cipher /r:EFSRA
-
- Where *EFSRA* is the name of the .cer and .pfx files that you want to create.
+
+ ```cmd
+ cipher /r:EFSRA
+ ```
+
+ Where *EFSRA* is the name of the `.cer` and `.pfx` files that you want to create.
3. When prompted, type and confirm a password to help protect your new Personal Information Exchange (.pfx) file.
@@ -58,7 +60,9 @@ If you don't already have an EFS DRA certificate, you'll need to create and extr
3. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command:
- cipher /c filename
+ ```cmd
+ cipher /c filename
+ ```
Where *filename* is the name of the file you created in Step 1.
@@ -72,9 +76,11 @@ If you don't already have an EFS DRA certificate, you'll need to create and extr
3. Open a command prompt with elevated rights, navigate to the encrypted file, and then run this command:
- cipher /d encryptedfile.extension
-
- Where *encryptedfile.extension* is the name of your encrypted file. For example, corporatedata.docx.
+ ```cmd
+ cipher /d encryptedfile.extension
+ ```
+
+ Where *encryptedfile.extension* is the name of your encrypted file. For example, `corporatedata.docx`.
## Recover WIP-protected after unenrollment
@@ -84,26 +90,34 @@ It's possible that you might revoke data from an unenrolled device only to later
>To maintain control over your enterprise data, and to be able to revoke again in the future, you must only perform this process after the employee has re-enrolled the device.
1. Have the employee sign in to the unenrolled device, open an elevated command prompt, and type:
-
- Robocopy "%localappdata%\Microsoft\EDP\Recovery" "new_location" * /EFSRAW
+
+ ```cmd
+ Robocopy "%localappdata%\Microsoft\EDP\Recovery" "new_location" * /EFSRAW
+ ```
Where "*new_location*" is in a different directory. This can be on the employee's device or on a shared folder on a computer that runs Windows 8 or Windows Server 2012 or newer and can be accessed while you're logged in as a data recovery agent.
To start Robocopy in S mode, open Task Manager. Click **File** > **Run new task**, type the command, and click **Create this task with administrative privileges**.
-
+
If the employee performed a clean installation and there is no user profile, you need to recover the keys from the System Volume folder in each drive. Type:
-
- Robocopy "drive_letter:\System Volume Information\EDP\Recovery\" "new_location" * /EFSRAW
+
+ ```cmd
+ Robocopy "drive_letter:\System Volume Information\EDP\Recovery\" "new_location" * /EFSRAW
+ ```
2. Sign in to a different device with administrator credentials that have access to your organization's DRA certificate, and perform the file decryption and recovery by typing:
- cipher.exe /D "new_location"
+ ```cmd
+ cipher.exe /D "new_location"
+ ```
3. Have your employee sign in to the unenrolled device, and type:
- Robocopy "new_location" "%localappdata%\Microsoft\EDP\Recovery\Input"
+ ```cmd
+ Robocopy "new_location" "%localappdata%\Microsoft\EDP\Recovery\Input"
+ ```
4. Ask the employee to lock and unlock the device.
@@ -127,7 +141,8 @@ The employee experience is based on sign in with an Azure AD work account. The e
After signing in, the necessary WIP key info is automatically downloaded and employees are able to access the files again.
-**To test what the employee sees during the WIP key recovery process**
+### To test what the employee sees during the WIP key recovery process
+
1. Attempt to open a work file on an unenrolled device.
The **Connect to Work to access work files** box appears.
@@ -139,6 +154,7 @@ After signing in, the necessary WIP key info is automatically downloaded and emp
3. Sign-in to Azure AD as the employee and verify that the files now open
## Related topics
+
- [Security Watch Deploying EFS: Part 1](/previous-versions/technet-magazine/cc162507(v=msdn.10))
- [Protecting Data by Using EFS to Encrypt Hard Drives](/previous-versions/tn-archive/cc875821(v=technet.10))
@@ -151,4 +167,4 @@ After signing in, the necessary WIP key info is automatically downloaded and emp
>[!Note]
->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to this article](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
\ No newline at end of file
+>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to this article](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
diff --git a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
index 7d32f0a68b..3c7680cf51 100644
--- a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
@@ -17,53 +17,46 @@ ms.date: 02/26/2019
ms.reviewer:
---
-# Associate and deploy a VPN policy for Windows Information Protection (WIP) using the Azure portal for Microsoft Intune
+# Associate and deploy a VPN policy for Windows Information Protection (WIP) using Endpoint Manager
+
**Applies to:**
-- Windows 10, version 1607 and later
-- Windows 10 Mobile, version 1607 and later (except Microsoft Azure Rights Management, which is only available on the desktop)
+- Windows 10, version 1607 and later
After you've created and deployed your Windows Information Protection (WIP) policy, you can use Microsoft Intune to associate and deploy your Virtual Private Network (VPN) policy, linking it to your WIP policy.
-## Associate your WIP policy to your VPN policy by using Microsoft Intune
-Follow these steps to associate your WIP policy with your organization's existing VPN policy.
+## Associate your WIP policy to your VPN policy using Endpoint Manager
-**To associate your policies**
+To associate your WIP policy with your organization's existing VPN policy, use the following steps:
-1. Create your VPN profile. For info about how to do this, see [How to configure VPN settings in Microsoft Intune](/intune-azure/configure-devices/how-to-configure-vpn-settings) and [How to create custom VPN profiles in Microsoft Intune](/intune-azure/configure-devices/create-custom-vpn-profiles#create-a-custom-configuration).
+1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+2. Select **Devices** > **Configuration profiles** > **Create profile**.
+3. Enter the following properties:
-2. Open the Microsoft Intune mobile application management console, click **Device configuration**, and then click **Create Profile**.
+ - **Platform**: Select **Windows 10 and later**
+ - **Profile**: Select **Templates** > **Custom**.
- 
+4. Select **Create**.
+5. In **Basics**, enter the following properties:
-3. In the **Create Profile** blade, type a name for your profile, such as *Contoso_VPN_Win10*, into the **Name** box, add an optional description for your policy into the **Description** box, select **Windows 10 and later** from the **Platform** dropdown box, select **Custom** from the **Profile type** dropdown box, and then click **Configure**.
+ - **Name**: Enter a descriptive name for the profile. Name your profiles so you can easily identify them later.
+ - **Description**: Enter a description for the profile. This setting is optional, but recommended.
- 
+6. Select **Next**.
+7. In **Configuration settings**, enter the following properties:
-4. In the **Custom OMA-URI Settings** blade, click **Add**.
+ - **Name**: Enter a name for your setting. For example, enter `EDPModeID`.
+ - **OMA-URI**: Enter `./Vendor/MSFT/VPNv2/YourVPNProfileName/EDPModeId`.
+ - **Data type**: Select `String`.
+ - **Value**: Type your fully-qualified domain that should be used by the OMA-URI setting. For example, enter `corp.contoso.com`.
-5. In the **Add Row** blade, type:
+ For more information on these settings, see [Use custom settings for Windows devices in Intune](/mem/intune/configuration/custom-settings-windows-10).
- - **Name.** Type a name for your setting, such as *EDPModeID*.
-
- - **Description.** Type an optional description for your setting.
-
- - **OMA-URI.** Type _./Vendor/MSFT/VPNv2/<VPNProfileName>/EDPModeId_ into the box.
-
- - **Data type.** Select **String** from the dropdown box
-
- - **Value.** Type your fully-qualified domain that should be used by the OMA-URI setting. For example, _corp.contoso.com_.
-
- 
-
-6. Click **OK** to save your setting info in the **Add Row** blade, and then click **OK** in the **Custom OMA-URI Settings** blade to save the setting with your policy.
-
-7. Click **Create** to create the policy, including your OMA_URI info.
+8. Select **Next**, and continue configuring the policy. For the specific steps and recommendations, see [Create a profile with custom settings in Intune](/mem/intune/configuration/custom-settings-configure).
## Deploy your VPN policy using Microsoft Intune
-After you’ve created your VPN policy, you'll need to deploy it to the same group you deployed your Windows Information Protection (WIP) policy.
-**To deploy your Custom VPN policy**
+After you’ve created your VPN policy, you'll need to deploy it to the same group you deployed your Windows Information Protection (WIP) policy.
1. On the **App policy** blade, click your newly-created policy, click **User groups** from the menu that appears, and then click **Add user group**.
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
index 26b8886645..3fb7d9b80d 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
@@ -20,7 +20,6 @@ ms.reviewer:
**Applies to:**
- Windows 10, version 1607 and later
-- Windows 10 Mobile, version 1607 and later (except Microsoft Azure Rights Management, which is only available on the desktop)
Microsoft Intune has an easy way to create and deploy a Windows Information Protection (WIP) policy. You can choose which apps to protect, the level of protection, and how to find enterprise data on the network. The devices can be fully managed by Mobile Device Management (MDM), or managed by Mobile Application Management (MAM), where Intune manages only the apps on a user's personal device.
diff --git a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
index 1c9ca74eed..c81eea7fca 100644
--- a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
@@ -21,12 +21,11 @@ ms.reviewer:
**Applies to:**
-- Windows 10, version 1607 and later
-- Windows 10 Mobile, version 1607 and later (except Microsoft Azure Rights Management, which is only available on the desktop)
+- Windows 10, version 1607 and later
After you’ve created your Windows Information Protection (WIP) policy, you'll need to deploy it to your organization's enrolled devices. Enrollment can be done for business or personal devices, allowing the devices to use your managed apps and to sync with your managed content and information.
-**To deploy your WIP policy**
+## To deploy your WIP policy
1. On the **App protection policies** pane, click your newly-created policy, click **Assignments**, and then select groups to include or exclude from the policy.
diff --git a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
index 6551bd495d..a1dba47f5e 100644
--- a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
+++ b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
@@ -23,7 +23,6 @@ ms.date: 05/02/2019
**Applies to:**
- Windows 10, version 1607 and later
-- Windows 10 Mobile, version 1607 and later
Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list.
diff --git a/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md b/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md
index 4abadeccec..1f6aaa6f4e 100644
--- a/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md
+++ b/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md
@@ -21,12 +21,12 @@ ms.date: 02/26/2019
# General guidance and best practices for Windows Information Protection (WIP)
**Applies to:**
-- Windows 10, version 1607 and later
-- Windows 10 Mobile, version 1607 and later
+- Windows 10, version 1607 and later
This section includes info about the enlightened Microsoft apps, including how to add them to your allowed apps list in Microsoft Intune. It also includes some testing scenarios that we recommend running through with Windows Information Protection (WIP).
## In this section
+
|Topic |Description |
|------|------------|
|[Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md) |Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list. |
diff --git a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md
index 1d28851374..cf0c2bbce8 100644
--- a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md
+++ b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md
@@ -21,7 +21,6 @@ ms.reviewer:
**Applies to:**
- Windows 10, version 1607 and later
-- Windows 10 Mobile, version 1607 and later
This list provides all of the tasks and settings that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your enterprise.
diff --git a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md
index 6f0d4796b6..c017a7e4f6 100644
--- a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md
+++ b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md
@@ -20,12 +20,12 @@ ms.date: 02/26/2019
# Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager
**Applies to:**
-- Windows 10, version 1607 and later
-- Windows 10 Mobile, version 1607 and later
+- Windows 10, version 1607 and later
Microsoft Endpoint Manager helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
## In this section
+
|Topic |Description |
|------|------------|
|[Create and deploy a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-configmgr.md) |Microsoft Endpoint Manager helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
diff --git a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md
index 238400ed86..348af05f36 100644
--- a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md
+++ b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md
@@ -21,11 +21,11 @@ ms.date: 03/11/2019
**Applies to:**
- Windows 10, version 1607 and later
-- Windows 10 Mobile, version 1607 and later
Microsoft Intune helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
## In this section
+
|Topic |Description |
|------|------------|
|[Create a Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune](create-wip-policy-using-intune-azure.md)|Details about how to use the Azure portal for Microsoft Intune to create and deploy your WIP policy with MDM (Mobile Device Management), including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
diff --git a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
index ec997e526a..f9a0db9b78 100644
--- a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
+++ b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
@@ -23,7 +23,6 @@ ms.date: 03/05/2019
**Applies to:**
- Windows 10, version 1607 and later
-- Windows 10 Mobile, version 1607 and later
>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare).
diff --git a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md
index 254e5b85bc..d5400291be 100644
--- a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md
+++ b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md
@@ -22,25 +22,25 @@ ms.reviewer:
**Applies to:**
- Windows 10, version 1607 and later
-- Windows 10 Mobile, version 1607 and later
>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare).
We recommend that you add the following URLs to the Enterprise Cloud Resources and Neutral Resources network settings when you create a WIP policy. If you are using Intune, the SharePoint entries may be added automatically.
## Recommended Enterprise Cloud Resources
+
This table includes the recommended URLs to add to your Enterprise Cloud Resources network setting, based on the apps you use in your organization.
|If your organization uses... |Add these entries to your Enterprise Cloud Resources network settingProtected Processes isolates non-trusted processes from each other and from sensitive operating system components.| -|Users access a dangerous website without knowledge of the risk.|The Windows Defender SmartScreen URL Reputation feature prevents users from going to a malicious website that may try to exploit the browser and take control of the device.| -|Malware exploits a vulnerability in a browser add-on.|Microsoft Edge is an app built on the Universal Windows Platform (UWP) that does not run legacy binary extensions, including Microsoft ActiveX and browser helper objects frequently used for toolbars, which eliminates these risks.| -|A website that includes malicious code exploits a vulnerability in the web browser to run malware on the client device.|Microsoft Edge includes Enhanced Protected Mode, which uses AppContainer-based sandboxing to help protect the system against vulnerabilities that at attacker may discover in the extensions running in the browser (for example, Adobe Flash, Java) or the browser itself.| - - -> [!NOTE] -> The Windows 10 Mobile devices use a System on a Chip (SoC) design provided by SoC vendors such as Qualcomm. With this architecture, the SoC vendor and device manufacturers provide the pre-UEFI bootloaders and the UEFI environment. The UEFI environment implements the UEFI Secure Boot standard described in section 27 of the UEFI specification, which can be found at [www.uefi.org/specs]( http://www.uefi.org/specs). This standard describes the process by which all UEFI drivers and applications are validated against keys provisioned into a UEFI-based device before they are executed. - -### UEFI with Secure Boot - -When a Windows 10 Mobile device starts, it begins the process of loading the operating system by locating the bootloader in the device’s storage system. Without safeguards in place, the phone might simply hand control over to the bootloader without even determining whether it’s a trusted operating system or malware. - -UEFI is a standards-based solution that offers a modern-day replacement for the BIOS. In fact, it provides the same functionality as BIOS while adding security features and other advanced capabilities. Like BIOS, UEFI initializes devices, but UEFI components with the Secure Boot feature (version 2.3.1 or later) also helps to ensure that only trusted firmware in Option ROMs, UEFI apps, and operating system bootloaders can start on the mobile phone. - -UEFI can run internal integrity checks that verify the firmware’s digital signature before running it. Because only the mobile phone’s manufacturer has access to the digital certificate required to create a valid firmware signature, UEFI has protection against firmware-based malware that loads before Windows 10 Mobile and to try and hide its malicious behavior from the operating system. Firmware-based malware of this nature is typically called bootkits. - -When a mobile device with UEFI and Secure Boot starts, the UEFI firmware verifies the bootloader’s digital signature to verify that no one has modified it after it was digitally signed. The firmware also verifies that a trusted authority issued the bootloader’s digital signature. This check helps to ensure that the system starts only after checking that the bootloader is both trusted and unmodified since signing. - -All Windows 10 Mobile devices always have Secure Boot enabled. In addition, they trust only the Windows operating system signature. Neither Windows 10 Mobile, apps, or even malware can change the UEFI configuration. For more information about UEFI with Secure Boot, read [Protecting the pre-OS environment with UEFI](https://blogs.msdn.com/b/b8/archive/2011/09/22/protecting-the-pre-os-environment-with-uefi.aspx) - -### Trusted Platform Module - -A Trusted Platform Module (TPM) is a tamper-resistant cryptographic module that enhances the security and privacy of computing platforms. The TPM is incorporated as a component in a trusted computing platform like a PC, tablet, or smartphone. A trusted computing platform is specially designed to work with the TPM to support privacy and security scenarios that software alone cannot achieve. A TPM is required to receive Windows 10 Mobile device hardware certification. - -A proper implementation of a TPM as part of a trusted computing platform provides a hardware root of trust, meaning that the hardware behaves in a trusted way. For example, if you create a key in a TPM with the property that no one can export that key from the TPM, the key absolutely cannot leave the TPM. The close integration of a TPM with a platform increases the transparency of the boot process and supports device health scenarios by enabling a reliable report of the software used to start a platform. - -The following list describes key functionality that a TPM provides in Windows 10 Mobile: -- **Managing cryptographic keys.** A TPM can create, store, and permit the use of keys in defined ways. Windows 10 Mobile uses the TPM to protect the encryption keys for BitLocker volumes, virtual smart cards, certificates, and various other keys. -- **Safeguarding and reporting integrity measurements.** Windows 10 Mobile uses the TPM to record and help protect integrity-related measurements of select hardware and Windows boot components for the Measured Boot feature. In this scenario, Measured Boot measures each component – from firmware up through the drivers – and then stores those measurements in the device’s TPM. From here, you can test the measurement log remotely so that a separate system verifies the boot state of the Windows 10 Mobile device. -- **Proving a TPM is really a TPM.** Managing cryptographic keys and measuring integrity are so central to protecting privacy and security that a TPM must differentiate itself from malware masquerading as a TPM. - -Windows 10 Mobile supports TPM implementations that comply with the 2.0 standard. The TPM 2.0 standard includes several improvements that make it superior to the 1.2 standard, the most notable of which is cryptographic agility. TPM 1.2 is restricted to a fixed set of encryption and hash algorithms. When the TPM 1.2 standard appeared in the early 2000s, the security community considered these algorithms cryptographically strong. Since then, advances in cryptographic algorithms and cryptanalysis attacks have increased expectations for stronger cryptography. TPM 2.0 supports additional algorithms that offer stronger cryptographic protection, as well as the ability to plug-in algorithms that certain geographies or industries may prefer. It also opens the possibility for inclusion of future algorithms without changing the TPM component itself. - -Many assume that original equipment manufacturers (OEMs) must implant a TPM in hardware on a motherboard as a discrete module, but TPM can also be effective when implemented in firmware. Windows 10 Mobile supports only firmware TPM that complies with the 2.0 standard. Windows does not differentiate between discrete and firmware-based solutions because both must meet the same implementation and security requirements. Therefore, any Windows 10 feature that can take advantage of TPM can be used with Windows 10 Mobile. - -> [!NOTE] -> Microsoft requires TPM 2.0 on devices running any version of Windows 10 Mobile. For more information, see [minimum hardware requirements](/windows-hardware/design/minimum/minimum-hardware-requirements-overview) - -Several Windows 10 Mobile security features require TPM: -- Virtual smart cards -- Measured Boot -- Health attestation (requires TPM 2.0 or later) - -Still other features will use the TPM if it is available. For example, Windows Hello does not require TPM but uses it if it’s available. Organizations can configure policy to require TPM for Windows Hello. - -### Biometrics - -Windows 10 Mobile makes biometrics a core security feature. Microsoft has fully integrated biometrics into the Windows 10 Mobile security components, not just tacked it on top of the platform (as was the case in previous versions of Windows). This is a big change. Earlier biometric implementations were largely front-end methods that simplified authentication. Under the hood, the system used biometrics to access a password, which it then used for authentication behind the scenes. Biometrics may have provided convenience, but not necessarily enterprise-grade authentication. - -Microsoft has been evangelizing the importance of enterprise-grade biometric sensors to the OEMs that create Windows 10 Mobile devices. These facial-recognition and iris-scanning sensors are fully supported by Windows Hello. - -In the future, Microsoft expects OEMs to produce even more advanced enterprise-grade biometric sensors and to continue integrating them into mobile devices. As a result, biometrics will become a commonplace authentication method as part of an MFA system. - -### Trusted Boot - -UEFI with Secure Boot uses hardware technologies to help protect users from bootkits. Secure Boot can validate the integrity of the device, firmware, and bootloader. After the bootloader launches, users must rely on the operating system to protect the integrity of the remainder of the system. - -When UEFI with Secure Boot verifies that it trusts the bootloader and starts Windows 10 Mobile, the Windows Trusted Boot feature protects the rest of the startup process by verifying that all Windows startup components are trustworthy (e.g., signed by a trusted source) and have integrity. The bootloader verifies the digital signature of the Windows kernel before loading it. The Windows kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, and startup files. - -### Measured Boot - -In earlier versions of Windows, the biggest challenge with rootkits and bootkits was that they could frequently be undetectable to the client. Because they often started before Windows defenses and the antimalware solution – and they had system-level privileges – rootkits and bootkits could completely disguise themselves while continuing to access system resources. Although UEFI with Secure Boot and Trusted Boot could prevent most rootkits and bootkits, intruders could still potentially exploit a few attack vectors (e.g., if someone compromised the signature used to sign a boot component, such as a non-Microsoft driver, and used it to sign a malicious one). - -Windows 10 Mobile implements the Measured Boot feature, which uses the TPM hardware component to record a series of measurements for critical startup-related components, including firmware, Windows boot components, and drivers. Because Measured Boot uses the hardware-based security capabilities of TPM, which isolates and protects the measurement data against malware attacks, the log data is well protected against even sophisticated attacks. - -Measured Boot focuses on acquiring the measurement data and protecting it against tampering. To provide more complete security, it must be coupled with a service that can analyze the data to determine device health. - -### Device Health Attestation - -Device Health Attestation (DHA) is a new feature in Windows 10 Mobile that helps prevent low-level malware infections. DHA uses a device’s TPM and firmware to measure the critical security properties of the device’s BIOS and Windows startup processes. These measurements are made in such a way that even on a system infected with kernel-level malware or a rootkit, an attacker is unlikely to spoof the properties. - -You can use DHA with Microsoft Intune (sold separately) or a third-party MDM solution to combine hardware-measured security properties with other device properties and gain an overall view of the device’s health and compliance state. This integration can be useful in a variety of scenarios, including detecting jailbroken devices, monitoring device compliance, generating compliance reports, alerting users or administrators, initiating corrective action on the device, and managing conditional access to resources such as Office 365. - -The example that follows shows how Windows 10 protective measures integrate and work with Intune and third-party MDM solutions. It demonstrates how the phone security architecture in Windows 10 Mobile can help you monitor and verify compliance and how the security and trust rooted in the device hardware can protect end-to-end corporate resources. - -When a user turns a phone on: -1. The Secure Boot feature in Windows 10 Mobile helps protect the startup sequence, allows the device to boot into a defined and trusted configuration, and loads a factory-trusted boot loader. -2. Windows 10 Mobile Trusted Boot takes control when the Secure Boot process is complete, verifying the digital signature of the Windows kernel and the components that are loaded and executed during the startup process. -3. In parallel to steps 1 and 2, the phone’s TPM runs independently in a hardware-protected security zone (isolated from the boot execution path, which monitors boot activities). It creates a protected, tamper-evident audit trail, signed with a secret that only the TPM can access. -4. Devices that are DHA-enabled send a copy of this audit trail to the Microsoft Health Attestation service (HAS) in a protected, tamper-resistant, and tamper-evident communication channel. -5. HAS reviews the audit trails, issues an encrypted and signed report, and forwards it to the device. -6. From your DHA-enabled MDM solution, you can review the report in a protected, tamper-resistant, and tamper-evident communication channel to assess whether the device is running in a compliant (healthy) state, allow access, or trigger corrective action aligned with the organization’s security needs and policies. -Because this solution can detect and prevent low-level malware that may be extremely difficult to detect any other way, Microsoft recommends that you consider implementing a DHA-enabled MDM system like Intune. It can take advantage of the Windows 10 Mobile cloud-based health attestation server feature to detect and block devices infected with advanced malware. - -### Device Guard - -Device Guard is a feature set that consists of both hardware and software system integrity–hardening features. These features revolutionize Windows operating system security by moving the entire operating system to a trust-nothing model. - -All apps on Windows 10 Mobile must be digitally signed and come from Microsoft Store or a trusted enterprise store. Device Guard implements policies that further restrict this. By default, Device Guard supports all apps from Microsoft Store. You can create policies that define the apps that can and cannot run on the Windows 10 Mobile device. If the app does not have a digital signature, is prevented by policy, or does not come from a trusted store, it will not run on Windows 10 Mobile. - -Advanced hardware features, described above, drive these security offerings. By integrating these hardware features further into the core operating system, Windows 10 Mobile can use them in new ways. To deliver this additional security, Device Guard requires UEFI with Secure Boot. - -### Address Space Layout Randomization - -One of the most common techniques used by attackers to gain access to a system is to find a vulnerability in a privileged process that is already running, guess or find a location in memory where important system code and data reside, and overwrite that information with a malicious payload. In the early days of operating systems, any malware that could write directly to the system memory could do such a thing; the malware would simply overwrite system memory in well-known and predictable locations. - -Address Space Layout Randomization (ASLR) makes that type of attack much more difficult because it randomizes how and where important data is stored in memory. With ASLR, it is more difficult for malware to find the specific location it needs to attack. The below diagram illustrates how ASLR works, showing how the locations of different critical Windows components can change in memory between restarts. - - - -Microsoft has substantively improved the ASLR implementation in Windows 10 Mobile over previous versions, applying it across the entire system rather than only in specific apps. With 64bit system and application processes that can take advantage of a vastly increased memory space, it is even more difficult for malware to predict where Windows 10 Mobile stores vital data. When used on systems that have TPMs, ASLR memory randomization becomes increasingly unique across devices, adding additional degrees of difficulty for repurposing successful exploits to another system. - -### Data Execution Prevention - -Malware depends on its ability to insert a malicious payload into memory with the hope that an unsuspecting user will execute it later. While ASLR makes that more difficult, Windows 10 Mobile extends that protection to prevent malware from running if written to an area that you have allocated solely for the storage of information. Data Execution Prevention (DEP) substantially reduces the range of memory that malicious code can use for its benefit. DEP uses the **No execute** bit on modern CPUs to mark blocks of memory as read-only so that malware can’t use those blocks to execute malicious code. All Windows 10 and Windows 10 Mobile devices support DEP. - -### Windows heap - -The heap is a location in memory that Windows uses to store dynamic application data. Microsoft continues to improve on earlier Windows heap designs by further mitigating the risk of heap exploits that an attacker could use. -Windows 10 Mobile has made several important improvements to the security of the heap over previous versions of Windows: -- Internal data structures that the heap uses are better protected against memory corruption. -- Heap memory allocations have randomized locations and sizes, making it more difficult for an attacker to predict the location of critical memory to overwrite. Specifically, Windows 10 Mobile adds a random offset to the address of a newly allocated heap, making the allocation much less predictable. -- Windows 10 Mobile uses “guard pages” before and after blocks of memory as tripwires. If an attacker attempts to write past a block of memory (a common technique known as a buffer overflow), the attacker will have to overwrite a guard page. Any attempt to modify a guard page is considered a memory corruption, and Windows 10 Mobile responds by instantly terminating the app. - -### Memory reservations - -Microsoft reserves the lowest 64 KB of process memory for the operating system. Apps are no longer allowed to allocate that portion of the memory, making it more difficult for malware to overwrite critical system data structures in memory. - -### Control Flow Guard - -When Windows loads applications into memory, it allocates space to those applications based on the size of the code, requested memory, and other factors. When an application begins to execute code, it calls additional code located in other memory addresses. The relationships among the code locations are well known – they are written in the code itself. However, until Windows 10 Mobile, the operating system didn’t enforce the flow among these locations, giving attackers the opportunity to change the flow to meet their needs. In other words, an application exploit takes advantage of this behavior by running code that the application may not typically run. - -Windows 10 Mobile mitigates this kind of threat through Control Flow Guard (CFG). When a trusted application that its creator compiled to use CFG calls code, CFG verifies that the code location called is trusted for execution. If CFG doesn’t trust the location, it immediately terminates the application as a potential security risk. - -You cannot configure CFG; rather, an application developer can take advantage of CFG by configuring it when he or she compiles the application. Because browsers are a key entry point for attacks, Microsoft Edge takes full advantage of CFG. - -### Protected Processes - -Unfortunately, no device is immune to malware. Despite all the best preventative controls, malware can eventually find a way to infect any operating system or hardware platform. So, although prevention with a defense-in-depth strategy is important, additional malware controls are required. -If malware is running on a system, you need to limit what it can do Protected Processes prevents untrusted processes from tampering with those that have been specially signed. Protected Processes defines levels of trust for processes: it prevents less trusted processes from interacting with and therefore attacking more trusted processes. Windows 10 Mobile uses Protected Processes broadly throughout the operating system. - -### AppContainer - -The Windows 10 Mobile security model is based on the principle of least privilege and uses isolation to achieve it. Every app and even portions of the operating system itself run inside their own isolated sandbox called an AppContainer – a secured isolation boundary within which an app and its processes can run. Each AppContainer is defined and implemented through a security policy. - -The security policy of a specific AppContainer defines the operating system capabilities that apps have access to from within the AppContainer, such as geographical location information, camera, microphone, networking, or sensors. - -A set of default permissions are granted to all AppContainers, including access to a unique, isolated storage location. Access to other capabilities can be declared within the app code itself. Unlike traditional desktop applications, access to additional capabilities and privileges cannot be requested at run time. - -The AppContainer concept is advantageous because it provides: -- **Attack surface reduction.** Apps can access only those capabilities that are declared in the application code and needed to perform their functions. -- **User consent and control.** Capabilities that apps use are automatically published to the app details page in the Microsoft Store. App access to capabilities that may expose sensitive information automatically prompt the user to acknowledge and provide consent. -- **App isolation.** Communication between Windows apps is tightly controlled. Apps are isolated from one another and can communicate only by using predefined communication channels and data types. - -Apps receive the minimal privileges they need to perform their legitimate tasks. This means that even if a malicious attacker exploits an app, the potential damage is limited because the app cannot elevate its privileges and is contained within its AppContainer. Microsoft Store displays the permissions that the app requires along with the app’s age rating and publisher. - -The combination of Device Guard and AppContainer help to prevent unauthorized apps from running. In the event malware slips into the app ecosystem, the AppContainer helps to constrain the app and limit potential damage. The Windows 10 Mobile trust-nothing model doesn’t assume that any component is perfect. However, potential vulnerabilities in apps, AppContainers, and Windows 10 Mobile itself could give an attacker a chance to compromise a system. For this reason, redundant vulnerability mitigations are needed. The next several topics describe some of the redundant mitigations in Windows 10 Mobile. - -### Microsoft Edge - -The web browser is a critical component of any security strategy. It is the user’s interface to the Internet, an environment teeming with malicious sites and potentially dangerous content. Most users cannot perform at least part of their job without a browser, and many users are completely reliant on one. This reality has made the browser the number one pathway from which malicious hackers initiate their attacks. - -Windows 10 Mobile includes Microsoft Edge, an entirely new web browser that goes beyond browsing with features like Reading View. Microsoft Edge is more secure than previous Microsoft web browsers in several ways: -- **Microsoft Edge on Windows 10 Mobile does not support extensions.** Microsoft Edge has built-in PDF viewing capability. -- **Microsoft Edge is designed as a UWP app.** It is inherently compartmentalized and runs in an AppContainer that sandboxes the browser from the system, data, and other apps. -- **Microsoft Edge simplifies security configuration tasks.** Because Microsoft Edge uses a simplified application structure and a single sandbox configuration, fewer security settings are required. In addition, Microsoft established Microsoft Edge default settings that align with security best practices, making it more secure by design. - -## Summary - -Windows 10 Mobile provides security on personal and corporate-owned devices to protect against unauthorized access, data leakage, and malware threats. All of the features covered in this paper – multifactor authentication, data separation, and malware resistance – are seamlessly incorporated into the operating system. This means enterprises are protected without compromising the productivity and ease of use that drives users to bring mobile devices into the workplace. - -## Revision History - -November 2015 Updated for Windows 10 Mobile (version 1511) - -July 2016 Updated for Windows 10 Mobile Anniversary Update (version 1607) \ No newline at end of file diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2015.md b/windows/whats-new/ltsc/whats-new-windows-10-2015.md index d02ab43956..9aa921ea74 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2015.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2015.md @@ -17,12 +17,12 @@ ms.topic: article # What's new in Windows 10 Enterprise LTSC 2015 **Applies to** -- Windows 10 Enterprise LTSC 2015 +- Windows 10 Enterprise LTSC 2015 -This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise LTSC 2015 (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](index.md). +This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise LTSC 2015 (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](index.md). ->[!NOTE] ->Features in Windows 10 Enterprise LTSC 2015 are equivalent to [Windows 10, version 1507](../whats-new-windows-10-version-1507-and-1511.md). +> [!NOTE] +> Features in Windows 10 Enterprise LTSC 2015 are equivalent to [Windows 10, version 1507](../whats-new-windows-10-version-1507-and-1511.md). ## Deployment @@ -42,7 +42,6 @@ Enhancements to AppLocker in Windows 10 include: - A new parameter was added to the [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy) Windows PowerShell cmdlet that lets you choose whether executable and DLL rule collections apply to non-interactive processes. To enable this, set the **ServiceEnforcement** to **Enabled**. - A new [AppLocker](/windows/client-management/mdm/applocker-csp) configuration service provider was add to allow you to enable AppLocker rules by using an MDM server. -- You can manage Windows 10 Mobile devices by using the new [AppLocker CSP](/windows/client-management/mdm/applocker-csp). [Learn how to manage AppLocker within your organization](/windows/device-security/applocker/applocker-overview). @@ -58,7 +57,7 @@ Enhancements to AppLocker in Windows 10 include: ### Certificate management -For Windows 10-based devices, you can use your MDM server to directly deploy client authentication certificates using Personal Information Exchange (PFX), in addition to enrolling using Simple Certificate Enrollment Protocol (SCEP), including certificates to enable Windows Hello for Business in your enterprise. You'll be able to use MDM to enroll, renew, and delete certificates. As in Windows Phone 8.1, you can use the [Certificates app](https://go.microsoft.com/fwlink/p/?LinkId=615824) to review the details of certificates on your device. [Learn how to install digital certificates on Windows 10 Mobile.](/windows/access-protection/installing-digital-certificates-on-windows-10-mobile) +For Windows 10-based devices, you can use your MDM server to directly deploy client authentication certificates using Personal Information Exchange (PFX), in addition to enrolling using Simple Certificate Enrollment Protocol (SCEP), including certificates to enable Windows Hello for Business in your enterprise. You'll be able to use MDM to enroll, renew, and delete certificates. ### Microsoft Passport @@ -68,13 +67,13 @@ Microsoft Passport lets users authenticate to a Microsoft account, an Active Dir ### Security auditing -In Windows 10, security auditing has added some improvements: +In Windows 10, security auditing has added some improvements: - [New audit subcategories](#bkmk-auditsubcat) - [More info added to existing audit events](#bkmk-moreinfo) #### New audit subcategories -In Windows 10, two new audit subcategories were added to the Advanced Audit Policy Configuration to provide greater granularity in audit events: +In Windows 10, two new audit subcategories were added to the Advanced Audit Policy Configuration to provide greater granularity in audit events: - [Audit Group Membership](/windows/device-security/auditing/audit-group-membership) Found in the Logon/Logoff audit category, the Audit Group Membership subcategory allows you to audit the group membership information in a user's logon token. Events in this subcategory are generated when group memberships are enumerated or queried on the PC where the logon session was created. For an interactive logon, the security audit event is generated on the PC that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the PC hosting the resource. When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the **Audit Logon** setting under **Advanced Audit Policy Configuration\\System Audit Policies\\Logon/Logoff**. Multiple events are generated if the group membership information cannot fit in a single security audit event. - [Audit PNP Activity](/windows/device-security/auditing/audit-pnp-activity) Found in the Detailed Tracking category, the Audit PNP Activity subcategory allows you to audit when plug and play detects an external device. @@ -83,7 +82,7 @@ In Windows 10, two new audit subcategories were added to the Advanced Audit Pol #### More info added to existing audit events -With Windows 10, version 1507, we've added more info to existing audit events to make it easier for you to put together a full audit trail and come away with the information you need to protect your enterprise. Improvements were made to the following audit events: +With Windows 10, version 1507, we've added more info to existing audit events to make it easier for you to put together a full audit trail and come away with the information you need to protect your enterprise. Improvements were made to the following audit events: - [Changed the kernel default audit policy](#bkmk-kdal) - [Added a default process SACL to LSASS.exe](#bkmk-lsass) - [Added new fields in the logon event](#bkmk-logon) @@ -94,11 +93,11 @@ With Windows 10, version 1507, we've added more info to existing audit events t #### Changed the kernel default audit policy -In previous releases, the kernel depended on the Local Security Authority (LSA) to retrieve info in some of its events. In Windows 10, the process creation events audit policy is automatically enabled until an actual audit policy is received from LSA. This results in better auditing of services that may start before LSA starts. +In previous releases, the kernel depended on the Local Security Authority (LSA) to retrieve info in some of its events. In Windows 10, the process creation events audit policy is automatically enabled until an actual audit policy is received from LSA. This results in better auditing of services that may start before LSA starts. #### Added a default process SACL to LSASS.exe -In Windows 10, a default process SACL was added to LSASS.exe to log processes attempting to access LSASS.exe. The SACL is L"S:(AU;SAFA;0x0010;;;WD)". You can enable this under **Advanced Audit Policy Configuration\\Object Access\\Audit Kernel Object**. +In Windows 10, a default process SACL was added to LSASS.exe to log processes attempting to access LSASS.exe. The SACL is L"S:(AU;SAFA;0x0010;;;WD)". You can enable this under **Advanced Audit Policy Configuration\\Object Access\\Audit Kernel Object**. This can help identify attacks that steal credentials from the memory of a process. #### New fields in the logon event @@ -137,7 +136,7 @@ The logon event ID 4688 has been updated to include more verbose information to #### New Security Account Manager events -In Windows 10, new SAM events were added to cover SAM APIs that perform read/query operations. In previous versions of Windows, only write operations were audited. The new events are event ID 4798 and event ID 4799. The following APIs are now audited: +In Windows 10, new SAM events were added to cover SAM APIs that perform read/query operations. In previous versions of Windows, only write operations were audited. The new events are event ID 4798 and event ID 4799. The following APIs are now audited: - SamrEnumerateGroupsInDomain - SamrEnumerateUsersInDomain - SamrEnumerateAliasesInDomain @@ -170,9 +169,9 @@ Event ID 6416 has been added to track when an external device is detected throug ### Trusted Platform Module -#### New TPM features in Windows 10 +#### New TPM features in Windows 10 -The following sections describe the new and changed functionality in the TPM for Windows 10: +The following sections describe the new and changed functionality in the TPM for Windows 10: - [Device health attestation](#bkmk-dha) - [Microsoft Passport](/windows/access-protection/hello-for-business/hello-identity-verification) support - [Device Guard](/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies) support @@ -186,7 +185,8 @@ Some things that you can check on the device are: - Is BitLocker Drive Encryption supported and enabled? - Is SecureBoot supported and enabled? -> **Note** The device must be running Windows 10 and it must support at least TPM 2.0. +> [!NOTE] +> The device must be running Windows 10 and it must support at least TPM 2.0. [Learn how to deploy and manage TPM within your organization](/windows/device-security/tpm//trusted-platform-module-overview). @@ -198,7 +198,7 @@ You should not turn off UAC because this is not a supported scenario for devices For more info about how manage UAC, see [UAC Group Policy Settings and Registry Key Settings](/windows/access-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings). -In Windows 10, User Account Control has added some improvements: +In Windows 10, User Account Control has added some improvements: - **Integration with the Antimalware Scan Interface (AMSI)**. The [AMSI](/windows/win32/amsi/antimalware-scan-interface-portal) scans all UAC elevation requests for malware. If malware is detected, the admin privilege is blocked. @@ -219,13 +219,13 @@ Windows 10 provides a set of VPN features that both increase enterprise security ## Management -Windows 10 provides mobile device management (MDM) capabilities for PCs, laptops, tablets, and phones that enable enterprise-level management of corporate-owned and personal devices. +Windows 10 provides mobile device management (MDM) capabilities for PCs, laptops, tablets, and phones that enable enterprise-level management of corporate-owned and personal devices. ### MDM support -MDM policies for Windows 10 align with the policies supported in Windows 8.1 and are expanded to address even more enterprise scenarios, such as managing multiple users who have Microsoft Azure Active Directory (Azure AD) accounts, full control over the Microsoft Store, VPN configuration, and more. +MDM policies for Windows 10 align with the policies supported in Windows 8.1 and are expanded to address even more enterprise scenarios, such as managing multiple users who have Microsoft Azure Active Directory (Azure AD) accounts, full control over the Microsoft Store, VPN configuration, and more. -MDM support in Windows 10 is based on [Open Mobile Alliance (OMA)](https://go.microsoft.com/fwlink/p/?LinkId=533885) Device Management (DM) protocol 1.2.1 specification. +MDM support in Windows 10 is based on [Open Mobile Alliance (OMA)](https://go.microsoft.com/fwlink/p/?LinkId=533885) Device Management (DM) protocol 1.2.1 specification. Corporate-owned devices can be enrolled automatically for enterprises using Azure AD. [Reference for Mobile device management for Windows 10](/windows/client-management/mdm/) @@ -245,8 +245,8 @@ Enterprises have the following identity and management choices. | Grouping | Domain join; Workgroup; Azure AD join | | Device management | Group Policy; Microsoft Endpoint Configuration Manager; Microsoft Intune; other MDM solutions; Exchange ActiveSync; Windows PowerShell; Windows Management Instrumentation (WMI) | - > **Note** -With the release of Windows Server 2012 R2, Network Access Protection (NAP) was deprecated and the NAP client has now been removed in Windows 10. For more information about support lifecycles, see [Microsoft Support Lifecycle](/lifecycle/). +> [!NOTE] +> With the release of Windows Server 2012 R2, Network Access Protection (NAP) was deprecated and the NAP client has now been removed in Windows 10. For more information about support lifecycles, see [Microsoft Support Lifecycle](/lifecycle/). ### Device lockdown @@ -272,9 +272,9 @@ Administrators can also use mobile device management (MDM) or Group Policy to di ## Updates -Windows Update for Business enables information technology administrators to keep the Windows 10-based devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Microsoft’s Windows Update service. +Windows Update for Business enables information technology administrators to keep the Windows 10-based devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Microsoft’s Windows Update service. -By using [Group Policy Objects](/previous-versions/cc498727(v=msdn.10)), Windows Update for Business is an easily established and implemented system which enables organizations and administrators to exercise control on how their Windows 10-based devices are updated, by allowing: +By using [Group Policy Objects](/previous-versions/cc498727(v=msdn.10)), Windows Update for Business is an easily established and implemented system which enables organizations and administrators to exercise control on how their Windows 10-based devices are updated, by allowing: - **Deployment and validation groups**; where administrators can specify which devices go first in an update wave, and which devices will come later (to ensure any quality bars are met). @@ -287,7 +287,7 @@ Together, these Windows Update for Business features help reduce device manageme Learn more about [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb). -For more information about updating Windows 10, see [Windows 10 servicing options for updates and upgrades](/windows/deployment/update/waas-servicing-strategy-windows-10-updates). +For more information about updating Windows 10, see [Windows 10 servicing options for updates and upgrades](/windows/deployment/update/waas-servicing-strategy-windows-10-updates). ## Microsoft Edge @@ -295,4 +295,4 @@ The new chromium-based Microsoft Edge is not included in the LTSC release of Win ## See Also -[Windows 10 Enterprise LTSC](index.md): A description of the LTSC servicing channel with links to information about each release. \ No newline at end of file +[Windows 10 Enterprise LTSC](index.md): A description of the LTSC servicing channel with links to information about each release. diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2016.md b/windows/whats-new/ltsc/whats-new-windows-10-2016.md index b563c7b398..1a98ceb952 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2016.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2016.md @@ -17,9 +17,9 @@ ms.topic: article # What's new in Windows 10 Enterprise LTSC 2016 **Applies to** -- Windows 10 Enterprise LTSC 2016 +- Windows 10 Enterprise LTSC 2016 -This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise LTSC 2016 (LTSB), compared to Windows 10 Enterprise LTSC 2015 (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](index.md). +This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise LTSC 2016 (LTSB), compared to Windows 10 Enterprise LTSC 2015 (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](index.md). >[!NOTE] >Features in Windows 10 Enterprise LTSC 2016 are equivalent to Windows 10, version 1607. @@ -76,7 +76,6 @@ Additional changes for Windows Hello in Windows 10 Enterprise LTSC 2016: - Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. - Group Policy settings for managing Windows Hello for Business are now available for both **User Configuration** and **Computer Configuration**. - Beginning in this version of Windows 10, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN, enable the Group Policy setting **Turn on convenience PIN sign-in**. - [Learn more about Windows Hello for Business.](/windows/access-protection/hello-for-business/hello-identity-verification) @@ -88,7 +87,9 @@ Additional changes for Windows Hello in Windows 10 Enterprise LTSC 2016: It provides the following benefits: - The algorithm is FIPS-compliant. - Easy to administer. You can use the BitLocker Wizard, manage-bde, Group Policy, MDM policy, Windows PowerShell, or WMI to manage it on devices in your organization. - >**Note:** Drives encrypted with XTS-AES will not be accessible on older version of Windows. This is only recommended for fixed and operating system drives. Removable drives should continue to use the AES-CBC 128-bit or AES-CBC 256-bit algorithms. + + > [!NOTE] + > Drives encrypted with XTS-AES will not be accessible on older version of Windows. This is only recommended for fixed and operating system drives. Removable drives should continue to use the AES-CBC 128-bit or AES-CBC 256-bit algorithms. ### Security auditing @@ -135,7 +136,7 @@ With the growing threat from more sophisticated targeted attacks, a new security - The VPN client can integrate with the Conditional Access Framework, a cloud-based policy engine built into Azure Active Directory, to provide a device compliance option for remote clients. - The VPN client can integrate with Windows Information Protection (WIP) policy to provide additional security. [Learn more about Windows Information Protection](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip), previously known as Enterprise Data Protection. - New VPNv2 configuration service provider (CSP) adds configuration settings. For details, see [What's new in MDM enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew_1607) -- Microsoft Intune: *VPN Profile (Windows 10 Desktop and Mobile and later)* policy template includes support for native VPN plug-ins. +- Microsoft Intune: *VPN* profile template includes support for native VPN plug-ins. For more information, see [Create VPN profiles to connect to VPN servers in Intune](/mem/intune/configuration/vpn-settings-configure). ## Management @@ -179,4 +180,4 @@ The new chromium-based Microsoft Edge is not included in the LTSC release of Win ## See Also -[Windows 10 Enterprise LTSC](index.md): A description of the LTSC servicing channel with links to information about each release. \ No newline at end of file +[Windows 10 Enterprise LTSC](index.md): A description of the LTSC servicing channel with links to information about each release. diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md index 6364bc3fd1..ac90bf888f 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md @@ -237,7 +237,7 @@ Microsoft Edge kiosk mode offers two lockdown experiences of the browser so orga ## Windows Subsystem for Linux -Windows Subsystem for Linux (WSL) is be available in-box. +Windows Subsystem for Linux (WSL) is available in-box. ## Networking diff --git a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md index 373252080c..efdd81bde2 100644 --- a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md +++ b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md @@ -1,6 +1,6 @@ --- title: What's new in Windows 10, versions 1507 and 1511 (Windows 10) -description: What's new in Windows 10 for Windows 10 (versions 1507 and 1511) and Windows 10 Mobile. +description: What's new in Windows 10 for Windows 10 (versions 1507 and 1511). ms.assetid: 75F285B0-09BE-4821-9B42-37B9BE54CEC6 ms.reviewer: ms.prod: w10 @@ -34,11 +34,10 @@ With Windows 10, you can create provisioning packages that let you quickly and e ### AppLocker -#### New AppLocker features in Windows 10, version 1507 +#### New AppLocker features in Windows 10, version 1507 - A new parameter was added to the [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy) Windows PowerShell cmdlet that lets you choose whether executable and DLL rule collections apply to non-interactive processes. To enable this, set the **ServiceEnforcement** to **Enabled**. - A new [AppLocker](/windows/client-management/mdm/applocker-csp) configuration service provider was add to allow you to enable AppLocker rules by using an MDM server. -- You can manage Windows 10 Mobile devices by using the new [AppLocker CSP](/windows/client-management/mdm/applocker-csp). [Learn how to manage AppLocker within your organization](/windows/device-security/applocker/applocker-overview). @@ -51,10 +50,10 @@ With Windows 10, you can create provisioning packages that let you quickly and e - The algorithm is FIPS-compliant. - Easy to administer. You can use the BitLocker Wizard, manage-bde, Group Policy, MDM policy, Windows PowerShell, or WMI to manage it on devices in your organization. ->[!NOTE] ->Drives encrypted with XTS-AES will not be accessible on older version of Windows. This is only recommended for fixed and operating system drives. Removable drives should continue to use the AES-CBC 128-bit or AES-CBC 256-bit algorithms. +> [!NOTE] +> Drives encrypted with XTS-AES will not be accessible on older version of Windows. This is only recommended for fixed and operating system drives. Removable drives should continue to use the AES-CBC 128-bit or AES-CBC 256-bit algorithms. -#### New BitLocker features in Windows 10, version 1507 +#### New BitLocker features in Windows 10, version 1507 @@ -80,7 +79,7 @@ With Windows 10, you can create provisioning packages that let you quickly and e ### Easier certificate management -For Windows 10-based devices, you can use your MDM server to directly deploy client authentication certificates using Personal Information Exchange (PFX), in addition to enrolling using Simple Certificate Enrollment Protocol (SCEP), including certificates to enable Windows Hello for Business in your enterprise. You'll be able to use MDM to enroll, renew, and delete certificates. As in Windows Phone 8.1, you can use the [Certificates app](https://go.microsoft.com/fwlink/p/?LinkId=615824) to review the details of certificates on your device. [Learn how to install digital certificates on Windows 10 Mobile.](/windows/access-protection/installing-digital-certificates-on-windows-10-mobile) +For Windows 10-based devices, you can use your MDM server to directly deploy client authentication certificates using Personal Information Exchange (PFX), in addition to enrolling using Simple Certificate Enrollment Protocol (SCEP), including certificates to enable Windows Hello for Business in your enterprise. You'll be able to use MDM to enroll, renew, and delete certificates. ### Microsoft Passport @@ -94,15 +93,15 @@ Microsoft Passport lets users authenticate to a Microsoft account, an Active Dir - The [WindowsSecurityAuditing](/windows/client-management/mdm/windowssecurityauditing-csp) and [Reporting](/windows/client-management/mdm/reporting-csp) configuration service providers allow you to add security audit policies to mobile devices. -#### New features in Windows 10, version 1507 +#### New features in Windows 10, version 1507 -In Windows 10, security auditing has added some improvements: +In Windows 10, security auditing has added some improvements: - [New audit subcategories](#bkmk-auditsubcat) - [More info added to existing audit events](#bkmk-moreinfo) ##### New audit subcategories -In Windows 10, two new audit subcategories were added to the Advanced Audit Policy Configuration to provide greater granularity in audit events: +In Windows 10, two new audit subcategories were added to the Advanced Audit Policy Configuration to provide greater granularity in audit events: - [Audit Group Membership](/windows/device-security/auditing/audit-group-membership) Found in the Logon/Logoff audit category, the Audit Group Membership subcategory allows you to audit the group membership information in a user's logon token. Events in this subcategory are generated when group memberships are enumerated or queried on the PC where the logon session was created. For an interactive logon, the security audit event is generated on the PC that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the PC hosting the resource. When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the **Audit Logon** setting under **Advanced Audit Policy Configuration\\System Audit Policies\\Logon/Logoff**. Multiple events are generated if the group membership information cannot fit in a single security audit event. - [Audit PNP Activity](/windows/device-security/auditing/audit-pnp-activity) Found in the Detailed Tracking category, the Audit PNP Activity subcategory allows you to audit when plug and play detects an external device. @@ -111,7 +110,7 @@ In Windows 10, two new audit subcategories were added to the Advanced Audit Pol ##### More info added to existing audit events -With Windows 10, version 1507, we've added more info to existing audit events to make it easier for you to put together a full audit trail and come away with the information you need to protect your enterprise. Improvements were made to the following audit events: +With Windows 10, version 1507, we've added more info to existing audit events to make it easier for you to put together a full audit trail and come away with the information you need to protect your enterprise. Improvements were made to the following audit events: - [Changed the kernel default audit policy](#bkmk-kdal) - [Added a default process SACL to LSASS.exe](#bkmk-lsass) - [Added new fields in the logon event](#bkmk-logon) @@ -122,11 +121,11 @@ With Windows 10, version 1507, we've added more info to existing audit events t ##### Changed the kernel default audit policy -In previous releases, the kernel depended on the Local Security Authority (LSA) to retrieve info in some of its events. In Windows 10, the process creation events audit policy is automatically enabled until an actual audit policy is received from LSA. This results in better auditing of services that may start before LSA starts. +In previous releases, the kernel depended on the Local Security Authority (LSA) to retrieve info in some of its events. In Windows 10, the process creation events audit policy is automatically enabled until an actual audit policy is received from LSA. This results in better auditing of services that may start before LSA starts. ##### Added a default process SACL to LSASS.exe -In Windows 10, a default process SACL was added to LSASS.exe to log processes attempting to access LSASS.exe. The SACL is L"S:(AU;SAFA;0x0010;;;WD)". You can enable this under **Advanced Audit Policy Configuration\\Object Access\\Audit Kernel Object**. +In Windows 10, a default process SACL was added to LSASS.exe to log processes attempting to access LSASS.exe. The SACL is L"S:(AU;SAFA;0x0010;;;WD)". You can enable this under **Advanced Audit Policy Configuration\\Object Access\\Audit Kernel Object**. This can help identify attacks that steal credentials from the memory of a process. ##### New fields in the logon event @@ -165,7 +164,7 @@ The logon event ID 4688 has been updated to include more verbose information to ##### New Security Account Manager events -In Windows 10, new SAM events were added to cover SAM APIs that perform read/query operations. In previous versions of Windows, only write operations were audited. The new events are event ID 4798 and event ID 4799. The following APIs are now audited: +In Windows 10, new SAM events were added to cover SAM APIs that perform read/query operations. In previous versions of Windows, only write operations were audited. The new events are event ID 4798 and event ID 4799. The following APIs are now audited: - SamrEnumerateGroupsInDomain - SamrEnumerateUsersInDomain - SamrEnumerateAliasesInDomain @@ -198,13 +197,13 @@ Event ID 6416 has been added to track when an external device is detected throug ### Trusted Platform Module -#### New TPM features in Windows 10, version 1511 +#### New TPM features in Windows 10, version 1511 - Key Storage Providers (KSPs) and srvcrypt support elliptical curve cryptography (ECC). -#### New TPM features in Windows 10, version 1507 +#### New TPM features in Windows 10, version 1507 -The following sections describe the new and changed functionality in the TPM for Windows 10: +The following sections describe the new and changed functionality in the TPM for Windows 10: - [Device health attestation](#bkmk-dha) - [Microsoft Passport](/windows/access-protection/hello-for-business/hello-identity-verification) support - [Device Guard](/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies) support @@ -219,7 +218,7 @@ Some things that you can check on the device are: - Is SecureBoot supported and enabled? >[!NOTE] ->The device must be running Windows 10 and it must support at least TPM 2.0. +>The device must be running Windows 10 and it must support at least TPM 2.0. [Learn how to deploy and manage TPM within your organization](/windows/device-security/tpm//trusted-platform-module-overview). @@ -231,9 +230,9 @@ You should not turn off UAC because this is not a supported scenario for devices For more info about how manage UAC, see [UAC Group Policy Settings and Registry Key Settings](/windows/access-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings). -In Windows 10, User Account Control has added some improvements. +In Windows 10, User Account Control has added some improvements. -#### New User Account Control features in Windows 10, version 1507 +#### New User Account Control features in Windows 10, version 1507 - **Integration with the Antimalware Scan Interface (AMSI)**. The [AMSI](/windows/win32/amsi/antimalware-scan-interface-portal) scans all UAC elevation requests for malware. If malware is detected, the admin privilege is blocked. @@ -254,13 +253,13 @@ Windows 10 provides a set of VPN features that both increase enterprise security ## Management -Windows 10 provides mobile device management (MDM) capabilities for PCs, laptops, tablets, and phones that enable enterprise-level management of corporate-owned and personal devices. +Windows 10 provides mobile device management (MDM) capabilities for PCs, laptops, tablets, and phones that enable enterprise-level management of corporate-owned and personal devices. ### MDM support -MDM policies for Windows 10 align with the policies supported in Windows 8.1 and are expanded to address even more enterprise scenarios, such as managing multiple users who have Microsoft Azure Active Directory (Azure AD) accounts, full control over the Microsoft Store, VPN configuration, and more. +MDM policies for Windows 10 align with the policies supported in Windows 8.1 and are expanded to address even more enterprise scenarios, such as managing multiple users who have Microsoft Azure Active Directory (Azure AD) accounts, full control over the Microsoft Store, VPN configuration, and more. -MDM support in Windows 10 is based on [Open Mobile Alliance (OMA)](https://go.microsoft.com/fwlink/p/?LinkId=533885) Device Management (DM) protocol 1.2.1 specification. +MDM support in Windows 10 is based on [Open Mobile Alliance (OMA)](https://go.microsoft.com/fwlink/p/?LinkId=533885) Device Management (DM) protocol 1.2.1 specification. Corporate-owned devices can be enrolled automatically for enterprises using Azure AD. [Reference for Mobile device management for Windows 10](/windows/client-management/mdm/) @@ -282,7 +281,8 @@ Enterprises have the following identity and management choices. | Grouping | Domain join; Workgroup; Azure AD join | | Device management | Group Policy; Microsoft Endpoint Configuration Manager; Microsoft Intune; other MDM solutions; Exchange ActiveSync; Windows PowerShell; Windows Management Instrumentation (WMI) | -**Note:** With the release of Windows Server 2012 R2, Network Access Protection (NAP) was deprecated and the NAP client has now been removed in Windows 10. For more information about support lifecycles, see [Microsoft Support Lifecycle](/lifecycle/). +> [!NOTE] +> With the release of Windows Server 2012 R2, Network Access Protection (NAP) was deprecated and the NAP client has now been removed in Windows 10. For more information about support lifecycles, see [Microsoft Support Lifecycle](/lifecycle/). ### Device lockdown @@ -318,9 +318,9 @@ For more information, see [Microsoft Store for Business overview](/microsoft-sto ## Updates -Windows Update for Business enables information technology administrators to keep the Windows 10-based devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Microsoft’s Windows Update service. +Windows Update for Business enables information technology administrators to keep the Windows 10-based devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Microsoft’s Windows Update service. -By using [Group Policy Objects](/previous-versions/cc498727(v=msdn.10)), Windows Update for Business is an easily established and implemented system which enables organizations and administrators to exercise control on how their Windows 10-based devices are updated, by allowing: +By using [Group Policy Objects](/previous-versions/cc498727(v=msdn.10)), Windows Update for Business is an easily established and implemented system which enables organizations and administrators to exercise control on how their Windows 10-based devices are updated, by allowing: - **Deployment and validation groups**; where administrators can specify which devices go first in an update wave, and which devices will come later (to ensure any quality bars are met). @@ -333,7 +333,7 @@ Together, these Windows Update for Business features help reduce device manageme Learn more about [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb). -For more information about updating Windows 10, see [Windows 10 servicing options for updates and upgrades](/windows/deployment/update/waas-servicing-strategy-windows-10-updates). +For more information about updating Windows 10, see [Windows 10 servicing options for updates and upgrades](/windows/deployment/update/waas-servicing-strategy-windows-10-updates). ## Microsoft Edge Microsoft Edge takes you beyond just browsing to actively engaging with the web through features like Web Note, Reading View, and Cortana. @@ -344,9 +344,9 @@ Microsoft Edge takes you beyond just browsing to actively engaging with the web - **Compatibility and security.** Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or that are included on your Enterprise Mode Site List. You must use IE11 to run older, less secure technology, such as ActiveX controls. ### Enterprise guidance -Microsoft Edge is the default browser experience for Windows 10 and Windows 10 Mobile. However, if you're running web apps that need ActiveX controls, we recommend that you continue to use Internet Explorer 11 for them. If you don't have IE11 installed anymore, you can download it from the Microsoft Store or from the [Internet Explorer 11 download page](https://go.microsoft.com/fwlink/p/?linkid=290956). +Microsoft Edge is the default browser experience for Windows 10. However, if you're running web apps that need ActiveX controls, we recommend that you continue to use Internet Explorer 11 for them. If you don't have IE11 installed anymore, you can download it from the Microsoft Store or from the [Internet Explorer 11 download page](https://go.microsoft.com/fwlink/p/?linkid=290956). -We also recommend that you upgrade to IE11 if you're running any earlier versions of Internet Explorer. IE11 is supported on Windows 7, Windows 8.1, and Windows 10. So any legacy apps that work with IE11 will continue to work even as you migrate to Windows 10. +We also recommend that you upgrade to IE11 if you're running any earlier versions of Internet Explorer. IE11 is supported on Windows 7, Windows 8.1, and Windows 10. So any legacy apps that work with IE11 will continue to work even as you migrate to Windows 10. [Learn more about using Microsoft Edge in the enterprise](/microsoft-edge/deploy/emie-to-improve-compatibility) @@ -354,7 +354,3 @@ We also recommend that you upgrade to IE11 if you're running any earlier version ## Learn more - [Windows 10 release information](https://technet.microsoft.com/windows/release-info) - - - - diff --git a/windows/whats-new/whats-new-windows-10-version-1607.md b/windows/whats-new/whats-new-windows-10-version-1607.md index e211ea26c2..ccf2f1132f 100644 --- a/windows/whats-new/whats-new-windows-10-version-1607.md +++ b/windows/whats-new/whats-new-windows-10-version-1607.md @@ -1,6 +1,6 @@ --- title: What's new in Windows 10, version 1607 (Windows 10) -description: What's new in Windows 10 for Windows 10 (version 1607) and Windows 10 Mobile. +description: What's new in Windows 10 for Windows 10 (version 1607). keywords: ["What's new in Windows 10", "Windows 10", "anniversary update"] ms.prod: w10 ms.mktglfcycl: deploy @@ -19,7 +19,7 @@ Below is a list of some of the new and updated features in Windows 10, version 1 >[!NOTE] >For release dates and servicing options for each version, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info). - + ## Deployment ### Windows Imaging and Configuration Designer (ICD) @@ -78,7 +78,6 @@ Additional changes for Windows Hello in Windows 10, version 1607: - Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. - Group Policy settings for managing Windows Hello for Business are now available for both **User Configuration** and **Computer Configuration**. - Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN for Windows 10, version 1607, enable the Group Policy setting **Turn on convenience PIN sign-in**. - [Learn more about Windows Hello for Business.](/windows/access-protection/hello-for-business/hello-identity-verification) @@ -87,7 +86,7 @@ Additional changes for Windows Hello in Windows 10, version 1607: - The VPN client can integrate with the Conditional Access Framework, a cloud-based policy engine built into Azure Active Directory, to provide a device compliance option for remote clients. - The VPN client can integrate with Windows Information Protection (WIP) policy to provide additional security. [Learn more about Windows Information Protection](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip), previously known as Enterprise Data Protection. - New VPNv2 configuration service provider (CSP) adds configuration settings. For details, see [What's new in MDM enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew_1607) -- Microsoft Intune: *VPN Profile (Windows 10 Desktop and Mobile and later)* policy template includes support for native VPN plug-ins. +- Microsoft Intune: *VPN* profile template includes support for native VPN plug-ins. For more information, see [Create VPN profiles to connect to VPN servers in Intune](/mem/intune/configuration/vpn-settings-configure). ### Windows Information Protection (WIP), formerly known as enterprise data protection (EDP)