diff --git a/browsers/edge/available-policies.md b/browsers/edge/available-policies.md
index 110429fbf6..b22ded8a4f 100644
--- a/browsers/edge/available-policies.md
+++ b/browsers/edge/available-policies.md
@@ -29,105 +29,1003 @@ By using Group Policy and Intune, you can set up a policy setting once, and then
## Group Policy settings
Microsoft Edge works with these Group Policy settings (`Computer Configuration\Administrative Templates\Windows Components\Microsoft Edge\`) to help you manage your company's web browser configurations:
-|Policy name|Supported versions|Description|Options|
-|-------------|------------|-------------|--------|
-|Allow Address bar drop-down list suggestions|Windows 10, Windows Insider Program|This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. We recommend disabling this setting if you want to minimize network connections from Microsoft Edge to Microsoft services.
**Note**
Disabling this setting turns off the Address bar drop-down functionality. Therefore, because search suggestions are shown in the drop-down, this setting takes precedence over the "Configure search suggestions in Address bar" setting.
If you enable or don't configure this setting, employees can see the Address bar drop-down functionality in Microsoft Edge.
If you disable this setting, employees won't see the Address bar drop-down functionality in Microsoft Edge. This setting also disables the user-defined setting, "Show search and site suggestions as I type".|**Enabled or not configured (default):** Employees can see the Address bar drop-down functionality in Microsoft Edge.
**Disabled:** Employees won't see the Address bar drop-down functionality in Microsoft Edge. This setting also disables the user-defined setting, "Show search and site suggestions as I type".|
-|Allow Adobe Flash|Windows 10 or later|This setting lets you decide whether employees can run Adobe Flash in Microsoft Edge.
If you enable or don't configure this setting, employees can use Adobe Flash.
If you disable this setting, employees can't use Adobe Flash.|**Enabled or not configured (default):** Employees use Adobe Flash in Microsoft Edge.
**Disabled:** Employees can’t use Adobe Flash.|
-|Allow clearing browsing data on exit|Windows 10, Windows Insider Program|This policy setting allows the automatic clearing of browsing data when Microsoft Edge closes.
If you enable this policy setting, clearing browsing history on exit is turned on.
If you disable or don't configure this policy setting, it can be turned on and configured by the employee in the Clear browsing data options area, under Settings.|**Enabled:** Turns on the automatic clearing of browsing data when Microsoft Edge closes.
**Disabled or not configured (default):** Employees can turn on and configure whether to automatically clear browsing data when Microsoft Edge closes in the Clear browsing data options area under Settings.|
-|Allow Developer Tools|Windows 10, Version 1511 or later|This policy setting lets you decide whether F12 Developer Tools are available on Microsoft Edge.
If you enable or don’t configure this setting, the F12 Developer Tools are available in Microsoft Edge.
If you disable this setting, the F12 Developer Tools aren’t available in Microsoft Edge.|**Enabled or not configured (default):** Shows the F12 Developer Tools on Microsoft Edge.
**Disabled:** Hides the F12 Developer Tools on Microsoft Edge.|
-|Allow Extensions|Windows 10, Version 1607 or later|This policy setting lets you decide whether employees can use Edge Extensions.
If you enable or don’t configure this setting, employees can use Edge Extensions.
If you disable this setting, employees can’t use Edge Extensions.|**Enabled or not configured:** Lets employees use Edge Extensions.
**Disabled:** Stops employees from using Edge Extensions.|
-|Allow InPrivate browsing|Windows 10, Version 1511 or later|This policy setting lets you decide whether employees can browse using InPrivate website browsing.
If you enable or don’t configure this setting, employees can use InPrivate website browsing.
If you disable this setting, employees can’t use InPrivate website browsing.|**Enabled or not configured (default):** Lets employees use InPrivate website browsing.
**Disabled:** Stops employees from using InPrivate website browsing.|
-|Allow Microsoft Compatibility List|Windows 10, Version 1607 or later|This policy setting lets you decide whether to use the Microsoft Compatibility List (a Microsoft-provided list that helps sites with known compatibility issues to display properly) in Microsoft Edge. By default, the Microsoft Compatibility List is enabled and can be viewed by visiting about:compat.
If you enable or don’t configure this setting, Microsoft Edge periodically downloads the latest version of the list from Microsoft, applying the updates during browser navigation. Visiting any site on the Microsoft Compatibility List prompts the employee to use Internet Explorer 11, where the site is automatically rendered as though it’s in whatever version of IE is necessary for it to appear properly.
If you disable this setting, the Microsoft Compatibility List isn’t used during browser navigation.|**Enabled or not configured (default):** Microsoft Edge periodically downloads the latest version of the list from Microsoft, applying the updates during browser navigation. Visiting any site on the Microsoft Compatibility List prompts the employee to use Internet Explorer 11, where the site is automatically rendered as though it’s in whatever version of IE is necessary for it to appear properly.
**Disabled:** Microsoft Edge doesn’t use the Microsoft Compatibility List during browser navigation.|
-|Allow search engine customization|Windows 10, Windows Insider Program|This policy setting lets you decide whether users can change their search engine.
**Important**
This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy).
If you enable or don't configure this policy, users can add new search engines and change the default used in the Address bar from within Microsoft Edge Settings.
If you disable this setting, users can't add search engines or change the default used in the address bar.|**Enabled or not configured (default):** Employees can add new search engines and change the default used in the Address bar from within Microsoft Edge Settings.
**Disabled:** Employees can't add search engines or change the default used in the Address bar.|
-|Allow web content on New Tab page|Windows 10 or later|This policy setting lets you configure what appears when Microsoft Edge opens a new tab. By default, Microsoft Edge opens the New Tab page. If you use this setting, employees can’t change it.
If you enable this setting, Microsoft Edge opens a new tab with the New Tab page.
If you disable this setting, Microsoft Edge opens a new tab with a blank page.
If you don’t configure this setting, employees can choose how new tabs appears.|**Not configured (default):** Employees see web content on New Tab page, but can change it.
**Enabled:** Employees see web content on New Tab page.
**Disabled:** Employees always see an empty new tab.|
-|Configure additional search engines|Windows 10, Windows Insider Program|This policy setting lets you add up to 5 additional search engines, which can't be removed by your employees, but can be made a personal default engine. This setting doesn't set the default search engine. For that, you must use the "Set default search engine" setting.
**Important**
This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy).
If you enable this setting, you can add up to 5 additional search engines. For each additional engine, you must also add a link to your OpenSearch XML file, including at least the short name and https: URL of the search engine. For more info about creating the OpenSearch XML file, see the [Understanding OpenSearch Standards](https://msdn.microsoft.com/en-us/library/dd163546.aspx) topic. Use this format to specify the link(s) you wish to add:
`https://www.contoso.com/opensearch.xml`If you disable this setting, any added search engines are removed from your employee's devices.
If you don't configure this setting, the search engine list is set to what is specified in App settings.|**Enabled:** Add up to 5 additional search engines. For each additional engine, you must also add a link to your OpenSearch XML file, including at least the short name and https: URL of the search engine.
**Disabled (default):** Any additional search engines are removed from your employee's devices.
**Not configured:** Search engine list is set to what is specified in App settings.|
-|Configure Autofill|Windows 10 or later|This policy setting lets you decide whether employees can use Autofill to automatically fill in form fields while using Microsoft Edge. By default, employees can choose whether to use Autofill.
If you enable this setting, employees can use Autofill to automatically fill in forms while using Microsoft Edge.
If you disable this setting, employees can’t use Autofill to automatically fill in forms while using Microsoft Edge.
If you don’t configure this setting, employees can choose whether to use Autofill to automatically fill in forms while using Microsoft Edge.|**Not configured (default):** Employees can choose to turn Autofill on or off.
**Enabled:** Employees can use Autofill to complete form fields.
**Disabled:** Employees can’t use Autofill to complete form fields.|
-|Configure cookies|Windows 10 or later|This setting lets you configure how to work with cookies.
If you enable this setting, you must also decide whether to:
- **Allow all cookies (default):** Allows all cookies from all websites.
- **Block all cookies:** Blocks all cookies from all websites.
- **Block only 3rd-party cookies:** Blocks only cookies from 3rd-party websites.
If you disable or don't configure this setting, all cookies are allowed from all sites.|**Enabled:** Lets you decide how your company treats cookies.
If you use this option, you must also choose whether to:
- **Allow all cookies (default):** Allows all cookies from all websites.
- **Block all cookies:** Blocks all cookies from all websites.
- **Block only 3rd-party cookies:** Blocks only cookies from 3rd-party websites.
**Disabled or not configured:** All cookies are allowed from all sites.|
-|Configure Do Not Track|Windows 10 or later|This policy setting lets you decide whether employees can send Do Not Track requests to websites that ask for tracking info. By default, Do Not Track requests aren’t sent, but employees can choose to turn on and send requests.
If you enable this setting, Do Not Track requests are always sent to websites asking for tracking info.
If you disable this setting, Do Not Track requests are never sent to websites asking for tracking info.
If you don’t configure this setting, employees can choose whether to send Do Not Track requests to websites asking for tracking info.|**Not configured (default):** Employees can choose to send Do Not Track headers on or off.
**Enabled:** Employees can send Do Not Track requests to websites requesting tracking info.
**Disabled:** Employees can’t send Do Not Track requests to websites requesting tracking info.|
-|Configure Favorites|Windows 10, Version 1511 or later|This policy setting lets you configure the default list of Favorites that appear for your employees. Employees can change their Favorites by adding or removing items at any time.
If you enable this setting, you can configure what default Favorites appear for your employees. If this setting is enabled, you must also provide a list of Favorites in the Options section. This list is imported after your policy is deployed.
If you disable or don’t configure this setting, employees will see the Favorites that they set in the Favorites hub.|**Enabled:** Configure the default list of Favorites for your employees. If you use this option, you must also add the URLs to the sites.
**Disabled or not configured:** Uses the Favorites list and URLs specified in the Favorites hub.|
-|Configure Password Manager|Windows 10 or later|This policy setting lets you decide whether employees can save their passwords locally, using Password Manager. By default, Password Manager is turned on.
If you enable this setting, employees can use Password Manager to save their passwords locally.
If you disable this setting, employees can’t use Password Manager to save their passwords locally.
If you don’t configure this setting, employees can choose whether to use Password Manager to save their passwords locally.|**Not configured:** Employees can choose whether to use Password Manager.
**Enabled (default):** Employees can use Password Manager to save passwords locally.
**Disabled:** Employees can't use Password Manager to save passwords locally.|
-|Configure Pop-up Blocker|Windows 10 or later|This policy setting lets you decide whether to turn on Pop-up Blocker. By default, Pop-up Blocker is turned on.
If you enable this setting, Pop-up Blocker is turned on, stopping pop-up windows from appearing.
If you disable this setting, Pop-up Blocker is turned off, letting pop-ups windows appear.
If you don’t configure this setting, employees can choose whether to use Pop-up Blocker.|**Enabled or not configured (default):** Turns on Pop-up Blocker, stopping pop-up windows.
**Disabled:** Turns off Pop-up Blocker, allowing pop-up windows.|
-|Configure search suggestions in Address bar|Windows 10 or later|This policy setting lets you decide whether search suggestions appear in the Address bar of Microsoft Edge. By default, employees can choose whether search suggestions appear in the Address bar of Microsoft Edge.
If you enable this setting, employees can see search suggestions in the Address bar of Microsoft Edge.
If you disable this setting, employees can't see search suggestions in the Address bar of Microsoft Edge.
If you don’t configure this setting, employees can choose whether search suggestions appear in the Address bar of Microsoft Edge.|**Not configured (default):** Employees can choose whether search suggestions appear in the Address bar of Microsoft Edge.
**Enabled:** Employees can see search suggestions in the Address bar of Microsoft Edge.
**Disabled:** Employees can’t see search suggestions in the Address bar of Microsoft Edge.|
-|Configure Start pages|Windows 10, Version 1511 or later|This policy setting lets you configure one or more Start pages, for domain-joined devices. Your employees won't be able to change this after you set it.
If you enable this setting, you can configure one or more Start pages. If this setting is enabled, you must also include URLs to the pages, separating multiple pages by using angle brackets in this format:
``If you disable or don’t configure this setting, your default Start page is the webpage specified in App settings.|**Enabled:** Configure your Start pages. If you use this option, you must also include site URLs.
**Disabled or not configured (default):** Uses the Home pages and URLs specified in the App settings.|
-|Configure the Adobe Flash Click-to-Run setting|Windows 10, Windows Insider Program|This policy setting lets you decide whether employees must take an action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash.
If you enable or don’t configure the Adobe Flash Click-to-Run setting, an employee must click the content, click a Click-to-Run button, or have the site appear on an auto-allow list before Microsoft Edge loads and runs Adobe Flash content.
**Important**
Sites are put on the auto-allowed list based on how frequently employees load and run the content.
If you disable this setting, Adobe Flash content is automatically loaded and run by Microsoft Edge.|**Enabled or not configured:** An employee must click the content, click a Click-to-Run button, or have the site appear on an auto-allow list before Microsoft Edge loads and runs Adobe Flash content.
**Disabled:** Adobe Flash content is automatically loaded and run by Microsoft Edge.|
-|Configure the Enterprise Mode Site List|Windows 10 or later|This policy setting lets you configure whether to use Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy apps.
If you enable this setting, Microsoft Edge looks for the Enterprise Mode Site List XML file. This file includes the sites and domains that need to be viewed using Internet Explorer 11 and Enterprise Mode.
If you disable or don’t configure this setting, Microsoft Edge won’t use the Enterprise Mode Site List XML file. In this case, employees might experience compatibility problems while using legacy apps.
**Note**
If there’s an .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server file has a different version number than the version in the cache container, the server file is used and stored in the cache container.
If you’re already using a site list, enterprise mode continues to work during the 65 second wait; it just uses your existing site list instead of your new one.|**Enabled:** Lets you use the Enterprise Mode Site List to address common compatibility problems with legacy apps, if it’s configured.
If you use this option, you must also add the location to your site list in the `{URI}` box. When configured, any site on the list will always open in Internet Explorer 11.
**Disabled or not configured (default):** You won't be able to use the Enterprise Mode Site List.|
-|Configure Windows Defender SmartScreen|Windows 10 or later|This policy setting lets you configure whether to turn on Windows Defender SmartScreen. Windows Defender SmartScreen provides warning messages to help protect your employees from potential phishing scams and malicious software. By default, Windows Defender SmartScreen is turned on.
If you enable this setting, Windows Defender SmartScreen is turned on and employees can’t turn it off.
If you disable this setting, Windows Defender SmartScreen is turned off and employees can’t turn it on.
If you don’t configure this setting, employees can choose whether to use Windows Defender SmartScreen.|**Not configured (default):** Employees can choose whether to use Windows Defender SmartScreen.
**Enabled:** Turns on SmartScreen Filter, providing warning messages to your employees about potential phishing scams and malicious software.
**Disabled:** Turns off Windows Defender SmartScreen.|
-|Disable lockdown of Start pages|Windows 10, Windows Insider Program|This policy setting lets you disable the lock down of Start pages, letting employees modify the Start pages when the "Configure Start pages" setting is in effect.
**Note**
This setting only applies when you're using the “Configure Start pages" setting.
**Important**
This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy).
If you enable this setting, you can't lock down any Start pages that are configured using the "Configure Start pages" setting, which means that employees can modify them.
If you disable or don't configure this setting, employees can't change any Start pages configured using the "Configure Start pages" setting, thereby locking down the Start pages.|**Enabled:** You’re unable to lock down any Start pages that are configured using the "Configure Start pages" setting, which means that your employees can modify them.
**Disabled or not configured (default):** Employees can't change any Start pages configured using the "Configure Start pages" setting.|
-|Keep favorites in sync between Internet Explorer and Microsoft Edge|Windows 10, Windows Insider Program|This setting lets you decide whether people can sync their favorites between Internet Explorer and Microsoft Edge.
If you enable this setting, employees can sync their favorites between Internet Explorer and Microsoft Edge.
If you disable or don't configure this setting, employees can’t sync their favorites between Internet Explorer and Microsoft Edge.|**Enabled:** Employees can sync their Favorites between Internet Explorer and Microsoft Edge.
**Disabled or not configured (default):** Employees can’t sync their Favorites between Internet Explorer and Microsoft Edge.|
-|Prevent access to the about:flags page|Windows 10, Version 1607 or later|This policy setting lets you decide whether employees can access the about:flags page, which is used to change developer settings and to enable experimental features.
If you enable this policy setting, employees can’t access the about:flags page.
If you disable or don’t configure this setting, employees can access the about:flags page.|**Enabled:** Stops employees from using the about:flags page.
**Disabled or not configured (default):** Lets employees use the about:flags page.|
-|Prevent bypassing Windows Defender SmartScreen prompts for files|Windows 10, Version 1511 or later |This policy setting lets you decide whether employees can override the Windows Defender SmartScreen warnings about downloading unverified files.
If you enable this setting, employees can’t ignore Windows Defender SmartScreen warnings and they’re blocked from downloading the unverified files.
If you disable or don’t configure this setting, employees can ignore Windows Defender SmartScreen warnings and continue the download process.|**Enabled:** Stops employees from ignoring the Windows Defender SmartScreen warnings about unverified files.
**Disabled or not configured (default):** Lets employees ignore the Windows Defender SmartScreen warnings about unverified files and lets them continue the download process.|
-|Prevent bypassing Windows Defender SmartScreen prompts for sites|Windows 10, Version 1511 or later|This policy setting lets you decide whether employees can override the Windows Defender SmartScreen warnings about potentially malicious websites.
If you enable this setting, employees can’t ignore Windows Defender SmartScreen warnings and they’re blocked from continuing to the site.
If you disable or don’t configure this setting, employees can ignore Windows Defender SmartScreen warnings and continue to the site.|**Enabled:** Stops employees from ignoring the Windows Defender SmartScreen warnings about potentially malicious sites.
**Disabled or not configured (default):** Lets employees ignore the Windows Defender SmartScreen warnings about potentially malicious sites and continue to the site.|
-|Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start|Windows 10, Windows Insider Program|This policy lets you decide whether Microsoft Edge can gather Live Tile metadata from the ieonline.microsoft.com service to provide a better experience while pinning a Live Tile to the Start menu.
If you enable this setting, Microsoft Edge won't gather the Live Tile metadata, providing a minimal experience when a user pins a Live Tile to the Start menu.
If you disable or don't configure this setting, Microsoft Edge gathers the Live Tile metadata, providing a fuller and more complete experience when a user pins a Live Tile to the Start menu.|**Enabled:** Microsoft Edge won't gather the Live Tile metadata, providing a minimal experience when a user pins a Live Tile to the Start menu.
**Disabled or not configured (default):** Microsoft Edge gathers the Live Tile metadata, providing a fuller and more complete experience when a user pins a Live Tile to the Start menu.|
-|Prevent the First Run webpage from opening on Microsoft Edge|Windows 10, Windows Insider Program|This policy setting lets you decide whether employees see Microsoft's First Run webpage when opening Microsoft Edge for the first time.
If you enable this setting, employees won't see the First Run page when opening Microsoft Edge for the first time.
If you disable or don't configure this setting, employees will see the First Run page when opening Microsoft Edge for the first time.|**Enabled:** Employees won't see the First Run page when opening Microsoft Edge for the first time.
**Disabled or not configured (default):** Employees will see the First Run page when opening Microsoft Edge for the first time.|
-|Prevent using Localhost IP address for WebRTC|Windows 10, Version 1511 or later|This policy setting lets you decide whether an employee’s Localhost IP address shows while making calls using the WebRTC protocol. By default, this setting is turned off.
If you enable this setting, Localhost IP addresses are hidden while making calls using the WebRTC protocol.
If you disable or don’t configure this setting, Localhost IP addresses are shown while making calls using the WebRTC protocol.|**Enabled:** Hides the Localhost IP address during calls using the WebRTC protocol.
**Disabled or not configured (default):** Shows the Localhost IP address during phone calls using the WebRTC protocol.|
-|Send all intranet sites to Internet Explorer 11|Windows 10 or later|This policy setting lets you decide whether your intranet sites should all open using Internet Explorer 11. This setting should only be used if there are known compatibility problems with Microsoft Edge.
If you enable this setting, all intranet sites are automatically opened using Internet Explorer 11.
If you disable or don’t configure this setting, all websites, including intranet sites, are automatically opened using Microsoft Edge.|**Enabled:** Automatically opens all intranet sites using Internet Explorer 11.
**Disabled or not configured (default):** Automatically opens all websites, including intranet sites, using Microsoft Edge.|
-|Set default search engine|Windows 10, Windows Insider Program|This policy setting lets you configure the default search engine for your employees. Employees can change the default search engine at any time unless you disable the "Allow search engine customization" setting, which restricts any changes.
**Important**
This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy).
If you enable this setting, you can choose a default search engine for your employees. If this setting is enabled, you must also add the default engine to the “Set default search engine” setting, by adding a link to your OpenSearch XML file, including at least the short name and https: URL of the search engine. For more info about creating the OpenSearch XML file, see the [Understanding OpenSearch Standards](https://msdn.microsoft.com/en-us/library/dd163546.aspx) topic. Use this format to specify the link you wish to add:
`https://fabrikam.com/opensearch.xml`
**Note**
If you'd like your employees to use the default Microsoft Edge settings for each market, you can set the string to EDGEDEFAULT. If you'd like your employees to use Microsoft Bing as the default search engine, you can set the string to EDGEBING.
If you disable this setting, the policy-set default search engine is removed. If this is also the current in-use default, the engine changes to the Microsoft Edge specified engine for the market.
If you don't configure this setting, the default search engine is set to the one specified in App settings.|**Enabled:** You can choose a default search engine for your employees.
**Disabled:** The policy-set default search engine is removed. If this is also the current in-use default, the engine changes to the Microsoft Edge specified engine for the market.
**Not configured (default):** The default search engine is set to the one specified in App settings.|
-|Show message when opening sites in Internet Explorer|Windows 10, Version 1607 and later|This policy setting lets you decide whether employees see an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.
If you enable this setting, employees see an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.
If you disable or don’t configure this setting, the default app behavior occurs and no additional page appears.|**Enabled:** Shows an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.
**Disabled or not configured (default):** Doesn’t show an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.|
+### Allow Address bar drop-down list suggestions
+- **Supported versions:** Windows 10, Windows Insider Program
+
+- **Description:** This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. We recommend disabling this setting if you want to minimize network connections from Microsoft Edge to Microsoft services.
+
+ - If you enable or don't configure this setting (default), employees can see the Address bar drop-down functionality in Microsoft Edge.
+
+ - If you disable this setting, employees won't see the Address bar drop-down functionality in Microsoft Edge. This setting also disables the user-defined setting, "Show search and site suggestions as I type".
+
+ > [!Note]
+ > Disabling this setting turns off the Address bar drop-down functionality. Therefore, because search suggestions are shown in the drop-down, this setting takes precedence over the "Configure search suggestions in Address bar" setting.
+
+### Allow Adobe Flash
+- **Supported versions:** Windows 10 or later
+
+- **Description:** This setting lets you decide whether employees can run Adobe Flash in Microsoft Edge.
+
+ - If you enable or don't configure this setting (default), employees can use Adobe Flash.
+
+ - If you disable this setting, employees can't use Adobe Flash.
+
+### Allow clearing browsing data on exit
+- **Supported versions:** Windows 10, Windows Insider Program
+
+- **Description:** This policy setting allows the automatic clearing of browsing data when Microsoft Edge closes.
+
+ - If you enable this policy setting, clearing browsing history on exit is turned on.
+
+ - If you disable or don't configure this policy setting (default), it can be turned on and configured by the employee in the Clear browsing data options area, under Settings.
+
+### Allow Developer Tools
+- **Supported versions:** Windows 10, Version 1511 or later
+
+- **Description:** This policy setting lets you decide whether F12 Developer Tools are available on Microsoft Edge.
+ - If you enable or don’t configure this setting (default), the F12 Developer Tools are available in Microsoft Edge.
+
+ - If you disable this setting, the F12 Developer Tools aren’t available in Microsoft Edge.
+
+### Allow Extensions
+- **Supported versions:** Windows 10, Version 1607 or later
+
+- **Description:** This policy setting lets you decide whether employees can use Edge Extensions.
+
+ - If you enable or don’t configure this setting, employees can use Edge Extensions.
+
+ - If you disable this setting, employees can’t use Edge Extensions.
+
+### Allow InPrivate browsing
+- **Supported versions:** Windows 10, Version 1511 or later
+
+- **Description:** This policy setting lets you decide whether employees can browse using InPrivate website browsing.
+
+ - If you enable or don’t configure this setting (default), employees can use InPrivate website browsing.
+
+ - If you disable this setting, employees can’t use InPrivate website browsing.
+
+### Allow Microsoft Compatibility List
+- **Supported versions:** Windows 10, Version 1607 or later
+
+- **Description:** This policy setting lets you decide whether to use the Microsoft Compatibility List (a Microsoft-provided list that helps sites with known compatibility issues to display properly) in Microsoft Edge. By default, the Microsoft Compatibility List is enabled and can be viewed by visiting about:compat.
+
+ - If you enable or don’t configure this setting (default), Microsoft Edge periodically downloads the latest version of the list from Microsoft, applying the updates during browser navigation. Visiting any site on the Microsoft Compatibility List prompts the employee to use Internet Explorer 11, where the site is automatically rendered as though it’s in whatever version of IE is necessary for it to appear properly.
+
+ - If you disable this setting, the Microsoft Compatibility List isn’t used during browser navigation.
+
+### Allow search engine customization
+- **Supported versions:** Windows 10, Windows Insider Program
+
+- **Description:** This policy setting lets you decide whether users can change their search engine.
+
+ >[!Important]
+ >This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy).
+
+ - If you enable or don't configure this policy (default), users can add new search engines and change the default used in the Address bar from within Microsoft Edge Settings.
+
+ - If you disable this setting, users can't add search engines or change the default used in the address bar.
+
+### Allow web content on New Tab page
+- **Supported versions:** Windows 10 or later
+
+- **Description:** This policy setting lets you configure what appears when Microsoft Edge opens a new tab. By default, Microsoft Edge opens the New Tab page. If you use this setting, employees can’t change it.
+
+ - If you enable this setting, Microsoft Edge opens a new tab with the New Tab page.
+
+ - If you disable this setting, Microsoft Edge opens a new tab with a blank page.
+
+ - If you don’t configure this setting (default), employees can choose how new tabs appears.
+
+### Configure additional search engines
+- **Supported versions:** Windows 10, Windows Insider Program
+
+- **Description:** This policy setting lets you add up to 5 additional search engines, which can't be removed by your employees, but can be made a personal default engine. This setting doesn't set the default search engine. For that, you must use the "Set default search engine" setting.
+
+ > [!Important]
+ > This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy).
+
+ - If you enable this setting, you can add up to 5 additional search engines. For each additional engine, you must also add a link to your OpenSearch XML file, including at least the short name and https: URL of the search engine, using this format:
+
+ https://www.contoso.com/opensearch.xml
+
+ For more info about creating the OpenSearch XML file, see the [Understanding OpenSearch Standards](https://msdn.microsoft.com/en-us/library/dd163546.aspx) topic.
+
+ - If you disable this setting (default), any added search engines are removed from your employee's devices.
+
+ - If you don't configure this setting, the search engine list is set to what is specified in App settings.
+
+### Configure Autofill
+- **Supported versions:** Windows 10 or later
+
+- **Description:** This policy setting lets you decide whether employees can use Autofill to automatically fill in form fields while using Microsoft Edge. By default, employees can choose whether to use Autofill.
+
+ - If you enable this setting, employees can use Autofill to automatically fill in forms while using Microsoft Edge.
+
+ - If you disable this setting, employees can’t use Autofill to automatically fill in forms while using Microsoft Edge.
+
+ - If you don’t configure this setting (default), employees can choose whether to use Autofill to automatically fill in forms while using Microsoft Edge.
+
+### Configure cookies
+- **Supported versions:** Windows 10 or later
+
+- **Description:** This setting lets you configure how to work with cookies.
+
+ - If you enable this setting, you must also decide whether to:
+ - **Allow all cookies (default):** Allows all cookies from all websites.
+
+ - **Block all cookies:** Blocks all cookies from all websites.
+
+ - **Block only 3rd-party cookies:** Blocks only cookies from 3rd-party websites.
+
+ - If you disable or don't configure this setting, all cookies are allowed from all sites.
+
+### Configure Do Not Track
+- **Supported versions:** Windows 10 or later
+
+- **Description:** This policy setting lets you decide whether employees can send Do Not Track requests to websites that ask for tracking info. By default, Do Not Track requests aren’t sent, but employees can choose to turn on and send requests.
+
+ - If you enable this setting, Do Not Track requests are always sent to websites asking for tracking info.
+
+ - If you disable this setting, Do Not Track requests are never sent to websites asking for tracking info.
+
+ - If you don’t configure this setting (default), employees can choose whether to send Do Not Track requests to websites asking for tracking info.
+
+### Configure Favorites
+- **Supported versions:** Windows 10, Version 1511 or later
+
+- **Description:** This policy setting lets you configure the default list of Favorites that appear for your employees. Employees can change their Favorites by adding or removing items at any time.
+
+ - If you enable this setting, you can configure what default Favorites appear for your employees. If this setting is enabled, you must also provide a list of Favorites in the Options section. This list is imported after your policy is deployed.
+
+ - If you disable or don’t configure this setting, employees will see the Favorites that they set in the Favorites hub.
+
+### Configure Password Manager
+- **Supported versions:** Windows 10 or later
+
+- **Description:** This policy setting lets you decide whether employees can save their passwords locally, using Password Manager. By default, Password Manager is turned on.
+
+ - If you enable this setting (default), employees can use Password Manager to save their passwords locally.
+
+ - If you disable this setting, employees can’t use Password Manager to save their passwords locally.
+
+ - If you don’t configure this setting, employees can choose whether to use Password Manager to save their passwords locally.
+
+### Configure Pop-up Blocker
+- **Supported versions:** Windows 10 or later
+
+- **Description:** This policy setting lets you decide whether to turn on Pop-up Blocker. By default, Pop-up Blocker is turned on.
+
+ - If you enable this setting (default), Pop-up Blocker is turned on, stopping pop-up windows from appearing.
+
+ - If you disable this setting, Pop-up Blocker is turned off, letting pop-ups windows appear.
+
+ - If you don’t configure this setting, employees can choose whether to use Pop-up Blocker.
+
+### Configure search suggestions in Address bar
+- **Supported versions:** Windows 10 or later
+
+- **Description:** This policy setting lets you decide whether search suggestions appear in the Address bar of Microsoft Edge. By default, employees can choose whether search suggestions appear in the Address bar of Microsoft Edge.
+
+ - If you enable this setting, employees can see search suggestions in the Address bar of Microsoft Edge.
+
+ - If you disable this setting, employees can't see search suggestions in the Address bar of Microsoft Edge.
+
+ - If you don’t configure this setting (default), employees can choose whether search suggestions appear in the Address bar of Microsoft Edge.
+
+### Configure Start pages
+- **Supported versions:** Windows 10, Version 1511 or later
+
+- **Description:** This policy setting lets you configure one or more Start pages, for domain-joined devices. Your employees won't be able to change this after you set it.
+
+ - If you enable this setting, you can configure one or more Start pages. If this setting is enabled, you must also include URLs to the pages, separating multiple pages by using angle brackets in this format:
+
+
+
+ - If you disable or don’t configure this setting (default), your default Start page is the webpage specified in App settings.
+
+### Configure the Adobe Flash Click-to-Run setting
+- **Supported versions:** Windows 10, Windows Insider Program
+
+- **Description:** This policy setting lets you decide whether employees must take an action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash.
+
+ >[!Important]
+ >Sites are put on the auto-allowed list based on how frequently employees load and run the content.
+
+ - If you enable or don’t configure the Adobe Flash Click-to-Run setting, an employee must click the content, click a Click-to-Run button, or have the site appear on an auto-allow list before Microsoft Edge loads and runs Adobe Flash content.
+
+ - If you disable this setting, Adobe Flash content is automatically loaded and run by Microsoft Edge.
+
+### Configure the Enterprise Mode Site List
+- **Supported versions:** Windows 10 or later
+
+- **Description:** This policy setting lets you configure whether to use Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy apps.
+
+ - If you enable this setting, Microsoft Edge looks for the Enterprise Mode Site List XML file, which includes the sites and domains that need to be viewed using Internet Explorer 11 and Enterprise Mode. If you use this option, you must also add the location to your site list in the **{URI}** box. When configured, any site on the list will always open in Internet Explorer 11.
+
+ - If you disable or don’t configure this setting (default), Microsoft Edge won’t use the Enterprise Mode Site List XML file. In this case, employees might experience compatibility problems while using legacy apps.
+
+ >[!Note]
+ >If there’s an .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server file has a different version number than the version in the cache container, the server file is used and stored in the cache container.
+ >If you’re already using a site list, enterprise mode continues to work during the 65 second wait; it just uses your existing site list instead of your new one.
+
+### Configure Windows Defender SmartScreen
+- **Supported versions:** Windows 10 or later
+
+- **Description:** This policy setting lets you configure whether to turn on Windows Defender SmartScreen. Windows Defender SmartScreen provides warning messages to help protect your employees from potential phishing scams and malicious software. By default, Windows Defender SmartScreen is turned on.
+
+ - If you enable this setting, Windows Defender SmartScreen is turned on and employees can’t turn it off.
+
+ - If you disable this setting, Windows Defender SmartScreen is turned off and employees can’t turn it on.
+
+ - If you don’t configure this setting (default), employees can choose whether to use Windows Defender SmartScreen.
+
+### Disable lockdown of Start pages
+- **Supported versions:** Windows 10, Windows Insider Program
+
+- **Description:** This policy setting lets you disable the lock down of Start pages, letting employees modify the Start pages when the "Configure Start pages" setting is in effect.
+
+ >[!Important]
+ >This setting only applies when you're using the “Configure Start pages" setting and can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy).
+
+ - If you enable this setting, you can't lock down any Start pages that are configured using the "Configure Start pages" setting, which means that employees can modify them.
+
+ - If you disable or don't configure this setting (default), employees can't change any Start pages configured using the "Configure Start pages" setting, thereby locking down the Start pages.
+
+### Keep favorites in sync between Internet Explorer and Microsoft Edge
+- **Supported versions:** Windows 10, Windows Insider Program
+
+- **Description:** This setting lets you decide whether people can sync their favorites between Internet Explorer and Microsoft Edge.
+
+ - If you enable this setting, employees can sync their favorites between Internet Explorer and Microsoft Edge.
+
+ - If you disable or don't configure this setting (default), employees can’t sync their favorites between Internet Explorer and Microsoft Edge.
+
+### Prevent access to the about:flags page
+- **Supported versions:** Windows 10, Version 1607 or later
+
+- **Description:** This policy setting lets you decide whether employees can access the about:flags page, which is used to change developer settings and to enable experimental features.
+
+ - If you enable this policy setting, employees can’t access the about:flags page.
+
+ - If you disable or don’t configure this setting (default), employees can access the about:flags page.
+
+### Prevent bypassing Windows Defender SmartScreen prompts for files
+- **Supported versions:** Windows 10, Version 1511 or later
+
+- **Description:** This policy setting lets you decide whether employees can override the Windows Defender SmartScreen warnings about downloading unverified files.
+
+ - If you enable this setting, employees can’t ignore Windows Defender SmartScreen warnings and they’re blocked from downloading the unverified files.
+
+ - If you disable or don’t configure this setting (default), employees can ignore Windows Defender SmartScreen warnings and continue the download process.
+
+### Prevent bypassing Windows Defender SmartScreen prompts for sites
+- **Supported versions:** Windows 10, Version 1511 or later
+
+- **Description:** This policy setting lets you decide whether employees can override the Windows Defender SmartScreen warnings about potentially malicious websites.
+
+ - If you enable this setting, employees can’t ignore Windows Defender SmartScreen warnings and they’re blocked from continuing to the site.
+
+ - If you disable or don’t configure this setting (default), employees can ignore Windows Defender SmartScreen warnings and continue to the site.
+
+### Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start
+- **Supported versions:** Windows 10, Windows Insider Program
+
+- **Description:** This policy lets you decide whether Microsoft Edge can gather Live Tile metadata from the ieonline.microsoft.com service to provide a better experience while pinning a Live Tile to the Start menu.
+
+ - If you enable this setting, Microsoft Edge won't gather the Live Tile metadata, providing a minimal experience when a user pins a Live Tile to the Start menu.
+
+ - If you disable or don't configure this setting (default), Microsoft Edge gathers the Live Tile metadata, providing a fuller and more complete experience when a user pins a Live Tile to the Start menu.
+
+### Prevent the First Run webpage from opening on Microsoft Edge
+- **Supported versions:** Windows 10, Windows Insider Program
+
+- **Description:** This policy setting lets you decide whether employees see Microsoft's First Run webpage when opening Microsoft Edge for the first time.
+
+ - If you enable this setting, employees won't see the First Run page when opening Microsoft Edge for the first time.
+
+ - If you disable or don't configure this setting (default), employees will see the First Run page when opening Microsoft Edge for the first time.
+
+### Prevent using Localhost IP address for WebRTC
+- **Supported versions:** Windows 10, Version 1511 or later
+
+- **Description:** This policy setting lets you decide whether an employee’s Localhost IP address shows while making calls using the WebRTC protocol. By default, this setting is turned off.
+
+ - If you enable this setting, Localhost IP addresses are hidden while making calls using the WebRTC protocol.
+
+ - If you disable or don’t configure this setting (default), Localhost IP addresses are shown while making calls using the WebRTC protocol.
+
+### Send all intranet sites to Internet Explorer 11
+- **Supported versions:** Windows 10 or later
+
+- **Description:** This policy setting lets you decide whether your intranet sites should all open using Internet Explorer 11. This setting should only be used if there are known compatibility problems with Microsoft Edge.
+
+ - If you enable this setting, all intranet sites are automatically opened using Internet Explorer 11.
+
+ - If you disable or don’t configure this setting (default), all websites, including intranet sites, are automatically opened using Microsoft Edge.
+
+### Set default search engine
+- **Supported versions:** Windows 10, Windows Insider Program
+
+- **Description:** This policy setting lets you configure the default search engine for your employees. Employees can change the default search engine at any time unless you disable the "Allow search engine customization" setting, which restricts any changes.
+
+ >[!Important]
+ >This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy).
+ >If you'd like your employees to use the default Microsoft Edge settings for each market, you can set the string to EDGEDEFAULT. If you'd like your employees to use Microsoft Bing as the default search engine, you can set the string to EDGEBING.
+
+ - If you enable this setting, you can choose a default search engine for your employees. To choose the default engine, you must add a link to your OpenSearch XML file, including at least the short name and https: URL of the search engine, using this format:
+
+ https://fabrikam.com/opensearch.xml
+
+ - If you disable this setting, the policy-set default search engine is removed. If this is also the current in-use default, the engine changes to the Microsoft Edge specified engine for the market.
If you don't configure this setting, the default search engine is set to the one specified in App settings.
+
+ - If you don't configure this setting (default), the default search engine is set to the one specified in App settings.
+
+### Show message when opening sites in Internet Explorer
+- **Supported versions:** Windows 10, Version 1607 and later
+
+- **Description:** This policy setting lets you decide whether employees see an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.
+
+ - If you enable this setting, employees see an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.
+
+ - If you disable or don’t configure this setting (default), the default app behavior occurs and no additional page appears.
## Using Microsoft Intune to manage your Mobile Data Management (MDM) settings for Microsoft Edge
If you manage your policies using Intune, you'll want to use these MDM policy settings. You can see the full list of available policies, on the [Policy CSP]( https://go.microsoft.com/fwlink/p/?LinkId=722885) page.
> [!NOTE]
-> The **Supports** column uses these options:
+> **Supported Devices** uses these options:
> - **Desktop.** Supports Windows 10 Pro and Windows 10 Enterprise computers that are enrolled with Intune only.
> - **Mobile.** Supports Windows 10 Mobile devices only.
> - **Both.** Supports both desktop and mobile devices.
All devices must be enrolled with Intune if you want to use the Windows Custom URI Policy.
-|Policy name|Supported versions|Supported device|Details|
-|-------------|-------------------|-----------------|--------|
-|AllowAddressBarDropdown|Windows 10, Windows Insider Program|Desktop|
- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowAddressBarDropdown
- **Data type.** Integer
- **Allowed values:**
- **0.** Not allowed. Address bar drop-down is disabled, which also disables the user-defined setting, "Show search and site suggestions as I type."
- **1 (default).** Allowed. Address bar drop-down is enabled.
|
-|AllowAutofill|Windows 10 or later|Desktop|- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowAutofill
- **Data type.** Integer
- **Allowed values:**
- **0.** Employees can’t use Autofill to complete form fields.
- **1 (default).** Employees can use Autofill to complete form fields.
|
-|AllowBrowser|Windows 10 or later|Mobile|- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowBrowser
- **Data type.** Integer
- **Allowed values:**
- **0.** Employees can’t use Microsoft Edge.
- **1 (default).** Employees can use Microsoft Edge.
|
-|AllowCookies|Windows 10 or later|Both|- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowCookies
- **Data type.** Integer
- **Allowed values:**
- **0 (default).** Allows all cookies from all sites.
- **1.** Blocks only cookies from 3rd party websites
- **2.** Blocks all cookies from all sites.
|
-|AllowDeveloperTools|Windows 10, Version 1511 or later|Desktop|- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowDeveloperTools
- **Data type:** Integer
- **Allowed values:**
- **0.** Employees can't use the F12 Developer Tools
- **1 (default).** Employees can use the F12 Developer Tools
|
-|AllowDoNotTrack|Windows 10 or later|Both|- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowDoNotTrack
- **Data type.** Integer
- **Allowed values:**
- **0 (default).** Stops employees from sending Do Not Track headers to websites requesting tracking info.
- **1.** Employees can send Do Not Track headers to websites requesting tracking info.
|
-|AllowExtensions|Windows 10, Version 1607 and later|Desktop|- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowExtensions
- **Data type.** Integer
- **Allowed values:**
- **0.** Employees can’t use Edge Extensions.
- **1 (default).** Employees can use Edge Extensions.
|
-|AllowFlash|Windows 10 or later|Desktop|- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowFlash
- **Data type.** Integer
- **Allowed values:**
- **0.** Not allowed. Employees can’t use Adobe Flash
- **1 (default).** Allowed. Employees can use Adobe Flash.
|
-|AllowFlashClickToRun|Windows 10, Windows Insider Program|Desktop|- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowFlashClickToRun
- **Data type.** Integer
- **Allowed values:**
- **0.** Adobe Flash content is automatically loaded and run by Microsoft Edge
- **1 (default).** An employee must click the content, click a Click-to-Run button, or have the site appear on an auto-allow list before Microsoft Edge loads and runs Adobe Flash content.
|
-|AllowInPrivate|Windows 10, Version 1511 or later|Both|- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowInPrivate
- **Data type.** Integer
- **Allowed values:**
- **0.** Employees can’t use InPrivate browsing.
- **1 (default).** Employees can use InPrivate browsing.
|
-|AllowMicrosoftCompatibilityList|Windows 10, Windows Insider Program|Both|- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowMicrosoftCompatibilityList
- **Data type.** Integer
- **Allowed values:**
- **0.** Additional search engines aren't allowed and the default can’t be changed in the Address bar.
- **1 (default).** Additional search engines are allowed and the default can be changed in the Address bar.
|
-|AllowPasswordManager|Windows 10 or later|Both|- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowPasswordManager
- **Data type.** Integer
- **Allowed values:**
- **0 (default).** Employees can't use Password Manager to save passwords locally.
- **1.** Employees can use Password Manager to save passwords locally.
|
-|AllowPopups|Windows 10 or later|Desktop|- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowPopups
- **Data type.** Integer
- **Allowed values:**
- **0 (default).** Turns off Pop-up Blocker, allowing pop-up windows.
- **1.** Turns on Pop-up Blocker, stopping pop-up windows.
|
-|AllowSearchEngineCustomization|Windows 10, Windows Insider Program|Both|- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowSearchEngineCustomization
- **Data type.** Integer
- **Allowed values:**
- **0.** Additional search engines are not allowed and the default can’t be changed in the Address bar.
- **1 (default).** Additional search engines are allowed and the default can be changed in the Address bar.
|
-|AllowSearchSuggestions
inAddressBar|Windows 10 or later|Both|- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowSearchSuggestionsinAddressBar
- **Data type.** Integer
- **Allowed values:**
- **0 (default).** Employees can’t see search suggestions in the Address bar of Microsoft Edge.
- **1.** Employees can see search suggestions in the Address bar of Microsoft Edge.
|
-|AllowSmartScreen|Windows 10 or later|Both|- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen
- **Data type.** Integer
- **Allowed values:**
- **0 (default).** Turns off Windows Defender SmartScreen.
- **1.** Turns on Windows Defender SmartScreen, providing warning messages to your employees about potential phishing scams and malicious software.
|
-|ClearBrowsingDataOnExit|Windows 10, Windows Insider Program|Both|- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/ClearBrowsingDataOnExit
- **Data type.** Integer
- **Allowed values:**
- **0 (default).** Browsing data is not cleared on exit. The type of browsing data to clear can be configured by the employee in the Clear browsing data options under Settings.
- **1.** Browsing data is cleared on exit.
|
-|ConfigureAdditionalSearchEngines|Windows 10, Windows Insider Program|Both|- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/ConfigureAdditionalSearchEngines
- **Data type.** Integer
- **Allowed values:**
- **0 (default).** Additional search engines are not allowed.
- **1.** Additional search engines are allowed.
|
-|DisableLockdownOfStartPages|Windows 10, Windows Insider Program|Desktop|- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/DisableLockdownOfStartPages
- **Data type.** Integer
- **Allowed values:**
- **0 (default).** Enable lockdown of the Start pages according to the settings specified in the Browser/HomePages policy. Users cannot change the Start pages.
- **1.** Disable lockdown of the Start pages and allow users to modify them.
|
-|EnterpriseModeSiteList|Windows 10 or later|Desktop|- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/EnterpriseModeSiteList
- **Data type.** String
- **Allowed values:**
- Not configured.
- **1 (default).** Use the Enterprise Mode Site List, if configured.
- **2.** Specify the location to the site list.
**Note**
If there’s an .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server file has a different version number than the version in the cache container, the server file is used and stored in the cache container.
If you’re already using a site list, enterprise mode continues to work during the 65 second wait; it just uses your existing site list instead of your new one.
|
-|Favorites|Windows 10, Version 1511 or later|Both|- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/Favorites
- **Data type.** String
- **Allowed values:**|
-|FirstRunURL|Windows 10, Version 1511 or later|Mobile|
- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/FirstRunURL
- **Data type.** String
- **Allowed values:**
- Configure the first run URL for your employees.
**Example:**
``
|
-|HomePages|Windows 10, Version 1511 or later|Desktop|- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/HomePages
- **Data type.** String
- **Allowed values:**
- Configure the Start page (previously known as Home page) URLs for your employees.
**Example:**
``
|
-|PreventAccessToAbout
FlagsInMicrosoftEdge|Windows 10, Version 1607 and later|Desktop|- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/PreventAccessToAboutFlagsInMicrosoftEdge
- **Data type.** Integer
- **Allowed values:**
- **0 (default).** Employees can access the about:flags page in Microsoft Edge.
- **1.** Employees can't access the about:flags page in Microsoft Edge.
|
-|PreventFirstRunPage|Windows 10, Windows Insider Program|Both|- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/PreventFirstRunPage
- **Data type.** Integer
- **Allowed values:**
- **0 (default).** Employees see the First Run webpage.
- **1.** Employees don't see the First Run webpage.
|
-|PreventLiveTileDataCollection|Windows 10, Windows Insider Program|Both|- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/PreventLiveTileDataCollection
- **Data type.** Integer
- **Allowed values:**
- **0 (default).** Microsoft servers will be contacted if a site is pinned to Start from Microsoft Edge.
- **1.** Microsoft servers will not be contacted if a site is pinned to Start from Microsoft Edge.
|
-|PreventSmartScreenPromptOverride|Windows 10, Version 1511 or later|Both|- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride
- **Data type.** Integer
- **Allowed values:**
- **0 (default).** Turns off Windows Defender SmartScreen.
- **1.** Turns on Windows Defender SmartScreen.
|
-|PreventSmartScreenPromptOverrideForFiles|Windows 10, Version 1511 or later|Both|- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles
- **Data type.** Integer
- **Allowed values:**
- **0 (default).** Lets employees ignore the Windows Defender SmartScreen warnings about unverified files and lets them continue the download process.
- **1.** Stops employees from ignoring the Windows Defender SmartScreen warnings about unverified files.
|
-|PreventUsingLocalHost
IPAddressForWebRTC|Windows 10, Version 1511 or later|Desktop|- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/PreventUsingLocalHostIPAddressForWebRTC
- **Data type.** Integer
- **Allowed values:**
- **0 (default).** Shows an employee's LocalHost IP address while using the WebRTC protocol.
- **1.** Doesn't show an employee's LocalHost IP address while using the WebRTC protocol.
|
-|SendIntranetTraffic
toInternetExplorer|Windows 10 or later|Desktop|- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/SendIntranetTraffictoInternetExplorer
- **Data type.** Integer
- **Allowed values:**
- **0 (default).** Automatically opens all websites, including intranet sites, using Microsoft Edge.
- **1.** Automatically opens all intranet sites using Internet Explorer 11.
|
-|SetDefaultSearchEngine|Windows 10, Windows Insider Program|Both|- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/SetDefaultSearchEngine
- **Data type.** Integer
- **Allowed values:**
- **0 (default).** The default search engine is set to the one specified in App settings.
- **1.** Allows you to configure the default search engine for your employees.
|
-|ShowMessageWhen
OpeningInteretExplorer
Sites|Windows 10, Version 1607 and later|Desktop|- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/ShowMessageWhenOpeningSitesInInteretExplorer
- **Data type.** Integer
- **Allowed values:**
- **0 (default).** Doesn’t show an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.
- **1.** Shows an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.
|
-|SyncFavoritesBetweenIEAndMicrosoftEdge|Windows 10, Windows Insider Program|Desktop|- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/SyncFavoritesBetweenIEAndMicrosoftEdge
- **Data type.** Integer
- **Allowed values:**
- **0 (default).** Synchronization is turned off.
- **1.** Synchronization is turned on.
|
+### AllowAddressBarDropdown
+- **Supported versions:** Windows 10, Windows Insider Program
+
+- **Supported devices:** Desktop
+
+- **Details:**
+
+ - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowAddressBarDropdown
+
+ - **Data type:** Integer
+
+ - **Allowed values:**
+
+ - **0.** Not allowed. Address bar drop-down is disabled, which also disables the user-defined setting, "Show search and site suggestions as I type."
+
+ - **1 (default).** Allowed. Address bar drop-down is enabled.
+
+### AllowAutofill
+- **Supported versions:** Windows 10 or later
+
+- **Supported devices:** Desktop
+
+- **Details:**
+
+ - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowAutofill
+
+ - **Data type:** Integer
+
+ - **Allowed values:**
+
+ - **0.** Employees can’t use Autofill to complete form fields.
+
+ - **1 (default).** Employees can use Autofill to complete form fields.
+
+### AllowBrowser
+- **Supported versions:** Windows 10 or later
+
+- **Supported devices:** Mobile
+
+- **Details:**
+
+ - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowBrowser
+
+ - **Data type:** Integer
+
+ - **Allowed values:**
+
+ - **0.** Employees can’t use Microsoft Edge.
+
+ - **1 (default).** Employees can use Microsoft Edge.
+
+### AllowCookies
+- **Supported versions:** Windows 10 or later
+
+- **Supported devices:** Both
+
+- **Details:**
+
+ - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowCookies
+
+ - **Data type:** Integer
+
+ - **Allowed values:**
+
+ - **0 (default).** Allows all cookies from all sites.
+
+ - **1.** Blocks only cookies from 3rd party websites.
+
+ - **2.** Blocks all cookies from all sites.
+
+### AllowDeveloperTools
+- **Supported versions:** Windows 10, Version 1511 or later
+
+- **Supported devices:** Desktop
+
+- **Details:**
+
+ - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowDeveloperTools
+
+ - **Data type:** Integer
+
+ - **Allowed values:**
+
+ - **0.** Employees can't use the F12 Developer Tools.
+
+ - **1 (default).** Employees can use the F12 Developer Tools.
+
+### AllowDoNotTrack
+- **Supported versions:** Windows 10 or later
+
+- **Supported devices:** Both
+
+- **Details:**
+
+ - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowDoNotTrack
+
+ - **Data type:** Integer
+
+ - **Allowed values:**
+
+ - **0 (default).** Stops employees from sending Do Not Track headers to websites requesting tracking info.
+
+ - **1.** Employees can send Do Not Track headers to websites requesting tracking info.
+
+### AllowExtensions
+- **Supported versions:** Windows 10, Version 1607 and later
+
+- **Supported devices:** Desktop
+
+- **Details:**
+
+ - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowExtensions
+
+ - **Data type:** Integer
+
+ - **Allowed values:**
+
+ - **0.** Employees can’t use Edge Extensions.
+
+ - **1 (default).** Employees can use Edge Extensions.
+
+### AllowFlash
+- **Supported versions:** Windows 10 or later
+
+- **Supported devices:** Desktop
+
+- **Details:**
+
+ - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowFlash
+
+ - **Data type:** Integer
+
+ - **Allowed values:**
+
+ - **0.** Not allowed. Employees can’t use Adobe Flash.
+
+ - **1 (default).** Allowed. Employees can use Adobe Flash.
+
+### AllowFlashClickToRun
+- **Supported versions:** Windows 10, Windows Insider Program
+
+- **Supported devices:** Desktop|
+
+- **Details:**
+
+ - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowFlashClickToRun
+
+ - **Data type:** Integer
+
+ - **Allowed values:**
+
+ - **0.** Adobe Flash content is automatically loaded and run by Microsoft Edge
+
+ - **1 (default).** An employee must click the content, click a Click-to-Run button, or have the site appear on an auto-allow list before Microsoft Edge loads and runs Adobe Flash content.
+
+### AllowInPrivate
+- **Supported versions:** Windows 10, Version 1511 or later
+
+- **Supported devices:** Both
+
+- **Details:**
+
+ - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowInPrivate
+
+ - **Data type:** Integer
+
+ - **Allowed values:**
+
+ - **0.** Employees can’t use InPrivate browsing.
+
+ - **1 (default).** Employees can use InPrivate browsing.
+
+### AllowMicrosoftCompatibilityList
+- **Supported versions:** Windows 10, Windows Insider Program
+
+- **Supported devices:** Both
+
+- **Details:**
+
+ - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowMicrosoftCompatibilityList
+
+ - **Data type:** Integer
+
+ - **Allowed values:**
+
+ - **0.** Additional search engines aren't allowed and the default can’t be changed in the Address bar.
+
+ - **1 (default).** Additional search engines are allowed and the default can be changed in the Address bar.
+
+### AllowPasswordManager
+- **Supported versions:** Windows 10 or later
+
+- **Supported devices:** Both
+
+- **Details:**
+
+ - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowPasswordManager
+
+ - **Data type:** Integer
+
+ - **Allowed values:**
+
+ - **0 (default).** Employees can't use Password Manager to save passwords locally.
+
+ - **1.** Employees can use Password Manager to save passwords locally.
+
+### AllowPopups
+- **Supported versions:** Windows 10 or later
+
+- **Supported devices:** Desktop
+
+- **Details:**
+
+ - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowPopups
+
+ - **Data type:** Integer
+
+ - **Allowed values:**
+
+ - **0 (default).** Turns off Pop-up Blocker, allowing pop-up windows.
+
+ - **1.** Turns on Pop-up Blocker, stopping pop-up windows.
+
+### AllowSearchEngineCustomization
+- **Supported versions:** Windows 10, Windows Insider Program
+
+- **Supported devices:** Both
+
+- **Details:**
+
+ - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowSearchEngineCustomization
+
+ - **Data type:** Integer
+
+ - **Allowed values:**
+
+ - **0.** Additional search engines are not allowed and the default can’t be changed in the Address bar.
+
+ - **1 (default).** Additional search engines are allowed and the default can be changed in the Address bar.
+
+
+### AllowSearchSuggestionsinAddressBar
+- **Supported versions:** Windows 10 or later
+
+- **Supported devices:** Both
+
+- **Details:**
+
+ - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowSearchSuggestionsinAddressBar
+
+ - **Data type:** Integer
+
+ - **Allowed values:**
+
+ - **0 (default).** Employees can’t see search suggestions in the Address bar of Microsoft Edge.
+
+ - **1.** Employees can see search suggestions in the Address bar of Microsoft Edge.
+
+### AllowSmartScreen
+- **Supported versions:** Windows 10 or later
+
+- **Supported devices:** Both
+
+- **Details:**
+
+ - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen
+
+ - **Data type:** Integer
+
+ - **Allowed values:**
+
+ - **0 (default).** Turns off Windows Defender SmartScreen.
+
+ - **1.** Turns on Windows Defender SmartScreen, providing warning messages to your employees about potential phishing scams and malicious software.
+
+### ClearBrowsingDataOnExit
+- **Supported versions:** Windows 10, Windows Insider Program
+
+- **Supported devices:** Both
+
+- **Details:**
+
+ - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ClearBrowsingDataOnExit
+
+ - **Data type:** Integer
+
+ - **Allowed values:**
+
+ - **0 (default).** Browsing data is not cleared on exit. The type of browsing data to clear can be configured by the employee in the Clear browsing data options under Settings.
+
+ - **1.** Browsing data is cleared on exit.
+
+### ConfigureAdditionalSearchEngines
+- **Supported versions:** Windows 10, Windows Insider Program
+
+- **Supported devices:** Both
+
+- **Details:**
+
+ - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureAdditionalSearchEngines
+
+ - **Data type:** Integer
+
+ - **Allowed values:**
+
+ - **0 (default).** Additional search engines are not allowed.
+
+ - **1.** Additional search engines are allowed.
+
+### DisableLockdownOfStartPages
+- **Supported versions:** Windows 10, Windows Insider Program
+
+- **Supported devices:** Desktop
+
+- **Details:**
+
+ - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/DisableLockdownOfStartPages
+
+ - **Data type:** Integer
+
+ - **Allowed values:**
+
+ - **0 (default).** Enable lockdown of the Start pages according to the settings specified in the Browser/HomePages policy. Users cannot change the Start pages.
+
+ - **1.** Disable lockdown of the Start pages and allow users to modify them.
+
+### EnterpriseModeSiteList
+- **Supported versions:** Windows 10 or later
+
+- **Supported devices:** Desktop
+
+- **Details:**
+
+ - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/EnterpriseModeSiteList
+
+ - **Data type:** String
+
+ - **Allowed values:**
+
+ - Not configured.
+
+ - **1 (default).** Use the Enterprise Mode Site List, if configured.
+
+ - **2.** Specify the location to the site list.
+
+ >[!NOTE]
+ >If there’s an .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server file has a different version number than the version in the cache container, the server file is used and stored in the cache container.If you’re already using a site list, enterprise mode continues to work during the 65 second wait; it just uses your existing site list instead of your new one.
+
+### Favorites
+- **Supported versions:** Windows 10, Version 1511 or later
+
+- **Supported devices:** Both
+
+- **Details:**
+
+ - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/Favorites
+
+ - **Data type:** String
+
+ - **Allowed values:**
+
+ - Configure the **Favorite** URLs for your employees.
+
+ **Example:**
+
+
+
+
+ URLs must be on separate lines and aren't shared between Microsoft Edge and Internet Explorer 11.
+
+### FirstRunURL
+- **Supported versions:** Windows 10, Version 1511 or later
+
+- **Supported devices:** Mobile
+
+- **Details:**
+
+ - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/FirstRunURL
+
+ - **Data type:** String
+
+ - **Allowed values:**
+
+ - Configure the first run URL for your employees.
+
+ **Example:**
+
+
+
+### HomePages
+- **Supported versions:** Windows 10, Version 1511 or later
+
+- **Supported devices:** Desktop
+
+- **Details:**
+
+ - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/HomePages
+
+ - **Data type:** String
+
+ - **Allowed values:**
+
+ - Configure the Start page (previously known as Home page) URLs for your employees.
+
+ **Example:**
+
+
+
+### PreventAccessToAboutFlagsInMicrosoftEdge
+- **Supported versions:** Windows 10, Version 1607 and later
+
+- **Supported devices:** Desktop
+
+- **Details:**
+
+ - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventAccessToAboutFlagsInMicrosoftEdge
+
+ - **Data type:** Integer
+
+ - **Allowed values:**
+
+ - **0 (default).** Employees can access the about:flags page in Microsoft Edge.
+
+ - **1.** Employees can't access the about:flags page in Microsoft Edge.
+
+### PreventFirstRunPage
+- **Supported versions:** Windows 10, Windows Insider Program
+
+- **Supported devices:** Both
+
+- **Details:**
+
+ - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventFirstRunPage
+
+ - **Data type:** Integer
+
+ - **Allowed values:**
+
+ - **0 (default).** Employees see the First Run webpage.
+
+ - **1.** Employees don't see the First Run webpage.
+
+### PreventLiveTileDataCollection
+- **Supported versions:** Windows 10, Windows Insider Program
+
+- **Supported devices:** Both
+
+- **Details:**
+
+ - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventLiveTileDataCollection
+
+ - **Data type:** Integer
+
+ - **Allowed values:**
+
+ - **0 (default).** Microsoft servers will be contacted if a site is pinned to Start from Microsoft Edge.
+
+ - **1.** Microsoft servers will not be contacted if a site is pinned to Start from Microsoft Edge.
+
+### PreventSmartScreenPromptOverride
+- **Supported versions:** Windows 10, Version 1511 or later
+
+- **Supported devices:** Both
+
+- **Details:**
+
+ - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride
+
+ - **Data type:** Integer
+
+ - **Allowed values:**
+
+ - **0 (default).** Turns off Windows Defender SmartScreen.
+
+ - **1.** Turns on Windows Defender SmartScreen.
+
+### PreventSmartScreenPromptOverrideForFiles
+- **Supported versions:** Windows 10, Version 1511 or later
+
+- **Supported devices:** Both
+
+- **Details:**
+
+ - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles
+
+ - **Data type:** Integer
+
+ - **Allowed values:**
+
+ - **0 (default).** Lets employees ignore the Windows Defender SmartScreen warnings about unverified files and lets them continue the download process.
+
+ - **1.** Stops employees from ignoring the Windows Defender SmartScreen warnings about unverified files.
+
+### PreventUsingLocalHostIPAddressForWebRTC
+- **Supported versions:** Windows 10, Version 1511 or later
+
+- **Supported devices:** Desktop
+
+- **Details:**
+
+ - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventUsingLocalHostIPAddressForWebRTC
+
+ - **Data type:** Integer
+
+ - **Allowed values:**
+
+ - **0 (default).** Shows an employee's LocalHost IP address while using the WebRTC protocol.
+
+ - **1.** Doesn't show an employee's LocalHost IP address while using the WebRTC protocol.
+
+### SendIntranetTraffictoInternetExplorer
+- **Supported versions:** Windows 10 or later
+
+- **Supported devices:** Desktop
+
+- **Details:**
+
+ - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SendIntranetTraffictoInternetExplorer
+
+ - **Data type:** Integer
+
+ - **Allowed values:**
+
+ - **0 (default).** Automatically opens all websites, including intranet sites, using Microsoft Edge.
+
+ - **1.** Automatically opens all intranet sites using Internet Explorer 11.
+
+### SetDefaultSearchEngine
+- **Supported versions:** Windows 10, Windows Insider Program
+
+- **Supported devices:** Both
+
+- **Details:**
+
+ - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetDefaultSearchEngine
+
+ - **Data type:** Integer
+
+ - **Allowed values:**
+
+ - **0 (default).** The default search engine is set to the one specified in App settings.
+
+ - **1.** Allows you to configure the default search engine for your employees.
+
+### ShowMessageWhenOpeningInteretExplorerSites
+- **Supported versions:** Windows 10, Version 1607 and later
+
+- **Supported devices:** Desktop
+
+- **Details:**
+
+ - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ShowMessageWhenOpeningSitesInInteretExplorer
+
+ - **Data type:** Integer
+
+ - **Allowed values:**
+
+ - **0 (default).** Doesn’t show an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.
+
+ - **1.** Shows an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.
+
+### SyncFavoritesBetweenIEAndMicrosoftEdge
+- **Supported versions:** Windows 10, Windows Insider Program
+
+- **Supported devices:** Desktop
+
+- **Details:**
+
+ - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SyncFavoritesBetweenIEAndMicrosoftEdge
+
+ - **Data type:** Integer
+
+ - **Allowed values:**
+
+ - **0 (default).** Synchronization is turned off.
+
+ - **1.** Synchronization is turned on.
## Microsoft Edge and Windows 10-specific Group Policy settings
These are additional Windows 10-specific Group Policy settings that work with Microsoft Edge.
-|Group Policy setting|Description|Options|
-|--------------------|--------------|---------|
-|Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana|Whether employees can use Cortana.|**Enabled or not configured:** Employees can use Cortana on their devices.**Disabled:** Stops employees from using Cortana on their devices.
**Note** Employees can still perform searches even with Cortana turned off.|
-|Computer Configuration\Administrative Templates\Windows Components\sync your settings\Do not sync|Whether employees can use the **Sync your Settings** options to sync their settings to and from their device.|**Enabled:** Turns off the **Sync your Settings** options and none of the **Sync your Setting** groups are synced on the device. You can use the **Allow users to turn syncing on** option to turn the feature off by default, but to let the employee change this setting.
**Disabled or not configured (default):** Turns on the **Sync your Settings** area by default, letting employees pick what can sync on their device.|
-|Computer Configuration\Administrative Templates\Windows Components\sync your settings\Do not sync browser settings|Whether a browser group can use the **Sync your Settings** options to sync their info to and from their device. This includes settings and info like **History** and Favorites.|**Enabled:** Turns off the **Sync your Settings** options so that browser groups are unable to sync their settings and info. You can use the **Allow users to turn browser syncing on** option to turn the feature off by default, but to let the employee change this setting.
**Disabled or not configured (default):** Turns on the **Sync your Settings** area by default, letting browser groups pick what can sync on their device.|
+### Allow Cortana
+- **Location:** Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana
+
+- **Description:** This policy settings lets you decide whether employees can use Cortana.
+
+ - If you enable or don't configure this setting, employees can use Cortana on their devices.
+
+ - If you disable this setting, employees won't be able to use Cortana on their devices.
+
+ >[!Note]
+ >Employees can still perform searches even with Cortana turned off.
+
+### Do not sync
+- **Location:** Computer Configuration\Administrative Templates\Windows Components\sync your settings\Do not sync
+
+- **Description:** This policy settings lets you decide whether employees can use the Sync your Settings options to sync their settings to and from their device.
+
+ - If you enable this setting, the Sync your Settings options are turned off and none of the Sync your Setting groups are synced on the device. You can use the Allow users to turn syncing on option to turn the feature off by default, but to let the employee change this setting.
+
+ - If you disable or don't configure this setting (default), the Sync your Settings options are turned on, letting employees pick what can sync on their device.
+
+### Do not sync browser settings
+- **Location:** Computer Configuration\Administrative Templates\Windows Components\sync your settings\Do not sync browser settings
+
+- **Description:** This policy settings lets you decide whether a browser group can use the Sync your Settings options to sync their info to and from their device. This includes settings and info like History and Favorites.
+
+ - If you enable this setting, the Sync your Settings options are turned off so that browser groups are unable to sync their settings and info. You can use the Allow users to turn browser syncing on option to turn the feature off by default, but to let the employee change this setting.
+
+ - If you disable or don't configure this setting (default), the Sync your Settings options are turned on, letting browser groups pick what can sync on their device.
+
## Microsoft Edge and Windows 10-specific MDM policy settings
These are additional Windows 10-specific MDM policy settings that work with Microsoft Edge.
-|MDM Policy name|Supports|Details|
-|----------------|--------------|-------------------|
-|AllowCortana|Both|
- **URI full path.** ./Vendor/MSFT/Policy/Config/Experience/AllowCortana
- **Data type.** Integer
- **Allowed values:**
- **0.** Employees can’t use Cortana on their devices.
- **1 (default).** Employees can use Cortana on their devices.
|
-|AllowSyncMySettings|Desktop|- **URI full path.** ./Vendor/MSFT/Policy/Config/Experience/AllowSyncMySettings
- **Data type.** Integer
- **Allowed values:**
- **0.** Employees can’t sync settings between PCs.
- **1 (default).** Employees can sync between PCs.
|
+### AllowCortana
+- **Supported devices:** Both
+
+- **Details:**
+
+ - **URI full path:** ./Vendor/MSFT/Policy/Config/Experience/AllowCortana
+
+ - **Data type:** Integer
+
+ - **Allowed values:**
+
+ - **0.** Employees can’t use Cortana on their devices.
+
+ - **1 (default).** Employees can use Cortana on their devices.
+
+### AllowSyncMySettings
+- **Supported devices:** Desktop
+
+- **Details:**
+
+ - **URI full path:** ./Vendor/MSFT/Policy/Config/Experience/AllowSyncMySettings
+
+ - **Data type:** Integer
+
+ - **Allowed values:**
+
+ - **0.** Employees can’t sync settings between PCs.
+
+ - **1 (default).** Employees can sync between PCs.
## Related topics
* [Group Policy TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=214514)
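Review bot: under `### AllowMicrosoftCompatibilityList` the allowed values ("Additional search engines aren't allowed and the default can't be changed in the Address bar" / "Additional search engines are allowed and the default can be changed in the Address bar") are the AllowSearchEngineCustomization text copied in; they should describe whether the Microsoft Compatibility List is applied, not search-engine customization. A few more things to clean up in this hunk: `### AllowFlashClickToRun` still carries a table pipe in `- **Supported devices:** Desktop|`; the `**Example:**` blocks under Favorites, FirstRunURL and HomePages are empty, so the sentence "URLs must be on separate lines" under Favorites has no sample to refer to; `PreventSmartScreenPromptOverride` lists the same values as AllowSmartScreen ("Turns off/on Windows Defender SmartScreen") rather than describing what overriding the prompt means, and its URI spells the node `PreventSmartscreenPromptOverride` while the heading uses `SmartScreen`; `ShowMessageWhenOpeningInteretExplorerSites` and its URI spell "Interet", which should be checked against the actual CSP node name before it is carried forward; the EnterpriseModeSiteList note is missing a space in "cache container.If you're"; and the three Group Policy descriptions read "This policy settings lets you", which should be "This policy setting lets you". Also add a blank line before the `## Microsoft Edge and Windows 10-specific Group Policy settings` and `## Related topics` headings so they do not run on from the last list item.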
diff --git a/browsers/edge/change-history-for-microsoft-edge.md b/browsers/edge/change-history-for-microsoft-edge.md
index 9501635fa9..ce750be2f7 100644
--- a/browsers/edge/change-history-for-microsoft-edge.md
+++ b/browsers/edge/change-history-for-microsoft-edge.md
@@ -15,7 +15,7 @@ For a detailed feature list of what's in the current Microsoft Edge releases, th
## February 2017
|New or changed topic | Description |
|----------------------|-------------|
-|[Available Group Policy and Mobile Data Management (MDM) settings for Microsoft Edge](available-policies.md) |Added new Group Policy and MDM settings for the Windows Insider Program. |
+|[Available Group Policy and Mobile Data Management (MDM) settings for Microsoft Edge](available-policies.md) |Added new Group Policy and MDM settings for the Windows Insider Program. Reformatted for easier readability outside of scrolling table. |
## November 2016
|New or changed topic | Description |
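Review bot: the added sentence "Reformatted for easier readability outside of scrolling table." reads awkwardly; suggest "Reformatted the policy tables as sections for easier readability." so the entry says what changed without the dangling "outside of scrolling table".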
diff --git a/devices/surface-hub/manage-windows-updates-for-surface-hub.md b/devices/surface-hub/manage-windows-updates-for-surface-hub.md
index d8661c166c..659e2a6ae5 100644
--- a/devices/surface-hub/manage-windows-updates-for-surface-hub.md
+++ b/devices/surface-hub/manage-windows-updates-for-surface-hub.md
@@ -17,7 +17,7 @@ New releases of the Surface Hub operating system are published through Windows U
- **Windows Update for Business** - New in Windows 10, Windows Update for Business is a set of features designed to provide enterprises additional control over how and when Windows Update installs releases, while reducing device management costs. Using this method, Surface Hubs are directly connected to Microsoft’s Windows Update service.
- **Windows Server Update Services (WSUS)** - Set of services that enable IT administrators to obtain the updates that Windows Update determines are applicable to the devices in their enterprise, perform additional testing and evaluation on the updates, and select the updates they want to install. Using this method, Surface Hubs will receive updates from WSUS rather than Windows Update.
-You can also configure Surface Hub to receive updates from both Windows Update for Business and WSUS. See [Integrate Windows Update for Business with Windows Server Update Services](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-integrate-wufb#integrate-windows-update-for-business-with-windows-server-update-services) for details.
+You can also configure Surface Hub to receive updates from both Windows Update for Business and WSUS. See [Integrate Windows Update for Business with Windows Server Update Services](https://technet.microsoft.com/itpro/windows/manage/waas-integrate-wufb#integrate-windows-update-for-business-with-windows-server-update-services) for details.
| Capabilities | Windows Update for Business | Windows Server Update Services (WSUS) |
| ------------ | --------------------------- | ------------------------------------- |
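Review bot: the only change in this hunk (and in the rest of this file) is dropping the `en-us/` locale segment from the technet.microsoft.com and msdn.microsoft.com links, which is the right direction for locale-neutral docs; confirm each rewritten URL still resolves, since the fragment anchors (for example `#integrate-windows-update-for-business-with-windows-server-update-services`) only work if the site's locale redirect preserves them.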
@@ -27,7 +27,7 @@ You can also configure Surface Hub to receive updates from both Windows Update f
| Define maintenance windows for installing updates. | Yes | Yes |
> [!TIP]
-> Use peer-to-peer content sharing to reduce bandwidth issues during updates. See [Optimize update delivery for Windows 10 updates](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-optimize-windows-10-updates) for details.
+> Use peer-to-peer content sharing to reduce bandwidth issues during updates. See [Optimize update delivery for Windows 10 updates](https://technet.microsoft.com/itpro/windows/manage/waas-optimize-windows-10-updates) for details.
> [!NOTE]
> Surface Hub does not currently support rolling back updates.
@@ -45,11 +45,11 @@ In order to improve release quality and simplify deployments, all new releases t
The Surface Hub operating system is available on **Current Branch (CB)** and **Current Branch for Business (CBB)**. Like other editions of Windows 10, the servicing lifetime of CB or CBB is finite. You must install new feature updates on machines running these branches in order to continue receiving quality updates.
-For more information on Windows as a Service, see [Overview of Windows as a service](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-overview).
+For more information on Windows as a Service, see [Overview of Windows as a service](https://technet.microsoft.com/itpro/windows/manage/waas-overview).
## Use Windows Update for Business
-Surface Hubs, like all Windows 10 devices, include **Windows Update for Business (WUfB)** to enable you to control how your devices are being updated. Windows Update for Business helps reduce device management costs, provide controls over update deployment, offer quicker access to security updates, as well as provide access to the latest innovations from Microsoft on an ongoing basis. For more information, see [Manage updates using Windows Update for Business](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-manage-updates-wufb).
+Surface Hubs, like all Windows 10 devices, include **Windows Update for Business (WUfB)** to enable you to control how your devices are being updated. Windows Update for Business helps reduce device management costs, provide controls over update deployment, offer quicker access to security updates, as well as provide access to the latest innovations from Microsoft on an ongoing basis. For more information, see [Manage updates using Windows Update for Business](https://technet.microsoft.com/itpro/windows/manage/waas-manage-updates-wufb).
**To set up Windows Update for Business:**
1. [Group Surface Hub into deployment rings](#group-surface-hub-into-deployment-rings)
@@ -58,11 +58,11 @@ Surface Hubs, like all Windows 10 devices, include **Windows Update for Business
> [!NOTE]
-> You can use Microsoft Intune, System Center Configuration Manager, or a supported third-party MDM provider to set up WUfB. [Walkthrough: use Microsoft Intune to configure Windows Update for Business.](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-wufb-intune)
+> You can use Microsoft Intune, System Center Configuration Manager, or a supported third-party MDM provider to set up WUfB. [Walkthrough: use Microsoft Intune to configure Windows Update for Business.](https://technet.microsoft.com/itpro/windows/manage/waas-wufb-intune)
### Group Surface Hub into deployment rings
-Use deployment rings to control when updates roll out to your Surface Hubs, giving you time to validate them. For example, you can update a small pool of devices first to verify quality before a broader roll-out to your organization. Depending on who manages Surface Hub in your organization, consider incorporating Surface Hub into the deployment rings that you've built for your other Windows 10 devices. For more information about deployment rings, see [Build deployment rings for Windows 10 updates](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-deployment-rings-windows-10-updates).
+Use deployment rings to control when updates roll out to your Surface Hubs, giving you time to validate them. For example, you can update a small pool of devices first to verify quality before a broader roll-out to your organization. Depending on who manages Surface Hub in your organization, consider incorporating Surface Hub into the deployment rings that you've built for your other Windows 10 devices. For more information about deployment rings, see [Build deployment rings for Windows 10 updates](https://technet.microsoft.com/itpro/windows/manage/waas-deployment-rings-windows-10-updates).
This table gives examples of deployment rings.
@@ -75,22 +75,22 @@ This table gives examples of deployment rings.
### Configure Surface Hub to use Current Branch or Current Branch for Business
-By default, Surface Hubs are configured to receive updates from Current Branch (CB). CB receives feature updates as soon as they are released by Microsoft. Current Branch for Business (CBB), on the other hand, receives feature updates at least four months after they have been initially offered to CB devices, and includes all of the quality updates that have been released in the interim. For more information on the differences between CB and CBB, see [Servicing branches](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-overview#servicing-branches).
+By default, Surface Hubs are configured to receive updates from Current Branch (CB). CB receives feature updates as soon as they are released by Microsoft. Current Branch for Business (CBB), on the other hand, receives feature updates at least four months after they have been initially offered to CB devices, and includes all of the quality updates that have been released in the interim. For more information on the differences between CB and CBB, see [Servicing branches](https://technet.microsoft.com/itpro/windows/manage/waas-overview#servicing-branches).
**To manually configure Surface Hub to use CB or CBB:**
1. Open **Settings** > **Update & Security** > **Windows Update**, and then select **Advanced Options**.
2. Select **Defer feature updates**.
-To configure Surface Hub to use CB or CBB remotely using MDM, set an appropriate [Update/BranchReadinessLevel](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_BranchReadinessLevel) policy.
+To configure Surface Hub to use CB or CBB remotely using MDM, set an appropriate [Update/BranchReadinessLevel](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_BranchReadinessLevel) policy.
### Configure when Surface Hub receives updates
Once you've determined deployment rings for your Surface Hubs, configure update deferral policies for each ring:
-- To defer feature updates, set an appropriate [Update/DeferFeatureUpdatesPeriodInDays](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_DeferFeatureUpdatesPeriodInDays) policy for each ring.
-- To defer quality updates, set an appropriate [Update/DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_DeferQualityUpdatesPeriodInDays) policy for each ring.
+- To defer feature updates, set an appropriate [Update/DeferFeatureUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferFeatureUpdatesPeriodInDays) policy for each ring.
+- To defer quality updates, set an appropriate [Update/DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferQualityUpdatesPeriodInDays) policy for each ring.
> [!NOTE]
-> If you encounter issues during the update rollout, you can pause updates using [Update/PauseFeatureUpdates](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_PauseFeatureUpdates) and [Update/PauseQualityUpdates](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_PauseQualityUpdates).
+> If you encounter issues during the update rollout, you can pause updates using [Update/PauseFeatureUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseFeatureUpdates) and [Update/PauseQualityUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseQualityUpdates).
## Use Windows Server Update Services
@@ -103,7 +103,7 @@ You can connect Surface Hub to your Windows Server Update Services (WSUS) server
3. Navigate to **Update & security** > **Windows Update** > **Advanced options** > **Configure Windows Server Update Services (WSUS) server**.
4. Click **Use WSUS Server to download updates** and type the URL of your WSUS server.
-To connect Surface Hub to a WSUS server using MDM, set an appropriate [Update/UpdateServiceUrl](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_UpdateServiceUrl) policy.
+To connect Surface Hub to a WSUS server using MDM, set an appropriate [Update/UpdateServiceUrl](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_UpdateServiceUrl) policy.
**If you use a proxy server or other method to block URLs**
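Review bot: neither `4. Click **Use WSUS Server to download updates** and type the URL of your WSUS server.` nor the `Update/UpdateServiceUrl` line says which scheme the URL must use; a plain `http://` WSUS endpoint lets an on-path attacker tamper with update metadata on the way to the Hub, so add a sentence that the URL should be `https://` against a WSUS server configured for SSL, and that the same applies to the value pushed through the MDM policy.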
@@ -135,7 +135,7 @@ A default maintenance window is set for all new Surface Hubs:
2. Navigate to **Update & security** > **Windows Update** > **Advanced options**.
3. Under **Maintenance hours**, select **Change**.
-To change the maintenance window using MDM, set the **MOMAgent** node in the [SurfaceHub configuration service provider](https://msdn.microsoft.com/en-us/library/windows/hardware/mt608323.aspx). See [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md) for more details.
+To change the maintenance window using MDM, set the **MOMAgent** node in the [SurfaceHub configuration service provider](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx). See [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md) for more details.
## Related topics
diff --git a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md
index 8905e5b36c..6510d41971 100644
--- a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md
+++ b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md
@@ -25,7 +25,7 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow
```PowerShell
Set-ExecutionPolicy Unrestricted
$org='contoso.microsoft.com'
- $cred=Get-Credential $admin@$org
+ $cred=Get-Credential admin@$org
$sess= New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $sess
```
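Review bot: `Set-ExecutionPolicy Unrestricted` at the top of this sample changes the machine-wide policy and is broader than an interactive session needs; prefer `Set-ExecutionPolicy RemoteSigned -Scope Process` (or drop the line, since the remaining cmdlets are typed interactively) so admins following the doc don't leave their workstations unrestricted. The `$admin@$org` to `admin@$org` fix is right: the old form tried to expand an undefined `$admin` variable and produced a wrong user name in the credential prompt.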
@@ -51,7 +51,7 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow
If you haven’t created a compatible policy yet, use the following cmdlet—this one creates a policy called "Surface Hubs". Once it’s created, you can apply the same policy to other device accounts.
```PowerShell
- $easPolicy = New-MobileDeviceMailboxPolicy -Name “SurfaceHubs” -PasswordEnabled $false
+ $easPolicy = New-MobileDeviceMailboxPolicy -Name "SurfaceHubs" -PasswordEnabled $false -AllowNonProvisionableDevices $True
```
Once you have a compatible policy, then you will need to apply the policy to the device account.
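Review bot: `-AllowNonProvisionableDevices $True` is added to the cmdlet, but the sentence above still describes the command only as creating "a policy called "Surface Hubs""; add a line explaining why the Hub needs it (the policy can be applied to a device that cannot enforce every mailbox policy setting) and that, because the text says the same policy can be applied to other device accounts, the flag also admits any other non-provisionable device that gets this policy. The straight quotes replacing the smart quotes around "SurfaceHubs" are the right fix for copy-paste.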
@@ -112,6 +112,7 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow
Get-CsOnlineUser -Identity ‘alice@contoso.com’| fl *registrarpool*
```
OR by setting a variable
+
```PowerShell
$strRegistrarPool = (Get-CsOnlineUser -Identity ‘alice@contoso.com’).RegistrarPool
```
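Review bot: both `Get-CsOnlineUser -Identity ‘alice@contoso.com’` lines in this hunk (the context line and the added `$strRegistrarPool = ...` line) still use curly quotes, while the hunk above replaced curly quotes with straight ones in the `New-MobileDeviceMailboxPolicy` sample; make them consistent with `'alice@contoso.com'` so the cmdlet pastes cleanly whatever editor the reader uses.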
@@ -120,7 +121,11 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow
```PowerShell
Enable-CsMeetingRoom -Identity 'HUB01@contoso.com' -RegistrarPool yourRegistrarPool -SipAddressType EmailAddress
+ ```
+
OR using the $strRegistarPool variable from above
+
+ ```PowerShell
Enable-CsMeetingRoom -Identity 'HUB01@contoso.com' -RegistrarPool $strRegistrarPool -SipAddressType EmailAddress
```
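Review bot: the context line `OR using the $strRegistarPool variable from above` misspells the variable that the added cmdlet line actually uses (`$strRegistrarPool`), so prose and code disagree; fix it in this change since the line is being split into its own fence anyway. Also check that the added `` ```PowerShell `` fence has the same indentation as the opening fence above `Enable-CsMeetingRoom`; inside a numbered list a mismatched fence indent stops the second block from rendering as code.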
diff --git a/devices/surface-hub/use-room-control-system-with-surface-hub.md b/devices/surface-hub/use-room-control-system-with-surface-hub.md
index d229e05de5..16fd8c71d1 100644
--- a/devices/surface-hub/use-room-control-system-with-surface-hub.md
+++ b/devices/surface-hub/use-room-control-system-with-surface-hub.md
@@ -267,6 +267,9 @@ The current volume level is a range from 0 to 100.
Changes to volume levels can be sent by a room control system, or other system.
+>[!NOTE]
+>The Volume command will only control the volume for embedded or Replacement PC mode, not from [Guest sources](connect-and-display-with-surface-hub.md).
+
diff --git a/education/windows/index.md b/education/windows/index.md
index f8db1c0562..bf4146606d 100644
--- a/education/windows/index.md
+++ b/education/windows/index.md
@@ -6,6 +6,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: edu
+localizationpriority: high
author: CelesteDG
---
@@ -29,8 +30,7 @@ author: CelesteDG
- Automate common Windows 10 deployment and configuration tasks
- Deploy a custom Windows 10 Start menu
- Manage Windows 10 updates and upgrades
- - Reprovision devices at the end of the school year
- - Use MDT to deploy Windows 10
+ - Reprovision devices at the end of the school year
- Use MDT to deploy Windows 10
- Use Windows Store for Business
@@ -57,20 +57,16 @@ author: CelesteDG
Try it out: Windows 10 deployment (for education)
Learn how to upgrade devices running the Windows 7 operating system to Windows 10 Anniversary Update, and how to manage devices, apps, and users in Windows 10 Anniversary Update.
For the best experience, use this guide in tandem with the TechNet Virtual Lab: IT Pro Try-It-Out.
-
+
- ###  Upgrade
+###  Upgrade
[Upgrade Windows 10 Pro to Pro Education from Windows Store for Business](windows-10-pro-to-pro-edu-upgrade.md)
If you have an education tenant and use Windows 10 Pro in your schools now, find out how you can opt-in to a free upgrade to Windows 10 Pro Education.
-<<<<<<< HEAD
-
-
-=======
+
->>>>>>> e04a8c5905ed4bcb1df7b6b60d48146df9095a12
-
+
## Windows 8.1
Follow these links to find step-by-step guidance on how to deploy Windows 8.1 in an academic environment.
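Review bot: the `<<<<<<< HEAD` / `=======` / `>>>>>>> e04a8c5905ed4bcb1df7b6b60d48146df9095a12` conflict markers removed here had been committed to a published page, so grep the rest of the repo for `<<<<<<<` before merging this. The retained `###  Upgrade` heading still carries two spaces after `###`; harmless in markdown, but worth trimming while the line is being touched.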
diff --git a/windows/deploy/provisioning-multivariant.md b/windows/deploy/provisioning-multivariant.md
index 3bc7652233..d33f1206b5 100644
--- a/windows/deploy/provisioning-multivariant.md
+++ b/windows/deploy/provisioning-multivariant.md
@@ -1,6 +1,6 @@
---
title: Create a provisioning package with multivariant settings (Windows 10)
-description: Create a provisioning package with multivariant settings to customize the provisioned settings.
+description: Create a provisioning package with multivariant settings to customize the provisioned settings for defined conditions.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
@@ -16,37 +16,31 @@ localizationpriority: high
- Windows 10
- Windows 10 Mobile
-Multivariant provisioning packages enable you to create a single provisioning package that can work for multiple locales.
-To provision multivariant settings, you must create a provisioning package with defined **Conditions** and **Settings** that are tied to these conditions. When you install this package on a Windows 10 device, the provisioning engine applies the matching condition settings at every event and triggers provisioning.
+In your organization, you might have different configuration requirements for devices that you manage. You can create separate provisioning packages for each group of devices in your organization that have different requirements. Or, you can create a multivariant provisioning package, a single provisioning package that can work for multiple conditions. For example, in a single provisioning package, you can define one set of customization settings that will apply to devices set up for French and a different set of customization settings for devices set up for Japanese.
-The following events trigger provisioning on Windows 10 devices:
+To provision multivariant settings, you use Windows Imaging and Configuration Designer (ICD) to create a provisioning package that contains all of the customization settings that you want to apply to any of your devices. Next, you manually edit the .XML file for that project to define each set of devices (a **Target**). For each **Target**, you specify at least one **Condition** with a value, which identifies the devices to receive the configuration. Finally, for each **Target**, you provide the customization settings to be applied to those devices.
-| Event | Windows 10 Mobile | Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) |
-| --- | --- | --- |
-| System boot | Supported | Supported |
-| Operating system update | Supported | Planned |
-| Package installation during device first run experience | Supported | Supported |
-| Detection of SIM presence or update | Supported | Not supported |
-| Package installation at runtime | Supported | Supported |
-| Roaming detected | Supported | Not supported |
+Let's begin by learning how to define a **Target**.
-## Target, TargetState, Condition, and priorities
-Targets describe keying for a variant and must be described or pre-declared before being referenced by the variant.
+## Define a target
-- You can define multiple **Target** child elements for each **Id** that you need for the customization setting.
+In the XML file, you provide an **Id**, or friendly name, for each **Target**. Each **Target** is defined by at least one **TargetState** which contains at least one **Condition**. A **Condition** element defines the matching type between the condition and the specified value.
-- Within a **Target** you can define multiple **TargetState** elements.
+A **Target** can have more than one **TargetState**, and a **TargetState** can have more than one **Condition**.
-- Within a **TargetState** element you can create multiple **Condition** elements.
+
-- A **Condition** element defines the matching type between the condition and the specified value.
+The following table describes the logic for the target definition.
-The following table shows the conditions supported in Windows 10 provisioning:
+When all **Condition** elements are TRUE, **TargetState** is TRUE. |  |
+If any of the **TargetState** elements is TRUE, **Target** is TRUE, and the **Id** can be used for setting customizations. |  |
+
+### Conditions
+
+The following table shows the conditions supported in Windows 10 provisioning for a **TargetState**:
->[!NOTE]
->You can use any of these supported conditions when defining your **TargetState**.
| Condition Name | Condition priority | Windows 10 Mobile | Windows 10 for desktop editions | Value type | Value description |
| --- | --- | --- | --- | --- | --- |
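Review bot: the two lines added after `The following table describes the logic for the target definition.` (`When all **Condition** elements are TRUE, **TargetState** is TRUE. |  |` and the `Target` line) are table rows with no header row and no `| --- |` separator, so they will not render as a table; either restore the bullet form the removed lines used or add a proper two-column header. The rewrite also drops the explicit `(**AND** logic)` / `(**OR** logic)` labels the removed bullets carried; keep them, since AND within a `TargetState` and OR across `TargetState` elements is the whole semantics of a target and is what a reader needs to predict which devices a setting reaches.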
@@ -57,54 +51,47 @@ The following table shows the conditions supported in Windows 10 provisioning:
| GID1 | P0 | Supported | N/A | Digit string | Use to target settings based on the Group Identifier (level 1) value. |
| ICCID | P0 | Supported | N/A | Digit string | Use to target settings based on the Integrated Circuit Card Identifier (ICCID) value. |
| Roaming | P0 | Supported | N/A | Boolean | Use to specify roaming. Set the value to **1** (roaming) or **0** (non-roaming). |
-| UICC | P0 | Supported | N/A | Enumeration | Use to specify the UICC state. Set the value to one of the following:- 0 - Empty- 1 - Ready- 2 - Locked |
+| UICC | P0 | Supported | N/A | Enumeration | Use to specify the Universal Integrated Circuit Card (UICC) state. Set the value to one of the following:- 0 - Empty- 1 - Ready- 2 - Locked |
| UICCSLOT | P0 | Supported | N/A | Digit string | Use to specify the UICC slot. Set the value one of the following:- 0 - Slot 0- 1 - Slot 1 |
| ProcessorType | P1 | Supported | Supported | String | Use to target settings based on the processor type. |
| ProcessorName | P1 | Supported | Supported | String | Use to target settings based on the processor name. |
-| AoAc | P1 | Supported | Supported | Boolean | Set the value to 0 or 1. |
-| PowerPlatformRole | P1 | Supported | Supported | Enumeration | Indicates the preferred power management profile. Set the value based on the POWER_PLATFORM_ROLE enumeration. |
+| AoAc ("Always On, Always Connected") | P1 | Supported | Supported | Boolean | Set the value to **0** (false) or **1** (true). If this condition is TRUE, the system supports the S0 low power idle model. |
+| PowerPlatformRole | P1 | Supported | Supported | Enumeration | Indicates the preferred power management profile. Set the value based on the [POWER_PLATFORM_ROLE enumeration](https://msdn.microsoft.com/library/windows/desktop/aa373174.aspx). |
| Architecture | P1 | Supported | Supported | String | Matches the PROCESSOR_ARCHITECTURE environment variable. |
-| Server | P1 | Supported | Supported | Boolean | Set the value to 0 or 1. |
-| Region | P1 | Supported | Supported | Enumeration | Use to target settings based on country/region. |
-| Lang | P1 | Supported | Supported | Enumeration | Use to target settings based on language code. |
-| ROMLANG | P1 | Supported | N/A | Digit string | Use to specify the PhoneROMLanguage that's set for DeviceTargeting. This condition is used primarily to detect variants for China. For example, you can use this condition and set the value to "0804". |
+| Server | P1 | Supported | Supported | Boolean | Set the value to **0** (false) or **1** (true) to identify a server. |
+| Region | P1 | Supported | Supported | Enumeration | Use to target settings based on country/region, using the 2-digit alpha ISO code per [ISO 3166-1 alpha-2](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2). |
+| Lang | P1 | Supported | Supported | Enumeration | Use to target settings based on language code, using the 2-digit [ISO 639 alpha-2 code](https://en.wikipedia.org/wiki/ISO_639). |
+
The matching types supported in Windows 10 are:
| Matching type | Syntax | Example |
| --- | --- | --- |
| Straight match | Matching type is specified as-is | <Condition Name="ProcessorName" Value="Barton" /> |
-| Regex match | Matching type is prefixed by "Pattern:" | <Condition Name="ProcessorName" Value="Pattern:.*Celeron.*" /> |
+| Regular expression (Regex) match | Matching type is prefixed by "Pattern:" | <Condition Name="ProcessorName" Value="Pattern:.*Celeron.*" /> |
| Numeric range match | Matching type is prefixed by "!Range:" | <Condition Name="MNC" Value="!Range:400, 550" /> |
-- When all **Condition** elements are TRUE, **TargetState** is TRUE (**AND** logic).
+### TargetState priorities
-- If any of the **TargetState** elements is TRUE, **Target** is TRUE (**OR** logic), and **Id** can be used for the setting customization.
+You can define more than one **TargetState** within a provisioning package to apply settings to devices that match device conditions. When the provisioning engine evalues each **TargetState**, more than one **TargetState** may fit current device conditions. To determine the order in which the settings are applied, the system assigns a priority to every **TargetState**.
+A setting that matches a **TargetState** with a lower priority is applied before the setting that matches a **TargetState** with a higher priority. This means that a setting for the **TargetState** with the higher priority can overwrite a setting for the **TargetState** with the lower priority.
-You can define more than one **TargetState** within a provisioning package to apply variant settings that match device conditions. When the provisioning engine evalues each **TargetState**, more than one **TargetState** may fit current device conditions. To determine the order in which the variant settings are applied, the system assigns a priority to every **TargetState**.
+Settings that match more than one **TargetState** with equal priority are applied according to the order that each **TargetState** is defined in the provisioning package.
-A variant setting that matches a **TargetState** with a lower priority is applied before the variant that matches a **TargetState** with a higher priority. Variant settings that match more than one **TargetState** with equal priority are applied according to the order that each **TargetState** is defined in the provisioning package.
+The **TargetState** priority is assigned based on the condition's priority (see the [Conditions table](#conditions) for priorities). The priority evaluation rules are as followed:
-The **TargetState** priority is assigned based on the conditions priority and the priority evaluation rules are as followed:
+1. A **TargetState** with P0 conditions is higher than a **TargetState** without P0 conditions.
-1. **TargetState** with P0 conditions is higher than **TargetState** without P0 conditions.
+2. A **TargetState** with both P0 and P1 conditions is higher than a **TargetState** with only P0 conditions.
+2. A **TargetState** with a greater number of matched P0 conditions is higher than **TargetState** with fewer matched P0 conditions, regardless of the number of P1 conditions matched.
-2. **TargetState** with P1 conditions is higher than **TargetState** without P0 and P1 conditions.
+2. If the number of P0 conditions matched are equivalent, then the **TargetState** with the most matched P1 conditions has higher priority.
+3. If both P0 and P1 conditions are equally matched, then the **TargetState** with the greatest total number of matched conditions has highest priority.
-3. If N₁>N₂>0, the **TargetState** priority with N₁ P0 conditions is higher than the **TargetState** with N₂ P1 conditions.
-
-
-4. For **TargetState** without P0 conditions, if N₁>N₂>0 **TargetState** with N₁ P1 conditions is higher than the **TargetState** with N₂ P1 conditions.
-
-
-5. For **TargetState** without P0 and P1 conditions, if N₁>N₂>0 **TargetState** priority with N₁ P2 conditions is higher than the **TargetState** with N₂ P2 conditions.
-
-
-6. For rules 3, 4, and 5, if N₁=N₂, **TargetState** priorities are considered equal.
## Create a provisioning package with multivariant settings
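Review bot: the rewritten priority rules are numbered `1., 2., 2., 2., 3.` from `A **TargetState** with P0 conditions is higher` through `greatest total number of matched conditions`; renumber them 1 to 5. Rule `A **TargetState** with both P0 and P1 conditions is higher than a **TargetState** with only P0 conditions` is already implied by the later `If the number of P0 conditions matched are equivalent, then the **TargetState** with the most matched P1 conditions has higher priority`, and the final rule about the greatest total number of matched conditions can only differ from the P0/P1 comparisons if P2 conditions exist, which the table no longer lists once the removed rule 5 is gone; either mention P2 or delete that rule. The `ROMLANG` row is deleted from the conditions table without being re-added; confirm that is intentional rather than lost in the rewrite. Smaller: `evalues` should be `evaluates`, `as followed` should be `as follows`, `P0 conditions matched are equivalent` should be `is equivalent`, and the `Lang` and `Region` rows describe two-letter alphabetic codes (ISO 639-1 and ISO 3166-1 alpha-2), not "2-digit" ones.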
@@ -112,17 +99,15 @@ The **TargetState** priority is assigned based on the conditions priority and th
Follow these steps to create a provisioning package with multivariant capabilities.
-1. Build a provisioning package and configure the customizations you need to apply during certain conditions. For more information, see [Create a provisioning package](provisioning-create-package.md).
-
+1. Build a provisioning package and configure the customizations you want to apply during certain conditions. For more information, see [Create a provisioning package](provisioning-create-package.md).
2. After you've [configured the settings](provisioning-create-package.md#configure-settings), save the project.
-
-3. Open the project folder and copy the customizations.xml file.
+3. Open the project folder and copy the customizations.xml file to any local location.
4. Use an XML or text editor to open the customizations.xml file.
- The customizations.xml file holds the package metadata (including the package owner and rank) and the settings that you configured when you created your provisioning package. The Customizations node contains a Common section, which contains the customization settings.
+ The customizations.xml file holds the package metadata (including the package owner and rank) and the settings that you configured when you created your provisioning package. The **Customizations** node of the file contains a **Common** section, which contains the customization settings.
The following example shows the contents of a sample customizations.xml file.
@@ -153,7 +138,7 @@ Follow these steps to create a provisioning package with multivariant capabiliti
```
-4. Edit the customizations.xml file and create a **Targets** section to describe the conditions that will handle your multivariant settings.
+4. Edit the customizations.xml file to create a **Targets** section to describe the conditions that will handle your multivariant settings.
The following example shows the customizations.xml, which has been modified to include several conditions including **ProcessorName**, **ProcessorType**, **MCC**, and **MNC**.
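Review bot: the step `4. Edit the customizations.xml file to create a **Targets** section` reuses the number of the preceding step `4. Use an XML or text editor to open the customizations.xml file` from the hunk above; renumber this step to 5 and shift the steps that follow it.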
@@ -210,10 +195,10 @@ Follow these steps to create a provisioning package with multivariant capabiliti
c. Move compliant settings from the **Common** section to the **Variant** section.
- If any of the TargetRef elements matches the Target, all settings in the Variant are applied (OR logic).
+ If any of the **TargetRef** elements matches the **Target**, all settings in the **Variant** are applied.
>[!NOTE]
- >You can define multiple Variant sections. Settings that reside in the **Common** section are applied unconditionally on every triggering event.
+ >You can define multiple **Variant** sections. Settings that reside in the **Common** section are applied unconditionally on every triggering event.
The following example shows the customizations.xml updated to include a **Variant** section and the moved settings that will be applied if the conditions for the variant are met.
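Review bot: dropping `(OR logic)` from `If any of the **TargetRef** elements matches the **Target**, all settings in the **Variant** are applied` removes the only explicit statement of how several `TargetRef` entries combine; "if any" still implies OR, but keep the label for symmetry with the AND/OR rules for conditions. The note that `Common` settings `are applied unconditionally on every triggering event` is the important caveat in this section and reads correctly.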
@@ -289,7 +274,20 @@ In this example, the **StoreFile** corresponds to the location of the settings s
+## Events that trigger provisioning
+When you install the multivariant provisioning package on a Windows 10 device, the provisioning engine applies the matching condition settings at every event and triggers provisioning.
+
+The following events trigger provisioning on Windows 10 devices:
+
+| Event | Windows 10 Mobile | Windows 10 for desktop editions |
+| --- | --- | --- |
+| System boot | Supported | Supported |
+| Operating system update | Supported | Planned |
+| Package installation during device first run experience | Supported | Supported |
+| Detection of SIM presence or update | Supported | Supported |
+| Package installation at runtime | Supported | Supported |
+| Roaming detected | Supported | Not supported |
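Review bot: the `Detection of SIM presence or update` row now reads `Supported` for Windows 10 desktop editions, whereas the table removed from the top of the file (`| Detection of SIM presence or update | Supported | Not supported |`) said Not supported; nothing in the change explains the flip, so either it is a copy error or the support statement changed and the commit should say which. The new header `Windows 10 for desktop editions` also lost the `(Home, Pro, Enterprise, and Education)` qualifier the old table had.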
diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md
index 4e77353f2f..1f51ea87b8 100644
--- a/windows/keep-secure/TOC.md
+++ b/windows/keep-secure/TOC.md
@@ -23,6 +23,13 @@
#### [Deploy catalog files to support code integrity policies](deploy-catalog-files-to-support-code-integrity-policies.md)
### [Deploy Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md)
## [Protect derived domain credentials with Credential Guard](credential-guard.md)
+### [How it works](credential-guard-how-it-works.md)
+### [Requirements](credential-guard-requirements.md)
+### [Manage](credential-guard-manage.md)
+### [Considerations](credential-guard-considerations.md)
+### [Scenarios not protected by Credential Guard](credential-guard-not-protected-scenarios.md)
+### [Known issues](credential-manager-known-issues.md)
+### [Scripts](credential-guard-scripts.md)
## [Protect Remote Desktop credentials with Remote Credential Guard](remote-credential-guard.md)
## [Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md)
### [Create a Windows Information Protection (WIP) policy](overview-create-wip-policy.md)
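Review bot: `### [Known issues](credential-manager-known-issues.md)` points at a `credential-manager-*` filename while every sibling entry added in this hunk uses the `credential-guard-*` prefix, and no file by that name appears in the visible diff; this will be a broken TOC link unless the file exists, so rename the target to `credential-guard-known-issues.md` or add the file in this change.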
@@ -572,7 +579,7 @@
###### [Domain member: Maximum machine account password age](domain-member-maximum-machine-account-password-age.md)
###### [Domain member: Require strong (Windows 2000 or later) session key](domain-member-require-strong-windows-2000-or-later-session-key.md)
###### [Interactive logon: Display user information when the session is locked](interactive-logon-display-user-information-when-the-session-is-locked.md)
-###### [Interactive logon: Do not display last user name](interactive-logon-do-not-display-last-user-name.md)
+###### [Interactive logon: Don\'t display last signed-in](interactive-logon-do-not-display-last-user-name.md)
###### [Interactive logon: Do not require CTRL+ALT+DEL](interactive-logon-do-not-require-ctrl-alt-del.md)
###### [Interactive logon: Machine account lockout threshold](interactive-logon-machine-account-lockout-threshold.md)
###### [Interactive logon: Machine inactivity limit](interactive-logon-machine-inactivity-limit.md)
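Review bot: `[Interactive logon: Don\'t display last signed-in]` escapes the apostrophe with a backslash that the original link text did not need; markdown link text takes a plain `'`, and the backslash renders literally in some processors, so write `Don't display last signed-in`. The target file `interactive-logon-do-not-display-last-user-name.md` keeps its old name, which is fine for link stability but means the page title and file name now diverge.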
@@ -772,6 +779,13 @@
##### [Configure an Azure Active Directory application for SIEM integration](configure-aad-windows-defender-advanced-threat-protection.md)
##### [Configure Splunk to consume Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
##### [Configure HP ArcSight to consume Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
+#### [Use the threat intelligence API to create custom alerts](use-custom-ti-windows-defender-advanced-threat-protection.md)
+##### [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
+##### [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md)
+##### [Create custom threat intelligence alerts](custom-ti-api-windows-defender-advanced-threat-protection.md)
+##### [PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md)
+##### [Python code examples](python-example-code-windows-defender-advanced-threat-protection.md)
+##### [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
#### [Check sensor state](check-sensor-status-windows-defender-advanced-threat-protection.md)
##### [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md)
###### [Inactive machines](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#inactive-machines)
diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md
index 050d3dc69f..858577af50 100644
--- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md
+++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md
@@ -16,7 +16,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md
## March 2017
|New or changed topic |Description |
|---------------------|------------|
-|[Protect derived domain credentials with CredentialGuear](credential-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.|
+|[Protect derived domain credentials with Credential Guard](credential-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.|
|[Requirements and deployment planning guidelines for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.|
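Review bot: the `CredentialGuear` to `Credential Guard` fix is correct, but both rows still say `starting with Window 10, version 1703`; change that to `Windows 10` in the added line and in the Device Guard row below it while the table is open.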
diff --git a/windows/keep-secure/code/example.ps1 b/windows/keep-secure/code/example.ps1
index 877292e484..278824d13a 100644
--- a/windows/keep-secure/code/example.ps1
+++ b/windows/keep-secure/code/example.ps1
@@ -24,7 +24,7 @@ $alertDefinitions =
(Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) -Method Get -Headers $headers).value
$alertDefinitionPayload = @{
- "Name"= "The Alert's Name"
+ "Name"= "The alert's name"
"Severity"= "Low"
"InternalDescription"= "An internal description of the Alert"
"Title"= "The Title"
diff --git a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
index 775b756512..49e9d275ab 100644
--- a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
@@ -45,9 +45,7 @@ You can use System Center Configuration Manager’s existing functionality to cr
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOnboardingScript.cmd*.
-3. Onboard your devices using SCCM by following the steps in the [Onboard devices to Windows Defender ATP](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/windows-defender-advanced-threat-protection#onboard-devices-for-windows-defender-atp) topic.
-
-4. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/library/gg682178.aspx) topic.
+3. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/library/gg682178.aspx) topic.
a. Choose a predefined device collection to deploy the package to.
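Review bot: removing step `3. Onboard your devices using SCCM by following the steps in ...#onboard-devices-for-windows-defender-atp` deletes the only pointer to the Configuration Manager built-in onboarding path and leaves just the script-package route; if this page is meant to cover the package method only, add a one-line cross-reference to the SCCM topic so readers do not assume the package is the sole option. The step 2 advice to extract the script to a shared, read-only location is the right control for a script that every onboarded endpoint will execute; keep it.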
diff --git a/windows/keep-secure/credential-guard-considerations.md b/windows/keep-secure/credential-guard-considerations.md
new file mode 100644
index 0000000000..a0a3b104fb
--- /dev/null
+++ b/windows/keep-secure/credential-guard-considerations.md
@@ -0,0 +1,47 @@
+---
+title: Considerations when using Credential Guard (Windows 10)
+description: Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
+ms.assetid:
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: brianlic-msft
+---
+
+# Considerations when using Credential Guard
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+- If Credential Guard is enabled on a device after it's joined to a domain, the user and device secrets may already be compromised. We recommend that Credential Guard is enabled before the PC is joined to a domain.
+- You should perform regular reviews of the PCs that have Credential Guard enabled. This can be done with security audit policies or WMI queries. Here's a list of WinInit event IDs to look for:
+ - **Event ID 13** Credential Guard (LsaIso.exe) was started and will protect LSA credentials.
+ - **Event ID 14** Credential Guard (LsaIso.exe) configuration: 0x1, 0
+ - The first variable: 0x1 means Credential Guard is configured to run. 0x0 means it’s not configured to run.
+ - The second variable: 0 means it’s configured to run in protect mode. 1 means it's configured to run in test mode. This variable should always be 0.
+ - **Event ID 15** Credential Guard (LsaIso.exe) is configured but the secure kernel is not running; continuing without Credential Guard.
+ - **Event ID 16** Credential Guard (LsaIso.exe) failed to launch: \[error code\]
+ - **Event ID 17** Error reading Credential Guard (LsaIso.exe) UEFI configuration: \[error code\]
+ You can also verify that TPM is being used for key protection by checking the following event in the **Microsoft** -> **Windows** -> **Kernel-Boot** event source. If you are running with a TPM, the TPM PCR mask value will be something other than 0.
+ - **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0.
+- Passwords are still weak so we recommend that your organization deploy Credential Guard and move away from passwords and to other authentication methods, such as physical smart cards, virtual smart cards, or Windows Hello for Business.
+- Some 3rd party Security Support Providers (SSPs and APs) might not be compatible with Credential Guard. Credential Guard does not allow 3rd party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs are not supported. We recommend that custom implementations of SSPs/APs are tested against Credential Guard to ensure that the SSPs and APs do not depend on any undocumented or unsupported behaviors. For example, using the KerbQuerySupplementalCredentialsMessage API is not supported. You should not replace the NTLM or Kerberos SSPs with custom SSPs and APs. For more info, see [Restrictions around Registering and Installing a Security Package](http://msdn.microsoft.com/library/windows/desktop/dn865014.aspx) on MSDN.
+- As the depth and breadth of protections provided by Credential Guard are increased, subsequent releases of Windows 10 with Credential Guard running may impact scenarios that were working in the past. For example, Credential Guard may block the use of a particular type of credential or a particular component to prevent malware from taking advantage of vulnerabilities. Therefore, we recommend that scenarios required for operations in an organization are tested before upgrading a device that has Credential Guard running.
+
+- Starting with Windows 10, version 1511, domain credentials that are stored with Credential Manager are protected with Credential Guard. Credential Manager allows you to store credentials, such as user names and passwords that you use to log on to websites or other computers on a network. The following considerations apply to the Credential Guard protections for Credential Manager:
+ - Credentials saved by Remote Desktop Services cannot be used to remotely connect to another machine without supplying the password. Attempts to use saved credentials will fail, displaying the error message "Logon attempt failed".
+ - Applications that extract derived domain credentials from Credential Manager will no longer be able to use those credentials.
+ - You cannot restore credentials using the Credential Manager control panel if the credentials were backed up from a PC that has Credential Guard turned on. If you need to back up your credentials, you must do this before you enable Credential Guard. Otherwise, you won't be able to restore those credentials.
+ - Credential Guard uses hardware security so some features, such as Windows To Go, are not supported. For further information, see:
+ [Virtualization-based security](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=mD3geLJyC_8304300474)
+
+## NTLM & CHAP Considerations
+
+When you enable Credential Guard, you can no longer use NTLM v1 authentication. If you are using WiFi and VPN endpoints that are based on MS-CHAPv2, they are subject to similar attacks as NTLMv1. We recommend that organizations use certificated-based authentication for WiFi and VPN connections.
+
+## Kerberos Considerations
+
+When you enable Credential Guard, you can no longer use Kerberos unconstrained delegation or DES encryption. Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process. You must use constrained or resource-based Kerberos delegation instead.
\ No newline at end of file
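Review bot: the Event ID 51 sample contradicts the sentence that introduces it. The text says that with a TPM the PCR mask "will be something other than 0", yet the sample event ends with `TPM PCR mask: 0x0`, which is the no-TPM case; either label the sample as what a machine without a TPM logs or show a non-zero mask value. Smaller items in the same hunk: "certificated-based authentication" in the NTLM & CHAP section should be "certificate-based authentication"; the Windows To Go bullet ends in "For further information, see:" with the link pushed onto its own indented line, so the link should be joined to the bullet; and the file is written without a trailing newline.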
diff --git a/windows/keep-secure/credential-guard-how-it-works.md b/windows/keep-secure/credential-guard-how-it-works.md
new file mode 100644
index 0000000000..b1e48f5ef8
--- /dev/null
+++ b/windows/keep-secure/credential-guard-how-it-works.md
@@ -0,0 +1,31 @@
+---
+title: How Credential Guard works
+description: Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
+ms.assetid:
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: brianlic-msft
+---
+
+# How Credential Guard works
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+Kerberos, NTLM, and Credential manager isolate secrets by using virtualization-based security. Previous versions of Windows stored secrets in the Local Security Authority (LSA). Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using virtualization-based security and is not accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.
+
+For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. All of these binaries are signed with a certificate that is trusted by virtualization-based security and these signatures are validated before launching the file in the protected environment.
+
+When Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP cannot use the signed-in credentials. Thus, single sign-on does not work with these protocols. However, applications can prompt for credentials or use credentials stored in the Windows Vault which are not protected by Credential Guard with any of these protocols. It is strongly recommended that valuable credentials, such as the sign-in credentials, not be used with any of these protocols. If these protocols must be used by domain or Azure AD users, secondary credentials should be provisioned for these use cases.
+
+When Credential Guard is enabled, Kerberos does not allow unconstrained Kerberos delegation or DES encryption, not only for signed-in credentials, but also prompted or saved credentials.
+
+Here's a high-level overview on how the LSA is isolated by using virtualization-based security:
+
+
+
+For further information, see [Virtualization-based security](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=mD3geLJyC_8304300474)
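Review bot: the closing sentence "Here's a high-level overview on how the LSA is isolated by using virtualization-based security:" is followed only by blank lines, so the diagram it introduces is missing from the new file; add the image reference or drop the sentence. Also `ms.assetid:` in the front matter is left empty, and the first body sentence, "Kerberos, NTLM, and Credential manager isolate secrets by using virtualization-based security.", reads as if those components do this on their own; it needs the condition the rest of the paragraph relies on ("When Credential Guard is enabled, ..."), and "Credential Manager" should be capitalized the same way as in the other pages of this change.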
diff --git a/windows/keep-secure/credential-guard-manage.md b/windows/keep-secure/credential-guard-manage.md
new file mode 100644
index 0000000000..7f913589d7
--- /dev/null
+++ b/windows/keep-secure/credential-guard-manage.md
@@ -0,0 +1,188 @@
+---
+title: Manage Credential Guard (Windows 10)
+description: Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
+ms.assetid:
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: brianlic-msft
+---
+
+# Manage Credential Guard
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+## Enable Credential Guard
+Credential Guard can be enabled by using [Group Policy](#turn-on-credential-guard-by-using-group-policy), the [registry](#turn-on-credential-guard-by-using-the-registry), or the Device Guard and Credential Guard [hardware readiness tool](#hardware-readiness-tool).
+
+### Enable Credential Guard by using Group Policy
+
+You can use Group Policy to enable Credential Guard. This will add and enable the virtualization-based security features for you if needed.
+
+1. From the Group Policy Management Console, go to **Computer Configuration** -> **Administrative Templates** -> **System** -> **Device Guard**.
+2. Double-click **Turn On Virtualization Based Security**, and then click the **Enabled** option.
+3. **Select Platform Security Level** box, choose **Secure Boot** or **Secure Boot and DMA Protection**.
+4. In the **Credential Guard Configuration** box, click **Enabled with UEFI lock**, and then click **OK**. If you want to be able to turn off Credential Guard remotely, choose **Enabled without lock**.
+
+ 
+
+5. Close the Group Policy Management Console.
+
+To enforce processing of the group policy, you can run ```gpupdate /force```.
+
+For further information, see: [Deploying Credential Guard] (https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=sRcyvLJyC_3304300474)
+
+### Enable Credential Guard by using the registry
+
+If you don't use Group Policy, you can enable Credential Guard by using the registry. Credential Guard uses virtualization-based security features which have to be enabled first on some operating systems.
+
+### Add the virtualization-based security features
+
+Starting with Windows 10, version 1607 and Windows Server 2016, enabling Windows features to use virtualization-based security is not necessary and this step can be skipped.
+
+If you are using Windows 10, version 1507 (RTM) or Windows 10, version 1511, Windows features have to be enabled to use virtualization-based security.
+You can do this by using either the Control Panel or the Deployment Image Servicing and Management tool (DISM).
+> [!NOTE]
+> If you enable Credential Guard by using Group Policy, these steps are not required. Group Policy will install the features for you.
+
+
+**Add the virtualization-based security features by using Programs and Features**
+
+1. Open the Programs and Features control panel.
+2. Click **Turn Windows feature on or off**.
+3. Go to **Hyper-V** -> **Hyper-V Platform**, and then select the **Hyper-V Hypervisor** check box.
+4. Select the **Isolated User Mode** check box at the top level of the feature selection.
+5. Click **OK**.
+
+**Add the virtualization-based security features to an offline image by using DISM**
+
+1. Open an elevated command prompt.
+2. Add the Hyper-V Hypervisor by running the following command:
+ ```
+ dism /image: /Enable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /all
+ ```
+3. Add the Isolated User Mode feature by running the following command:
+ ```
+ dism /image: /Enable-Feature /FeatureName:IsolatedUserMode
+ ```
+
+> [!NOTE]
+> You can also add these features to an online image by using either DISM or Configuration Manager.
+
+### Enable virtualization-based security and Credential Guard
+
+1. Open Registry Editor.
+2. Enable virtualization-based security:
+ - Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\DeviceGuard.
+ - Add a new DWORD value named **EnableVirtualizationBasedSecurity**. Set the value of this registry setting to 1 to enable virtualization-based security and set it to 0 to disable it.
+ - Add a new DWORD value named **RequirePlatformSecurityFeatures**. Set the value of this registry setting to 1 to use **Secure Boot** only or set it to 3 to use **Secure Boot and DMA protection**.
+3. Enable Credential Guard:
+ - Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA.
+ - Add a new DWORD value named **LsaCfgFlags**. Set the value of this registry setting to 1 to enable Credential Guard with UEFI lock, set it to 2 to enable Credential Guard without lock, and set it to 0 to disable it.
+4. Close Registry Editor.
+
+
+> [!NOTE]
+> You can also turn on Credential Guard by setting the registry entries in the [FirstLogonCommands](http://msdn.microsoft.com/library/windows/hardware/dn922797.aspx) unattend setting.
+
+
+### Enable Credential Guard by using the Device Guard and Credential Guard hardware readiness tool
+
+You can also enable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
+
+```
+DG_Readiness_Tool_v3.0.ps1 -Enable -AutoReboot
+```
+
+### Credential Guard deployment in virtual machines
+
+Credential Guard can protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. The enablement steps are the same from within the virtual machine.
+
+Credential Guard protects secrets from non-privileged access inside the VM. It does not provide additional protection from the host administrator. From the host, you can disable Credential Guard for a virtual machine:
+
+``` PowerShell
+Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true
+```
+
+Requirements for running Credential Guard in Hyper-V virtual machines
+- The Hyper-V host must have an IOMMU, and run at least Windows Server 2016 or Windows 10 version 1607.
+- The Hyper-V virtual machine must be Generation 2, have an enabled virtual TPM, and running at least Windows Server 2016 or Windows 10.
+
+For further information, see: [Deploying Credential Guard] (https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=sRcyvLJyC_3304300474)
+
+### Remove Credential Guard
+
+If you have to remove Credential Guard on a PC, you can use the following set of procedures, or you can [use the Device Guard and Credential Guard hardware readiness tool](#turn-off-with-hardware-readiness-tool).
+
+1. If you used Group Policy, disable the Group Policy setting that you used to enable Credential Guard (**Computer Configuration** -> **Administrative Templates** -> **System** -> **Device Guard** -> **Turn on Virtualization Based Security**).
+2. Delete the following registry settings:
+ - HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA\LsaCfgFlags
+ - HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\EnableVirtualizationBasedSecurity
+ - HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\RequirePlatformSecurityFeatures
+
+ > [!IMPORTANT]
+ > If you manually remove these registry settings, make sure to delete them all. If you don't remove them all, the device might go into BitLocker recovery.
+
+3. Delete the Credential Guard EFI variables by using bcdedit.
+
+**Delete the Credential Guard EFI variables**
+
+1. From an elevated command prompt, type the following commands:
+ ``` syntax
+
+ mountvol X: /s
+
+ copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y
+
+ bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader
+
+ bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi"
+
+ bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}
+
+ bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO
+
+ bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X:
+
+ mountvol X: /d
+
+ ```
+2. Restart the PC.
+3. Accept the prompt to disable Credential Guard.
+4. Alternatively, you can disable the virtualization-based security features to turn off Credential Guard.
+
+> [!NOTE]
+> The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. If you want to turn off both Credential Guard and virtualization-based security, run the following bcdedit command after turning off all virtualization-based security Group Policy and registry settings: bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
+
+For more info on virtualization-based security and Device Guard, see [Device Guard deployment guide](device-guard-deployment-guide.md).
+
+
+#### Turn off Credential Guard by using the Device Guard and Credential Guard hardware readiness tool
+
+You can also disable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
+
+```
+DG_Readiness_Tool_v3.0.ps1 -Disable -AutoReboot
+```
+
+### Check that Credential Guard is running
+
+You can use System Information to ensure that Credential Guard is running on a PC.
+
+1. Click **Start**, type **msinfo32.exe**, and then click **System Information**.
+2. Click **System Summary**.
+3. Confirm that **Credential Guard** is shown next to **Device Guard Security Services Running**.
+
+ Here's an example:
+
+ 
+
+You can also check that Credential Guard is running by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
+
+```
+DG_Readiness_Tool_v3.0.ps1 -Ready
+```
\ No newline at end of file
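Review bot: the removal procedure does not undo the enable-by-registry procedure in the same file. "Enable virtualization-based security and Credential Guard" writes `EnableVirtualizationBasedSecurity` and `RequirePlatformSecurityFeatures` under `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard`, but "Remove Credential Guard" deletes only the `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceGuard` copies, so a device enabled through the registry keeps those values after following the steps, and the IMPORTANT note right below warns that leftover values can send the device into BitLocker recovery; list the Control\DeviceGuard values as well. Other problems in the hunk: the anchors in "Enable Credential Guard" (`#turn-on-credential-guard-by-using-group-policy`, `#turn-on-credential-guard-by-using-the-registry`, `#hardware-readiness-tool`) and the later `#turn-off-with-hardware-readiness-tool` match no heading in the file, whose headings begin "Enable Credential Guard by using ..." and "Turn off Credential Guard by using ..."; both `[Deploying Credential Guard] (https://...)` links have a space between `]` and `(` and will not render as links; the two `dism /image: /Enable-Feature` commands and `Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true` are missing their path and VM name arguments (a placeholder was presumably lost), so they fail as written; `LSA\LsaCfgFlags` uses a single backslash where every other path in the file is escaped as `\\`; the "Add the virtualization-based security features" and "Enable virtualization-based security and Credential Guard" headings are `###` although they are sub-steps of the registry section; and the file lacks a trailing newline.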
diff --git a/windows/keep-secure/credential-guard-not-protected-scenarios.md b/windows/keep-secure/credential-guard-not-protected-scenarios.md
new file mode 100644
index 0000000000..70848bcecc
--- /dev/null
+++ b/windows/keep-secure/credential-guard-not-protected-scenarios.md
@@ -0,0 +1,153 @@
+---
+title: Scenarios not protected by Credential Guard (Windows 10)
+description: Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
+ms.assetid:
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: brianlic-msft
+---
+
+# Scenarios not protected by Credential Guard
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+Some ways to store credentials are not protected by Credential Guard, including:
+
+- Software that manages credentials outside of Windows feature protection
+- Local accounts and Microsoft Accounts
+- Credential Guard does not protect the Active Directory database running on Windows Server 2016 domain controllers. It also does not protect credential input pipelines, such as Windows Server 2016 servers running Remote Desktop Gateway. If you're using a Windows Server 2016 server as a client PC, it will get the same protection as it would when running Windows 10 Enterprise.
+- Key loggers
+- Physical attacks
+- Does not prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access to high value assets in your organization.
+- Third-party security packages
+- Digest and CredSSP credentials
+ - When Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols.
+- Supplied credentials for NTLM authentication are not protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. Note that these same credentials are vulnerable to key loggers as well.
+
+For further information, see: [Credentials Protected by Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474)
+
+## Additional mitigations
+
+Credential Guard can provide mitigations against attacks on derived credentials and prevent the use of stolen credentials elsewhere. However, PCs can still be vulnerable to certain attacks, even if the derived credentials are protected by Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, reusing previously stolen credentials prior to Device Guard, and abuse of management tools and weak application configurations. Because of this, additional mitigations also need to be deployed to make the domain environment more robust.
+
+### Restricting domain users to specific domain-joined devices
+
+Credential theft attacks allow the attacker to steal secrets from one device and use them from another device. If a user can sign in to multiple devices then any device could be used to steal credentials. How do you ensure that users only sign in using devices that have Credential Guard enabled? By deploying authentication policies that restrict them to specific domain-joined devices that have been configured with Credential Guard. For the domain controller to know what device a user is signing on from, Kerberos armoring must be used.
+
+### Kerberos armoring
+
+Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring, its TGT is used to protect the user's proof of possession which can mitigate offline dictionary attacks. Kerberos armoring also provides the additional benefit of signed KDC errors this mitigates tampering which can result in things such as downgrade attacks.
+
+**To enable Kerberos armoring for restricting domain users to specific domain-joined devices**
+
+- Users need to be in domains that are running Windows Server 2012 R2 or higher
+- All the domain controllers in these domains must be configured to support Kerberos armoring. Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**.
+- All the devices with Credential Guard that the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**.
+
+### Protecting domain-joined device secrets
+
+Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Credential Guard, the private key can be protected. Then authentication policies can require that users sign on devices which authenticate using those certificates. This prevents shared secrets stolen from the device to be used with stolen user credentials to sign in as the user.
+
+Domain-joined device certificate authentication has the following requirements:
+- Devices' accounts are in Windows Server 2012 domain functional level or higher domains.
+- All domain controllers in those domains have KDC certificates which satisfy strict KDC validation certificate requirements:
+ - KDC EKU present
+ - DNS domain name matches the DNSName field of the SubjectAltName (SAN) extension
+- Windows 10 devices have the CA issuing the domain controller certificates in the enterprise store.
+- A process is established to ensure the identity and trustworthiness of the device in a similar manner as you would establish the identity and trustworthiness of a user before issuing them a smartcard.
+
+#### Deploying domain-joined device certificates
+
+To guarantee that certificates with the required issuance policy are only installed on the devices these users must use, they must be deployed manually on each device. The same security procedures used for issuing smart cards to users should be applied to device certificates.
+
+For example, let's say you wanted to use the High Assurance policy only on these devices. Using a Windows Server Enterprise certificate authority, you would create a new template.
+
+**Creating a new certificate template**
+
+1. From the Certificate Manager console, right-click **Certificate Templates**, and then click **Manage.**
+2. Right-click **Workstation Authentication**, and then click **Duplicate Template**.
+3. Right-click the new template, and then click **Properties**.
+4. On the **Extensions** tab, click **Application Policies**, and then click **Edit**.
+5. Click **Client Authentication**, and then click **Remove**.
+6. Add the ID-PKInit-KPClientAuth EKU. Click **Add**, click **New**, and then specify the following values:
+ - Name: Kerberos Client Auth
+ - Object Identifier: 1.3.6.1.5.2.3.4
+7. On the **Extensions** tab, click **Issuance Policies**, and then click **Edit**.
+8. Under **Issuance Policies**, click**High Assurance**.
+9. On the **Subject name** tab, clear the **DNS name** check box, and then select the **User Principal Name (UPN)** check box.
+
+Then on the devices that are running Credential Guard, enroll the devices using the certificate you just created.
+
+**Enrolling devices in a certificate**
+
+Run the following command:
+``` syntax
+CertReq -EnrollCredGuardCert MachineAuthentication
+```
+
+> [!NOTE]
+> You must restart the device after enrolling the machine authentication certificate.
+
+### How a certificate issuance policy can be used for access control
+
+Beginning with the Windows Server 2008 R2 domain functional level, domain controllers support for authentication mechanism assurance provides a way to map certificate issuance policy OIDs to universal security groups. Windows Server 2012 domain controllers with claim support can map them to claims. To learn more about authentication mechanism assurance, see [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](https://technet.microsoft.com/en-us/library/dd378897(v=ws.10).aspx) on TechNet.
+
+**To see the issuance policies available**
+
+- The [get-IssuancePolicy.ps1](#bkmk-getscript) shows all of the issuance policies that are available on the certificate authority.
+ From a Windows PowerShell command prompt, run the following command:
+
+ ``` syntax
+ .\get-IssuancePolicy.ps1 –LinkedToGroup:All
+ ```
+
+**To link an issuance policy to a universal security group**
+
+- The [set-IssuancePolicyToGroupLink.ps1](#bkmk-setscript) creates a Universal security group, creates an organizational unit, and links the issuance policy to that Universal security group.
+ From a Windows PowerShell command prompt, run the following command:
+
+ ``` syntax
+ .\set-IssuancePolicyToGroupLink.ps1 –IssuancePolicyName:"" –groupOU:"" –groupName:”"
+ ```
+
+### Restricting user sign on
+
+So we now have completed the following:
+
+- Created a special certificate issuance policy to identify devices that meet the deployment criteria required for the user to be able to sign in
+- Mapped that policy to a universal security group or claim
+- Provided a way for domain controllers to get the device authorization data during user sign in using Kerberos armoring. Now what is left to do is to configure the access check on the domain controllers. This is done using authentication policies.
+
+Authentication policies have the following requirements:
+- User accounts are in a Windows Server 2012 domain functional level or higher domain.
+
+**Creating an authentication policy restricting users to the specific universal security group**
+
+1. Open Active Directory Administrative Center.
+2. Click **Authentication**, click **New**, and then click **Authentication Policy**.
+3. In the **Display name** box, enter a name for this authentication policy.
+4. Under the **Accounts** heading, click **Add**.
+5. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the user account you with to restrict, and then click **OK**.
+6. Under the **User Sign On** heading, click the **Edit** button.
+7. Click **Add a condition**.
+8. In the **Edit Access Control Conditions** box, ensure that it reads **User** > **Group** > **Member of each** > **Value**, and then click **Add items**.
+9. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the universal security group that you created with the set-IssuancePolicyToGroupLink script, and then click **OK**.
+10. Click **OK** to close the **Edit Access Control Conditions** box.
+11. Click **OK** to create the authentication policy.
+12. Close Active Directory Administrative Center.
+
+> [!NOTE]
+> When the authentication policy enforces policy restrictions, users will not be able to sign on using devices that do not have a certificate with the appropriate issuance policy deployed. This applies to both local and remote sign on scenarios. Therefore, it is strongly recommended to first only audit policy restrictions to ensure you don't have unexpected failures.
+
+### Discovering authentication failures due to authentication policies
+
+To make tracking authentication failures due to authentication policies easier, an operational log exists with just those events. To enable the logs on the domain controllers, in Event Viewer, navigate to **Applications and Services Logs\\Microsoft\\Windows\\Authentication, right-click AuthenticationPolicyFailures-DomainController**, and then click **Enable Log**.
+
+To learn more about authentication policy events, see [Authentication Policies and Authentication Policy Silos](https://technet.microsoft.com/en-us/library/dn486813(v=ws.11).aspx).
+
+For further information, see: [Protecting privileged users with Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=JNbjYMJyC_8104300474)
\ No newline at end of file
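Review bot: the two PowerShell examples are not copy-pasteable. `.\get-IssuancePolicy.ps1 –LinkedToGroup:All` and `.\set-IssuancePolicyToGroupLink.ps1 –IssuancePolicyName:"" –groupOU:"" –groupName:”"` use an en dash (U+2013) instead of `-` before each parameter name, and the last argument opens with a curly quote; replace them with ASCII hyphens and straight quotes. The links `[get-IssuancePolicy.ps1](#bkmk-getscript)` and `[set-IssuancePolicyToGroupLink.ps1](#bkmk-setscript)` point to anchors that exist nowhere in this 153-line file, so either the scripts need to be added here or the links need to point to wherever they live. Wording: "click**High Assurance**" is missing a space; "the user account you with to restrict" should be "wish to restrict"; "signed KDC errors this mitigates tampering" needs a sentence break after "errors"; "prevents shared secrets stolen from the device to be used" should be "from being used"; "neither Digest nor CredSSP have access" should be "has access"; and "reusing previously stolen credentials prior to Device Guard" under "Additional mitigations" looks like it should say Credential Guard, which is what the paragraph is about. In "Discovering authentication failures due to authentication policies" the bold span starts at "Applications and Services Logs" and runs through "AuthenticationPolicyFailures-DomainController", swallowing ", right-click"; split it so only the two UI names are bold. The file also lacks a trailing newline.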
diff --git a/windows/keep-secure/credential-guard-requirements.md b/windows/keep-secure/credential-guard-requirements.md
new file mode 100644
index 0000000000..f1d8842363
--- /dev/null
+++ b/windows/keep-secure/credential-guard-requirements.md
@@ -0,0 +1,111 @@
+---
+title: Credential Guard Requirements (Windows 10)
+description: Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: brianlic-msft
+---
+
+# Requirements
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+For Credential Guard to provide protections, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally Credential Guard blocks specific authentication capabilities, so applications which require blocked capabilities will break. We will refer to this as [Application requirements](#application-requirements). Beyond that, computers can meet additional hardware and firmware qualifications, and receive additional protection—those computers will be more hardened against certain threats. To keep this section brief, those will be in [Security Considerations](#security-considerations).
+
+### Hardware and software requirements
+
+To provide basic protection against OS level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Credential Manager uses:
+- Support for Virtualization-based security (required)
+- Secure boot (required)
+- TPM 2.0 either discrete or firmware (preferred - provides binding to hardware)
+- UEFI lock (preferred - prevents attacker from disabling with a simple registry key change)
+
+The Virtualization-based security requires:
+- 64 bit CPU
+- CPU virtualization extensions plus extended page tables
+- Windows hypervisor
+
+### Application requirements
+
+When Credential Guard is enabled, specific authentication capabilities are blocked, so applications which require blocked capabilities will break. Applications should be tested prior to deployment to ensure compatiblity with the reduced functionality.
+
+>[!WARNING]
+> Enabling Credential Guard on domain controllers is not supported.
+> The domain controller hosts authentication services which integrate with processes isolated when Credential Guard is enabled, causing crashes.
+
+>[!NOTE]
+> Credential Guard does not provide protections for the Active Directory database or the Security Accounts Manager (SAM). The credentials protected by Kerberos and NTLM when Credential Guard is enabled are also in the Active Directory database (on domain controllers) and the SAM (for local accounts).
+
+Applications will break if they require:
+- Kerberos DES encryption support
+- Kerberos unconstrained delegation
+- Extracting the Kerberos TGT
+- NTLMv1
+
+Applications will prompt & expose credentials to risk if they require:
+- Digest authentication
+- Credential delegation
+- MS-CHAPv2
+
+Applications may cause performance issues when they attempt to hook the isolated Credential Guard process.
+
+### Security considerations
+
+All computers that meet baseline protections for hardware, firmware, and software can use Credential Guard.
+Computers that meet additional qualifications can provide additional protections to further reduce the attack surface.
+The following tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017.
+
+> [!NOTE]
+> Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new shipping computers.
+> If you are an OEM, see [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx).
+
+#### Baseline protections
+
+|Baseline Protections | Description |
+|---------------------------------------------|----------------------------------------------------|
+| Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. |
+| Hardware: **CPU virtualization extensions**,
plus **extended page tables** | **Requirements**: These hardware features are required for VBS:
One of the following virtualization extensions:
• VT-x (Intel) or
• AMD-V
And:
• Extended page tables, also called Second Level Address Translation (SLAT).
**Security benefits**: VBS provides isolation of secure kernel from normal operating system. Vulnerabilities and Day 0s in normal operating system cannot be exploited because of this isolation. |
+| Hardware: **Trusted Platform Module (TPM)** | **Requirement**: TPM 1.2 or TPM 2.0, either discrete or firmware.
[TPM recommendations](https://technet.microsoft.com/itpro/windows/keep-secure/tpm-recommendations)
**Security benefits**: A TPM provides protection for VBS encryption keys that are stored in the firmware. This helps protect against attacks involving a physically present user with BIOS access. |
+| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)
**Security benefits**: UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
+| Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).
**Security benefits**: UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
+| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise
Important:
Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.
**Security benefits**: Support for VBS and for management features that simplify configuration of Credential Guard. |
+
+> [!IMPORTANT]
+> The following tables list additional qualifications for improved security. We strongly recommend meeting the additional qualifications to significantly strengthen the level of security that Credential Guard can provide.
+
+#### 2015 Additional security qualifications starting with Windows 10, version 1507, and Windows Server 2016 Technical Preview 4
+
+| Protections for Improved Security | Description |
+|---------------------------------------------|----------------------------------------------------|
+| Hardware: **IOMMU** (input/output memory management unit) | **Requirement**: VT-D or AMD Vi IOMMU
**Security benefits**: An IOMMU can enhance system resiliency against memory attacks. For more information, see [ACPI description tables](https://msdn.microsoft.com/windows/hardware/drivers/bringup/acpi-system-description-tables). |
+| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
• BIOS password or stronger authentication must be supported.
• In the BIOS configuration, BIOS authentication must be set.
• There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
• In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.
**Security benefits**:
• BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.
• Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. |
+| Firmware: **Secure MOR, revision 2 implementation** | **Requirement**: Secure MOR, revision 2 implementation
**Security benefits**: A secure MOR bit prevents advanced memory attacks. For more information, see [Secure MOR implementation](https://msdn.microsoft.com/windows/hardware/drivers/bringup/device-guard-requirements). |
+
+
+
+#### 2016 Additional security qualifications starting with Windows 10, version 1607, and Windows Server 2016
+
+> [!IMPORTANT]
+> The following tables list additional qualifications for improved security. Systems that meet these additional qualifications can provide more protections.
+
+| Protections for Improved Security | Description |
+|---------------------------------------------|----------------------------------------------------|
+| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:
Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)
• The Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332(v=vs.85).aspx).
**Security benefits**:
• Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
• HSTI provides additional security assurance for correctly secured silicon and platform. |
+| Firmware: **Firmware Update through Windows Update** | **Requirements**: Firmware must support field updates through Windows Update and UEFI encapsulation update.
**Security benefits**: Helps ensure that firmware updates are fast, secure, and reliable. |
+| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
• Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
• Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.
**Security benefits**:
• Enterprises can choose to allow proprietary EFI drivers/applications to run.
• Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. |
+
+
+
+#### 2017 Additional security qualifications starting with Windows 10, version 1703
+
+The following table lists qualifications for Windows 10, version 1703, which are in addition to all preceding qualifications.
+
+| Protection for Improved Security | Description |
+|---------------------------------------------|----------------------------------------------------|
+| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:
• VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be exceutable.
• UEFI runtime service must meet these requirements:
- Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
- PE sections need to be page-aligned in memory (not required for in non-volitile storage).
- The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
- All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
- No entries may be left with neither of the above attributes, indicating memory that is both exceutable and writable. Memory must be either readable and executable or writeable and non-executable.
Notes:
• This only applies to UEFI runtime service memory, and not UEFI boot service memory.
• This protection is applied by VBS on OS page tables.
Please also note the following:
• Do not use sections that are both writeable and exceutable
• Do not attempt to directly modify executable system memory
• Do not use dynamic code
**Security benefits**:
• Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware. |
+| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.
**Security benefits**:
• Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware.
• Blocks additional security attacks against SMM. |
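Review bot: the first "Security benefits" bullet of the "Firmware support for SMM protection" row is a garbled copy of the NX row's first bullet ("Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS"), which is not a sentence; either rewrite it as "Potential vulnerabilities in UEFI runtime services, if any, are blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)" or drop it and the duplicated "Reduces the attack surface to VBS from system firmware" bullet, keeping only the SMM-specific "Blocks additional security attacks against SMM". In the same tables, "exceutable" (three times in the NX row), "volitile", "Day 0s" (zero-days) and "AMD Vi" (AMD-Vi) are misspelled, and the NX row's "Please also note the following" list gives three prohibitions without saying they are directed at the firmware's UEFI runtime service code; say so, since the rest of the row is written as a hardware requirement.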
diff --git a/windows/keep-secure/credential-guard-scripts.md b/windows/keep-secure/credential-guard-scripts.md
new file mode 100644
index 0000000000..5d7eb958a6
--- /dev/null
+++ b/windows/keep-secure/credential-guard-scripts.md
@@ -0,0 +1,488 @@
+---
+title: Credential Guard Scripts (Windows 10)
+description: Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
+ms.assetid:
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: brianlic-msft
+---
+
+# Credential Guard Scripts
+
+Here is a list of scripts that are mentioned in this topic.
+
+## Get the available issuance policies on the certificate authority
+
+Save this script file as get-IssuancePolicy.ps1.
+
+``` syntax
+#######################################
+## Parameters to be defined ##
+## by the user ##
+#######################################
+Param (
+$Identity,
+$LinkedToGroup
+)
+#######################################
+## Strings definitions ##
+#######################################
+Data getIP_strings {
+# culture="en-US"
+ConvertFrom-StringData -stringdata @'
+help1 = This command can be used to retrieve all available Issuance Policies in a forest. The forest of the currently logged on user is targeted.
+help2 = Usage:
+help3 = The following parameter is mandatory:
+help4 = -LinkedToGroup:
+help5 = "yes" will return only Issuance Policies that are linked to groups. Checks that the linked Issuance Policies are linked to valid groups.
+help6 = "no" will return only Issuance Policies that are not currently linked to any group.
+help7 = "all" will return all Issuance Policies defined in the forest. Checks that the linked Issuance policies are linked to valid groups.
+help8 = The following parameter is optional:
+help9 = -Identity:. If you specify an identity, the option specified in the "-LinkedToGroup" parameter is ignored.
+help10 = Output: This script returns the Issuance Policy objects meeting the criteria defined by the above parameters.
+help11 = Examples:
+errorIPNotFound = Error: no Issuance Policy could be found with Identity "{0}"
+ErrorNotSecurity = Error: Issuance Policy "{0}" is linked to group "{1}" which is not of type "Security".
+ErrorNotUniversal = Error: Issuance Policy "{0}" is linked to group "{1}" whose scope is not "Universal".
+ErrorHasMembers = Error: Issuance Policy "{0}" is linked to group "{1}" which has a non-empty membership. The group has the following members:
+LinkedIPs = The following Issuance Policies are linked to groups:
+displayName = displayName : {0}
+Name = Name : {0}
+dn = distinguishedName : {0}
+ InfoName = Linked Group Name: {0}
+ InfoDN = Linked Group DN: {0}
+NonLinkedIPs = The following Issuance Policies are NOT linked to groups:
+'@
+}
+##Import-LocalizedData getIP_strings
+import-module ActiveDirectory
+#######################################
+## Help ##
+#######################################
+function Display-Help {
+ ""
+ $getIP_strings.help1
+ ""
+$getIP_strings.help2
+""
+$getIP_strings.help3
+" " + $getIP_strings.help4
+" " + $getIP_strings.help5
+ " " + $getIP_strings.help6
+ " " + $getIP_strings.help7
+""
+$getIP_strings.help8
+ " " + $getIP_strings.help9
+ ""
+ $getIP_strings.help10
+""
+""
+$getIP_strings.help11
+ " " + '$' + "myIPs = .\get-IssuancePolicy.ps1 -LinkedToGroup:All"
+ " " + '$' + "myLinkedIPs = .\get-IssuancePolicy.ps1 -LinkedToGroup:yes"
+ " " + '$' + "myIP = .\get-IssuancePolicy.ps1 -Identity:""Medium Assurance"""
+""
+}
+$root = get-adrootdse
+$domain = get-addomain -current loggedonuser
+$configNCDN = [String]$root.configurationNamingContext
+if ( !($Identity) -and !($LinkedToGroup) ) {
+display-Help
+break
+}
+if ($Identity) {
+ $OIDs = get-adobject -Filter {(objectclass -eq "msPKI-Enterprise-Oid") -and ((name -eq $Identity) -or (displayname -eq $Identity) -or (distinguishedName -like $Identity)) } -searchBase $configNCDN -properties *
+ if ($OIDs -eq $null) {
+$errormsg = $getIP_strings.ErrorIPNotFound -f $Identity
+write-host $errormsg -ForegroundColor Red
+ }
+ foreach ($OID in $OIDs) {
+ if ($OID."msDS-OIDToGroupLink") {
+# In case the Issuance Policy is linked to a group, it is good to check whether there is any problem with the mapping.
+ $groupDN = $OID."msDS-OIDToGroupLink"
+ $group = get-adgroup -Identity $groupDN
+ $groupName = $group.Name
+# Analyze the group
+ if ($group.groupCategory -ne "Security") {
+$errormsg = $getIP_strings.ErrorNotSecurity -f $Identity, $groupName
+ write-host $errormsg -ForegroundColor Red
+ }
+ if ($group.groupScope -ne "Universal") {
+ $errormsg = $getIP_strings.ErrorNotUniversal -f $Identity, $groupName
+write-host $errormsg -ForegroundColor Red
+ }
+ $members = Get-ADGroupMember -Identity $group
+ if ($members) {
+ $errormsg = $getIP_strings.ErrorHasMembers -f $Identity, $groupName
+write-host $errormsg -ForegroundColor Red
+ foreach ($member in $members) {
+ write-host " " $member -ForeGroundColor Red
+ }
+ }
+ }
+ }
+ return $OIDs
+ break
+}
+if (($LinkedToGroup -eq "yes") -or ($LinkedToGroup -eq "all")) {
+ $LDAPFilter = "(&(objectClass=msPKI-Enterprise-Oid)(msDS-OIDToGroupLink=*)(flags=2))"
+ $LinkedOIDs = get-adobject -searchBase $configNCDN -LDAPFilter $LDAPFilter -properties *
+ write-host ""
+ write-host "*****************************************************"
+ write-host $getIP_strings.LinkedIPs
+ write-host "*****************************************************"
+ write-host ""
+ if ($LinkedOIDs -ne $null){
+ foreach ($OID in $LinkedOIDs) {
+# Display basic information about the Issuance Policies
+ ""
+ $getIP_strings.displayName -f $OID.displayName
+ $getIP_strings.Name -f $OID.Name
+ $getIP_strings.dn -f $OID.distinguishedName
+# Get the linked group.
+ $groupDN = $OID."msDS-OIDToGroupLink"
+ $group = get-adgroup -Identity $groupDN
+ $getIP_strings.InfoName -f $group.Name
+ $getIP_strings.InfoDN -f $groupDN
+# Analyze the group
+ $OIDName = $OID.displayName
+ $groupName = $group.Name
+ if ($group.groupCategory -ne "Security") {
+ $errormsg = $getIP_strings.ErrorNotSecurity -f $OIDName, $groupName
+ write-host $errormsg -ForegroundColor Red
+ }
+ if ($group.groupScope -ne "Universal") {
+ $errormsg = $getIP_strings.ErrorNotUniversal -f $OIDName, $groupName
+ write-host $errormsg -ForegroundColor Red
+ }
+ $members = Get-ADGroupMember -Identity $group
+ if ($members) {
+ $errormsg = $getIP_strings.ErrorHasMembers -f $OIDName, $groupName
+ write-host $errormsg -ForegroundColor Red
+ foreach ($member in $members) {
+ write-host " " $member -ForeGroundColor Red
+ }
+ }
+ write-host ""
+ }
+ }else{
+write-host "There are no issuance policies that are mapped to a group"
+ }
+ if ($LinkedToGroup -eq "yes") {
+ return $LinkedOIDs
+ break
+ }
+}
+if (($LinkedToGroup -eq "no") -or ($LinkedToGroup -eq "all")) {
+ $LDAPFilter = "(&(objectClass=msPKI-Enterprise-Oid)(!(msDS-OIDToGroupLink=*))(flags=2))"
+ $NonLinkedOIDs = get-adobject -searchBase $configNCDN -LDAPFilter $LDAPFilter -properties *
+ write-host ""
+ write-host "*********************************************************"
+ write-host $getIP_strings.NonLinkedIPs
+ write-host "*********************************************************"
+ write-host ""
+ if ($NonLinkedOIDs -ne $null) {
+ foreach ($OID in $NonLinkedOIDs) {
+# Display basic information about the Issuance Policies
+write-host ""
+$getIP_strings.displayName -f $OID.displayName
+$getIP_strings.Name -f $OID.Name
+$getIP_strings.dn -f $OID.distinguishedName
+write-host ""
+ }
+ }else{
+write-host "There are no issuance policies which are not mapped to groups"
+ }
+ if ($LinkedToGroup -eq "no") {
+ return $NonLinkedOIDs
+ break
+ }
+}
+```
+> [!NOTE]
+> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.
+
+### Link an issuance policy to a group
+
+Save the script file as set-IssuancePolicyToGroupLink.ps1.
+
+``` syntax
+#######################################
+## Parameters to be defined ##
+## by the user ##
+#######################################
+Param (
+$IssuancePolicyName,
+$groupOU,
+$groupName
+)
+#######################################
+## Strings definitions ##
+#######################################
+Data ErrorMsg {
+# culture="en-US"
+ConvertFrom-StringData -stringdata @'
+help1 = This command can be used to set the link between a certificate issuance policy and a universal security group.
+help2 = Usage:
+help3 = The following parameters are required:
+help4 = -IssuancePolicyName:
+help5 = -groupName:. If no name is specified, any existing link to a group is removed from the Issuance Policy.
+help6 = The following parameter is optional:
+help7 = -groupOU:. If this parameter is not specified, the group is looked for or created in the Users container.
+help8 = Examples:
+help9 = This command will link the issuance policy whose display name is "High Assurance" to the group "HighAssuranceGroup" in the Organizational Unit "OU_FOR_IPol_linked_groups". If the group or the Organizational Unit do not exist, you will be prompted to create them.
+help10 = This command will unlink the issuance policy whose name is "402.164959C40F4A5C12C6302E31D5476062" from any group.
+MultipleIPs = Error: Multiple Issuance Policies with name or display name "{0}" were found in the subtree of "{1}"
+NoIP = Error: no issuance policy with name or display name "{0}" could be found in the subtree of "{1}".
+IPFound = An Issuance Policy with name or display name "{0}" was successfully found: {1}
+MultipleOUs = Error: more than 1 Organizational Unit with name "{0}" could be found in the subtree of "{1}".
+confirmOUcreation = Warning: The Organizational Unit that you specified does not exist. Do you want to create it?
+OUCreationSuccess = Organizational Unit "{0}" successfully created.
+OUcreationError = Error: Organizational Unit "{0}" could not be created.
+OUFoundSuccess = Organizational Unit "{0}" was successfully found.
+multipleGroups = Error: More than one group with name "{0}" was found in Organizational Unit "{1}".
+confirmGroupCreation = Warning: The group that you specified does not exist. Do you want to create it?
+groupCreationSuccess = Univeral Security group "{0}" successfully created.
+groupCreationError = Error: Univeral Security group "{0}" could not be created.
+GroupFound = Group "{0}" was successfully found.
+confirmLinkDeletion = Warning: The Issuance Policy "{0}" is currently linked to group "{1}". Do you really want to remove the link?
+UnlinkSuccess = Certificate issuance policy successfully unlinked from any group.
+UnlinkError = Removing the link failed.
+UnlinkExit = Exiting without removing the link from the issuance policy to the group.
+IPNotLinked = The Certificate issuance policy is not currently linked to any group. If you want to link it to a group, you should specify the -groupName option when starting this script.
+ErrorNotSecurity = Error: You cannot link issuance Policy "{0}" to group "{1}" because this group is not of type "Security".
+ErrorNotUniversal = Error: You cannot link issuance Policy "{0}" to group "{1}" because the scope of this group is not "Universal".
+ErrorHasMembers = Error: You cannot link issuance Policy "{0}" to group "{1}" because it has a non-empty membership. The group has the following members:
+ConfirmLinkReplacement = Warning: The Issuance Policy "{0}" is currently linked to group "{1}". Do you really want to update the link to point to group "{2}"?
+LinkSuccess = The certificate issuance policy was successfully linked to the specified group.
+LinkError = The certificate issuance policy could not be linked to the specified group.
+ExitNoLinkReplacement = Exiting without setting the new link.
+'@
+}
+# import-localizeddata ErrorMsg
+function Display-Help {
+""
+write-host $ErrorMsg.help1
+""
+write-host $ErrorMsg.help2
+""
+write-host $ErrorMsg.help3
+write-host "`t" $ErrorMsg.help4
+write-host "`t" $ErrorMsg.help5
+""
+write-host $ErrorMsg.help6
+write-host "`t" $ErrorMsg.help7
+""
+""
+write-host $ErrorMsg.help8
+""
+write-host $ErrorMsg.help9
+".\Set-IssuancePolicyToGroupMapping.ps1 -IssuancePolicyName ""High Assurance"" -groupOU ""OU_FOR_IPol_linked_groups"" -groupName ""HighAssuranceGroup"" "
+""
+write-host $ErrorMsg.help10
+'.\Set-IssuancePolicyToGroupMapping.ps1 -IssuancePolicyName "402.164959C40F4A5C12C6302E31D5476062" -groupName $null '
+""
+}
+# Assumption: The group to which the Issuance Policy is going
+# to be linked is (or is going to be created) in
+# the domain the user running this script is a member of.
+import-module ActiveDirectory
+$root = get-adrootdse
+$domain = get-addomain -current loggedonuser
+if ( !($IssuancePolicyName) ) {
+display-Help
+break
+}
+#######################################
+## Find the OID object ##
+## (aka Issuance Policy) ##
+#######################################
+$searchBase = [String]$root.configurationnamingcontext
+$OID = get-adobject -searchBase $searchBase -Filter { ((displayname -eq $IssuancePolicyName) -or (name -eq $IssuancePolicyName)) -and (objectClass -eq "msPKI-Enterprise-Oid")} -properties *
+if ($OID -eq $null) {
+$tmp = $ErrorMsg.NoIP -f $IssuancePolicyName, $searchBase
+write-host $tmp -ForeGroundColor Red
+break;
+}
+elseif ($OID.GetType().IsArray) {
+$tmp = $ErrorMsg.MultipleIPs -f $IssuancePolicyName, $searchBase
+write-host $tmp -ForeGroundColor Red
+break;
+}
+else {
+$tmp = $ErrorMsg.IPFound -f $IssuancePolicyName, $OID.distinguishedName
+write-host $tmp -ForeGroundColor Green
+}
+#######################################
+## Find the container of the group ##
+#######################################
+if ($groupOU -eq $null) {
+# default to the Users container
+$groupContainer = $domain.UsersContainer
+}
+else {
+$searchBase = [string]$domain.DistinguishedName
+$groupContainer = get-adobject -searchBase $searchBase -Filter { (Name -eq $groupOU) -and (objectClass -eq "organizationalUnit")}
+if ($groupContainer.count -gt 1) {
+$tmp = $ErrorMsg.MultipleOUs -f $groupOU, $searchBase
+write-host $tmp -ForegroundColor Red
+break;
+}
+elseif ($groupContainer -eq $null) {
+$tmp = $ErrorMsg.confirmOUcreation
+write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline
+$userChoice = read-host
+if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) {
+new-adobject -Name $groupOU -displayName $groupOU -Type "organizationalUnit" -ProtectedFromAccidentalDeletion $true -path $domain.distinguishedName
+if ($?){
+$tmp = $ErrorMsg.OUCreationSuccess -f $groupOU
+write-host $tmp -ForegroundColor Green
+}
+else{
+$tmp = $ErrorMsg.OUCreationError -f $groupOU
+write-host $tmp -ForeGroundColor Red
+break;
+}
+$groupContainer = get-adobject -searchBase $searchBase -Filter { (Name -eq $groupOU) -and (objectClass -eq "organizationalUnit")}
+}
+else {
+break;
+}
+}
+else {
+$tmp = $ErrorMsg.OUFoundSuccess -f $groupContainer.name
+write-host $tmp -ForegroundColor Green
+}
+}
+#######################################
+## Find the group ##
+#######################################
+if (($groupName -ne $null) -and ($groupName -ne "")){
+##$searchBase = [String]$groupContainer.DistinguishedName
+$searchBase = $groupContainer
+$group = get-adgroup -Filter { (Name -eq $groupName) -and (objectClass -eq "group") } -searchBase $searchBase
+if ($group -ne $null -and $group.gettype().isarray) {
+$tmp = $ErrorMsg.multipleGroups -f $groupName, $searchBase
+write-host $tmp -ForeGroundColor Red
+break;
+}
+elseif ($group -eq $null) {
+$tmp = $ErrorMsg.confirmGroupCreation
+write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline
+$userChoice = read-host
+if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) {
+new-adgroup -samAccountName $groupName -path $groupContainer.distinguishedName -GroupScope "Universal" -GroupCategory "Security"
+if ($?){
+$tmp = $ErrorMsg.GroupCreationSuccess -f $groupName
+write-host $tmp -ForegroundColor Green
+}else{
+$tmp = $ErrorMsg.groupCreationError -f $groupName
+write-host $tmp -ForeGroundColor Red
+break
+}
+$group = get-adgroup -Filter { (Name -eq $groupName) -and (objectClass -eq "group") } -searchBase $searchBase
+}
+else {
+break;
+}
+}
+else {
+$tmp = $ErrorMsg.GroupFound -f $group.Name
+write-host $tmp -ForegroundColor Green
+}
+}
+else {
+#####
+## If the group is not specified, we should remove the link if any exists
+#####
+if ($OID."msDS-OIDToGroupLink" -ne $null) {
+$tmp = $ErrorMsg.confirmLinkDeletion -f $IssuancePolicyName, $OID."msDS-OIDToGroupLink"
+write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline
+$userChoice = read-host
+if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) {
+set-adobject -Identity $OID -Clear "msDS-OIDToGroupLink"
+if ($?) {
+$tmp = $ErrorMsg.UnlinkSuccess
+write-host $tmp -ForeGroundColor Green
+}else{
+$tmp = $ErrorMsg.UnlinkError
+write-host $tmp -ForeGroundColor Red
+}
+}
+else {
+$tmp = $ErrorMsg.UnlinkExit
+write-host $tmp
+break
+}
+}
+else {
+$tmp = $ErrorMsg.IPNotLinked
+write-host $tmp -ForeGroundColor Yellow
+}
+break;
+}
+#######################################
+## Verify that the group is ##
+## Universal, Security, and ##
+## has no members ##
+#######################################
+if ($group.GroupScope -ne "Universal") {
+$tmp = $ErrorMsg.ErrorNotUniversal -f $IssuancePolicyName, $groupName
+write-host $tmp -ForeGroundColor Red
+break;
+}
+if ($group.GroupCategory -ne "Security") {
+$tmp = $ErrorMsg.ErrorNotSecurity -f $IssuancePolicyName, $groupName
+write-host $tmp -ForeGroundColor Red
+break;
+}
+$members = Get-ADGroupMember -Identity $group
+if ($members -ne $null) {
+$tmp = $ErrorMsg.ErrorHasMembers -f $IssuancePolicyName, $groupName
+write-host $tmp -ForeGroundColor Red
+foreach ($member in $members) {write-host " $member.name" -ForeGroundColor Red}
+break;
+}
+#######################################
+## We have verified everything. We ##
+## can create the link from the ##
+## Issuance Policy to the group. ##
+#######################################
+if ($OID."msDS-OIDToGroupLink" -ne $null) {
+$tmp = $ErrorMsg.ConfirmLinkReplacement -f $IssuancePolicyName, $OID."msDS-OIDToGroupLink", $group.distinguishedName
+write-host $tmp "( (y)es / (n)o )" -ForegroundColor Yellow -nonewline
+$userChoice = read-host
+if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) {
+$tmp = @{'msDS-OIDToGroupLink'= $group.DistinguishedName}
+set-adobject -Identity $OID -Replace $tmp
+if ($?) {
+$tmp = $Errormsg.LinkSuccess
+write-host $tmp -Foreground Green
+}else{
+$tmp = $ErrorMsg.LinkError
+write-host $tmp -Foreground Red
+}
+} else {
+$tmp = $Errormsg.ExitNoLinkReplacement
+write-host $tmp
+break
+}
+}
+else {
+$tmp = @{'msDS-OIDToGroupLink'= $group.DistinguishedName}
+set-adobject -Identity $OID -Add $tmp
+if ($?) {
+$tmp = $Errormsg.LinkSuccess
+write-host $tmp -Foreground Green
+}else{
+$tmp = $ErrorMsg.LinkError
+write-host $tmp -Foreground Red
+}
+}
+```
+
+> [!NOTE]
+> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.
\ No newline at end of file
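Review bot: `write-host " $member.name"` in the member-listing loop near the end of set-IssuancePolicyToGroupLink.ps1 expands only `$member` inside the double-quoted string, so it prints the member object followed by the literal text ".name"; use `"  $($member.name)"`, or pass `$member.name` unquoted the way get-IssuancePolicy.ps1 does with `write-host " " $member`. Two documentation mismatches in the same script: the page says to save it as set-IssuancePolicyToGroupLink.ps1, but both usage examples in its Display-Help invoke `.\Set-IssuancePolicyToGroupMapping.ps1`; and the note repeated after both scripts, "try replacing the single quote after the ConvertFrom-StringData parameter", never says what to replace it with. If the intended problem is that copying from the rendered page turns `@'` / `'@` into curly quotes, say that, and add that the closing `'@` of the here-string has to start its line. Smaller points: both fences are tagged ``` syntax rather than ```powershell, so the scripts get no highlighting; "Univeral" in groupCreationSuccess and groupCreationError; the `break` that follows each `return` in get-IssuancePolicy.ps1 is unreachable; the opening sentence "scripts that are mentioned in this topic" is wrong, since this topic only hosts them; and "### Link an issuance policy to a group" is nested under the first script's "##" heading although it is a sibling section.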
diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md
index 7d3b48530d..2cc6cd8b31 100644
--- a/windows/keep-secure/credential-guard.md
+++ b/windows/keep-secure/credential-guard.md
@@ -1,7 +1,6 @@
---
title: Protect derived domain credentials with Credential Guard (Windows 10)
description: Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
-ms.assetid: 4F1FE390-A166-4A24-8530-EA3369FEB4B1
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
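Review bot: this hunk removes the ms.assetid GUID from credential-guard.md while the new credential-guard-scripts.md added in the same change carries an empty `ms.assetid:` key; choose one convention (keep the GUID here and assign one to the new topic, or drop the key from both) rather than shipping an empty key in one file and a deleted one in the other.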
@@ -16,7 +15,7 @@ author: brianlic-msft
- Windows 10
- Windows Server 2016
-Introduced in Windows 10 Enterprise and Windows Server 2016, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials.
+Introduced in Windows 10 Enterprise and Windows Server 2016, Credential Guard uses virtualization-based security (VBS) to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials.
By enabling Credential Guard, the following features and solutions are provided:
@@ -24,928 +23,12 @@ By enabling Credential Guard, the following features and solutions are provided:
- **Virtualization-based security** Windows NTLM and Kerberos derived credentials and other secrets run in a protected environment that is isolated from the running operating system.
- **Better protection against advanced persistent threats** When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate Device Guard and other security strategies and architectures.
-## How it works
+• How to prevent credential theft
+• Virtualization-based security
+• Credential Guard Design
-Kerberos, NTLM, and Credential manager isolate secrets that previous versions of Windows stored in the Local Security Authority (LSA) by using virtualization-based security. Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using virtualization-based security and is not accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.
-For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. All of these binaries are signed with a certificate that is trusted by virtualization-based security and these signatures are validated before launching the file in the protected environment.
-When Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP cannot use the signed-in credentials. Thus, single sign-on does not work with these protocols. However, applications can prompt for credentials or use credentials stored in the Windows Vault which are not protected by Credential Guard with any of these protocol. It is strongly recommended that valuable credentials, such as the sign-in credentials, not be used with any of these protocols. If these protocols must be used by domain or Azure AD users, secondary credentials should be provisioned for these use cases.
-
-When Credential Guard is enabled, Kerberos does not allow unconstrained Kerberos delegation or DES encryption, not only for signed-in credentials, but also prompted or saved credentials.
-
-Here's a high-level overview on how the LSA is isolated by using virtualization-based security:
-
-
-
-## Requirements
-
-For Credential Guard to provide protections, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally Credential Guard blocks specific authentication capabilities, so applications which require blocked capabilities will break. We will refer to this as [Application requirements](#application-requirements). Beyond that, computers can meet additional hardware and firmware qualifications, and receive additional protection—those computers will be more hardened against certain threats. To keep this section brief, those will be in [Security Considerations](#security-considerations).
-
-### Hardware and software requirements
-
-To provide basic protection against OS level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Credential Manager uses:
-- Support for Virtualization-based security (required)
-- TPM 2.0 either discrete or firmware (preferred - provides binding to hardware)
-- UEFI lock (preferred - prevents attacker from disabling with a simple registry key change)
-
-The Virtualization-based security requires:
-- 64 bit CPU
-- CPU virtualization extensions plus extended page tables
-- Windows hypervisor
-
-### Application requirements
-
-When Credential Guard is enabled, specific authentication capabilities are blocked, so applications which require blocked capabilities will break. Applications should be tested prior to deployment to ensure compatiblity with the reduced functionality.
-
->[!WARNING]
-> Enabling Credential Guard on domain controllers is not supported.
-> The domain controller hosts authentication services which integrate with processes isolated when Credential Guard is enabled, causing crashes.
-
->[!NOTE]
-> Credential Guard does not provide protections for the Active Directory database or the Security Accounts Manager (SAM). The credentials protected by Kerberos and NTLM when Credential Guard is enabled are also in the Active Directory database (on domain controllers) and the SAM (for local accounts).
-
-Applications will break if they require:
-- Kerberos DES encryption support
-- Kerberos unconstrained delegation
-- Extracting the Kerberos TGT
-- NTLMv1
-
-Applications will prompt & expose credentials to risk if they require:
-- Digest authentication
-- Credential delegation
-- MS-CHAPv2
-
-Applications may cause performance issues when they attempt to hook the isolated Credential Guard process.
-
-### Security considerations
-
-All computers that meet baseline protections for hardware, firmware, and software can use Credential Guard.
-Computers that meet additional qualifications can provide additional protections to further reduce the attack surface.
-The following tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017.
-
-> [!NOTE]
-> Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new computers.
-> If you are an OEM, see [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx).
-
-#### Baseline protections
-
-|Baseline Protections | Description |
-|---------------------------------------------|----------------------------------------------------|
-| Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. |
-| Hardware: **CPU virtualization extensions**,
plus **extended page tables** | **Requirements**: These hardware features are required for VBS:
One of the following virtualization extensions:
• VT-x (Intel) or
• AMD-V
And:
• Extended page tables, also called Second Level Address Translation (SLAT).
**Security benefits**: VBS provides isolation of secure kernel from normal operating system. Vulnerabilities and Day 0s in normal operating system cannot be exploited because of this isolation. |
-| Hardware: **Trusted Platform Module (TPM)** | **Requirement**: TPM 1.2 or TPM 2.0, either discrete or firmware.
**Security benefits**: A TPM provides protection for VBS encryption keys that are stored in the firmware. This helps protect against attacks involving a physically present user with BIOS access. |
-| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)
**Security benefits**: UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
-| Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).
**Security benefits**: UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
-| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise
Important:
Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.
**Security benefits**: Support for VBS and for management features that simplify configuration of Credential Guard. |
-
-> [!IMPORTANT]
-> The following tables list additional qualifications for improved security. We strongly recommend meeting the additional qualifications to significantly strengthen the level of security that Credential Guard can provide.
-
-#### 2015 Additional security qualifications starting with Windows 10, version 1507, and Windows Server 2016 Technical Preview 4
-
-| Protections for Improved Security | Description |
-|---------------------------------------------|----------------------------------------------------|
-| Hardware: **IOMMU** (input/output memory management unit) | **Requirement**: VT-D or AMD Vi IOMMU
**Security benefits**: An IOMMU can enhance system resiliency against memory attacks. For more information, see [ACPI description tables](https://msdn.microsoft.com/windows/hardware/drivers/bringup/acpi-system-description-tables). |
-| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
• BIOS password or stronger authentication must be supported.
• In the BIOS configuration, BIOS authentication must be set.
• There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
• In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.
**Security benefits**:
• BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.
• Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. |
-| Firmware: **Secure MOR, revision 2 implementation** | **Requirement**: Secure MOR, revision 2 implementation
**Security benefits**: A secure MOR bit prevents advanced memory attacks. For more information, see [Secure MOR implementation](https://msdn.microsoft.com/windows/hardware/drivers/bringup/device-guard-requirements). |
-
-
-
-#### 2016 Additional security qualifications starting with Windows 10, version 1607, and Windows Server 2016
-
-> [!IMPORTANT]
-> The following tables list additional qualifications for improved security. Systems that meet these additional qualifications can provide more protections.
-
-| Protections for Improved Security | Description |
-|---------------------------------------------|----------------------------------------------------|
-| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:
Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)
• The Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332(v=vs.85).aspx).
**Security benefits**:
• Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
• HSTI provides additional security assurance for correctly secured silicon and platform. |
-| Firmware: **Firmware Update through Windows Update** | **Requirements**: Firmware must support field updates through Windows Update and UEFI encapsulation update.
**Security benefits**: Helps ensure that firmware updates are fast, secure, and reliable. |
-| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
• Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
• Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.
**Security benefits**:
• Enterprises can choose to allow proprietary EFI drivers/applications to run.
• Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. |
-
-
-
-#### 2017 Additional security qualifications starting with Windows 10, version 1703
-
-The following table lists qualifications for Windows 10, version 1703, which are in addition to all preceding qualifications.
-
-| Protection for Improved Security | Description |
-|---------------------------------------------|----------------------------------------------------|
-| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:
• VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be exceutable.
• UEFI runtime service must meet these requirements:
- Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
- PE sections need to be page-aligned in memory (not required for in non-volitile storage).
- The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
- All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
- No entries may be left with neither of the above attributes, indicating memory that is both exceutable and writable. Memory must be either readable and executable or writeable and non-executable.
Notes:
• This only applies to UEFI runtime service memory, and not UEFI boot service memory.
• This protection is applied by VBS on OS page tables.
Please also note the following:
• Do not use sections that are both writeable and exceutable
• Do not attempt to directly modify executable system memory
• Do not use dynamic code
**Security benefits**:
• Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware. |
-| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.
**Security benefits**:
• Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware.
• Blocks additional security attacks against SMM. |
-
-## Manage Credential Guard
-
-### Enable Credential Guard
-Credential Guard can be enabled by using [Group Policy](#turn-on-credential-guard-by-using-group-policy), the [registry](#turn-on-credential-guard-by-using-the-registry), or the Device Guard and Credential Guard [hardware readiness tool](#hardware-readiness-tool).
-
-#### Turn on Credential Guard by using Group Policy
-
-You can use Group Policy to enable Credential Guard. This will add and enable the virtualization-based security features for you if needed.
-
-1. From the Group Policy Management Console, go to **Computer Configuration** -> **Administrative Templates** -> **System** -> **Device Guard**.
-2. Double-click **Turn On Virtualization Based Security**, and then click the **Enabled** option.
-3. **Select Platform Security Level** box, choose **Secure Boot** or **Secure Boot and DMA Protection**.
-4. In the **Credential Guard Configuration** box, click **Enabled with UEFI lock**, and then click **OK**. If you want to be able to turn off Credential Guard remotely, choose **Enabled without lock**.
-
- 
-
-5. Close the Group Policy Management Console.
-
-To enforce processing of the group policy, you can run ```gpupdate /force```.
-
-#### Turn on Credential Guard by using the registry
-
-If you don't use Group Policy, you can enable Credential Guard by using the registry. Credential Guard uses virtualization-based security features which have to be enabled first on some operating systems.
-
-#### Add the virtualization-based security features
-
-Starting with Windows 10, version 1607 and Windows Server 2016, enabling Windows features to use virtualization-based security is not necessary and this step can be skipped.
-
-If you are using Windows 10, version 1507 (RTM) or Windows 10, version 1511, Windows features have to be enabled to use virtualization-based security.
-You can do this by using either the Control Panel or the Deployment Image Servicing and Management tool (DISM).
-> [!NOTE]
-> If you enable Credential Guard by using Group Policy, these steps are not required. Group Policy will install the features for you.
-
-
-**Add the virtualization-based security features by using Programs and Features**
-
-1. Open the Programs and Features control panel.
-2. Click **Turn Windows feature on or off**.
-3. Go to **Hyper-V** -> **Hyper-V Platform**, and then select the **Hyper-V Hypervisor** check box.
-4. Select the **Isolated User Mode** check box at the top level of the feature selection.
-5. Click **OK**.
-
-**Add the virtualization-based security features to an offline image by using DISM**
-
-1. Open an elevated command prompt.
-2. Add the Hyper-V Hypervisor by running the following command:
- ```
- dism /image: /Enable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /all
- ```
-3. Add the Isolated User Mode feature by running the following command:
- ```
- dism /image: /Enable-Feature /FeatureName:IsolatedUserMode
- ```
-
-> [!NOTE]
-> You can also add these features to an online image by using either DISM or Configuration Manager.
-
-#### Enable virtualization-based security and Credential Guard
-
-1. Open Registry Editor.
-2. Enable virtualization-based security:
- - Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\DeviceGuard.
- - Add a new DWORD value named **EnableVirtualizationBasedSecurity**. Set the value of this registry setting to 1 to enable virtualization-based security and set it to 0 to disable it.
- - Add a new DWORD value named **RequirePlatformSecurityFeatures**. Set the value of this registry setting to 1 to use **Secure Boot** only or set it to 3 to use **Secure Boot and DMA protection**.
-3. Enable Credential Guard:
- - Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA.
- - Add a new DWORD value named **LsaCfgFlags**. Set the value of this registry setting to 1 to enable Credential Guard with UEFI lock, set it to 2 to enable Credential Guard without lock, and set it to 0 to disable it.
-4. Close Registry Editor.
-
-
-> [!NOTE]
-> You can also turn on Credential Guard by setting the registry entries in the [FirstLogonCommands](http://msdn.microsoft.com/library/windows/hardware/dn922797.aspx) unattend setting.
-
-
-#### Turn on Credential Guard by using the Device Guard and Credential Guard hardware readiness tool
-
-You can also enable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
-
-```
-DG_Readiness_Tool_v3.0.ps1 -Enable -AutoReboot
-```
-
-#### Credential Guard deployment in virtual machines
-
-Credential Guard can protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. The enablement steps are the same from within the virtual machine.
-
-Credential Guard protects secrets from non-priviledged access inside the VM. It does not provide additional protection from the host administrator. From the host, you can disable Credential Guard for a virtual machine:
-
-``` PowerShell
-Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true
-```
-
-Requirements for running Credential Guard in Hyper-V virtual machines
-- The Hyper-V host must have an IOMMU, and run at least Windows Server 2016 or Windows 10 version 1607.
-- The Hyper-V virtual machine must be Generation 2, have an enabled virtual TPM, and running at least Windows Server 2016 or Windows 10.
-
-### Remove Credential Guard
-
-If you have to remove Credential Guard on a PC, you can use the following set of procedures, or you can [use the Device Guard and Credential Guard hardware readiness tool](#turn-off-with-hardware-readiness-tool).
-
-1. If you used Group Policy, disable the Group Policy setting that you used to enable Credential Guard (**Computer Configuration** -> **Administrative Templates** -> **System** -> **Device Guard** -> **Turn on Virtualization Based Security**).
-2. Delete the following registry settings:
- - HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA\LsaCfgFlags
- - HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\EnableVirtualizationBasedSecurity
- - HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\RequirePlatformSecurityFeatures
-
- > [!IMPORTANT]
- > If you manually remove these registry settings, make sure to delete them all. If you don't remove them all, the device might go into BitLocker recovery.
-
-3. Delete the Credential Guard EFI variables by using bcdedit.
-
-**Delete the Credential Guard EFI variables**
-
-1. From an elevated command prompt, type the following commands:
- ``` syntax
-
- mountvol X: /s
-
- copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y
-
- bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader
-
- bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi"
-
- bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}
-
- bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO
-
- bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X:
-
- mountvol X: /d
-
- ```
-2. Restart the PC.
-3. Accept the prompt to disable Credential Guard.
-4. Alternatively, you can disable the virtualization-based security features to turn off Credential Guard.
-
-> [!NOTE]
-> The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. If you want to turn off both Credential Guard and virtualization-based security, run the following bcdedit command after turning off all virtualization-based security Group Policy and registry settings: bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
-
-For more info on virtualization-based security and Device Guard, see [Device Guard deployment guide](device-guard-deployment-guide.md).
-
-
-#### Turn off Credential Guard by using the Device Guard and Credential Guard hardware readiness tool
-
-You can also disable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
-
-```
-DG_Readiness_Tool_v3.0.ps1 -Disable -AutoReboot
-```
-
-### Check that Credential Guard is running
-
-You can use System Information to ensure that Credential Guard is running on a PC.
-
-1. Click **Start**, type **msinfo32.exe**, and then click **System Information**.
-2. Click **System Summary**.
-3. Confirm that **Credential Guard** is shown next to **Device Guard Security Services Running**.
-
- Here's an example:
-
- 
-
-You can also check that Credential Guard is running by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
-
-```
-DG_Readiness_Tool_v3.0.ps1 -Ready
-```
-
-## Considerations when using Credential Guard
-
-- If Credential Guard is enabled on a device after it's joined to a domain, the user and device secrets may already be compromised. We recommend that Credential Guard is enabled before the PC is joined to a domain.
-- You should perform regular reviews of the PCs that have Credential Guard enabled. This can be done with security audit policies or WMI queries. Here's a list of WinInit event IDs to look for:
- - **Event ID 13** Credential Guard (LsaIso.exe) was started and will protect LSA credentials.
- - **Event ID 14** Credential Guard (LsaIso.exe) configuration: 0x1, 0
- - The first variable: 0x1 means Credential Guard is configured to run. 0x0 means it’s not configured to run.
- - The second variable: 0 means it’s configured to run in protect mode. 1 means it's configured to run in test mode. This variable should always be 0.
- - **Event ID 15** Credential Guard (LsaIso.exe) is configured but the secure kernel is not running; continuing without Credential Guard.
- - **Event ID 16** Credential Guard (LsaIso.exe) failed to launch: \[error code\]
- - **Event ID 17** Error reading Credential Guard (LsaIso.exe) UEFI configuration: \[error code\]
- You can also verify that TPM is being used for key protection by checking the following event in the **Microsoft** -> **Windows** -> **Kernel-Boot** event source. If you are running with a TPM, the TPM PCR mask value will be something other than 0.
- - **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0.
-- Passwords are still weak so we recommend that your organization deploy Credential Guard and move away from passwords and to other authentication methods, such as physical smart cards, virtual smart cards, or Windows Hello for Business.
-- Some 3rd party Security Support Providers (SSPs and APs) might not be compatible with Credential Guard. Credential Guard does not allow 3rd party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs are not supported. We recommend that custom implementations of SSPs/APs are tested against Credential Guard to ensure that the SSPs and APs do not depend on any undocumented or unsupported behaviors. For example, using the KerbQuerySupplementalCredentialsMessage API is not supported. You should not replace the NTLM or Kerberos SSPs with custom SSPs and APs. For more info, see [Restrictions around Registering and Installing a Security Package](http://msdn.microsoft.com/library/windows/desktop/dn865014.aspx) on MSDN.
-- As the depth and breadth of protections provided by Credential Guard are increased, subsequent releases of Windows 10 with Credential Guard running may impact scenarios that were working in the past. For example, Credential Guard may block the use of a particular type of credential or a particular component to prevent malwar efrom taking advantage of vulnerabilities. Therefore, we recommend that scenarios required for operations in an organization are tested before upgrading a device that has Credential Guard running.
-
-- Starting with Windows 10, version 1511, domain credentials that are stored with Credential Manager are protected with Credential Guard. Credential Manager allows you to store credentials, such as user names and passwords that you use to log on to websites or other computers on a network. The following considerations apply to the Credential Guard protections for Credential Manager:
- - Credentials saved by Remote Desktop Services cannot be used to remotely connect to another machine without supplying the password. Attempts to use saved credentials will fail, displaying the error message "Logon attempt failed".
- - Applications that extract derived domain credentials from Credential Manager will no longer be able to use those credentials.
- - You cannot restore credentials using the Credential Manager control panel if the credentials were backed up from a PC that has Credential Guard turned on. If you need to back up your credentials, you must do this before you enable Credential Guard. Otherwise, you won't be able to restore those credentials.
- - Credential Guard uses hardware security so some features, such as Windows To Go, are not supported.
-
-### NTLM & CHAP Considerations
-
-When you enable Credential Guard, you can no longer use NTLM v1 authentication. If you are using WiFi and VPN endpoints that are based on MS-CHAPv2, they are subject to similar attacks as NTLMv1. We recommend that organizations use certificated-based authentication for WiFi and VPN connections.
-
-### Kerberos Considerations
-
-When you enable Credential Guard, you can no longer use Kerberos unconstrained delegation or DES encryption. Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process. You must use constrained or resource-based Kerberos delegation instead.
-
-## Scenarios not protected by Credential Guard
-
-Some ways to store credentials are not protected by Credential Guard, including:
-
-- Software that manages credentials outside of Windows feature protection
-- Local accounts and Microsoft Accounts
-- Credential Guard does not protect the Active Directory database running on Windows Server 2016 domain controllers. It also does not protect credential input pipelines, such as Windows Server 2016 servers running Remote Desktop Gateway. If you're using a Windows Server 2016 server as a client PC, it will get the same protection as it would be running Windows 10 Enterprise.
-- Key loggers
-- Physical attacks
-- Does not prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access high value assets in your organization.
-- Third-party security packages
-- Digest and CredSSP credentials
- - When Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols.
-- Supplied credentials for NTLM authentication are not protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. Note that these same credentials are vulnerable to key loggers as well.
-
-## Additional mitigations
-
-Credential Guard can provide mitigations against attacks on derived credentials and prevent the use of stolen credentials elsewhere. However, PCs can still be vulnerable to certain attacks, even if the derived credentials are protected by Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, reusing previously stolen credentials prior to Device Guard, and abuse of management tools and weak application configurations. Because of this, additional mitigations also need to be deployed to make the domain environment more robust.
-
-### Restricting domain users to specific domain-joined devices
-
-Credential theft attacks allow the attacker to steal secrets from one device and use them from another device. If a user can sign on multiple devices then any device could be used to steal credentials. How do you ensure that users only sign on with devices with Credential Guard? By deploying authentication policies which restrict them to specific domain-joined device that have been configured with Credential Guard. For the domain controller to know what device a user is signing on from, Kerberos armoring must be used.
-
-#### Kerberos armoring
-
-Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring, its TGT is used to protect the user's proof of possession which can mitigate offline dictionary attacks. Kerberos armoring also provides the additional benefit of signed KDC errors this mitigates tampering which can result in things such as downgrade attacks.
-
-**To enable Kerberos armoring for restricting domain users to specific domain-joined devices**
-
-- Users need to be in domains which are running Windows Server 2012 R2 or higher
-- All the domain controllers in these domains must be configured to support Kerberos armoring. Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**.
-- All the devices with Credential Guard which the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**.
-
-#### Protecting domain-joined device secrets
-
-Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Credential Guard, the private key can be protected. Then authentication policies can require that users sign on devices which authenticate using those certificates. This prevents shared secrets on stolen from the device to be used with stolen user credentials to sign on as the user.
-
-Domain-joined device certificate authentication has the following requirements:
-- Devices' accounts are in Windows Server 2012 domain funcational level or higher domains.
-- All domain controllers in those domains have KDC certificates which satisfy strict KDC validation certificate requirements:
- - KDC EKU present
- - DNS domain name matches the DNSName field of the SubjectAltName (SAN) extension
-- Windows 10 devices have the CA issuing the domain controller certificates in the enterprise store.
-- A process is established to ensure the identity and trustworthiness of the device in a similar manner as you would establish the identity and trustworthiness of a user before issuing them a smartcard.
-
-##### Deploying domain-joined device certificates
-
-To guarantee that certificates with the issuance policy required are only on the devices these users must use, they must be deployed manually on each device. The same security procedures used for issuing smart cards to users should be applied to device certificates.
-
-For example, let's say you wanted to use the High Assurance policy only on these devices. Using a Windows Server Enterprise certificate authority, you would create a new template.
-
-**Creating a new certificate template**
-
-1. From the Certificate Manager console, right-click **Certificate Templates**, and then click **Manage.**
-2. Right-click **Workstation Authentication**, and then click **Duplicate Template**.
-3. Right-click the new template, and then click **Properties**.
-4. On the **Extensions** tab, click **Application Policies**, and then click **Edit**.
-5. Click **Client Authentication**, and then click **Remove**.
-6. Add the ID-PKInit-KPClientAuth EKU. Click **Add**, click **New**, and then specify the following values:
- - Name: Kerberos Client Auth
- - Object Identifier: 1.3.6.1.5.2.3.4
-7. On the **Extensions** tab, click **Issuance Policies**, and then click **Edit**.
-8. Under **Issuance Policies**, click**High Assurance**.
-9. On the **Subject name** tab, clear the **DNS name** check box, and then select the **User Principal Name (UPN)** check box.
-
-Then on the devices that are running Credential Guard, enroll the devices using the certificate you just created.
-
-**Enrolling devices in a certificate**
-
-Run the following command:
-``` syntax
-CertReq -EnrollCredGuardCert MachineAuthentication
-```
-
-> [!NOTE]
-> You must restart the device after enrolling the machine authentication certificate.
-
-#### How a certificate issuance policy can be used for access control
-
-Beginning with the Windows Server 2008 R2 domain functional level, domain controllers support for authentication mechanism assurance provides a way to map certificate issuance policy OIDs to universal security groups. Windows Server 2012 domain controllers with claim support can map them to claims. To learn more about authentication mechanism assurance, see [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](https://technet.microsoft.com/en-us/library/dd378897(v=ws.10).aspx) on TechNet.
-
-**To see the issuance policies available**
-
-- The [get-IssuancePolicy.ps1](#bkmk-getscript) shows all of the issuance policies that are available on the certificate authority.
- From a Windows PowerShell command prompt, run the following command:
-
- ``` syntax
- .\get-IssuancePolicy.ps1 –LinkedToGroup:All
- ```
-
-**To link a issuance policy to a universal security group**
-
-- The [set-IssuancePolicyToGroupLink.ps1](#bkmk-setscript) creates a Universal security group, creates an organizational unit, and links the issuance policy to that Universal security group.
- From a Windows PowerShell command prompt, run the following command:
-
- ``` syntax
- .\set-IssuancePolicyToGroupLink.ps1 –IssuancePolicyName:"" –groupOU:"" –groupName:”"
- ```
-
-#### Restricting user sign on
-
-So we now have the following:
-
-- Created a special certificate issuance policy to identify devices which meet the deployment criteria required for the user to be able to sign on
-- Mapped that policy to a universal security group or claim
-- Provided a way for domain controllers to get the device authorization data during user sign on using Kerberos armoring-
-so what is left to do is configuring the access check on the domain controllers. This is done with authentication policies.
-
-Authentication policies have the following requirements:
-- User accounts are in a Windows Server 2012 domain functional level or higher domain.
-
-**Creating an authentication policy restricting to the specific universal security group**
-
-1. Open Active Directory Administrative Center.
-2. Click **Authentication**, click **New**, and then click **Authentication Policy**.
-3. In the **Display name** box, enter a name for this authentication policy.
-4. Under the **Accounts** heading, click **Add**.
-5. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the user account you with to restrict, and then click **OK**.
-6. Under the **User Sign On** heading, click the **Edit** button.
-7. Click **Add a condition**.
-8. In the **Edit Access Control Conditions** box, ensure that it reads **User** > **Group** > **Member of each** > **Value**, and then click **Add items**.
-9. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the universal security group that you created with the set-IssuancePolicyToGroupLink script, and then click **OK**.
-10. Click **OK** to close the **Edit Access Control Conditions** box.
-11. Click **OK** to create the authentication policy.
-12. Close Active Directory Administrative Center.
-
-> [!NOTE]
-> When the authentication policy enforces policy restrictions, users will not be able to sign on using devices that do not have a certificate with the appropriate issuance policy deployed. This applies to both local and remote sign on scenarios. Therefore, it is strongly recommended to first only audit policy restrictions to ensure you don't have unexpected failures.
-
-#### Discovering authentication failures due to authentication policies
-
-To make tracking authentication failures due to authentication policies easier, an operational log exists with just those events. To enable the logs on the domain controllers, in Event Viewer, navigate to **Applications and Services Logs\\Microsoft\\Windows\\Authentication, right-click AuthenticationPolicyFailures-DomainController**, and then click **Enable Log**.
-
-To learn more about authentication policy events, see [Authentication Policies and Authentication Policy Silos](https://technet.microsoft.com/en-us/library/dn486813(v=ws.11).aspx).
-
-## Appendix: Scripts
-
-Here is a list of scripts that are mentioned in this topic.
-
-### Get the available issuance policies on the certificate authority
-
-Save this script file as get-IssuancePolicy.ps1.
-
-``` syntax
-#######################################
-## Parameters to be defined ##
-## by the user ##
-#######################################
-Param (
-$Identity,
-$LinkedToGroup
-)
-#######################################
-## Strings definitions ##
-#######################################
-Data getIP_strings {
-# culture="en-US"
-ConvertFrom-StringData -stringdata @'
-help1 = This command can be used to retrieve all available Issuance Policies in a forest. The forest of the currently logged on user is targetted.
-help2 = Usage:
-help3 = The following parameter is mandatory:
-help4 = -LinkedToGroup:
-help5 = "yes" will return only Issuance Policies that are linked to groups. Checks that the linked Issuance Policies are linked to valid groups.
-help6 = "no" will return only Issuance Policies that are not currently linked to any group.
-help7 = "all" will return all Issuance Policies defined in the forest. Checks that the linked Issuance policies are linked to valid groups.
-help8 = The following parameter is optional:
-help9 = -Identity:. If you specify an identity, the option specified in the "-LinkedToGroup" parameter is ignored.
-help10 = Output: This script returns the Issuance Policy objects meeting the criteria defined by the above parameters.
-help11 = Examples:
-errorIPNotFound = Error: no Issuance Policy could be found with Identity "{0}"
-ErrorNotSecurity = Error: Issuance Policy "{0}" is linked to group "{1}" which is not of type "Security".
-ErrorNotUniversal = Error: Issuance Policy "{0}" is linked to group "{1}" whose scope is not "Universal".
-ErrorHasMembers = Error: Issuance Policy "{0}" is linked to group "{1}" which has a non-empty membership. The group has the following members:
-LinkedIPs = The following Issuance Policies are linked to groups:
-displayName = displayName : {0}
-Name = Name : {0}
-dn = distinguishedName : {0}
- InfoName = Linked Group Name: {0}
- InfoDN = Linked Group DN: {0}
-NonLinkedIPs = The following Issuance Policies are NOT linked to groups:
-'@
-}
-##Import-LocalizedData getIP_strings
-import-module ActiveDirectory
-#######################################
-## Help ##
-#######################################
-function Display-Help {
- ""
- $getIP_strings.help1
- ""
-$getIP_strings.help2
-""
-$getIP_strings.help3
-" " + $getIP_strings.help4
-" " + $getIP_strings.help5
- " " + $getIP_strings.help6
- " " + $getIP_strings.help7
-""
-$getIP_strings.help8
- " " + $getIP_strings.help9
- ""
- $getIP_strings.help10
-""
-""
-$getIP_strings.help11
- " " + '$' + "myIPs = .\get-IssuancePolicy.ps1 -LinkedToGroup:All"
- " " + '$' + "myLinkedIPs = .\get-IssuancePolicy.ps1 -LinkedToGroup:yes"
- " " + '$' + "myIP = .\get-IssuancePolicy.ps1 -Identity:""Medium Assurance"""
-""
-}
-$root = get-adrootdse
-$domain = get-addomain -current loggedonuser
-$configNCDN = [String]$root.configurationNamingContext
-if ( !($Identity) -and !($LinkedToGroup) ) {
-display-Help
-break
-}
-if ($Identity) {
- $OIDs = get-adobject -Filter {(objectclass -eq "msPKI-Enterprise-Oid") -and ((name -eq $Identity) -or (displayname -eq $Identity) -or (distinguishedName -like $Identity)) } -searchBase $configNCDN -properties *
- if ($OIDs -eq $null) {
-$errormsg = $getIP_strings.ErrorIPNotFound -f $Identity
-write-host $errormsg -ForegroundColor Red
- }
- foreach ($OID in $OIDs) {
- if ($OID."msDS-OIDToGroupLink") {
-# In case the Issuance Policy is linked to a group, it is good to check whether there is any problem with the mapping.
- $groupDN = $OID."msDS-OIDToGroupLink"
- $group = get-adgroup -Identity $groupDN
- $groupName = $group.Name
-# Analyze the group
- if ($group.groupCategory -ne "Security") {
-$errormsg = $getIP_strings.ErrorNotSecurity -f $Identity, $groupName
- write-host $errormsg -ForegroundColor Red
- }
- if ($group.groupScope -ne "Universal") {
- $errormsg = $getIP_strings.ErrorNotUniversal -f $Identity, $groupName
-write-host $errormsg -ForegroundColor Red
- }
- $members = Get-ADGroupMember -Identity $group
- if ($members) {
- $errormsg = $getIP_strings.ErrorHasMembers -f $Identity, $groupName
-write-host $errormsg -ForegroundColor Red
- foreach ($member in $members) {
- write-host " " $member -ForeGroundColor Red
- }
- }
- }
- }
- return $OIDs
- break
-}
-if (($LinkedToGroup -eq "yes") -or ($LinkedToGroup -eq "all")) {
- $LDAPFilter = "(&(objectClass=msPKI-Enterprise-Oid)(msDS-OIDToGroupLink=*)(flags=2))"
- $LinkedOIDs = get-adobject -searchBase $configNCDN -LDAPFilter $LDAPFilter -properties *
- write-host ""
- write-host "*****************************************************"
- write-host $getIP_strings.LinkedIPs
- write-host "*****************************************************"
- write-host ""
- if ($LinkedOIDs -ne $null){
- foreach ($OID in $LinkedOIDs) {
-# Display basic information about the Issuance Policies
- ""
- $getIP_strings.displayName -f $OID.displayName
- $getIP_strings.Name -f $OID.Name
- $getIP_strings.dn -f $OID.distinguishedName
-# Get the linked group.
- $groupDN = $OID."msDS-OIDToGroupLink"
- $group = get-adgroup -Identity $groupDN
- $getIP_strings.InfoName -f $group.Name
- $getIP_strings.InfoDN -f $groupDN
-# Analyze the group
- $OIDName = $OID.displayName
- $groupName = $group.Name
- if ($group.groupCategory -ne "Security") {
- $errormsg = $getIP_strings.ErrorNotSecurity -f $OIDName, $groupName
- write-host $errormsg -ForegroundColor Red
- }
- if ($group.groupScope -ne "Universal") {
- $errormsg = $getIP_strings.ErrorNotUniversal -f $OIDName, $groupName
- write-host $errormsg -ForegroundColor Red
- }
- $members = Get-ADGroupMember -Identity $group
- if ($members) {
- $errormsg = $getIP_strings.ErrorHasMembers -f $OIDName, $groupName
- write-host $errormsg -ForegroundColor Red
- foreach ($member in $members) {
- write-host " " $member -ForeGroundColor Red
- }
- }
- write-host ""
- }
- }else{
-write-host "There are no issuance policies that are mapped to a group"
- }
- if ($LinkedToGroup -eq "yes") {
- return $LinkedOIDs
- break
- }
-}
-if (($LinkedToGroup -eq "no") -or ($LinkedToGroup -eq "all")) {
- $LDAPFilter = "(&(objectClass=msPKI-Enterprise-Oid)(!(msDS-OIDToGroupLink=*))(flags=2))"
- $NonLinkedOIDs = get-adobject -searchBase $configNCDN -LDAPFilter $LDAPFilter -properties *
- write-host ""
- write-host "*********************************************************"
- write-host $getIP_strings.NonLinkedIPs
- write-host "*********************************************************"
- write-host ""
- if ($NonLinkedOIDs -ne $null) {
- foreach ($OID in $NonLinkedOIDs) {
-# Display basic information about the Issuance Policies
-write-host ""
-$getIP_strings.displayName -f $OID.displayName
-$getIP_strings.Name -f $OID.Name
-$getIP_strings.dn -f $OID.distinguishedName
-write-host ""
- }
- }else{
-write-host "There are no issuance policies which are not mapped to groups"
- }
- if ($LinkedToGroup -eq "no") {
- return $NonLinkedOIDs
- break
- }
-}
-```
-> [!NOTE]
-> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.
-
-### Link an issuance policy to a group
-
-Save the script file as set-IssuancePolicyToGroupLink.ps1.
-
-``` syntax
-#######################################
-## Parameters to be defined ##
-## by the user ##
-#######################################
-Param (
-$IssuancePolicyName,
-$groupOU,
-$groupName
-)
-#######################################
-## Strings definitions ##
-#######################################
-Data ErrorMsg {
-# culture="en-US"
-ConvertFrom-StringData -stringdata @'
-help1 = This command can be used to set the link between a certificate issuance policy and a universal security group.
-help2 = Usage:
-help3 = The following parameters are required:
-help4 = -IssuancePolicyName:
-help5 = -groupName:. If no name is specified, any existing link to a group is removed from the Issuance Policy.
-help6 = The following parameter is optional:
-help7 = -groupOU:. If this parameter is not specified, the group is looked for or created in the Users container.
-help8 = Examples:
-help9 = This command will link the issuance policy whose display name is "High Assurance" to the group "HighAssuranceGroup" in the Organizational Unit "OU_FOR_IPol_linked_groups". If the group or the Organizational Unit do not exist, you will be prompted to create them.
-help10 = This command will unlink the issuance policy whose name is "402.164959C40F4A5C12C6302E31D5476062" from any group.
-MultipleIPs = Error: Multiple Issuance Policies with name or display name "{0}" were found in the subtree of "{1}"
-NoIP = Error: no issuance policy with name or display name "{0}" could be found in the subtree of "{1}".
-IPFound = An Issuance Policy with name or display name "{0}" was successfully found: {1}
-MultipleOUs = Error: more than 1 Organizational Unit with name "{0}" could be found in the subtree of "{1}".
-confirmOUcreation = Warning: The Organizational Unit that you specified does not exist. Do you want to create it?
-OUCreationSuccess = Organizational Unit "{0}" successfully created.
-OUcreationError = Error: Organizational Unit "{0}" could not be created.
-OUFoundSuccess = Organizational Unit "{0}" was successfully found.
-multipleGroups = Error: More than one group with name "{0}" was found in Organizational Unit "{1}".
-confirmGroupCreation = Warning: The group that you specified does not exist. Do you want to create it?
-groupCreationSuccess = Univeral Security group "{0}" successfully created.
-groupCreationError = Error: Univeral Security group "{0}" could not be created.
-GroupFound = Group "{0}" was successfully found.
-confirmLinkDeletion = Warning: The Issuance Policy "{0}" is currently linked to group "{1}". Do you really want to remove the link?
-UnlinkSuccess = Certificate issuance policy successfully unlinked from any group.
-UnlinkError = Removing the link failed.
-UnlinkExit = Exiting without removing the link from the issuance policy to the group.
-IPNotLinked = The Certificate issuance policy is not currently linked to any group. If you want to link it to a group, you should specify the -groupName option when starting this script.
-ErrorNotSecurity = Error: You cannot link issuance Policy "{0}" to group "{1}" because this group is not of type "Security".
-ErrorNotUniversal = Error: You cannot link issuance Policy "{0}" to group "{1}" because the scope of this group is not "Universal".
-ErrorHasMembers = Error: You cannot link issuance Policy "{0}" to group "{1}" because it has a non-empty membership. The group has the following members:
-ConfirmLinkReplacement = Warning: The Issuance Policy "{0}" is currently linked to group "{1}". Do you really want to update the link to point to group "{2}"?
-LinkSuccess = The certificate issuance policy was successfully linked to the specified group.
-LinkError = The certificate issuance policy could not be linked to the specified group.
-ExitNoLinkReplacement = Exiting without setting the new link.
-'@
-}
-# import-localizeddata ErrorMsg
-function Display-Help {
-""
-write-host $ErrorMsg.help1
-""
-write-host $ErrorMsg.help2
-""
-write-host $ErrorMsg.help3
-write-host "`t" $ErrorMsg.help4
-write-host "`t" $ErrorMsg.help5
-""
-write-host $ErrorMsg.help6
-write-host "`t" $ErrorMsg.help7
-""
-""
-write-host $ErrorMsg.help8
-""
-write-host $ErrorMsg.help9
-".\Set-IssuancePolicyToGroupMapping.ps1 -IssuancePolicyName ""High Assurance"" -groupOU ""OU_FOR_IPol_linked_groups"" -groupName ""HighAssuranceGroup"" "
-""
-write-host $ErrorMsg.help10
-'.\Set-IssuancePolicyToGroupMapping.ps1 -IssuancePolicyName "402.164959C40F4A5C12C6302E31D5476062" -groupName $null '
-""
-}
-# Assumption: The group to which the Issuance Policy is going
-# to be linked is (or is going to be created) in
-# the domain the user running this script is a member of.
-import-module ActiveDirectory
-$root = get-adrootdse
-$domain = get-addomain -current loggedonuser
-if ( !($IssuancePolicyName) ) {
-display-Help
-break
-}
-#######################################
-## Find the OID object ##
-## (aka Issuance Policy) ##
-#######################################
-$searchBase = [String]$root.configurationnamingcontext
-$OID = get-adobject -searchBase $searchBase -Filter { ((displayname -eq $IssuancePolicyName) -or (name -eq $IssuancePolicyName)) -and (objectClass -eq "msPKI-Enterprise-Oid")} -properties *
-if ($OID -eq $null) {
-$tmp = $ErrorMsg.NoIP -f $IssuancePolicyName, $searchBase
-write-host $tmp -ForeGroundColor Red
-break;
-}
-elseif ($OID.GetType().IsArray) {
-$tmp = $ErrorMsg.MultipleIPs -f $IssuancePolicyName, $searchBase
-write-host $tmp -ForeGroundColor Red
-break;
-}
-else {
-$tmp = $ErrorMsg.IPFound -f $IssuancePolicyName, $OID.distinguishedName
-write-host $tmp -ForeGroundColor Green
-}
-#######################################
-## Find the container of the group ##
-#######################################
-if ($groupOU -eq $null) {
-# default to the Users container
-$groupContainer = $domain.UsersContainer
-}
-else {
-$searchBase = [string]$domain.DistinguishedName
-$groupContainer = get-adobject -searchBase $searchBase -Filter { (Name -eq $groupOU) -and (objectClass -eq "organizationalUnit")}
-if ($groupContainer.count -gt 1) {
-$tmp = $ErrorMsg.MultipleOUs -f $groupOU, $searchBase
-write-host $tmp -ForegroundColor Red
-break;
-}
-elseif ($groupContainer -eq $null) {
-$tmp = $ErrorMsg.confirmOUcreation
-write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline
-$userChoice = read-host
-if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) {
-new-adobject -Name $groupOU -displayName $groupOU -Type "organizationalUnit" -ProtectedFromAccidentalDeletion $true -path $domain.distinguishedName
-if ($?){
-$tmp = $ErrorMsg.OUCreationSuccess -f $groupOU
-write-host $tmp -ForegroundColor Green
-}
-else{
-$tmp = $ErrorMsg.OUCreationError -f $groupOU
-write-host $tmp -ForeGroundColor Red
-break;
-}
-$groupContainer = get-adobject -searchBase $searchBase -Filter { (Name -eq $groupOU) -and (objectClass -eq "organizationalUnit")}
-}
-else {
-break;
-}
-}
-else {
-$tmp = $ErrorMsg.OUFoundSuccess -f $groupContainer.name
-write-host $tmp -ForegroundColor Green
-}
-}
-#######################################
-## Find the group ##
-#######################################
-if (($groupName -ne $null) -and ($groupName -ne "")){
-##$searchBase = [String]$groupContainer.DistinguishedName
-$searchBase = $groupContainer
-$group = get-adgroup -Filter { (Name -eq $groupName) -and (objectClass -eq "group") } -searchBase $searchBase
-if ($group -ne $null -and $group.gettype().isarray) {
-$tmp = $ErrorMsg.multipleGroups -f $groupName, $searchBase
-write-host $tmp -ForeGroundColor Red
-break;
-}
-elseif ($group -eq $null) {
-$tmp = $ErrorMsg.confirmGroupCreation
-write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline
-$userChoice = read-host
-if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) {
-new-adgroup -samAccountName $groupName -path $groupContainer.distinguishedName -GroupScope "Universal" -GroupCategory "Security"
-if ($?){
-$tmp = $ErrorMsg.GroupCreationSuccess -f $groupName
-write-host $tmp -ForegroundColor Green
-}else{
-$tmp = $ErrorMsg.groupCreationError -f $groupName
-write-host $tmp -ForeGroundColor Red
-break
-}
-$group = get-adgroup -Filter { (Name -eq $groupName) -and (objectClass -eq "group") } -searchBase $searchBase
-}
-else {
-break;
-}
-}
-else {
-$tmp = $ErrorMsg.GroupFound -f $group.Name
-write-host $tmp -ForegroundColor Green
-}
-}
-else {
-#####
-## If the group is not specified, we should remove the link if any exists
-#####
-if ($OID."msDS-OIDToGroupLink" -ne $null) {
-$tmp = $ErrorMsg.confirmLinkDeletion -f $IssuancePolicyName, $OID."msDS-OIDToGroupLink"
-write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline
-$userChoice = read-host
-if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) {
-set-adobject -Identity $OID -Clear "msDS-OIDToGroupLink"
-if ($?) {
-$tmp = $ErrorMsg.UnlinkSuccess
-write-host $tmp -ForeGroundColor Green
-}else{
-$tmp = $ErrorMsg.UnlinkError
-write-host $tmp -ForeGroundColor Red
-}
-}
-else {
-$tmp = $ErrorMsg.UnlinkExit
-write-host $tmp
-break
-}
-}
-else {
-$tmp = $ErrorMsg.IPNotLinked
-write-host $tmp -ForeGroundColor Yellow
-}
-break;
-}
-#######################################
-## Verify that the group is ##
-## Universal, Security, and ##
-## has no members ##
-#######################################
-if ($group.GroupScope -ne "Universal") {
-$tmp = $ErrorMsg.ErrorNotUniversal -f $IssuancePolicyName, $groupName
-write-host $tmp -ForeGroundColor Red
-break;
-}
-if ($group.GroupCategory -ne "Security") {
-$tmp = $ErrorMsg.ErrorNotSecurity -f $IssuancePolicyName, $groupName
-write-host $tmp -ForeGroundColor Red
-break;
-}
-$members = Get-ADGroupMember -Identity $group
-if ($members -ne $null) {
-$tmp = $ErrorMsg.ErrorHasMembers -f $IssuancePolicyName, $groupName
-write-host $tmp -ForeGroundColor Red
-foreach ($member in $members) {write-host " $member.name" -ForeGroundColor Red}
-break;
-}
-#######################################
-## We have verified everything. We ##
-## can create the link from the ##
-## Issuance Policy to the group. ##
-#######################################
-if ($OID."msDS-OIDToGroupLink" -ne $null) {
-$tmp = $ErrorMsg.ConfirmLinkReplacement -f $IssuancePolicyName, $OID."msDS-OIDToGroupLink", $group.distinguishedName
-write-host $tmp "( (y)es / (n)o )" -ForegroundColor Yellow -nonewline
-$userChoice = read-host
-if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) {
-$tmp = @{'msDS-OIDToGroupLink'= $group.DistinguishedName}
-set-adobject -Identity $OID -Replace $tmp
-if ($?) {
-$tmp = $Errormsg.LinkSuccess
-write-host $tmp -Foreground Green
-}else{
-$tmp = $ErrorMsg.LinkError
-write-host $tmp -Foreground Red
-}
-} else {
-$tmp = $Errormsg.ExitNoLinkReplacement
-write-host $tmp
-break
-}
-}
-else {
-$tmp = @{'msDS-OIDToGroupLink'= $group.DistinguishedName}
-set-adobject -Identity $OID -Add $tmp
-if ($?) {
-$tmp = $Errormsg.LinkSuccess
-write-host $tmp -Foreground Green
-}else{
-$tmp = $ErrorMsg.LinkError
-write-host $tmp -Foreground Red
-}
-}
-```
-
-> [!NOTE]
-> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.
-
## Related topics
- [Isolated User Mode in Windows 10 with Dave Probert (Channel 9)](https://channel9.msdn.com/Blogs/Seth-Juarez/Isolated-User-Mode-in-Windows-10-with-Dave-Probert)
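Review bot: The removed section is the only place this topic defined the `#bkmk-getscript` and `#bkmk-setscript` anchors and the get-IssuancePolicy.ps1 / set-IssuancePolicyToGroupLink.ps1 listings, yet the surviving `## Related topics` list (only the Isolated User Mode link) gets no pointer to wherever the device-restriction procedure and scripts now live; if they moved to a separate topic, add that link here, and if they were dropped, check the rest of the docs set for links into these anchors before merging. The deleted text also carried the operational caveat that authentication policies should first be run in audit mode because enforcement blocks both local and remote sign-on on devices without the issuance-policy certificate; make sure that warning survives wherever the content lands.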
diff --git a/windows/keep-secure/credential-manager-known-issues.md b/windows/keep-secure/credential-manager-known-issues.md
new file mode 100644
index 0000000000..dae1ef2c13
--- /dev/null
+++ b/windows/keep-secure/credential-manager-known-issues.md
@@ -0,0 +1,17 @@
+---
+title: Known issues with Credential Manager (Windows 10)
+description: Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
+ms.assetid: 4F1FE390-A166-4A24-8530-EA3369FEB4B1
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: brianlic-msft
+---
+
+# Known issues with Credential Manager
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
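Review bot: The `description:` front matter describes Credential Guard (`uses virtualization-based security to isolate secrets so that only privileged system software can access them`), not known issues with Credential Manager, which suggests it was copied from the Credential Guard topic; replace it with a one-line description of this page, and check that `ms.assetid` was not copied along with it, since it must be unique per topic. The body also stops after the **Applies to** list, so either add the known issues or hold the file until there is content, because an empty topic will be indexed under that misleading description.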
diff --git a/windows/keep-secure/custom-ti-api-windows-defender-advanced-threat-protection.md b/windows/keep-secure/custom-ti-api-windows-defender-advanced-threat-protection.md
index eecae9a27a..8c54c753a6 100644
--- a/windows/keep-secure/custom-ti-api-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/custom-ti-api-windows-defender-advanced-threat-protection.md
@@ -11,7 +11,7 @@ author: mjcaparas
localizationpriority: high
---
-# Create custom alerts using the threat intelligence (TI) Application program interface (API)
+# Create custom alerts using the threat intelligence (TI) application program interface (API)
**Applies to:**
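Review bot: The case fix in the title still leaves the nonstandard expansion `application program interface`; the usual expansion of API is "application programming interface", so consider changing the noun while this line is being touched, and mirror the change in any TOC entry that repeats the title.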
@@ -23,12 +23,12 @@ localizationpriority: high
[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
-You can define custom alert definitions and indicators of compromise (IOC) using the threat intelligence API. Creating custom threat intelligence alerts allows you to create specific alerts that are applicable to your organization.
+You can define custom alert definitions and indicators of compromise (IOC) using the threat intelligence API. Creating custom threat intelligence alerts allows you to generate specific alerts that are applicable to your organization.
## Before you begin
Before creating custom alerts, you'll need to enable the threat intelligence application in Azure Active Directory and generate access tokens. For more information, see [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md).
-### Use the threat intelligence REST APIs to create custom threat intelligence alerts
+### Use the threat intelligence REST API to create custom threat intelligence alerts
You can call and specify the resource URLs using one of the following operations to access and manipulate a threat intelligence resource, you call and specify the resource URLs using one of the following operations:
- GET
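Review bot: The unchanged sentence at the end of the hunk, `You can call and specify the resource URLs using one of the following operations to access and manipulate a threat intelligence resource, you call and specify the resource URLs using one of the following operations:`, repeats itself and reads as two drafts merged into one run-on; since the hunk already reworks the neighbouring wording, reduce it to a single clause such as "To access and manipulate a threat intelligence resource, you call and specify the resource URLs using one of the following operations:".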
diff --git a/windows/keep-secure/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md b/windows/keep-secure/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
index 749d25c114..01eaa034f6 100644
--- a/windows/keep-secure/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
@@ -60,7 +60,7 @@ If you took corrective actions and the machine status is still misconfigured, [o
### No sensor data
A misconfigured machine with status ‘No sensor data’ has communication with the service but can only report partial sensor data.
-Follow theses actions to correct known issues related to a misconfigured machine with status ‘Impaired communication’:
+Follow theses actions to correct known issues related to a misconfigured machine with status ‘No sensor data’:
- [Ensure the endpoint has Internet connection](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-endpoint-has-an-internet-connection)
The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Windows Defender ATP service.
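Review bot: The corrected line keeps the typo `Follow theses actions` (`these`), and the trailing context line `The Window Defender ATP sensor` is missing the `s` in `Windows`; both are within the hunk's lines and are worth fixing together with the status-name correction.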
diff --git a/windows/keep-secure/images/atp-machine-details-view.png.pdf b/windows/keep-secure/images/atp-machine-details-view.png.pdf
deleted file mode 100644
index 6f018827bb..0000000000
Binary files a/windows/keep-secure/images/atp-machine-details-view.png.pdf and /dev/null differ
diff --git a/windows/keep-secure/images/privacy-setting-in-sign-in-options.png b/windows/keep-secure/images/privacy-setting-in-sign-in-options.png
new file mode 100644
index 0000000000..cf2e499e04
Binary files /dev/null and b/windows/keep-secure/images/privacy-setting-in-sign-in-options.png differ
diff --git a/windows/keep-secure/interactive-logon-display-user-information-when-the-session-is-locked.md b/windows/keep-secure/interactive-logon-display-user-information-when-the-session-is-locked.md
index f82d103fb6..ddb0839afa 100644
--- a/windows/keep-secure/interactive-logon-display-user-information-when-the-session-is-locked.md
+++ b/windows/keep-secure/interactive-logon-display-user-information-when-the-session-is-locked.md
@@ -17,31 +17,80 @@ author: brianlic-msft
Describes the best practices, location, values, and security considerations for the **Interactive logon: Display user information when the session is locked** security policy setting.
## Reference
-When a session is locked in a Windows operating system (meaning the user at the computer pressed CTRL+ALT+DEL and the Secure Desktop is displayed), user information is displayed. By default, this information is in the form of **<user name> is logged on**. The displayed user name is the user’s full name as set on the Properties page for that user. These settings do not apply to the logon tiles, which are displayed on the desktop after using the **Switch User** feature. The information that is displayed can be changed to meet your security requirements using the following possible values.
+This security setting controls whether details such as email address or domain\username appear with the username on the sign-in screen.
+For clients that run Windows 10 version 1511 and 1507 (RTM), this setting works similarly to previous versions of Windows.
+However, because of a new **Privacy** setting introduced in Windows 10 version 1607, this security setting affects those clients differently.
-### Possible values
+### Changes in Windows 10 version 1607
+
+Beginning with Windows 10 version 1607, new functionality was added to Windows 10 to hide username details such as email address by default, with the ability to change the default to show the details.
+This functionality is controlled by a new **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**.
+The Privacy setting is off by default, which hides the details.
+
+
+
+The **Interactive logon: Display user information when the session is locked** Group Policy setting controls the same functionality.
+
+This setting has these possible values:
- **User display name, domain and user names**
- If this is a local logon, the user’s full name is displayed on the Secure Desktop. If it is a domain logon, the user’s domain and user’s account name is displayed.
+ For a local logon, the user's full name is displayed.
+ If the user signed in using a Microsoft account, the user's email address is displayed.
+ For a domain logon, the domain\username is displayed.
+ This has the same effect as turning on the **Privacy** setting.
- **User display name only**
- The name of the user who locked the session is displayed on the Secure Desktop as the user’s full name.
+ The full name of the user who locked the session is displayed.
+ This has the same effect as turning off the **Privacy** setting.
- **Do not display user information**
- No names are displayed on the Secure Desktop, but user’s full names will be displayed on the **Switch user** desktop.
+ No names are displayed.
+ Beginning with Windows 10 version 1607, this option is not supported.
+ If this option is chosen, the full name of the user who locked the session is displayed instead.
+ This change makes this setting consistent with the functionality of the new **Privacy** setting.
+ To display no user information, enable the Group Policy setting **Interactive logon: Don't display last signed-in**.
- Blank.
- Default setting. This translates to “Not defined,” but it will display the user’s full name in the same manner as the **User display name** option. When an option is set, you cannot reset this policy to blank, or not defined.
+ Default setting.
+ This translates to “Not defined,” but it will display the user’s full name in the same manner as the option **User display name only**.
+ When an option is set, you cannot reset this policy to blank, or not defined.
+
+### Hotfix for Windows 10 version 1607
+
+Clients that run Windows 10 version 1607 will not show details on the sign-in screen even if the **User display name, domain and user names** option is chosen because the **Privacy** setting is off.
+If the **Privacy** setting is turned on, details will show.
+
+The **Privacy** setting cannot be changed for clients in bulk.
+Instead, apply KB 4013429 to clients that run Windows 10 version 1607 so they behave similarly to previous versions of Windows.
+
+There are related Group Policy settings:
+
+- **Computer Configuration\Policies\Administrative Templates\System\Logon\Block user from showing account details on sign-in** prevents users from showing account details on the sign-in screen.
+- **Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Don’t display last signed-in** prevents the username of the last user to sign in from being shown.
+- **Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Don’t display username at sign-in** prevents the username from being shown at Windows sign-in and immediately after credentials are entered and before the desktop appears.
+
+### Interaction with related Group Policy settings
+
+For all versions of Windows 10, only the user display name is shown by default.
+
+If **Block user from showing account details on sign-in** is enabled, then only the user display name is shown regardless of any other Group Policy settings.
+Users will not be able to show details.
+
+If **Block user from showing account details on sign-in** is not enabled, then you can set **Interactive logon: Display user information when the session is locked** to **User display name, domain and user names** to show additional details such as domain\username.
+In this case, clients that run Windows 10 version 1607 need KB 4013429 applied.
+Users will not be able to hide additional details.
+
+If **Block user from showing account details on sign-in** is not enabled and **Don’t display last signed-in** is enabled, the username will not be shown.
### Best practices
-Your implementation of this policy depends on your security requirements for displayed logon information. If you have devices that store sensitive data, with monitors displayed in unsecured locations, or if you have computers with sensitive data that are remotely accessed, revealing logged on user’s full names or domain account names might contradict your overall security policy.
+Your implementation of this policy depends on your security requirements for displayed logon information. If you run computers that store sensitive data, with monitors displayed in unsecured locations, or if you have computers with sensitive data that are remotely accessed, revealing logged on user’s full names or domain account names might contradict your overall security policy.
-Depending on your security policy, you might also want to enable the [Interactive logon: Do not display last user name](interactive-logon-do-not-display-last-user-name.md) policy, which will prevent the Windows operating system from displaying the logon name and logon tile of the last user to logon.
+Depending on your security policy, you might also want to enable the [Interactive logon: Do not display last user name](interactive-logon-do-not-display-last-user-name.md) policy.
### Location
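Review bot: the Best practices link text `[Interactive logon: Do not display last user name](interactive-logon-do-not-display-last-user-name.md)` keeps the old policy name, while the new bullet `To display no user information, enable the Group Policy setting **Interactive logon: Don't display last signed-in**.` and the page title renamed later in this patch use the new one; use **Don't display last signed-in** here as well so admins searching the Security Options list find the same string. Two smaller points: the three consecutive blank lines after `The Privacy setting is off by default, which hides the details.` should collapse to one, and the related-settings list mixes path prefixes (`Computer Configuration\Policies\Administrative Templates\...` versus `Computer Configuration\Windows Settings\...`), so pick one convention for all three entries.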
@@ -86,13 +135,7 @@ When a computer displays the Secure Desktop in an unsecured area, certain user i
Enabling this policy setting allows the operating system to hide certain user information from being displayed on the Secure Desktop (after the device has been booted or when the session has been locked by using CTRL+ALT+DEL). However, user information is displayed if the **Switch user** feature is used so that the logon tiles are displayed for each logged on user.
-You might also want to enable the [Interactive logon: Do not display last user name](interactive-logon-do-not-display-last-user-name.md) policy, which will prevent the Windows operating system from displaying the logon name and logon tile of the last user to logon.
-
-### Potential impact
-
-If you do not enable this policy, the effect will be the same as enabling the policy and selecting the **User display name, domain and user names** option.
-
-If the policy is enabled and set to **Do not display user information**, an observer cannot see who is logged onto the Secure Desktop, but the logon tile is still present if the [Interactive logon: Do not display last user name](interactive-logon-do-not-display-last-user-name.md) policy is not enabled. Depending on how the logon tiles are configured, they could provide visual clues as to who is logged on. In addition, if the Interactive logon: Do not display last user name policy is not enabled, then the **Switch user** feature will show user information.
+You might also want to enable the [Interactive logon: Do not display last signed-in](interactive-logon-do-not-display-last-user-name.md) policy, which will prevent the Windows operating system from displaying the logon name and logon tile of the last user to logon.
## Related topics
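Review bot: deleting the whole **Potential impact** section drops the caveat a reader of this page most needs, that with **Do not display user information** the logon tile is still present and **Switch user** still shows user information unless the last-signed-in policy is also enabled; the revised Best practices paragraph only says you "might also want to enable" that policy. Consider keeping a shortened Potential impact section that states the tile and Switch user behaviour and that, beginning with version 1607, **Do not display user information** falls back to showing the full name. Also, in the retained sentence `...logon tile of the last user to logon.` the verb should be "to log on".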
diff --git a/windows/keep-secure/interactive-logon-do-not-display-last-user-name.md b/windows/keep-secure/interactive-logon-do-not-display-last-user-name.md
index 5af92d1bcf..d712d65bdd 100644
--- a/windows/keep-secure/interactive-logon-do-not-display-last-user-name.md
+++ b/windows/keep-secure/interactive-logon-do-not-display-last-user-name.md
@@ -1,5 +1,5 @@
---
-title: Interactive logon Do not display last user name (Windows 10)
+title: Interactive logon Don't display last signed-in (Windows 10)
description: Describes the best practices, location, values, and security considerations for the Interactive logon Do not display last user name security policy setting.
ms.assetid: 98b24b03-95fe-4edc-8e97-cbdaa8e314fd
ms.prod: w10
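Review bot: the `description:` front-matter line still reads `...for the Interactive logon Do not display last user name security policy setting.` while `title:` has been renamed to `Interactive logon Don't display last signed-in (Windows 10)`; update the description the same way, since it is the text shown in search results.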
@@ -9,12 +9,12 @@ ms.pagetype: security
author: brianlic-msft
---
-# Interactive logon: Do not display last user name
+# Interactive logon: Don't display last signed-in
**Applies to**
- Windows 10
-Describes the best practices, location, values, and security considerations for the **Interactive logon: Do not display last user name** security policy setting.
+Describes the best practices, location, values, and security considerations for the **Interactive logon: Don't display last signed-in** security policy setting. Before Windows 10 version 1703, this policy setting was named **Interactive logon:Do not display last user name.**
## Reference
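Review bot: in the added sentence `Before Windows 10 version 1703, this policy setting was named **Interactive logon:Do not display last user name.**` there is no space after the colon and the sentence-ending period sits inside the bold markers; write `**Interactive logon: Do not display last user name**.` Because the secpol display name is exactly what admins search for, the spelling here matters.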
diff --git a/windows/keep-secure/preview-windows-defender-advanced-threat-protection.md b/windows/keep-secure/preview-windows-defender-advanced-threat-protection.md
index e4a19d51d6..3a89c15e0b 100644
--- a/windows/keep-secure/preview-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/preview-windows-defender-advanced-threat-protection.md
@@ -47,5 +47,7 @@ The following features are included in the preview release:
- [Check sensor health state](check-sensor-status-windows-defender-advanced-threat-protection.md) - Check an endpoint's ability to provide sensor data and communicate with the Windows Defender ATP service and fix known issues.
- [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md)
+- [Use the threat intelligence API to create custom alerts](use-custom-ti-windows-defender-advanced-threat-protection.md) - Create custom threat intelligence alerts using the threat intelligence API to generate alerts that are applicable to your organization.
+
>[!NOTE]
> All response actions require machines to be on the latest Windows 10 Insider Preview build.
diff --git a/windows/keep-secure/python-example-code-windows-defender-advanced-threat-protection.md b/windows/keep-secure/python-example-code-windows-defender-advanced-threat-protection.md
index 36b0a25f3b..6e63d9f1b5 100644
--- a/windows/keep-secure/python-example-code-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/python-example-code-windows-defender-advanced-threat-protection.md
@@ -71,7 +71,7 @@ You can now use the alert ID obtained from creating a new alert definition to cr
## Complete code
You can use the complete code to create calls to the API.
-[!code[CustomTIAPI](./code/example.py#L1-L51)]
+[!code[CustomTIAPI](./code/example.py#L1-L53)]
## Related topics
- [Understand threat intelligence](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
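Review bot: the include range `[!code[CustomTIAPI](./code/example.py#L1-L53)]` is extended by two lines, but no change to `./code/example.py` appears in this diff; confirm that the file actually has 53 lines in the same commit, otherwise the snippet renders incomplete or the build warns about an out-of-range line reference.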
diff --git a/windows/keep-secure/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md b/windows/keep-secure/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md
index a1a1738dad..2d68063ec7 100644
--- a/windows/keep-secure/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md
+++ b/windows/keep-secure/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md
@@ -38,6 +38,7 @@ For encrypting Remote Desktop Services network communication, this policy settin
For BitLocker, this policy setting needs to be enabled before any encryption key is generated.
Recovery passwords created on Windows Server 2012 R2 and Windows 8.1 and later when this policy is enabled are incompatible with BitLocker on operating systems prior to Windows Server 2012 R2 and Windows 8.1; BitLocker will prevent the creation or use of recovery passwords on these systems, so recovery keys should be used instead.
+Additionally, if a data drive is password-protected, it can be accessed by a FIPS-compliant computer after the password is supplied, but the drive will be read-only.
### Possible values
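Review bot: the added sentence `Additionally, if a data drive is password-protected, it can be accessed by a FIPS-compliant computer after the password is supplied, but the drive will be read-only.` does not say under which configuration the drive was protected, and placed directly after a sentence about recovery passwords it can be read as referring to the recovery password rather than the drive's unlock password. State explicitly which password is meant and whether this applies to drives protected on computers where the policy is not enabled, since that cross-system case is what the surrounding paragraph is about.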
diff --git a/windows/keep-secure/threat-indicator-concepts-windows-defender-advanced-threat-protection.md b/windows/keep-secure/threat-indicator-concepts-windows-defender-advanced-threat-protection.md
index 835ddbf45a..be6cfe9d8e 100644
--- a/windows/keep-secure/threat-indicator-concepts-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/threat-indicator-concepts-windows-defender-advanced-threat-protection.md
@@ -47,7 +47,7 @@ Here is an example of an IOC:
IOCs have a many-to-one relationship with alert definitions such that an alert definition can have many IOCs that correspond to it.
-## Related topic
+## Related topics
- [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md)
- [Create custom threat intelligence alerts](custom-ti-api-windows-defender-advanced-threat-protection.md)
- [PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/use-custom-ti-windows-defender-advanced-threat-protection.md b/windows/keep-secure/use-custom-ti-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..0757a26702
--- /dev/null
+++ b/windows/keep-secure/use-custom-ti-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,39 @@
+---
+title: Use the threat intelligence API in Windows Defender Advanced Threat Protection to create custom alerts
+description: Use the custom threat intelligence API to create custom alerts for your organization.
+keywords: threat intelligence, alert definitions, indicators of compromise
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+localizationpriority: high
+---
+
+# Use the threat intelligence API to create custom alerts
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
+
+Understand threat intelligence concepts, then enable the custom threat intelligence application so that you can proceed to create custom threat intelligence alerts that are specific to your organization.
+
+You can use the code examples to guide you in creating calls to the custom threat intelligence API.
+
+## In this section
+
+Topic | Description
+:---|:---
+[Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) | Understand the concepts around threat intelligence so that you can effectively create custom intelligence for your organization.
+[Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md) | Set up the custom threat intelligence application through the Windows Defender ATP portal so that you can create custom threat intelligence (TI) using REST API.
+[Create custom threat intelligence alerts](custom-ti-api-windows-defender-advanced-threat-protection.md) | Create custom threat intelligence alerts so that you can generate specific alerts that are applicable to your organization.
+[PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md) | Use the PowerShell code examples to guide you in using the custom threat intelligence API.
+[Python code examples](python-example-code-windows-defender-advanced-threat-protection.md) | Use the Python code examples to guide you in using the custom threat intelligence API.
+[Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md) | Learn how to address possible issues you might encounter while using the threat intelligence API.
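Review bot: the pre-release disclaimer `[Some information relates to pre-released product, ...]` is plain bracketed text, whereas the same disclaimer in the Cortana scenario topics in this patch uses a `>[!IMPORTANT]` callout; use the callout here for consistency. Minor: `using REST API` in the Enable row should read `using the REST API`.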
diff --git a/windows/manage/TOC.md b/windows/manage/TOC.md
index 70f2e9290f..49dd11e6c9 100644
--- a/windows/manage/TOC.md
+++ b/windows/manage/TOC.md
@@ -3,11 +3,12 @@
## [Cortana integration in your business or enterprise](cortana-at-work-overview.md)
### [Testing scenarios using Cortana in your business or organization](cortana-at-work-testing-scenarios.md)
#### [Test scenario 1 - Sign-in to Azure AD and use Cortana to manage the notebook](cortana-at-work-scenario-1.md)
-#### [Test scenario 2 - Test scenario 2 - Perform a quick search with Cortana at work](cortana-at-work-scenario-2.md)
+#### [Test scenario 2 - Perform a quick search with Cortana at work](cortana-at-work-scenario-2.md)
#### [Test scenario 3 - Set a reminder for a specific location using Cortana at work](cortana-at-work-scenario-3.md)
#### [Test scenario 4 - Use Cortana at work to find your upcoming meetings](cortana-at-work-scenario-4.md)
#### [Test scenario 5 - Use Cortana to send email to a co-worker](cortana-at-work-scenario-5.md)
-#### [Test scenario 6 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device](cortana-at-work-scenario-6.md)
+#### [Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email](cortana-at-work-scenario-6.md)
+#### [Test scenario 7 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device](cortana-at-work-scenario-7.md)
### [Set up and test Cortana with Office 365 in your organization](cortana-at-work-o365.md)
### [Set up and test Cortana with Microsoft Dynamics CRM (Preview feature) in your organization](cortana-at-work-crm.md)
### [Set up and test Cortana for Power BI in your organization](cortana-at-work-powerbi.md)
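Review bot: moving the WIP scenario from `cortana-at-work-scenario-6.md` to `cortana-at-work-scenario-7.md` and reusing the scenario-6 filename for a different topic means existing links and bookmarks to scenario 6 now land on the Suggested reminders page rather than the WIP one; consider giving the new topic the next free number (or a descriptive filename) instead of renumbering. The duplicated-text fix on the scenario 2 line looks good.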
diff --git a/windows/manage/change-history-for-manage-and-update-windows-10.md b/windows/manage/change-history-for-manage-and-update-windows-10.md
index 13a0de7e4f..2a2d4a8635 100644
--- a/windows/manage/change-history-for-manage-and-update-windows-10.md
+++ b/windows/manage/change-history-for-manage-and-update-windows-10.md
@@ -14,6 +14,12 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in
>If you're looking for **update history** for Windows 10, see [Windows 10 and Windows Server 2016 update history](https://support.microsoft.com/help/12387/windows-10-update-history).
+## March 2017
+
+| New or changed topic | Description |
+| --- | --- |
+|[Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email](cortana-at-work-scenario-6.md) |New |
+
## February 2017
| New or changed topic | Description |
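Review bot: the new March 2017 table lists only the Suggested reminders topic, but this patch also adds `cortana-at-work-scenario-7.md` (the WIP scenario moved from scenario 6) and changes `configure-windows-telemetry-in-your-organization.md` (Upgrade Analytics renamed to Upgrade Readiness, upload-size ranges added); add rows for those so the change history matches the diff.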
@@ -26,11 +32,12 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in
| [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) | Added Express updates. |
| [Distribute offline apps](distribute-offline-apps.md) | General updates to topic. Added links to supporting content for System Center Configuration Manager and Microsoft Intune. |
+
## January 2017
| New or changed topic | Description |
| --- | --- |
-| [Cortana integration in your business or enterprise](cortana-at-work-overview.md) | New |
+| [Cortana integration in your business or enterprise and sub-topics](cortana-at-work-overview.md) |New |
| [Start layout XML for desktop editions of Windows 10](start-layout-xml-desktop.md) | New (previously published in Hardware Dev Center on MSDN) |
| [Start layout XML for mobile editions of Windows 10](start-layout-xml-mobile.md) | New (previously published in Hardware Dev Center on MSDN) |
| [Quick guide to Windows as a service](waas-quick-start.md) | Added video that explains how Windows as a service works. |
diff --git a/windows/manage/configure-windows-telemetry-in-your-organization.md b/windows/manage/configure-windows-telemetry-in-your-organization.md
index a7f9bbef7e..d8710b1bb2 100644
--- a/windows/manage/configure-windows-telemetry-in-your-organization.md
+++ b/windows/manage/configure-windows-telemetry-in-your-organization.md
@@ -98,17 +98,17 @@ Windows telemetry also helps Microsoft better understand how customers use (or d
### Insights into your own organization
-Sharing information with Microsoft helps make Windows and other products better, but it can also help make your internal processes and user experiences better, as well. Microsoft is in the process of developing a set of analytics customized for your internal use. The first of these, called [Windows 10 Upgrade Analytics](../deploy/manage-windows-upgrades-with-upgrade-analytics.md).
+Sharing information with Microsoft helps make Windows and other products better, but it can also help make your internal processes and user experiences better, as well. Microsoft is in the process of developing a set of analytics customized for your internal use. The first of these, called [Upgrade Readiness](../deploy/manage-windows-upgrades-with-upgrade-readiness.md).
-#### Windows 10 Upgrade Analytics
+#### Upgrade Readiness
Upgrading to new operating system versions has traditionally been a challenging, complex, and slow process for many enterprises. Discovering applications and drivers and then testing them for potential compatibility issues have been among the biggest pain points.
-To better help customers through this difficult process, Microsoft developed Upgrade Analytics to give enterprises the tools to plan and manage the upgrade process end to end and allowing them to adopt new Windows releases more quickly and on an ongoing basis.
+To better help customers through this difficult process, Microsoft developed Upgrade Readiness to give enterprises the tools to plan and manage the upgrade process end to end and allowing them to adopt new Windows releases more quickly and on an ongoing basis.
With Windows telemetry enabled, Microsoft collects computer, application, and driver compatibility-related information for analysis. We then identify compatibility issues that can block your upgrade and suggest fixes when they are known to Microsoft.
-Use Upgrade Analytics to get:
+Use Upgrade Readiness to get:
- A visual workflow that guides you from pilot to production
- Detailed computer, driver, and application inventory
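Review bot: the renamed line `The first of these, called [Upgrade Readiness](../deploy/manage-windows-upgrades-with-upgrade-readiness.md).` is still a sentence fragment; since the line is being touched anyway, make it `The first of these is called ...`. Likewise `...manage the upgrade process end to end and allowing them to adopt...` should read `...and allows them to adopt...`.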
@@ -118,7 +118,7 @@ Use Upgrade Analytics to get:
- Application usage information, allowing targeted validation; workflow to track validation progress and decisions
- Data export to commonly used software deployment tools
-The Upgrade Analytics workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded.
+The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded.
## How is telemetry data handled by Microsoft?
@@ -179,7 +179,7 @@ The levels are cumulative and are illustrated in the following diagram. Also, th
### Security level
-The Security level gathers only the telemetry info that is required to keep Windows devices, Windows Server, and guests protected with the latest security updates. This level is only available on Windows Server 2016, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and Windos IoT Core editions.
+The Security level gathers only the telemetry info that is required to keep Windows devices, Windows Server, and guests protected with the latest security updates. This level is only available on Windows Server 2016, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and Windows IoT Core editions.
> [!NOTE]
> If your organization relies on Windows Update for updates, you shouldn’t use the **Security** level. Because no Windows Update information is gathered at this level, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates.
@@ -216,6 +216,8 @@ No user content, such as user files or communications, is gathered at the **Secu
The Basic level gathers a limited set of data that’s critical for understanding the device and its configuration. This level also includes the **Security** level data. This level helps to identify problems that can occur on a particular hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. The Connected User Experience and Telemetry component does not gather telemetry data about System Center, but it can transmit telemetry for other non-Windows applications if they have user consent.
+The normal upload range for the Basic telemetry level is between 109 KB - 159 KB per day, per device.
+
The data gathered at this level includes:
- **Basic device data**. Helps provide an understanding about the types of Windows devices and the configurations and types of native and virtualized Windows Server 2016 in the ecosystem. Examples include:
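Review bot: `between 109 KB - 159 KB per day, per device` mixes "between" with a dash; write `between 109 KB and 159 KB`. The sentence also gives no basis for the figures (which Windows build, whether measured compressed on the wire), which administrators sizing proxy or egress rules will ask about; add a qualifier naming the release the numbers were measured on.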
@@ -256,12 +258,15 @@ The data gathered at this level includes:
- **Windows Store**. Provides information about how the Windows Store performs, including app downloads, installations, and updates. It also includes Windows Store launches, page views, suspend and resumes, and obtaining licenses.
+
### Enhanced level
The Enhanced level gathers data about how Windows and apps are used and how they perform. This level also includes data from both the **Basic** and **Security** levels. This level helps to improve the user experience with the operating system and apps. Data from this level can be abstracted into patterns and trends that can help Microsoft determine future improvements.
This is the default level for Windows 10 Enterprise and Windows 10 Education editions, and the minimum level needed to quickly identify and address Windows, Windows Server, and System Center quality issues.
+The normal upload range for the Enhanced telemetry level is between 239 KB - 348 KB per day, per device.
+
The data gathered at this level includes:
- **Operating system events**. Helps to gain insights into different areas of the operating system, including networking, Hyper-V, Cortana, storage, file system, and other components.
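Review bot: same wording issue as the Basic level: `between 239 KB - 348 KB` should be `between 239 KB and 348 KB`, and the blank line added after the **Windows Store** bullet is unrelated whitespace churn that can be dropped.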
diff --git a/windows/manage/cortana-at-work-scenario-6.md b/windows/manage/cortana-at-work-scenario-6.md
index ac15463824..2ad1c7cb5c 100644
--- a/windows/manage/cortana-at-work-scenario-6.md
+++ b/windows/manage/cortana-at-work-scenario-6.md
@@ -1,13 +1,14 @@
---
-title: Test scenario 6 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device (Windows 10)
-description: An optional test scenario about how to use Cortana at work with Windows Information Protection (WIP).
+title: Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email (Windows 10)
+description: A test scenario about how to use Cortana with the Suggested reminders feature.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
+author: eross-msft
localizationpriority: high
---
-# Test scenario 6 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device
+# Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email
- Windows 10, Windows Insider Program
- Windows 10 Mobile, Windows Insider Program
@@ -16,22 +17,32 @@ localizationpriority: high
>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
>[!IMPORTANT]
->The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
+>The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. For more info, see the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Microsoft Services Agreement](https://www.microsoft.com/en-us/servicesagreement).
-This optional scenario helps you to protect your organization’s data on a device, based on an inspection by Cortana.
+Cortana automatically finds patterns in your email, suggesting reminders based things that you said you would do so you don’t forget about them. For example, Cortana recognizes that if you include the text, _I’ll get this to you by the end of the week_ in an email, you're making a commitment to provide something by a specific date. Cortana can now suggest that you be reminded about this event, letting you decide whether to keep it or to cancel it.
-## Use Cortana and WIP to protect your organization’s data
+>[!NOTE]
+>The Suggested reminders feature is currently only available in English (en-us).
-1. Create and deploy an WIP policy to your organization. For info about how to do this, see [Protect your enterprise data using Windows Information Protection (WIP)](../keep-secure/protect-enterprise-data-using-wip.md).
+**To use Cortana to create Suggested reminders for you**
-2. Create a new email from a non-protected or personal mailbox, including the text _I’ll send you that presentation tomorrow_.
+1. Make sure that you've connected Cortana to Office 365. For the steps to connect, see [Set up and test Cortana with Office 365 in your organization](cortana-at-work-o365.md).
-3. Wait up to 2 hours to make sure everything has updated, click the **Cortana** icon in the taskbar, and then click in the **Search** bar.
+2. Click on the **Cortana** search box in the taskbar, click the **Notebook** icon, and then click **Permissions**.
- Cortana automatically pulls your commitment to sending the presentation out of your email, showing it to you.
+3. Make sure the **Contacts, email, calendar, and communication history** option is turned on.
-4. Create a new email from a protected mailbox, including the same text as above, _I’ll send you that presentation tomorrow_.
+ 
-5. Wait until everything has updated again, click the **Cortana** icon in the taskbar, and then click in the **Search** bar.
+4. Click the **Notebook** icon again, click the **Suggested reminders** option, click to turn on the **All reminder suggestions cards** option, click the **Notify me when something I mentioned doing is coming up** box, and then click **Save**.
+
+ 
+
+5. Create and send an email to yourself (so you can see the Suggested reminder), including the text, _I’ll finish this project by end of day today_.
+
+6. After you get the email, click on the Cortana **Home** icon, and scroll to today’s events.
+
+ If the reminder has a specific date or time associated with it, like end of day, Cortana notifies you at the appropriate time and puts the reminder into the Action Center. Also from the Home screen, you can view the email where you made the promise, set aside time on your calendar, officially set the reminder, or mark the reminder as completed.
+
+ 
- Because it was in an WIP-protected email, the presentation info isn’t pulled out and it isn’t shown to you.
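Review bot: `suggesting reminders based things that you said you would do` is missing "on" (`based on things`). Step 4 packs five clicks into one sentence; split it into sub-steps so testers can verify each toggle (**All reminder suggestions cards**, **Notify me when something I mentioned doing is coming up**) separately. Also, the three indented lines under steps 3, 4 and 6 contain only whitespace; if they were meant to hold the screenshots, the image references are missing from this change.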
diff --git a/windows/manage/cortana-at-work-scenario-7.md b/windows/manage/cortana-at-work-scenario-7.md
new file mode 100644
index 0000000000..e8d6cfd3ff
--- /dev/null
+++ b/windows/manage/cortana-at-work-scenario-7.md
@@ -0,0 +1,38 @@
+---
+title: Test scenario 7 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device (Windows 10)
+description: An optional test scenario about how to use Cortana at work with Windows Information Protection (WIP).
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: eross-msft
+localizationpriority: high
+---
+
+# Test scenario 7 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device
+
+- Windows 10, Windows Insider Program
+- Windows 10 Mobile, Windows Insider Program
+
+>[!IMPORTANT]
+>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+>[!IMPORTANT]
+>The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
+
+This optional scenario helps you to protect your organization’s data on a device, based on an inspection by Cortana.
+
+## Use Cortana and WIP to protect your organization’s data
+
+1. Create and deploy an WIP policy to your organization. For info about how to do this, see [Protect your enterprise data using Windows Information Protection (WIP)](../keep-secure/protect-enterprise-data-using-wip.md).
+
+2. Create a new email from a non-protected or personal mailbox, including the text _I’ll send you that presentation tomorrow_.
+
+3. Wait up to 2 hours to make sure everything has updated, click the **Cortana** icon in the taskbar, and then click in the **Search** bar.
+
+ Cortana automatically pulls your commitment to sending the presentation out of your email, showing it to you.
+
+4. Create a new email from a protected mailbox, including the same text as above, _I’ll send you that presentation tomorrow_.
+
+5. Wait until everything has updated again, click the **Cortana** icon in the taskbar, and then click in the **Search** bar.
+
+ Because it was in an WIP-protected email, the presentation info isn’t pulled out and it isn’t shown to you.
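Review bot: the intro sentence ("helps you to protect your organization's data on a device, based on an inspection by Cortana") describes the opposite of what the steps test; the steps show WIP preventing Cortana from inspecting a protected mailbox, so phrase it as "shows how WIP keeps Cortana from pulling your organization's data out of protected email". Also "an WIP policy" in step 1 and "an WIP-protected email" in step 5 should read "a WIP policy" and "a WIP-protected email". In step 5, state the pass condition explicitly: the test succeeds only if no commitment reminder appears for the text sent from the protected mailbox, while the same text from the unprotected mailbox in step 3 does produce one.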
diff --git a/windows/manage/cortana-at-work-testing-scenarios.md b/windows/manage/cortana-at-work-testing-scenarios.md
index 41f734e006..9f97783bca 100644
--- a/windows/manage/cortana-at-work-testing-scenarios.md
+++ b/windows/manage/cortana-at-work-testing-scenarios.md
@@ -18,15 +18,19 @@ localizationpriority: high
We've come up with a list of suggested testing scenarios that you can use to test Cortana in your organization. After you complete all the scenarios, you should be able to:
-- Sign-in to Cortana using Azure AD, manage entries in the notebook, and search for content across your device, Bing, and the cloud, using Cortana.
+- [Sign-in to Cortana using Azure AD, manage entries in the notebook, and search for content across your device, Bing, and the cloud, using Cortana](cortana-at-work-scenario-1.md)
-- Set a reminder and have it remind you when you’ve reached a specific location.
+- [Perform a quick search with Cortana at work](cortana-at-work-scenario-2.md)
-- Search for your upcoming meetings on your work calendar.
+- [Set a reminder and have it remind you when you’ve reached a specific location](cortana-at-work-scenario-3.md)
-- Send an email to a co-worker from your work email app.
+- [Search for your upcoming meetings on your work calendar](cortana-at-work-scenario-4.md)
-- Use WIP to secure content on a device and then try to manage your organization’s entries in the notebook.
+- [Send an email to a co-worker from your work email app](cortana-at-work-scenario-5.md)
+
+- [Review a reminder suggested by Cortana based on what you’ve promised in email](cortana-at-work-scenario-6.md)
+
+- [Use Windows Information Protection (WIP) to secure content on a device and then try to manage your organization’s entries in the notebook](cortana-at-work-scenario-7.md)
>[!IMPORTANT]
>The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
\ No newline at end of file
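Review bot: the link text for scenario 7 ("Use Windows Information Protection (WIP) to secure content on a device and then try to manage your organization's entries in the notebook") does not match what the new scenario 7 file tests, which is whether Cortana extracts a commitment from a protected versus an unprotected mailbox; align it with that file's title, "Use Cortana and Windows Information Protection (WIP) to help protect your organization's data on a device". The list spacing is also inconsistent: blank lines separate items 5, 6 and 7 but not items 1 through 5, which Markdown renderers may treat as a loose list with uneven paragraph spacing; either add blank lines between all items or remove the two added blank lines. The file still has no newline at end of file.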
diff --git a/windows/manage/images/cortana-communication-history-permissions.png b/windows/manage/images/cortana-communication-history-permissions.png
new file mode 100644
index 0000000000..db182be13c
Binary files /dev/null and b/windows/manage/images/cortana-communication-history-permissions.png differ
diff --git a/windows/manage/images/cortana-suggested-reminder-settings.png b/windows/manage/images/cortana-suggested-reminder-settings.png
new file mode 100644
index 0000000000..176dbff483
Binary files /dev/null and b/windows/manage/images/cortana-suggested-reminder-settings.png differ
diff --git a/windows/manage/images/cortana-suggested-reminder.png b/windows/manage/images/cortana-suggested-reminder.png
new file mode 100644
index 0000000000..4184bd1b6c
Binary files /dev/null and b/windows/manage/images/cortana-suggested-reminder.png differ
diff --git a/windows/manage/start-layout-xml-desktop.md b/windows/manage/start-layout-xml-desktop.md
index c86fc0cfe6..db4bf8dd66 100644
--- a/windows/manage/start-layout-xml-desktop.md
+++ b/windows/manage/start-layout-xml-desktop.md
@@ -224,7 +224,7 @@ The following example shows how to create a tile of the Web site's URL using the
Column="4"/>
```
-The following table describes the other attributes that you can use with the **start:SecondaryTile** tag in addition to *8Size**, **Row**, and *8Column**.
+The following table describes the other attributes that you can use with the **start:SecondaryTile** tag in addition to **Size**, **Row**, and **Column**.
| Attribute | Required/optional | Description |
| --- | --- | --- |
diff --git a/windows/manage/waas-delivery-optimization.md b/windows/manage/waas-delivery-optimization.md
index 8f9e0d54cd..120818bbe1 100644
--- a/windows/manage/waas-delivery-optimization.md
+++ b/windows/manage/waas-delivery-optimization.md
@@ -99,6 +99,8 @@ Download mode dictates which download sources clients are allowed to use when do
By default, peer sharing on clients using the group download mode is limited to the same domain in Windows 10, version 1511, and the same domain and AD DS site in Windows 10, version 1607. By using the Group ID setting, you can optionally create a custom group that contains devices that should participate in Delivery Optimization but do not fall within those domain or AD DS site boundaries, including devices in another domain. Using Group ID, you can further restrict the default group (for example create a sub-group representing an office building), or extend the group beyond the domain, allowing devices in multiple domains in your organization to peer. This setting requires the custom group to be specified as a GUID on each device that participates in the custom group.
>[!NOTE]
+>To generate a GUID using Powershell, use [```[guid]::NewGuid()```](https://blogs.technet.microsoft.com/heyscriptingguy/2013/07/25/powertip-create-a-new-guid-by-using-powershell/)
+>
>This configuration is optional and not required for most implementations of Delivery Optimization.
### Max Cache Age
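Review bot: the new note should make clear that `[guid]::NewGuid()` is run once and the resulting value is then deployed to every device in the custom group; the paragraph above says the GUID must be specified on each participating device, and a reader who runs the cmdlet per device would give each device its own group and get no peering. Formatting: "Powershell" should be "PowerShell", and the inline code inside the link text uses triple backticks, which are the fenced-block marker and render inconsistently inline; use single backticks, i.e. [`[guid]::NewGuid()`](...). Consider linking the PowerShell reference documentation rather than a blog post.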
diff --git a/windows/manage/waas-optimize-windows-10-updates.md b/windows/manage/waas-optimize-windows-10-updates.md
index 773814c884..e8a17a2b8b 100644
--- a/windows/manage/waas-optimize-windows-10-updates.md
+++ b/windows/manage/waas-optimize-windows-10-updates.md
@@ -61,7 +61,7 @@ For OS updates that support Express, there are two versions of the file payload
1. **Full-file version** - essentially replacing the local versions of the update binaries.
2. **Express version** - containing the deltas needed to patch the existing binaries on the device.
-Both the full-file version and the Express version are referenced in the udpate's metadata, which has been downloaded to the client as part of the scan phase.
+Both the full-file version and the Express version are referenced in the update's metadata, which has been downloaded to the client as part of the scan phase.
**Express download works as follows:**
diff --git a/windows/manage/windows-libraries.md b/windows/manage/windows-libraries.md
index 1608798dce..f8937e7a43 100644
--- a/windows/manage/windows-libraries.md
+++ b/windows/manage/windows-libraries.md
@@ -10,10 +10,10 @@ author: jasongerend
ms.date: 2/6/2017
description: All about Windows Libraries, which are containers for users' content, such as Documents and Pictures.
---
-> Applies to: Windows 10, Windows 8.1, Windows 7, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2
-
# Windows Libraries
+> Applies to: Windows 10, Windows 8.1, Windows 7, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2
+
Libraries are virtual containers for users’ content. A library can contain files and folders stored on the local computer or in a remote storage location. In Windows Explorer, users interact with libraries in ways similar to how they would interact with other folders. Libraries are built upon the legacy known folders (such as My Documents, My Pictures, and My Music) that users are familiar with, and these known folders are automatically included in the default libraries and set as the default save location.
## Features for Users
diff --git a/windows/manage/windows-store-for-business-overview.md b/windows/manage/windows-store-for-business-overview.md
index c2ce1d7706..59c4b92895 100644
--- a/windows/manage/windows-store-for-business-overview.md
+++ b/windows/manage/windows-store-for-business-overview.md
@@ -89,50 +89,12 @@ For more information, see [Sign up for the Store for Business](../manage/sign-up
After your admin signs up for the Store for Business, they can assign roles to other employees in your company. The admin needs Azure AD User Admin permissions to assign WSFB roles. These are the roles and their permissions.
-
-
-
-
-
-
-
-
-
-
-
-
-
-Admin |
-X |
-X |
-X |
- |
-
-
-Purchaser |
- |
-X |
-X |
- |
-
-
-Device Guard signer |
- |
- |
- |
-X |
-
-
-
-
+| Permission | Account settings | Acquire apps | Distribute apps | Device Guard signing |
+| ---------- | ---------------- | ------------ | --------------- | -------------------- |
+| Admin | X | X | X | |
+| Purchaser | | X | X | |
+| Device Guard signer | | | | X |
-
In some cases, admins will need to add Azure Active Directory (AD) accounts for their employees. For more information, see [Manage user accounts and groups](../manage/manage-users-and-groups-windows-store-for-business.md).
Also, if your organization plans to use a management tool, you’ll need to configure your management tool to sync with the Store for Business.
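Review bot: the first header cell of the rebuilt table reads "Permission", but the column lists roles (Admin, Purchaser, Device Guard signer) and the remaining columns are the permissions; rename it to "Role" to match the sentence above ("These are the roles and their permissions"). Replacing the HTML table residue with a Markdown table is otherwise the right fix.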
@@ -367,7 +329,19 @@ Store for Business is currently available in these markets.
-
+## Privacy notice
+
+Microsoft Store for Business services get names and email addresses of people in your organization from Azure Active Directory. This information is needed for these admin functions:
+- Granting and managing permissions
+- Managing app licenses
+- Distributing apps to people (names appear in a list that admins can select from)
+
+Store for Business does not save names, or email addresses.
+
+Your use of Store for Business is also governed by the Store for Business Terms of Use.
+
+Information sent to Store for Business is subject to the [Store for Business Privacy Statement](https://privacy.microsoft.com/privacystatement/).
+
## ISVs and the Store for Business
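Review bot: "Microsoft Store for Business services get names and email addresses of people in your organization from Azure Active Directory" followed by "Store for Business does not save names, or email addresses." reads as a contradiction; say that the names and addresses are read from Azure AD when an admin performs those functions and are not stored by the service, and drop the stray comma. The Terms of Use sentence has no link while the Privacy Statement does; add the link or phrase both the same way. The section also switches between "Microsoft Store for Business" and "Store for Business"; pick one.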