>
<tr><th rowspan="3">Event ID: 2050</th><td><p>Symbolic name:</p></td><td colspan="2"><p><b>MALWAREPROTECTION_SAMPLESUBMISSION_UPLOAD</b></p></td></tr><tr><td><p>Message:</p></td><td colspan="2"><p><b>The antimalware engine has uploaded a file for further analysis.<br />Filename &lt;uploaded filename&gt;<br />Sha256: &lt;file SHA&gt;</b></p></td></tr><tr><td><p>Description:</p></td><td colspan="2"><p>A file was uploaded to the Windows Defender Antimalware cloud for further analysis or processing.</p></td></tr>
<tr><th rowspan="4">Event ID: 2051</th><td><p>Symbolic name:</p></td><td colspan="2"><p><b>MALWAREPROTECTION_SAMPLESUBMISSION_UPLOADED_FAILED</b></p></td></tr><tr><td><p>Message:</p></td><td colspan="2"><p><b>The antimalware engine has encountered an error trying to upload a suspicious file for further analysis.<br />
Filename: &lt;uploaded filename&gt;<br />
Sha256: &lt;file SHA&gt;<br />
Current Signature Version: &lt;signature version number&gt;<br/>
Current Engine Version: &lt;engine version number&gt;<br />
Error code: &lt;error code&gt;</b></p></td></tr><tr><td><p>Description:</p></td><td colspan="2"><p>A file could not be uploaded to the Windows Defender Antimalware cloud.</p></td></tr><tr><td><p>User action:</p></td><td colspan="2"><p>You can attempt to manually submit the file.</p></td></tr>
<tr>
<th rowspan="4">Event ID: 3002</th>
<td>

1
windows/keep-secure/using-owa-with-wip.md
View File

@ -23,7 +23,6 @@ Because Outlook Web Access (OWA) can be used both personally and as part of your
|-------|-------------|
|Disable OWA. Employees can only use Microsoft Outlook 2016 or the Office 365 Mail app. | Disabled. |
|Don't configure outlook.office.com in any of your networking settings. |All mailboxes are automatically marked as personal. This means employees attempting to copy work content into OWA receive prompts and that files downloaded from OWA aren't automatically protected as corporate data. |
|Do all of the following:<ul><li>Create a domain (such as mail.contoso.com, redirecting to outlook.office.com) that can be used by your employees to access work email.</li><li>Add the new domain to the Enterprise Cloud Resources network element in your WIP policy.</li><li>Add the following URLs to the Neutral Resources network element in your WIP policy:<ul><li>outlook.office365.com</li><li>outlook.office.com</li><li>outlook-sdf.office.com</li><li>attachment.outlook.office.net</li></ul></li></ul> |Inbox content accessed through the new domain is automatically marked as corporate data, while content accessed through personal email is automatically marked as personal. |
|Add outlook.office.com to the Enterprise Cloud Resources network element in your WIP policy. |All mailboxes are automatically marked as corporate. This means any personal inboxes hosted on Office 365 are also automatically marked as corporate data. |
>[!NOTE]

3
windows/keep-secure/windows-defender-advanced-threat-protection.md
View File

@ -93,3 +93,6 @@ Topic | Description
[Troubleshoot Windows Defender Advanced Threat Protection](troubleshoot-windows-defender-advanced-threat-protection.md) | This topic contains information to help IT Pros find workarounds for the known issues and troubleshoot issues in Windows Defender ATP.
[Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md)| Review events and errors associated with event IDs to determine if further troubleshooting steps are required.
[Windows Defender compatibility](defender-compatibility-windows-defender-advanced-threat-protection.md) | Learn about how Windows Defender works in conjunction with Windows Defender ATP.
## Related topic
[Windows Defender ATP helps detect sophisticated threats](https://www.microsoft.com/itshowcase/Article/Content/854/Windows-Defender-ATP-helps-detect-sophisticated-threats)

2
windows/keep-secure/windows-defender-in-windows-10.md
View File

@ -18,7 +18,7 @@ author: jasesso
Windows Defender in Windows 10 is a built-in antimalware solution that provides security and antimalware management for desktops, portable computers, and servers.
This topic provides an overview of Windows Defender, including a list of system requirements and new features.
For more important information about running Windows Defender on a server platform, see [Windows Defender Overview for Windows Server Technical Preview](https://technet.microsoft.com/library/dn765478.aspx).
For more important information about running Windows Defender on a server platform, see [Windows Defender Overview for Windows Server](https://technet.microsoft.com/windows-server-docs/security/windows-defender/windows-defender-overview-windows-server).
Take advantage of Windows Defender by configuring settings and definitions using the following tools:
- Microsoft Active Directory *Group Policy* for settings

55
windows/keep-secure/wip-app-enterprise-context.md Normal file
View File

@ -0,0 +1,55 @@
---
title: Determine the Enterprise Context of an app running in Windows Information Protection (WIP) (Windows 10)
description: Use the Task Manager to determine whether an app is considered work, personal or exempt by Windows Information Protection (WIP).
keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, WIP and Task Manager, app context, enterprise context
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
localizationpriority: high
---
# Determine the Enterprise Context of an app running in Windows Information Protection (WIP)
**Applies to:**
- Windows 10, version 1607
- Windows 10 Mobile
>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare).
Use Task Manager to check the context of your apps while running in Windows Information Protection (WIP) to make sure that your organization's policies are applied and running correctly.
## Viewing the Enterprise Context column in Task Manager
You need to add the Enterprise Context column to the **Details** tab of the Task Manager.
1. Make sure that you have an active WIP policy deployed and turned on in your organization.
2. Open the Task Manager (taskmgr.exe), click the **Details** tab, right-click in the column heading area, and click **Select columns**.
The **Select columns** box appears.
![Task Manager, Select column box with Enterprise Context option selected](images/wip-select-column.png)
3. Scroll down and check the **Enterprise Context** option, and then click **OK** to close the box.
The **Enterprise Context** column should now be available in Task Manager.
![Task Manager, Enterprise Context column highlighted](images/wip-taskmgr.png)
## Review the Enterprise Context
The **Enterprise Context** column shows you what each app can do with your enterprise data:
- **Domain.** Shows the employee's work domain (such as, corp.contoso.com). This app is considered work-related and can freely touch and open work data and resources.
- **Personal.** Shows the text, *Personal*. This app is considered non-work-related and can't touch any work data or resources.
- **Exempt.** Shows the text, *Exempt*. WIP policies don't apply to these apps (such as, system components).
>[!IMPORTANT]
>Enlightened apps can change between Work and Personal, depending on the data being touched. For example, Microsoft Word 2016 shows as **Personal** when an employee opens a personal letter, but changes to **Work** when that same employee opens the company financials.

20
windows/manage/configure-windows-10-taskbar.md
View File

@ -17,14 +17,14 @@ Starting in Windows 10, version 1607, administrators can pin additional apps to
You can specify different taskbar configurations based on device locale and region. There is no limit on the number of apps that you can pin. You specify apps using the [Application User Model ID (AUMID)](https://go.microsoft.com/fwlink/p/?LinkId=614867) or Desktop Application Link Path (the local path to the application).
If you specify an app to be pinned that is not installed on the computer, it won't appear on the taskbar.
If you specify an app to be pinned that is not provisioned for the user on the computer, the pinned icon won't appear on the taskbar.
The order of apps in the xml file dictates order of apps on taskbar from left to right, to the right of any existing apps pinned by user.
The order of apps in the XML file dictates the order of pinned apps on the taskbar from left to right, to the right of any existing apps pinned by the user.
> [!NOTE]
> In operating systems configured to use a right-to-left language, the taskbar order will be reversed.
The following example shows how apps will be pinned: Windows default apps to the left (blue circle), apps pinned by the user in the center (orange triangle), and apps that you pin using XML to the right (green square).
The following example shows how apps will be pinned: Windows default apps to the left (blue circle), apps pinned by the user in the center (orange triangle), and apps that you pin using the XML file to the right (green square).
![Windows left, user center, enterprise to the right](images/taskbar-generic.png)
@ -41,21 +41,21 @@ To configure the taskbar:
3. Apply the layout modification XML file to devices using [Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) or a [provisioning package created in Windows Imaging and Configuration Designer (Windows ICD)](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md).
>[!IMPORTANT]
>If you use a provisioning package to configure the taskbar, your configuration will be reapplied each time the explorer.exe process restarts. If your configuration pins an app and the user unpins that app, the user's change will be overwritten the next time the configuration is applied. To apply a taskbar configuration and allow users to make changes that will persist, apply your configuration by using Group Policy.
>If you use a provisioning package to configure the taskbar, your configuration will be reapplied each time the explorer.exe process restarts. If your configuration pins an app and the user then unpins that app, the user's change will be overwritten the next time the configuration is applied. To apply a taskbar configuration that allows users to make changes that will persist, apply your configuration by using Group Policy.
### Tips for finding AUMID and Desktop Application Link Path
In the layout modification XML file, you will need to add entries for applications in the XML markup. In order to pin an application, you need either its AUMID or Desktop Application Link Path.
The easiest way to find this data for an application is to:
1. Pin the application to the Start menu
1. Pin the application to the Start menu on a reference or testing PC.
2. Open Windows PowerShell and run the `Export-StartLayout` cmdlet.
3. Open the generated XML file.
4. Look for an entry corresponding to the app you pinned .
4. Look for an entry corresponding to the app you pinned.
5. Look for a property labeled `AppUserModelID` or `DesktopApplicationLinkPath`.
### Sample taskbar configuration XML
### Sample taskbar configuration XML file
```xml
<?xml version="1.0" encoding="utf-8"?>
@ -75,7 +75,7 @@ The easiest way to find this data for an application is to:
</CustomTaskbarLayoutCollection>
</LayoutModificationTemplate>
```
### Sample taskbar configuration added to Start layout XML
### Sample taskbar configuration added to Start layout XML file
```xml
<?xml version="1.0" encoding="utf-8"?>
@ -139,7 +139,7 @@ The `<CustomTaskbarLayoutCollection>` section will append listed apps to the tas
![additional apps pinned to taskbar](images/taskbar-default-plus.png)
##Remove default apps and add your own
## Remove default apps and add your own
By adding `PinListPlacement="Replace"` to `<CustomTaskbarLayoutCollection>`, you remove all default pinned apps; only the apps that you specify will be pinned to the taskbar.
@ -218,7 +218,7 @@ The following example shows you how to configure taskbars by country or region.
```
When the preceding example XML is applied, the resulting taskbar for computers in the US or UK:
When the preceding example XML file is applied, the resulting taskbar for computers in the US or UK:
![taskbar for US and UK locale](images/taskbar-region-usuk.png)

1
windows/manage/index.md
View File

@ -7,6 +7,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: high
author: jdeckerMS
---

1
windows/manage/start-layout-xml-desktop.md
View File

@ -183,6 +183,7 @@ You can use the **start:DesktopApplicationTile** tag to pin a Windows desktop ap
Row="0"
Column="2"/>
```
You can also use the **start:DesktopApplicationTile** tag as one of the methods for pinning a Web link to Start. The other method is to use a Microsoft Edge secondary tile.

9
windows/manage/stop-employees-from-using-the-windows-store.md
View File

@ -29,8 +29,8 @@ You can use these tools to configure access to Windows Store: AppLocker or Group
## <a href="" id="block-store-applocker"></a>Block Windows Store using AppLocker
Applies to: Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile
Applies to: Windows 10 Enterprise, Windows 10 Mobile
AppLocker provides policy-based access control management for applications. You can block access to Windows Store app with AppLocker by creating a rule for packaged apps. You'll give the name of the Windows Store app as the packaged app that you want to block from client computers.
@ -59,7 +59,10 @@ For more information on AppLocker, see [What is AppLocker?](../keep-secure/what-
## <a href="" id="block-store-group-policy"></a>Block Windows Store using Group Policy
Applies to: Windows 10 Enterprise, version 1511
Applies to: Windows 10 Enterprise, version 1511, Windows 10 Education
> [!Note]
> Not supported on Windows 10 Pro.
You can also use Group Policy to manage access to Windows Store.
@ -89,7 +92,7 @@ When your MDM tool supports Windows Store for Business, the MDM can use these CS
For more information, see [Configure an MDM provider](configure-mdm-provider-windows-store-for-business.md).
## Show private store only using Group Policy
Applies to Windows 10 Enterprise, version 1607.
Applies to Windows 10 Enterprise, version 1607, Windows 10 Education
If you're using Windows Store for Business and you want employees to only see apps you're managing in your private store, you can use Group Policy to show only the private store. Windows Store app will still be available, but employees can't view or purchase apps. Employees can view and install apps that the admin has added to your organization's private store.

6
windows/manage/waas-quick-start.md
View File

@ -54,7 +54,11 @@ See [Build deployment rings for Windows 10 updates](waas-deployment-rings-window
## Video: An overview of Windows as a service
<iframe width="560" height="315" src="https://www.youtube.com/embed/MLc4-Suv0LU" frameborder="0" allowfullscreen></iframe>
<iframe width="560" height="315" src="https://www.youtube.com/embed/MLc4-Suv0LU" frameborder="0" allowfullscreen></iframe>
## Learn more
[Adopting Windows as a service at Microsoft](https://www.microsoft.com/itshowcase/Article/Content/851/Adopting-Windows-as-a-service-at-Microsoft)
## Related topics

77
windows/manage/waas-restart.md
View File

@ -18,33 +18,67 @@ localizationpriority: high
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
You can use Group Policy settings or mobile device management (MDM) to configure when devices will restart after a Windows 10 update is installed. You can schedule update installation and set policies for restart, configure active hours for when restarts will not occur, or you can do both.
You can use Group Policy settings, mobile device management (MDM) or Registry (not recommended) to configure when devices will restart after a Windows 10 update is installed. You can schedule update installation and set policies for restart, configure active hours for when restarts will not occur, or you can do both.
## Schedule update installation
When you set the **Configure Automatic Updates** policy to **Auto download and schedule the install**, you also configure the day and time for installation or you specify that installation will occur during the automatic maintenance time (configured using **Computer Configuration\Administrative Templates\Windows Components\Maintenance Scheduler**).
In Group Policy, within **Configure Automatic Updates**, you can configure a forced restart after a specified instllation time.
When **Configure Automatic Updates** is enabled, you can enable one of the following additional policies to manage device restart:
To set the time, you need to go to **Configure Automatic Updates**, select option **4 - Auto download and schedule the instal**, and then enter a time in the **Scheduled install time** dropdown. Alternatively, you can specify that installtion will occur during the automatic maintenance time (configured using **Computer Configuration\Administrative Templates\Windows Components\Maintenance Scheduler**).
**Always automatically restart at the scheduled time** forces a restart after the specified installation time and lets you configure a timer to warn a signed-in user that a restart is going to occur.
While not recommended, the same result can be achieved through Registry. Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**, set **AuOptions** to **4**, set the install time with **ScheduledInstallTime**, enable **AlwaysAutoRebootAtScheduledTime** and specify the delay in minutes through **AlwaysAutoRebootAtScheduledTimeMinutes**. Similar to Group Policy, **AlwaysAutoRebootAtScheduledTimeMinutes** sets the timer to warn a signed-in user that a restart is going to occur.
For a detailed description of these regsitry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart).
## Delay automatic reboot
When **Configure Automatic Updates** is enabled in Group Policy, you can enable one of the following additional policies to delay an automatic reboot after update installtion:
- **Turn off auto-restart for updates during active hours** prevents automatic restart during active hours.
- **Always automatically restart at the scheduled time** forces a restart after the specified installation time and lets you configure a timer to warn a signed-in user that a restart is going to occur. To set the time, you need to go **Configure Automatic Updates**, select option **4 - Auto download and schedule the install**, and then enter a time in the **Scheduled install time** dropdown.
- **No auto-restart with logged on users for scheduled automatic updates installations** prevents automatic restart when a user is signed in. If a user schedules the restart in the update notification, the device will restart at the time the user specifies even if a user is signed in at the time. This policy only applies when **Configure Automatic Updates** is set to option **4-Auto download and schedule the install**.
You can also use Registry, to prevent automatic restarts when a user is signed in. Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**, set **AuOptions** to **4** and enable **NoAutoRebootWithLoggedOnUsers**. As with Group Policy, if a user schedules the restart in the update notification, it will override this setting.
For a detailed description of these regsitry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart).
## Configure active hours
You can configure active hours for devices without setting the **Configure Automatic Updates** policy. *Active hours* identify the period of time when you expect the device to be in use. Automatic restarts after an update will occur outside of the active hours.
*Active hours* identify the period of time when you expect the device to be in use. Automatic restarts after an update will occur outside of the active hours.
By default, active hours are from 8 AM to 5 PM on PCs and from 5 AM to 11 PM on phones. Users can change the active hours manually. Additionally, administrators can use Group Policy or MDM to set active hours for managed devices.
By default, active hours are from 8 AM to 5 PM on PCs and from 5 AM to 11 PM on phones. Users can change the active hours manually.
Administrators can use multiple ways to set active hours for managed devices:
- You can use Group Policy, as described in the procedure that follows.
- You can use MDM, as described in [Configuring active hours with MDM](#configuring-active-hours-with-mdm).
- While not recommended, you can also configure active hours, as descrbied in [Configuring active hours through Registry](#configuring-active-hours-through-registry).
### Configuring active hours with Group Policy
To configure active hours using Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and open the **Turn off auto-restart for updates during active hours** policy setting. When the policy is enabled, you can set the start and end times for active hours.
![Use Group Policy to configure active hours](images/waas-active-hours-policy.png)
### Configuring active hours with MDM
MDM uses the [Update/ActiveHoursStart and Update/ActiveHoursEnd](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_ActiveHoursEnd) settings in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to configure active hours.
To configure active hours manually on a single device, go to **Settings** > **Update & security** > **Windows Update** and select **Change active hours**.
### Configuring active hours through Registry
![Change active hours](images/waas-active-hours.png)
This method is not recommended, and should only be used when neither Group Policy or MDM are available.
Any settings configured through Registry may conflict with any existing configuration that uses any of the methods mentioned above.
You should set a combination of the following registry values, in order to configure active hours.
Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate** use **SetActiveHours** to enable or disable active hours and **ActiveHoursStart**,**ActiveHoursEnd** to specify the range of active hours.
For a detailed description of these regsitry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart).
>[!NOTE]
>To configure active hours manually on a single device, go to **Settings** > **Update & security** > **Windows Update** and select **Change active hours**.
>
>![Change active hours](images/waas-active-hours.png)
## Limit restart delays
@ -65,11 +99,36 @@ In the Group Policy editor, you will see a number of policy settings that pertai
| Reschedule Automatic Updates scheduled installations | ![no](images/crossmark.png) | |
>[!NOTE]
>If you set conflicting restart policies, the actual restart behavior may not be what you expected.
>You can only choose one path for restart behavior.
>
>If you set conflicting restart policies, the actual restart behavior may not be what you expected.
## Registry keys used to manage restart
The following tables list registry values that correspond to the Group Policy settings for controlling restarts after updates in Windows 10.
**HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate**
| Registry key | Key type | Value |
| --- | --- | --- |
| ActiveHoursEnd | REG_DWORD | 0-23: set active hours to end at a specific hour</br>starts with 12 AM (0) and ends with 11 PM (23) |
| ActiveHoursStart | REG_DWORD | 0-23: set active hours to start at a specific hour</br>starts with 12 AM (0) and ends with 11 PM (23) |
| SetActiveHours | REG_DWORD | 0: disable automatic restart after updates outside of active hours</br>1: enable automatic restart after updates outside of active hours |
**HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**
| Registry key | Key type | Value |
| --- | --- | --- |
| AlwaysAutoRebootAtScheduledTime | REG_DWORD | 0: disable automatic reboot after update installation at scheduled time</br>1: enable automatic reboot after update installation at ascheduled time |
| AlwaysAutoRebootAtScheduledTimeMinutes | REG_DWORD | 15-180: set automatic reboot to occur after given minutes |
| AUOptions | REG_DWORD | 2: notify for download and automatically install updates</br>3: automatically download and notify for instllation of updates</br>4: Automatically download and schedule installation of updates</br>5: allow the local admin to configure these settings</br>**Note:** To configure restart behavior, set this value to **4** |
| NoAutoRebootWithLoggedOnUsers | REG_DWORD | 0: disable do not reboot if users are logged on</br>1: do not reboot after an update installation if a user is logged on</br>**Note:** If disabled : Automatic Updates will notify the user that the computer will automatically restarts in 5 minutes to complete the installation |
| ScheduledInstallTime | REG_DWORD | 0-23: schedule update installation time to a specific hour</br>starts with 12 AM (0) and ends with 11 PM (23) |
There are 3 different registry combination for controlling restart:
- To set active hours, **SetActiveHours** should be **1**, while **ActiveHoursStart** and **ActiveHoursEnd** should define the time range.
- To schedule a specific instllation and reboot time, **AUOptions** should be **4**, **ScheduledInstallTime** should specify the installation time, **AlwaysAutoRebootAtScheduledTime** set to **1** and **AlwaysAutoRebootAtScheduledTimeMinutes** should specify number of minutes to wait before rebooting.
- To delay rebooting if a user is logged on, **AUOptions** should be **4**, while **NoAutoRebootWithLoggedOnUsers** is set to **1**.
## Related topics

1
windows/plan/index.md
View File

@ -6,6 +6,7 @@ keywords: deploy, upgrade, update, configure
ms.prod: w10
ms.mktglfcycl: plan
ms.sitesec: library
localizationpriority: high
author: TrudyHa
---