From b41c487dd345624379ff4cbf5f4a7f84d06f55ad Mon Sep 17 00:00:00 2001 From: GITMichiko Date: Wed, 18 Jan 2017 09:31:22 -0800 Subject: [PATCH 01/25] Update credential-guard.md Add new requirements section --- windows/keep-secure/credential-guard.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index a92cf8f9f5..96afd50094 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -38,7 +38,11 @@ Here's a high-level overview on how the LSA is isolated by using virtualization- ![Credential Guard overview](images/credguard.png) -## Hardware and software requirements +## Requirements + +For Credential Guard to provide protections, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements which we will refer to as "Hardware and software requirements". Additionally Credential Guard blocks specific authentication capabilities, so applications which require blocked capabilities will break. We will refer to this as "Application requirements". Beyond that, computers can meet additional hardware and firmware requirements, and receive additional protection—those computers will be more hardened against certain threats. To keep this section brief, those will be in Security Considerations. + +### Hardware and software requirements To deploy Credential Guard, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements. Beyond that, computers can meet additional hardware and firmware requirements, and receive additional protection—those computers will be more hardened against certain threats. From 28c6e773841219bf2b5bc30789ccddbc9cd61468 Mon Sep 17 00:00:00 2001 
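Review bot: The new intro paragraph under `## Requirements` points readers to a "Security Considerations" section that this patch does not add, and its last two sentences duplicate the paragraph that still follows `### Hardware and software requirements` ("Beyond that, computers can meet additional hardware and firmware requirements, and receive additional protection..." now appears twice within a few lines). Either add the section in the same commit or drop "To keep this section brief, those will be in Security Considerations.", and keep only one copy of the "Beyond that" sentence. Minor: "Additionally Credential Guard blocks" needs a comma after "Additionally", and the quoted phrases "Hardware and software requirements" and "Application requirements" read better as plain references to the subsection headings rather than as defined terms.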
From: GITMichiko Date: Mon, 23 Jan 2017 16:43:49 -0800 Subject: [PATCH 02/25] Update credential-guard.md Update in Michiko to convert existing to Security considerations. --- windows/keep-secure/credential-guard.md | 25 +++++++++++-------------- 1 file changed, 11 insertions(+), 14 deletions(-) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 96afd50094..024e1817ce 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -48,17 +48,18 @@ To deploy Credential Guard, the computers you are protecting must meet certain b You can deploy Credential Guard in phases, and plan these phases in relation to the computer purchases you plan for your next hardware refresh. -The following tables provide more information about the hardware, firmware, and software required for deployment of Credential Guard. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, available in 2016, and announced as options for 2017. +## Security considerations + +The following tables provide more information about the impact hardware, firmware, and software on protections used by Credential Guard. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, available in 2016, and announced as options for 2017. > [!NOTE] > For new computers running Windows 10, Trusted Platform Module (TPM 2.0) must be enabled by default. This requirement is not restated in the tables that follow.
> If you are an OEM, see the requirements information at [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514(v=vs.85).aspx).
> Starting in Widows 10, 1607, TPM 2.0 is required. +### Baseline protection recommendations -## Credential Guard requirements for baseline protections - -|Baseline Protections - requirement | Description | +|Baseline Protections | Description | |---------------------------------------------|----------------------------------------------------| | Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. | | Hardware: **CPU virtualization extensions**,
plus **extended page tables** | **Requirements**: These hardware features are required for VBS:
One of the following virtualization extensions:
- VT-x (Intel) or
- AMD-V
And:
- Extended page tables, also called Second Level Address Translation (SLAT).

**Security benefits**: VBS provides isolation of secure kernel from normal operating system. Vulnerabilities and Day 0s in normal operating system cannot be exploited because of this isolation. | @@ -70,13 +71,9 @@ The following tables provide more information about the hardware, firmware, and > [!IMPORTANT] > The preceding table lists requirements for baseline protections. The following tables list requirements for improved security. You can use Credential Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security, to significantly strengthen the level of security that Credential Guard can provide. -## Credential Guard requirements for improved security +### 2015 Additional Security Recommendations (starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4) -The following tables describes additional hardware and firmware requirements, and the improved security that is available when those requirements are met. - -### 2015 Additional Qualification Requirements for Credential Guard (starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4) - -| Protections for Improved Security - requirement | Description | +| Protections for Improved Security | Description | |---------------------------------------------|----------------------------------------------------| | Hardware: **IOMMU** (input/output memory management unit) | **Requirement**: VT-D or AMD Vi IOMMU

**Security benefits**: An IOMMU can enhance system resiliency against memory attacks. For more information, see [ACPI description tables](https://msdn.microsoft.com/windows/hardware/drivers/bringup/acpi-system-description-tables). | | Firmware: **Securing Boot Configuration and Management** | **Requirements**:
- BIOS password or stronger authentication must be supported.
- In the BIOS configuration, BIOS authentication must be set.
- There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
- In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.

**Security benefits**:
- BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.
- Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. | @@ -84,12 +81,12 @@ The following tables describes additional hardware and firmware requirements, an
-### 2016 Additional Qualification Requirements for Credential Guard (starting with Windows 10, version 1607, and Windows Server 2016) +### 2016 Additional Security Recommendations (starting with Windows 10, version 1607, and Windows Server 2016) > [!IMPORTANT] > The following tables list requirements for improved security, beyond the level of protection described in the preceding tables. You can use Credential Guard with hardware, firmware, and software that do not support the following protections for improved security. As your systems meet more requirements, more protections become available to them. -| Protections for Improved Security - requirement | Description | +| Protections for Improved Security | Description | |---------------------------------------------|----------------------------------------------------| | Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:
Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)
- The Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332(v=vs.85).aspx).

**Security benefits**:
- Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
- HSTI provides additional security assurance for correctly secured silicon and platform. | | Firmware: **Firmware Update through Windows Update** | **Requirements**: Firmware must support field updates through Windows Update and UEFI encapsulation update.

**Security benefits**: Helps ensure that firmware updates are fast, secure, and reliable. | @@ -97,9 +94,9 @@ The following tables describes additional hardware and firmware requirements, an
-### 2017 Additional Qualification Requirements for Credential Guard (starting with the next major release of Windows 10) +### 2017 Additional Security Recommendations (starting with the next major release of Windows 10) -| Protection for Improved Security - requirement | Description | +| Protection for Improved Security | Description | |---------------------------------------------|----------------------------------------------------| | Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.

**Security benefits**:
- Protects against potential vulnerabilities in UEFI runtime in functions such as Update Capsule, Set Variables, and so on, so they can't compromise VBS.
- Reduces attack surface to VBS from system firmware.
- Blocks additional security attacks against SMM. | From 3caad49c682bf76f47d95035cb1ad56980983452 Mon Sep 17 00:00:00 2001 From: GITMichiko Date: Mon, 23 Jan 2017 17:00:11 -0800 Subject: [PATCH 03/25] Update credential-guard.md Intro update --- windows/keep-secure/credential-guard.md | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 96afd50094..9490387f08 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md 
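Review bot: In the first hunk (`@@ -48,17 +48,18 @@`), the rewritten sentence "the impact hardware, firmware, and software on protections used by Credential Guard" is missing "of" ("the impact of hardware, firmware, and software on the protections used by Credential Guard"). The same hunk places `## Security considerations` at the same level as `## Requirements`, while the intro added in PATCH 01 describes security considerations as the home for the additional, non-baseline hardware and firmware options under Requirements; a `###` heading would match that intro, and PATCH 05 in this series later adds exactly that, so one of the two commits should be dropped or the series rebased. While this block is being edited, the unchanged context line "Starting in Widows 10, 1607, TPM 2.0 is required." has a typo ("Windows").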
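Review bot: In the second hunk (`@@ -70,13 +71,9 @@`) the heading becomes "2015 Additional Security Recommendations" and the table header drops "requirement", but the `[!IMPORTANT]` block directly above still says "The following tables list requirements for improved security" and the table cells still open with "**Requirement**:" / "**Requirements**:". The same mismatch remains in the 2016 hunk (`@@ -84,12 +81,12 @@`, whose own `[!IMPORTANT]` block says "list requirements for improved security") and the 2017 hunk (`@@ -97,9 +94,9 @@`). Pick one term: if these are recommendations, reword the notes and the cell labels to match; if they stay requirements, keep the original headings. The deleted line "The following tables describes additional hardware and firmware requirements, and the improved security that is available when those requirements are met." was the only lead-in for the three year tables; consider keeping a corrected version ("describe") rather than removing it.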
@@ -15,24 +15,23 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -Introduced in Windows 10 Enterprise and Windows Server 2016, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes and Kerberos Ticket Granting Tickets. +Introduced in Windows 10 Enterprise and Windows Server 2016, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets & credentials stored by applications as domain credentials. -Credential Guard offers the following features and solutions: +By enabling Credential Guard the following features and solutions are provided: -- **Hardware security** Credential Guard increases the security of derived domain credentials by taking advantage of platform security features including, Secure Boot and virtualization. -- **Virtualization-based security** Windows services that manage derived domain credentials and other secrets run in a protected environment that is isolated from the running operating system. -- **Better protection against advanced persistent threats** Securing derived domain credentials using the virtualization-based security blocks the credential theft attack techniques and tools used in many targeted attacks. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. 
While Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate Device Guard and other security strategies and architectures. -- **Manageability** You can manage Credential Guard by using Group Policy, WMI, from a command prompt, and Windows PowerShell. +- **Hardware security** NTLM, Kerberos and Credential Manager take advantage of platform security features including, Secure Boot and virtualization to protect credentials. +- **Virtualization-based security** Windows NTLM and Kerberos derived credentials and other secrets run in a protected environment that is isolated from the running operating system. +- **Better protection against advanced persistent threats** When Credential Manager domain credentials, NTLM and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate Device Guard and other security strategies and architectures. ## How it works -Credential Guard isolates secrets that previous versions of Windows stored in the Local Security Authority (LSA) by using virtualization-based security. Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Credential Guard, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using virtualization-based security and is not accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process. 
+Kerberos, NTLM and Credential manager isolates secrets that previous versions of Windows stored in the Local Security Authority (LSA) by using virtualization-based security. Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using virtualization-based security and is not accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process. For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. All of these binaries are signed with a certificate that is trusted by virtualization-based security and these signatures are validated before launching the file in the protected environment. -Credential Guard prevents NTLMv1, MS-CHAPv2, Digest, and CredSSP from using sign-on credentials. Thus, single sign-on does not work with these protocols. However, Credential guard allows these protocols to be used with prompted credentials or those saved in Credential Manager. It is strongly recommended that valuable credentials, such as the sign-on credentials, not be used with any of these protocols. If these protocols must be used by domain users, secondary credentials should be provisioned for these use cases. +When Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP cannot use the signed in credentials. Thus, single sign-on does not work with these protocols. However, applications can prompt for credentials or use credentials stored in the Windows Vault which are not protected by Credential Guard with any of these protocol. 
It is strongly recommended that valuable credentials, such as the sign-in credentials, not be used with any of these protocols. If these protocols must be used by domain or AAD users, secondary credentials should be provisioned for these use cases. -Credential Guard does not allow unconstrained Kerberos delegation or Kerberos DES encryption at all. Neither sign-on nor prompted/saved credentials may be used. +When Credential Guard is enabled, Kerberos does not allow unconstrained Kerberos delegation or DES encryption not only for signed-in credentials, but also prompted or saved credentials either. Here's a high-level overview on how the LSA is isolated by using virtualization-based security: From 517d60ea67121c67a2eccf80685f5832a5386688 Mon Sep 17 00:00:00 2001 From: GITMichiko Date: Mon, 23 Jan 2017 17:37:28 -0800 Subject: [PATCH 04/25] Update credential-guard.md application draft --- windows/keep-secure/credential-guard.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 96afd50094..289fe1ab10 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md 
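Review bot: The rewritten "Virtualization-based security" bullet says "Windows NTLM and Kerberos derived credentials and other secrets run in a protected environment"; credentials do not run, the services that handle them do, so the original wording ("Windows services that manage derived domain credentials and other secrets run in a protected environment...") should stay. The hunk also silently removes the **Manageability** bullet (Group Policy, WMI, command prompt, Windows PowerShell); if that is intentional, say so in the commit message, otherwise keep it. In "How it works", "Kerberos, NTLM and Credential manager isolates secrets" needs "isolate" and "Credential Manager", and "applications can prompt for credentials or use credentials stored in the Windows Vault which are not protected by Credential Guard with any of these protocol" reads as if nothing in Credential Manager is protected, which contradicts the new intro claim that Credential Guard protects "credentials stored by applications as domain credentials"; state which saved credentials remain usable with these protocols (and fix "protocols"). The sentence "does not allow unconstrained Kerberos delegation or DES encryption not only for signed-in credentials, but also prompted or saved credentials either" is garbled; suggest "Kerberos blocks unconstrained delegation and DES encryption for signed-in, prompted, and saved credentials alike." Finally, "AAD" is introduced without expansion (Azure Active Directory), and the "&" in "Kerberos Ticket Granting Tickets & credentials" should be "and".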
@@ -48,6 +48,24 @@ To deploy Credential Guard, the computers you are protecting must meet certain b You can deploy Credential Guard in phases, and plan these phases in relation to the computer purchases you plan for your next hardware refresh. +### Application requirements + +When Credential Guard is enabled, specific authentication capabilities are blocked, so applications which require blocked capabilities will break. Applications should be tested prior to deployment to ensure compatiblity with the reduced functionality. + +>[!WARNING] Enabling Credential Guard on Domain Controllers is not supported +> The domain controller hosts authentication services which integrate with processes isolated when Credential Guard is enabled. Credential Guard does not provide protections for the Active Directory database or the Security Accounts Manager (SAM). The credentials protected by Kerberos and NTLM when Credential Guard is enabled are also in the Active Directory database. + +Applications will break if they require: +- Kerberos DES encryption support +- Kerberos unconstrained delegation +- Extracting the Kerberos TGT +- NTLMv1 + +Applications will prompt & expose credentials to risk if they require: +- Digest authentication +- Credential delegation +- MS-CHAPv2 + The following tables provide more information about the hardware, firmware, and software required for deployment of Credential Guard. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, available in 2016, and announced as options for 2017. > [!NOTE] From 16bb7c2d600dbdeac3595e927640bd6a7044f139 Mon Sep 17 00:00:00 2001 From: GITMichiko Date: Thu, 26 Jan 2017 00:07:48 -0800 Subject: [PATCH 05/25] Update credential-guard.md Added missing Security Considerations heading and demoted subheadings to match --- windows/keep-secure/credential-guard.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) 
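Review bot: The alert `>[!WARNING] Enabling Credential Guard on Domain Controllers is not supported` puts the warning text on the `[!WARNING]` marker line, which the docs renderer does not treat as the alert body; move it to its own `> ` line (PATCH 08 in this series does that, so the two could be squashed). The warning body also mixes the support statement with a separate fact, that Credential Guard does not protect the Active Directory database or the SAM; that second point is a note, not a warning, and belongs in its own `[!NOTE]`. Also "compatiblity" is misspelled, "prompt & expose" should use "and", and once the new section is inserted the unchanged paragraph "The following tables provide more information about the hardware, firmware, and software required for deployment..." is left without a heading between the application bullets and the hardware tables.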
diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index c40e90f58a..6465993ef4 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -65,6 +65,8 @@ Applications will prompt & expose credentials to risk if they require: - Credential delegation - MS-CHAPv2 +### Security considerations + The following tables provide more information about the hardware, firmware, and software required for deployment of Credential Guard. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, available in 2016, and announced as options for 2017. > [!NOTE] @@ -72,7 +74,7 @@ The following tables provide more information about the hardware, firmware, and > If you are an OEM, see the requirements information at [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx).
> Starting in Widows 10, 1607, TPM 2.0 is required. -### Baseline protection recommendations +#### Baseline protection recommendations |Baseline Protections | Description | |---------------------------------------------|----------------------------------------------------| @@ -86,7 +88,7 @@ The following tables provide more information about the hardware, firmware, and > [!IMPORTANT] > The preceding table lists requirements for baseline protections. The following tables list requirements for improved security. You can use Credential Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security, to significantly strengthen the level of security that Credential Guard can provide. -### 2015 Additional Security Recommendations (starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4) +#### 2015 Additional Security Recommendations (starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4) | Protections for Improved Security | Description | |---------------------------------------------|----------------------------------------------------| @@ -96,7 +98,7 @@ The following tables provide more information about the hardware, firmware, and
-### 2016 Additional Security Recommendations (starting with Windows 10, version 1607, and Windows Server 2016) +#### 2016 Additional Security Recommendations (starting with Windows 10, version 1607, and Windows Server 2016) > [!IMPORTANT] > The following tables list requirements for improved security, beyond the level of protection described in the preceding tables. You can use Credential Guard with hardware, firmware, and software that do not support the following protections for improved security. As your systems meet more requirements, more protections become available to them. @@ -109,7 +111,7 @@ The following tables provide more information about the hardware, firmware, and
-### 2017 Additional Security Recommendations (starting with the next major release of Windows 10) +#### 2017 Additional Security Recommendations (starting with the next major release of Windows 10) | Protection for Improved Security | Description | |---------------------------------------------|----------------------------------------------------| From 7047eec1676376ab2ca738dbb74e30229ed0678c Mon Sep 17 00:00:00 2001 From: GITMichiko Date: Thu, 26 Jan 2017 00:23:30 -0800 Subject: [PATCH 06/25] Update credential-guard.md hardware requirements --- windows/keep-secure/credential-guard.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index c40e90f58a..12bd430f83 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md 
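Review bot: This patch adds `### Security considerations` and demotes the year headings to `####`, but PATCH 02 in the same series already added `## Security considerations` at the H2 level with those headings at `###`; the two commits are based on different parents (`96afd50094` vs. `c40e90f58a`) and will conflict on merge. Rebase so a single commit introduces the heading at the intended level. The paragraph under the new heading still reads "...hardware, firmware, and software required for deployment of Credential Guard", which is the requirements wording the series is moving away from; the PATCH 02 phrasing ("the impact of hardware, firmware, and software on protections used by Credential Guard") fits a Security considerations heading better.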
@@ -45,7 +45,15 @@ For Credential Guard to provide protections, the computers you are protecting mu To deploy Credential Guard, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements. Beyond that, computers can meet additional hardware and firmware requirements, and receive additional protection—those computers will be more hardened against certain threats. -You can deploy Credential Guard in phases, and plan these phases in relation to the computer purchases you plan for your next hardware refresh. +To provide basic protection against OS level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Credential Manager uses: +- Support for Virtualization-based security (required) +- TPM 2.0 either discrete or firmware (preferred - provides binding to hardware) +- UEFI lock (preferred - prevents attacker from disabling with a simple registry key change) + +The Virtualization-based security requires: +- 64 bit CPU +- CPU virtualization extensions plu extended page tables +- Windows hypervisor ### Application requirements From ddf059038ad12ec80c785700770bc187ca02568d Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Mon, 30 Jan 2017 18:21:41 -0800 Subject: [PATCH 07/25] Waas-Delivery-optimization - added content added online requirement. Added to simple mode in order to better explain it. --- windows/manage/waas-delivery-optimization.md | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/windows/manage/waas-delivery-optimization.md b/windows/manage/waas-delivery-optimization.md index 9b3dc0a522..243665903d 100644 --- a/windows/manage/waas-delivery-optimization.md +++ b/windows/manage/waas-delivery-optimization.md 
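Review bot: "Credential Manager uses:" should be "Credential Guard uses:"; the bulleted list (VBS, TPM 2.0, UEFI lock) is what Credential Guard relies on, and Credential Manager is already named in the same sentence as one of the things being protected. Listing TPM 2.0 as "preferred" conflicts with the `[!NOTE]` a few lines below that states "Starting in Widows 10, 1607, TPM 2.0 is required"; say which applies (for example, required from version 1607, optional earlier) or align the two. "plu" is a typo for "plus". The hunk also deletes "You can deploy Credential Guard in phases, and plan these phases in relation to the computer purchases you plan for your next hardware refresh." without replacing that guidance; if phased deployment advice is meant to survive, keep the sentence. The UEFI lock bullet should also say what is locked (the enablement setting) so "prevents attacker from disabling with a simple registry key change" has a referent.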
@@ -19,6 +19,10 @@ localizationpriority: high Delivery Optimization is a self-organizing distributed cache solution for businesses looking to reduce bandwidth consumption for operating system updates, operating system upgrades, and applications by allowing clients to download those elements from alternate sources (such as other peers on the network) in addition to the traditional Internet-based Windows Update servers. You can use Delivery Optimization in conjunction with stand-alone Windows Update, Windows Server Update Services (WSUS), and Windows Update for Business. This functionality is similar to BranchCache in other systems, such as System Center Configuration Manager. +Delivery Optimization is a cloud managed solution. Having access to the Delivery Optimization cloud services, is a requirement for it to be enabled. This mean that in order to utilize Delivery Optimization, machines need to have access to the internet. + +For more details, see [Download mode](#download-mode). + >[!NOTE] >WSUS can also use [BranchCache](waas-branchcache.md) for content sharing and caching. If Delivery Optimization is enabled on devices that use BranchCache, Delivery Optimization will be used instead. 
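Review bot: The new paragraph says access to the Delivery Optimization cloud services "is a requirement for it to be enabled" and that "machines need to have access to the internet", but the download-mode table below documents Simple (99) as the mode "for offline environments" that Delivery Optimization "switches to ... automatically when the Delivery Optimization cloud services are unavailable or unreachable". Qualify the requirement: cloud access is needed for the peer-enabled modes (0 through 3), while Simple (99) and Bypass (100) work without it. Grammar: drop the comma in "cloud services, is a requirement" and change "This mean that" to "This means that".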
@@ -33,17 +37,19 @@ You can use Group Policy or an MDM solution like Intune to configure Delivery Op Several Delivery Optimization features are configurable. + + ### Download mode (DODownloadMode) Download mode dictates which download sources clients are allowed to use when downloading Windows updates in addition to Windows Update servers. The following table shows the available download mode options and what they do. | Download mode option | Functionality when set | | --- | --- | -| HTTP Only (0) | This setting disables peer content sharing but still allows Delivery Optimization to download content from Windows Update servers or WSUS servers. | +| HTTP Only (0) | This setting disables peer content sharing but still allows Delivery Optimization to download content from Windows Update servers or WSUS servers. This mode uses metadata provided by the Delivery Optimization cloud services for a more consistent plain download experience. | | LAN (1 – Default) | This default operating mode for Delivery Optimization enables peer sharing on the same network. | | Group (2) | When group mode is set, the group is automatically selected based on the device’s Active Directory Domain Services (AD DS) site (Windows 10, version 1607) or the domain the device is authenticated to (Windows 10, version 1511). In group mode, peering occurs across internal subnets, between devices that belong to the same group, including devices in remote offices. You can use the GroupID option to create your own custom group independently of domains and AD DS sites. Group download mode is the recommended option for most organizations looking to achieve the best bandwidth optimization with Delivery Optimization. | | Internet (3) | Enable Internet peer sources for Delivery Optimization. | -| Simple (99) | Simple mode disables the use of Delivery Optimization cloud services completely (for offline environments). 
Delivery Optimization switches to this mode automatically when the Delivery Optimization cloud services are unavailable or unreachable. | +| Simple (99) | Simple mode disables the use of Delivery Optimization cloud services completely (for offline environments). Delivery Optimization switches to this mode automatically when the Delivery Optimization cloud services are unavailable or unreachable. In this mode, Delivery Optimization provides a modern download manager experience, with little optimization and no peer content sharing. | |Bypass (100) | Bypass Delivery Optimization and use BITS, instead. For example, select this mode so that clients can use BranchCache. | >[!NOTE] From 4d4784d6ae4da38cd83d5c8db7a70d5c96740720 Mon Sep 17 00:00:00 2001 From: GITMichiko Date: Tue, 31 Jan 2017 13:20:13 -0800 Subject: [PATCH 08/25] Update credential-guard.md refined app stuff. typo in HW --- windows/keep-secure/credential-guard.md | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index a0911b6720..9ce9b9cbaa 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md 
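Review bot: The hunk inserts two empty `+` lines before `### Download mode (DODownloadMode)`, leaving three blank lines in a row; drop them. In the HTTP Only (0) row, "uses metadata provided by the Delivery Optimization cloud services for a more consistent plain download experience" does not say what the metadata is used for in a non-peer download; either state it or cut the phrase. In the Simple (99) row, "with little optimization" is vague next to "no peer content sharing", which is the concrete fact; consider keeping only the latter.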
@@ -52,15 +52,19 @@ To provide basic protection against OS level attempts to read Credential Manager The Virtualization-based security requires: - 64 bit CPU -- CPU virtualization extensions plu extended page tables +- CPU virtualization extensions plus extended page tables - Windows hypervisor ### Application requirements When Credential Guard is enabled, specific authentication capabilities are blocked, so applications which require blocked capabilities will break. Applications should be tested prior to deployment to ensure compatiblity with the reduced functionality. ->[!WARNING] Enabling Credential Guard on Domain Controllers is not supported -> The domain controller hosts authentication services which integrate with processes isolated when Credential Guard is enabled. Credential Guard does not provide protections for the Active Directory database or the Security Accounts Manager (SAM). The credentials protected by Kerberos and NTLM when Credential Guard is enabled are also in the Active Directory database. +>[!WARNING] +> Enabling Credential Guard on Domain Controllers is not supported
+> The domain controller hosts authentication services which integrate with processes isolated when Credential Guard is enabled causing crashes. + +>[!NOTE] +> Credential Guard does not provide protections for the Active Directory database or the Security Accounts Manager (SAM). The credentials protected by Kerberos and NTLM when Credential Guard is enabled are also in the Active Directory database (on domain controllers) and the SAM (for local accounts). Applications will break if they require: - Kerberos DES encryption support @@ -73,6 +77,8 @@ Applications will prompt & expose credentials to risk if they require: - Credential delegation - MS-CHAPv2 +Applications may cause performance issues when they attempt to hook the isolated Credential Guard process. + ### Security considerations The following tables provide more information about the hardware, firmware, and software required for deployment of Credential Guard. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, available in 2016, and announced as options for 2017. From 8533fa6bac53f91df75629c12787009f6c9ea471 Mon Sep 17 00:00:00 2001 From: rikot Date: Wed, 1 Feb 2017 11:17:57 -0500 Subject: [PATCH 09/25] Update manage-windows-updates-for-surface-hub.md --- .../manage-windows-updates-for-surface-hub.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/devices/surface-hub/manage-windows-updates-for-surface-hub.md b/devices/surface-hub/manage-windows-updates-for-surface-hub.md index 40fdda11b1..35787fbff1 100644 --- a/devices/surface-hub/manage-windows-updates-for-surface-hub.md +++ b/devices/surface-hub/manage-windows-updates-for-surface-hub.md 
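Review bot: In the first hunk, the split `[!WARNING]` fixes the alert syntax, but the body "The domain controller hosts authentication services which integrate with processes isolated when Credential Guard is enabled causing crashes." needs a comma before "causing" (or "...enabled, which causes crashes"), and the unchanged context line above still misspells "compatiblity". The new `[!NOTE]` is an improvement; the parenthetical "(for local accounts)" is easy to miss, so consider stating plainly that local-account credentials in the SAM are not protected on any machine. In the second hunk, "attempt to hook the isolated Credential Guard process" should use the same term as "How it works" (the isolated LSA process) so readers can connect the two.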
@@ -57,6 +57,7 @@ Surface Hubs, like all Windows 10 devices, include **Windows Update for Business 2. [Configure when Surface Hub receives updates](#configure-when-surface-hub-receives-updates). > [!NOTE] + > You can use Microsoft Intune, System Center Configuration Manager, or a supported third-party MDM provider to set up WUfB. [Walkthrough: use Microsoft Intune to configure Windows Update for Business.](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-wufb-intune) @@ -75,7 +76,7 @@ This table gives examples of deployment rings. ### Configure Surface Hub to use Current Branch or Current Branch for Business By default, Surface Hubs are configured to receive updates from Current Branch (CB). CB receives feature updates as soon as they are released by Microsoft. Current Branch for Business (CBB), on the other hand, receives feature updates at least four months after they have been initially offered to CB devices, and includes all of the quality updates that have been released in the interim. For more information on the differences between CB and CBB, see [Servicing branches](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-overview#servicing-branches). - +* **To manually configure Surface Hub to use CB or CBB:** 1. Open **Settings** > **Update & Security** > **Windows Update**, and then select **Advanced Options**. 2. Select **Defer feature updates**. 
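Review bot: in hunk @@ -57,6 +57,7 @@ the inserted line appears to be a blank line between `> [!NOTE]` and `> You can use Microsoft Intune...`; a blank line without a leading `>` ends the blockquote, so the alert renders as an empty [!NOTE] followed by a separate quote. If a spacer is wanted it must be `>` on its own line.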
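Review bot: hunk @@ -75,7 +76,7 @@ replaces the blank line before **To manually configure Surface Hub to use CB or CBB:** with `* `, turning the bold lead-in into a one-item bullet list that is then followed by a separate numbered list; the original blank line rendered correctly. Revert the `*` (PATCH 22 does this later in the series).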
@@ -104,6 +105,13 @@ You can connect Surface Hub to your Windows Server Update Services (WSUS) server To connect Surface Hub to a WSUS server using MDM, set an appropriate [Update/UpdateServiceUrl](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_UpdateServiceUrl) policy. +**If you use a proxy server or other method to block URLs** +If you use a method other than WSUS to block specific URLs and prevent updates, you will need to add the following Windows update trusted site URLs to the “allow list”: +- http(s)://*.update.microsoft.com +- http://download.windowsupdate.com +- http://windowsupdate.microsoft.com + +Once the Windows 10 Team Anniversary Update is installed, you can remove these addresses to return your Surface Hub to its previous state. ## Maintenance window From c14355694243578c6aa74a7cc1f5b748c42df2e9 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 1 Feb 2017 14:12:08 -0800 Subject: [PATCH 10/25] Update credential-guard.md --- windows/keep-secure/credential-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 9ce9b9cbaa..8e9f872d0d 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md 
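Review bot: the allow-list entries added in hunk @@ -104,6 +105,13 @@ need tightening before an administrator can use them: `http(s)://*.update.microsoft.com` is not a URL pattern a proxy rule accepts, so list `http://*.update.microsoft.com` and `https://*.update.microsoft.com` separately, and the bare `*` will be parsed as Markdown emphasis unless escaped or placed in a code span. The closing sentence, "you can remove these addresses to return your Surface Hub to its previous state", should say plainly that removing them blocks later updates again so the reader sees the trade-off. The bold "If you use a proxy server or other method to block URLs" line is acting as a heading; a `####` heading matches the file's existing style and gets an anchor.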
@@ -15,7 +15,7 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -Introduced in Windows 10 Enterprise and Windows Server 2016, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets & credentials stored by applications as domain credentials. +Introduced in Windows 10 Enterprise and Windows Server 2016, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials. By enabling Credential Guard the following features and solutions are provided: From a434950159b77a227e381776dce8332c73f26678 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 1 Feb 2017 14:12:58 -0800 Subject: [PATCH 11/25] Update credential-guard.md --- windows/keep-secure/credential-guard.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 8e9f872d0d..6b213c523b 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -1,4 +1,4 @@ ---- +,--- title: Protect derived domain credentials with Credential Guard (Windows 10) description: Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. ms.assetid: 4F1FE390-A166-4A24-8530-EA3369FEB4B1 
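Review bot: hunk @@ -1,4 +1,4 @@ in PATCH 11 changes the YAML front-matter opener from `---` to `,---`; nothing in the subject ("Update credential-guard.md") suggests this was intended, and a malformed opening delimiter makes the build treat the metadata block (title, description, ms.assetid) as body text. Remove the comma before merging.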
@@ -17,7 +17,7 @@ author: brianlic-msft Introduced in Windows 10 Enterprise and Windows Server 2016, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials. -By enabling Credential Guard the following features and solutions are provided: +By enabling Credential Guard, the following features and solutions are provided: - **Hardware security** NTLM, Kerberos and Credential Manager take advantage of platform security features including, Secure Boot and virtualization to protect credentials. - **Virtualization-based security** Windows NTLM and Kerberos derived credentials and other secrets run in a protected environment that is isolated from the running operating system. From 187186da696b467c09899dcabd0c2ac442bc3cca Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 1 Feb 2017 14:16:01 -0800 Subject: [PATCH 12/25] Update credential-guard.md --- windows/keep-secure/credential-guard.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 6b213c523b..62de1f7545 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -1,4 +1,4 @@ -,--- +,,--- title: Protect derived domain credentials with Credential Guard (Windows 10) description: Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. ms.assetid: 4F1FE390-A166-4A24-8530-EA3369FEB4B1 
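Review bot: hunk @@ -1,4 +1,4 @@ in PATCH 12 adds a second stray comma (`,,---`) to the front-matter line instead of reverting the one introduced in PATCH 11; the delimiter must be exactly `---`. The @@ -17,7 +17,7 @@ comma fix in PATCH 11 is fine.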
@@ -19,13 +19,13 @@ Introduced in Windows 10 Enterprise and Windows Server 2016, Credential Guard u By enabling Credential Guard, the following features and solutions are provided: -- **Hardware security** NTLM, Kerberos and Credential Manager take advantage of platform security features including, Secure Boot and virtualization to protect credentials. +- **Hardware security** NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to protect credentials. - **Virtualization-based security** Windows NTLM and Kerberos derived credentials and other secrets run in a protected environment that is isolated from the running operating system. -- **Better protection against advanced persistent threats** When Credential Manager domain credentials, NTLM and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate Device Guard and other security strategies and architectures. +- **Better protection against advanced persistent threats** When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. 
While Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate Device Guard and other security strategies and architectures. ## How it works -Kerberos, NTLM and Credential manager isolates secrets that previous versions of Windows stored in the Local Security Authority (LSA) by using virtualization-based security. Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using virtualization-based security and is not accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process. +Kerberos, NTLM, and Credential manager isolate secrets that previous versions of Windows stored in the Local Security Authority (LSA) by using virtualization-based security. Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using virtualization-based security and is not accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process. For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. All of these binaries are signed with a certificate that is trusted by virtualization-based security and these signatures are validated before launching the file in the protected environment. 
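Review bot: in hunk @@ -19,13 +19,13 @@ the rewritten "How it works" line keeps "Credential manager" with a lowercase m while the bullet list in the same hunk uses "Credential Manager"; make the component name consistent. The sentence also attributes the isolation to the protocols ("Kerberos, NTLM, and Credential manager isolate secrets ... by using virtualization-based security"), whereas the following sentences explain that the isolated LSA process does the isolating; suggest "With Credential Guard, the secrets that Kerberos, NTLM, and Credential Manager use are isolated by using virtualization-based security."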
From 5bea22adff182a0bd2eb03023e07ca3ebb21e72c Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 1 Feb 2017 14:20:06 -0800 Subject: [PATCH 13/25] Update credential-guard.md --- windows/keep-secure/credential-guard.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 62de1f7545..46faf54f4b 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -1,4 +1,4 @@ -,,--- +s,,--- title: Protect derived domain credentials with Credential Guard (Windows 10) description: Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. ms.assetid: 4F1FE390-A166-4A24-8530-EA3369FEB4B1 
@@ -29,9 +29,9 @@ Kerberos, NTLM, and Credential manager isolate secrets that previous versions of For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. All of these binaries are signed with a certificate that is trusted by virtualization-based security and these signatures are validated before launching the file in the protected environment. -When Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP cannot use the signed in credentials. Thus, single sign-on does not work with these protocols. However, applications can prompt for credentials or use credentials stored in the Windows Vault which are not protected by Credential Guard with any of these protocol. It is strongly recommended that valuable credentials, such as the sign-in credentials, not be used with any of these protocols. If these protocols must be used by domain or AAD users, secondary credentials should be provisioned for these use cases. +When Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP cannot use the signed-in credentials. Thus, single sign-on does not work with these protocols. However, applications can prompt for credentials or use credentials stored in the Windows Vault which are not protected by Credential Guard with any of these protocol. It is strongly recommended that valuable credentials, such as the sign-in credentials, not be used with any of these protocols. If these protocols must be used by domain or Azure AD users, secondary credentials should be provisioned for these use cases. -When Credential Guard is enabled, Kerberos does not allow unconstrained Kerberos delegation or DES encryption not only for signed-in credentials, but also prompted or saved credentials either. 
+When Credential Guard is enabled, Kerberos does not allow unconstrained Kerberos delegation or DES encryption, not only for signed-in credentials, but also prompted or saved credentials. Here's a high-level overview on how the LSA is isolated by using virtualization-based security: From 617ac9f95c57f4b3cb2a5876a10e6edfa3ad9331 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 1 Feb 2017 14:28:34 -0800 Subject: [PATCH 14/25] Update credential-guard.md --- windows/keep-secure/credential-guard.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 46faf54f4b..05e8cf4958 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -1,4 +1,4 @@ -s,,--- +[s,,--- title: Protect derived domain credentials with Credential Guard (Windows 10) description: Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. ms.assetid: 4F1FE390-A166-4A24-8530-EA3369FEB4B1 
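Review bot: the first changed line in hunk @@ -29,9 +29,9 @@ still reads "with any of these protocol" (should be "protocols"), and "credentials stored in the Windows Vault which are not protected by Credential Guard" leaves it unclear whether "which" refers to the Vault or to the credentials; suggest "or use credentials stored in the Windows Vault, which Credential Guard does not protect, with any of these protocols." The "Azure AD" expansion and the comma fixes in the second changed line are good.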
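Review bot: hunk @@ -1,4 +1,4 @@ in PATCH 14 leaves the front-matter delimiter as `[s,,---`, the fourth consecutive patch (11 through 14) that prepends a stray character to this line; none of the later credential-guard.md patches in this series (16, 17) touch line 1, so the file ships with a broken metadata block unless a fix-up is added. Revert line 1 to `---`.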
@@ -39,7 +39,7 @@ Here's a high-level overview on how the LSA is isolated by using virtualization- ## Requirements -For Credential Guard to provide protections, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements which we will refer to as "Hardware and software requirements". Additionally Credential Guard blocks specific authentication capabilities, so applications which require blocked capabilities will break. We will refer to this as "Application requirements". Beyond that, computers can meet additional hardware and firmware requirements, and receive additional protection—those computers will be more hardened against certain threats. To keep this section brief, those will be in Security Considerations. +For Credential Guard to provide protections, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally Credential Guard blocks specific authentication capabilities, so applications which require blocked capabilities will break. We will refer to this as [Application requirements](#application-requirements). Beyond that, computers can meet additional hardware and firmware requirements, and receive additional protection—those computers will be more hardened against certain threats. To keep this section brief, those will be in [Security Considerations](#security-considerations). ### Hardware and software requirements From 39e194229e9baa926617b1c703163eee87664f5c Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Wed, 1 Feb 2017 14:49:46 -0800 Subject: [PATCH 15/25] Waas-configure-wufb - fixed reg values DeferQualityUpdatesPeriod \ DeferFeatureUpdatesPeriod + inDays to both notified of issue by B Dolan --- windows/manage/waas-configure-wufb.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
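Review bot: the anchors added in hunk @@ -39,7 +39,7 @@ rely on unique heading text. PATCH 02 added `## Security considerations` and the PATCH 08 hunk shows a `### Security considerations` heading further down; if both remain, the second heading's generated anchor becomes `#security-considerations-1` and `[Security Considerations](#security-considerations)` lands on the wrong section. Confirm only one heading with that text survives, and match the link text's capitalization to the heading.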
diff --git a/windows/manage/waas-configure-wufb.md b/windows/manage/waas-configure-wufb.md index 9626d2e24f..fcb36d20f6 100644 --- a/windows/manage/waas-configure-wufb.md +++ b/windows/manage/waas-configure-wufb.md @@ -182,9 +182,9 @@ Below are quick-reference tables of the supported Windows Update for Business po | MDM Key | Key type | Value | | --- | --- | --- | | BranchReadinessLevel | REG_DWORD | 16: systems take Feature Updates for the Current Branch (CB)
32: systems take Feature Updates for the Current Branch for Business (CBB)
Note: Other value or absent: receive all applicable updates (CB) | -| DeferQualityUpdatesPeriod | REG_DWORD | 0-30: defer quality updates by given days | +| DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-30: defer quality updates by given days | | PauseQualityUpdates | REG_DWORD | 1: pause quality updates
Other value or absent: don’t pause quality updates | -| DeferFeatureUpdatesPeriod | REG_DWORD | 0-180: defer feature updates by given days | +| DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-180: defer feature updates by given days | | PauseFeatureUpdates | REG_DWORD | 1: pause feature updates
Other value or absent: don’t pause feature updates | | ExcludeWUDriversinQualityUpdate | REG_DWORD | 1: exclude Windows Update drivers
Other value or absent: offer Windows Update drivers | From c44f69aa8eaf3601e79c361e6467ec8a126fd33e Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 1 Feb 2017 14:57:15 -0800 Subject: [PATCH 16/25] Update credential-guard.md --- windows/keep-secure/credential-guard.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 05e8cf4958..83458e51f1 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -19,7 +19,7 @@ Introduced in Windows 10 Enterprise and Windows Server 2016, Credential Guard u By enabling Credential Guard, the following features and solutions are provided: -- **Hardware security** NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to protect credentials. + **Hardware security** NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to protect credentials. - **Virtualization-based security** Windows NTLM and Kerberos derived credentials and other secrets run in a protected environment that is isolated from the running operating system. - **Better protection against advanced persistent threats** When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate Device Guard and other security strategies and architectures. 
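Review bot: the renamed keys in hunk @@ -182,9 +182,9 @@ use `inDays` with a lowercase i; the Policy CSP documents these as `Update/DeferQualityUpdatesPeriodInDays` and `Update/DeferFeatureUpdatesPeriodInDays` (capital I), so confirm the casing against the CSP reference before merging, because administrators copy these names verbatim into MDM profiles. The unchanged `ExcludeWUDriversinQualityUpdate` row has the same lowercase "in" and should be checked at the same time, and the column header "Key type REG_DWORD" is registry terminology for what the table calls an MDM key.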
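Review bot: hunk @@ -19,7 +19,7 @@ in PATCH 16 deletes the leading `- ` from the **Hardware security** item and changes nothing else, so that line drops out of the bullet list and renders as an indented paragraph while the two items below stay bullets. Restore the `- `; PATCH 17 later prefixes the third bullet with `,-`, so this list is broken twice in the series.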
@@ -60,7 +60,7 @@ The Virtualization-based security requires: When Credential Guard is enabled, specific authentication capabilities are blocked, so applications which require blocked capabilities will break. Applications should be tested prior to deployment to ensure compatiblity with the reduced functionality. >[!WARNING] -> Enabling Credential Guard on Domain Controllers is not supported
+> Enabling Credential Guard on domain controllers is not supported
> The domain controller hosts authentication services which integrate with processes isolated when Credential Guard is enabled causing crashes. >[!NOTE] @@ -100,7 +100,7 @@ The following tables provide more information about the hardware, firmware, and | Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT

Important:
Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.


**Security benefits**: Support for VBS and for management features that simplify configuration of Credential Guard. | > [!IMPORTANT] -> The preceding table lists requirements for baseline protections. The following tables list requirements for improved security. You can use Credential Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security, to significantly strengthen the level of security that Credential Guard can provide. +> The preceding table lists requirements for baseline protections. The following tables list requirements for improved security. You can use Credential Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security to significantly strengthen the level of security that Credential Guard can provide. #### 2015 Additional Security Recommendations (starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4) From fd00479513e7d2ad9e033e346f015d7e5f57fd12 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 1 Feb 2017 15:00:29 -0800 Subject: [PATCH 17/25] Update credential-guard.md --- windows/keep-secure/credential-guard.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 83458e51f1..37f0fd9b7f 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md 
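Review bot: the changed line in hunk @@ -100,7 +100,7 @@ only removes a comma, which is fine; while here, the unchanged context cell says "Windows 2016 Server" where the rest of the article uses "Windows Server 2016", and its bold "Important:" note (a Windows Server 2016 domain controller does not support Credential Guard) duplicates the [!WARNING] in the Application requirements section with different wording ("not supported" versus "causing crashes"). Pick one phrasing and use it in both places.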
@@ -21,7 +21,7 @@ By enabling Credential Guard, the following features and solutions are provided: **Hardware security** NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to protect credentials. - **Virtualization-based security** Windows NTLM and Kerberos derived credentials and other secrets run in a protected environment that is isolated from the running operating system. -- **Better protection against advanced persistent threats** When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate Device Guard and other security strategies and architectures. +,- **Better protection against advanced persistent threats** When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate Device Guard and other security strategies and architectures. ## How it works @@ -61,7 +61,7 @@ When Credential Guard is enabled, specific authentication capabilities are block >[!WARNING] > Enabling Credential Guard on domain controllers is not supported
-> The domain controller hosts authentication services which integrate with processes isolated when Credential Guard is enabled causing crashes. +> The domain controller hosts authentication services which integrate with processes isolated when Credential Guard is enabled, causing crashes. >[!NOTE] > Credential Guard does not provide protections for the Active Directory database or the Security Accounts Manager (SAM). The credentials protected by Kerberos and NTLM when Credential Guard is enabled are also in the Active Directory database (on domain controllers) and the SAM (for local accounts). From 0161a423f34d67c4e9f744c81377671ae3434a17 Mon Sep 17 00:00:00 2001 From: Justinha Date: Wed, 1 Feb 2017 15:40:37 -0800 Subject: [PATCH 18/25] removed credential delegation from remote desktop table heading --- windows/keep-secure/remote-credential-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/remote-credential-guard.md b/windows/keep-secure/remote-credential-guard.md index a8f2f46557..0ae8111073 100644 --- a/windows/keep-secure/remote-credential-guard.md +++ b/windows/keep-secure/remote-credential-guard.md 
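Review bot: hunk @@ -21,7 +21,7 @@ in PATCH 17 prefixes the **Better protection against advanced persistent threats** bullet with `,-` and makes no other change, another stray keystroke that breaks the list item; revert it. The comma added in hunk @@ -61,7 +61,7 @@ is fine, but the [!WARNING] still needs a period or a bare `>` line after "not supported" so the two lines do not merge into one paragraph.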
@@ -34,7 +34,7 @@ Use the following table to compare different security options for Remote Desktop > [!NOTE] > This table compares different options than are shown in the previous diagram. -| Remote Desktop with Credential Delegation | Remote Credential Guard | Restricted Admin mode | +| Remote Desktop | Remote Credential Guard | Restricted Admin mode | |---|---|---| | Protection: Provides **less protection** than other modes in this table. | Protection: Provides **moderate protection**, compared to other modes in this table. | Protection: Provides **the most protection** of the modes in this table. However, it also requires you to be in the local “Administrators” group on the remote computer. | | Version support: The remote computer can be running **any operating system that supports credential delegation**, which was introduced in Windows Vista. | Version support: The remote computer must be running **at least Windows 10, version 1607, or Windows Server 2016**. | Version support: The remote computer must be running **at least patched Windows 7 or patched Windows Server 2008 R2**.

For more information about patches (software updates) related to Restricted Admin mode, see [Microsoft Security Advisory 2871997](https://technet.microsoft.com/library/security/2871997.aspx). | From 6b319d25bacc26654418b846d7d700832efe9b3d Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Wed, 1 Feb 2017 17:36:28 -0800 Subject: [PATCH 19/25] Waas-servicing-branches - add section - remove WU --- .../manage/waas-servicing-branches-windows-10-updates.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/windows/manage/waas-servicing-branches-windows-10-updates.md b/windows/manage/waas-servicing-branches-windows-10-updates.md index f42352f643..b514878ffe 100644 --- a/windows/manage/waas-servicing-branches-windows-10-updates.md +++ b/windows/manage/waas-servicing-branches-windows-10-updates.md @@ -190,6 +190,13 @@ or [Manage Windows 10 updates using System Center Configuration Manager](waas-ma
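Review bot: dropping "with Credential Delegation" from the column heading in hunk @@ -34,7 +34,7 @@ removes the only place the table says which Remote Desktop mode the first column describes; the version-support row still refers to "any operating system that supports credential delegation" and the protection row says this mode "provides less protection", which only makes sense once the reader knows that plain Remote Desktop delegates the user's credentials to the remote host. Suggest "Remote Desktop (default; credential delegation)" or a sentence above the table saying that "Remote Desktop" means the default delegation mode.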
+## Block user access to Windows Update Settings + +In Windows 10, administrators can control user access to Windows Update. +By enabling the Group Policy setting under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Remove access to use all Windows update features**, administrators can disable the "Check for updates" option for users. Any background update scans, downloads and installations will continue to work as configured. + +>[!NOTE] +> In Windows 10, any Group Policy user configuration settings for Windows Update were deprecate and are no longer supported on this platform. ## Related topics From d2f76e58eba86de11ac894434bedfbc311842d01 Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Wed, 1 Feb 2017 17:47:51 -0800 Subject: [PATCH 20/25] fixed typo --- windows/manage/waas-servicing-branches-windows-10-updates.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/manage/waas-servicing-branches-windows-10-updates.md b/windows/manage/waas-servicing-branches-windows-10-updates.md index b514878ffe..bf763d2b49 100644 --- a/windows/manage/waas-servicing-branches-windows-10-updates.md +++ b/windows/manage/waas-servicing-branches-windows-10-updates.md @@ -190,7 +190,7 @@ or [Manage Windows 10 updates using System Center Configuration Manager](waas-ma
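Review bot: the [!NOTE] added in hunk @@ -190,6 +190,13 @@ has a typo ("were deprecate" should be "were deprecated"), and "Any background update scans, downloads and installations will continue to work as configured" is the important operational point (removing the UI does not stop patching), so it deserves to lead the paragraph rather than trail it. The policy path writes "Windows update" twice; the Group Policy node is "Windows Update", so check the casing against the ADMX text.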
-## Block user access to Windows Update Settings +## Block user access to Windows Update settings In Windows 10, administrators can control user access to Windows Update. By enabling the Group Policy setting under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Remove access to use all Windows update features**, administrators can disable the "Check for updates" option for users. Any background update scans, downloads and installations will continue to work as configured. From 97fa0782ba1244039f2b8aebca2888d5ee747de1 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Thu, 2 Feb 2017 07:10:58 -0800 Subject: [PATCH 21/25] fix format --- devices/surface-hub/manage-windows-updates-for-surface-hub.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/surface-hub/manage-windows-updates-for-surface-hub.md b/devices/surface-hub/manage-windows-updates-for-surface-hub.md index 35787fbff1..b2e70af5d6 100644 --- a/devices/surface-hub/manage-windows-updates-for-surface-hub.md +++ b/devices/surface-hub/manage-windows-updates-for-surface-hub.md @@ -107,7 +107,7 @@ To connect Surface Hub to a WSUS server using MDM, set an appropriate [Update/Up **If you use a proxy server or other method to block URLs** If you use a method other than WSUS to block specific URLs and prevent updates, you will need to add the following Windows update trusted site URLs to the “allow list”: -- http(s)://*.update.microsoft.com +- http(s)://\*.update.microsoft.com - http://download.windowsupdate.com - http://windowsupdate.microsoft.com From b7c16542943af08bed734aa473975147ebd37c60 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Thu, 2 Feb 2017 07:27:21 -0800 Subject: [PATCH 22/25] URLs --- .../surface-hub/manage-windows-updates-for-surface-hub.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
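Review bot: hunk @@ -190,7 +190,7 @@ in PATCH 20 only lowercases "settings" in the heading; the "deprecate" typo in the [!NOTE] introduced in PATCH 19 is still present despite the "fixed typo" subject line.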
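Review bot: escaping the asterisk as `\*` in hunk @@ -107,7 +107,7 @@ of PATCH 21 is the correct fix for Markdown emphasis in a plain list item, but the `http(s)://` pseudo-scheme remains and should be split into separate `http://` and `https://` entries so the list can be pasted into a proxy allow list.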
diff --git a/devices/surface-hub/manage-windows-updates-for-surface-hub.md b/devices/surface-hub/manage-windows-updates-for-surface-hub.md index b2e70af5d6..d4cb3d614d 100644 --- a/devices/surface-hub/manage-windows-updates-for-surface-hub.md +++ b/devices/surface-hub/manage-windows-updates-for-surface-hub.md @@ -76,7 +76,7 @@ This table gives examples of deployment rings. ### Configure Surface Hub to use Current Branch or Current Branch for Business By default, Surface Hubs are configured to receive updates from Current Branch (CB). CB receives feature updates as soon as they are released by Microsoft. Current Branch for Business (CBB), on the other hand, receives feature updates at least four months after they have been initially offered to CB devices, and includes all of the quality updates that have been released in the interim. For more information on the differences between CB and CBB, see [Servicing branches](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-overview#servicing-branches). -* + **To manually configure Surface Hub to use CB or CBB:** 1. Open **Settings** > **Update & Security** > **Windows Update**, and then select **Advanced Options**. 2. Select **Defer feature updates**. @@ -107,9 +107,9 @@ To connect Surface Hub to a WSUS server using MDM, set an appropriate [Update/Up **If you use a proxy server or other method to block URLs** If you use a method other than WSUS to block specific URLs and prevent updates, you will need to add the following Windows update trusted site URLs to the “allow list”: -- http(s)://\*.update.microsoft.com -- http://download.windowsupdate.com -- http://windowsupdate.microsoft.com +- `http(s)://\*.update.microsoft.com` +- `http://download.windowsupdate.com` +- `http://windowsupdate.microsoft.com` Once the Windows 10 Team Anniversary Update is installed, you can remove these addresses to return your Surface Hub to its previous state. From fd50e41f55a45efa4c934090a680d920b6defe30 Mon Sep 17 00:00:00 2001 
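Review bot: in hunk @@ -107,9 +107,9 @@ the entries are moved into code spans but the escaped `\*` is kept; inside a code span the backslash is literal, so the reader sees `http(s)://\*.update.microsoft.com`. Drop the backslash when using backticks (PATCH 23 does exactly this). The @@ -76,7 +76,7 @@ hunk correctly removes the stray `*` bullet introduced in PATCH 09.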
From: jdeckerMS Date: Thu, 2 Feb 2017 08:00:34 -0800 Subject: [PATCH 23/25] format --- devices/surface-hub/manage-windows-updates-for-surface-hub.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/surface-hub/manage-windows-updates-for-surface-hub.md b/devices/surface-hub/manage-windows-updates-for-surface-hub.md index d4cb3d614d..1a5e22a17e 100644 --- a/devices/surface-hub/manage-windows-updates-for-surface-hub.md +++ b/devices/surface-hub/manage-windows-updates-for-surface-hub.md @@ -107,7 +107,7 @@ To connect Surface Hub to a WSUS server using MDM, set an appropriate [Update/Up **If you use a proxy server or other method to block URLs** If you use a method other than WSUS to block specific URLs and prevent updates, you will need to add the following Windows update trusted site URLs to the “allow list”: -- `http(s)://\*.update.microsoft.com` +- `http(s)://*.update.microsoft.com` - `http://download.windowsupdate.com` - `http://windowsupdate.microsoft.com` From 7e988cb680e3ff469bc2250899b21b22c05b6e46 Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Thu, 2 Feb 2017 10:01:20 -0800 Subject: [PATCH 24/25] waas-DO - fixed after PM review --- windows/manage/waas-delivery-optimization.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/manage/waas-delivery-optimization.md b/windows/manage/waas-delivery-optimization.md index 243665903d..b1701d80d9 100644 --- a/windows/manage/waas-delivery-optimization.md +++ b/windows/manage/waas-delivery-optimization.md 
@@ -19,7 +19,7 @@ localizationpriority: high Delivery Optimization is a self-organizing distributed cache solution for businesses looking to reduce bandwidth consumption for operating system updates, operating system upgrades, and applications by allowing clients to download those elements from alternate sources (such as other peers on the network) in addition to the traditional Internet-based Windows Update servers. You can use Delivery Optimization in conjunction with stand-alone Windows Update, Windows Server Update Services (WSUS), and Windows Update for Business. This functionality is similar to BranchCache in other systems, such as System Center Configuration Manager. -Delivery Optimization is a cloud managed solution. Having access to the Delivery Optimization cloud services, is a requirement for it to be enabled. This mean that in order to utilize Delivery Optimization, machines need to have access to the internet. +Delivery Optimization is a cloud managed solution. Having access to the Delivery Optimization cloud services, is a requirement for it to be enabled. This mean that in order to utilize the peer-to-peer functionality of Delivery Optimization, machines need to have access to the internet. For more details, see [Download mode](#download-mode). 
@@ -45,11 +45,11 @@ Download mode dictates which download sources clients are allowed to use when do | Download mode option | Functionality when set | | --- | --- | -| HTTP Only (0) | This setting disables peer content sharing but still allows Delivery Optimization to download content from Windows Update servers or WSUS servers. This mode uses metadata provided by the Delivery Optimization cloud services for a more consistent plain download experience. | +| HTTP Only (0) | This setting disables peer-to-peer caching but still allows Delivery Optimization to download content from Windows Update servers or WSUS servers. This mode uses additional metadata provided by the Delivery Optimization cloud services for a peerless reliable and efficient download experience. | | LAN (1 – Default) | This default operating mode for Delivery Optimization enables peer sharing on the same network. | | Group (2) | When group mode is set, the group is automatically selected based on the device’s Active Directory Domain Services (AD DS) site (Windows 10, version 1607) or the domain the device is authenticated to (Windows 10, version 1511). In group mode, peering occurs across internal subnets, between devices that belong to the same group, including devices in remote offices. You can use the GroupID option to create your own custom group independently of domains and AD DS sites. Group download mode is the recommended option for most organizations looking to achieve the best bandwidth optimization with Delivery Optimization. | | Internet (3) | Enable Internet peer sources for Delivery Optimization. | -| Simple (99) | Simple mode disables the use of Delivery Optimization cloud services completely (for offline environments). Delivery Optimization switches to this mode automatically when the Delivery Optimization cloud services are unavailable or unreachable. 
In this mode, Delivery Optimization provides a modern download manager experience, with little optimization and no peer content sharing. | +| Simple (99) | Simple mode disables the use of Delivery Optimization cloud services completely (for offline environments). Delivery Optimization switches to this mode automatically when the Delivery Optimization cloud services are unavailable, unreachable or when the content file size is less than 10 MB. In this mode, Delivery Optimization provides a reliable download experience, with no peer-to-peer caching. | |Bypass (100) | Bypass Delivery Optimization and use BITS, instead. For example, select this mode so that clients can use BranchCache. | >[!NOTE] From d23d739707acef1a9756c3a78ecb1a13a48d0e92 Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Thu, 2 Feb 2017 10:15:48 -0800 Subject: [PATCH 25/25] fixed type and added change of WaaS-branches to CH --- .../change-history-for-manage-and-update-windows-10.md | 8 ++++++-- .../manage/waas-servicing-branches-windows-10-updates.md | 2 +- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/windows/manage/change-history-for-manage-and-update-windows-10.md b/windows/manage/change-history-for-manage-and-update-windows-10.md index a794ec798f..837fac6dda 100644 --- a/windows/manage/change-history-for-manage-and-update-windows-10.md +++ b/windows/manage/change-history-for-manage-and-update-windows-10.md 
@@ -14,6 +14,12 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in >If you're looking for **update history** for Windows 10, see [Windows 10 and Windows Server 2016 update history](https://support.microsoft.com/help/12387/windows-10-update-history). +## February 2017 + +| New or changed topic | Description | +| --- | --- | +| [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) | Added Group Policy setting that blocks user access to Windows Update. | + ## January 2017 | New or changed topic | Description | @@ -24,8 +30,6 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in | [Quick guide to Windows as a service](waas-quick-start.md) | Added video that explains how Windows as a service works. | | [Manage device restarts after updates](waas-restart.md) | Added Registry keys for controlling restarts. | - - ## December 2016 | New or changed topic | Description | diff --git a/windows/manage/waas-servicing-branches-windows-10-updates.md b/windows/manage/waas-servicing-branches-windows-10-updates.md index bf763d2b49..7e62bcbf3a 100644 --- a/windows/manage/waas-servicing-branches-windows-10-updates.md +++ b/windows/manage/waas-servicing-branches-windows-10-updates.md 
@@ -196,7 +196,7 @@ In Windows 10, administrators can control user access to Windows Update. By enabling the Group Policy setting under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Remove access to use all Windows update features**, administrators can disable the "Check for updates" option for users. Any background update scans, downloads and installations will continue to work as configured. >[!NOTE] -> In Windows 10, any Group Policy user configuration settings for Windows Update were deprecate and are no longer supported on this platform. +> In Windows 10, any Group Policy user configuration settings for Windows Update were deprecated and are no longer supported on this platform. ## Related topics
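Review bot: In the PATCH 22 hunk for manage-windows-updates-for-surface-hub.md, the new line `+- \`http(s)://\*.update.microsoft.com\`` keeps the backslash inside a code span, where Markdown does not process escapes, so the rendered text would show a literal `\*`; drop the backslash once the wildcard sits inside backticks (PATCH 23 does exactly this, so the two commits could be squashed). Separately, `http(s)://` is shorthand that no proxy allow-list accepts as written; list `http://*.update.microsoft.com` and `https://*.update.microsoft.com` as two entries so an administrator can paste them directly.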
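Review bot: In the PATCH 24 hunk at waas-delivery-optimization.md line 22, the rewritten sentence still reads "This mean that in order to utilize..." (should be "This means that") and carries a stray comma in "cloud services, is a requirement". More substantively, the preceding sentence still states that cloud access is a requirement for Delivery Optimization to be enabled at all, while the new wording narrows the internet requirement to peer-to-peer functionality; since the Download mode table below says HTTP Only (0) also depends on cloud metadata and Simple (99) works offline, say precisely which modes need internet access rather than leaving the two sentences in tension.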
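Review bot: In the PATCH 24 table hunk, "a peerless reliable and efficient download experience" will be read as "peerless" meaning unrivalled; reword to "a reliable and efficient download experience without peers". The Simple (99) row now says Delivery Optimization switches to this mode automatically "when the content file size is less than 10 MB"; that fallback applies regardless of the configured mode, so the LAN (1) and Group (2) rows, or the note below the table, should state explicitly that content under 10 MB is never peered, otherwise readers tuning Group mode will expect sharing that will not happen.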
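Review bot: The February 2017 table added in the PATCH 25 hunk for change-history-for-manage-and-update-windows-10.md lists only the servicing-branches topic, but the same series changes waas-delivery-optimization.md (the Download mode descriptions and the new 10 MB Simple-mode threshold), which is a behaviour change readers of the change history would want to see; add an entry for that topic. The removal of the two blank lines before "## December 2016" is unrelated cleanup and is fine, but the commit message ("fixed type and added change of WaaS-branches to CH") should say "typo" and mention it.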
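Review bot: The "deprecate" to "deprecated" fix in the PATCH 25 hunk for waas-servicing-branches-windows-10-updates.md is correct, but the unchanged context line on line 196 still gives the policy path as "Windows Components\Windows update\Remove access to use all Windows update features" (and the same string appears in the earlier hunk that retitled the section to "Windows Update settings"); the Group Policy node is "Windows Update", so capitalize it consistently with the heading while this paragraph is being touched. The callout also uses `>[!NOTE]` without the space that the other callouts in this series use (`> [!NOTE]`).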