mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-14 14:27:22 +00:00
Merge remote-tracking branch 'refs/remotes/origin/master' into live
commit
59a6d8de8a
@ -15,20 +15,56 @@ author: brianlic-msft
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
Credential Guard has certain requirements for applications. Credential Guard blocks specific authentication capabilities. Therefore applications that require such capabilities will not function when Credential Guard is enabled. For further information, see [Application requirements](https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard-requirements#application-requirements).
|
||||
Credential Guard has certain application requirements. Credential Guard blocks specific authentication capabilities. Therefore applications that require such capabilities will not function when Credential Guard is enabled. For further information, see [Application requirements](https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard-requirements#application-requirements).
|
||||
|
||||
The following known issues have been fixed by servicing releases made available in the Cumulative Security Updates for April 2017:
|
||||
|
||||
• KB4015217: [Credential Guard generates double bad password count on Active Directory domain-joined Windows 10 machines](https://support.microsoft.com/en-us/help/4015217/windows-10-update-kb4015217)
|
||||
- KB4015217: [Credential Guard generates double bad password count on Active Directory domain-joined Windows 10 machines](https://support.microsoft.com/en-us/help/4015217/windows-10-update-kb4015217)
|
||||
|
||||
This issue can potentially lead to unexpected account lockouts.
|
||||
See also Knowledge Base articles [KB4015219](https://support.microsoft.com/en-us/help/4015219/windows-10-update-kb4015219) and
|
||||
[KB4015221](https://support.microsoft.com/en-us/help/4015221/windows-10-update-kb4015221).
|
||||
[KB4015221](https://support.microsoft.com/en-us/help/4015221/windows-10-update-kb4015221)
|
||||
|
||||
In addition, products that connect to Virtualization Based Security (VBS) protected processes can cause Credential Guard-enabled Windows 10 clients to exhibit high CPU utilization. For further information, see the following Knowledge Base articles:
|
||||
|
||||
• KB88869: [Windows 10 machines exhibit high CPU usage with McAfee Application and Change Control (MACC) installed when Credential Guard is enabled](https://kc.mcafee.com/corporate/index?page=content&id=KB88869)
|
||||
|
||||
• [Installing AppSense Environment Manager on Windows 10 machines causes LsaIso.exe to exhibit high CPU usage when Credential Guard is enabled](http://www.appsense.com/kb/160525073917945) *
|
||||
The following issue is under investigation. For available workarounds, see the following Knowledge Base article:
|
||||
- [Installing AppSense Environment Manager on Windows 10 machines causes LsaIso.exe to exhibit high CPU usage when Credential Guard is enabled](http://www.appsense.com/kb/160525073917945) *
|
||||
|
||||
*Registration required to access this article.
|
||||
|
||||
- [Blue screen on Windows 10 computers running Device Guard and Credential Guard with Cisco Anyconnect 4.3.04027](https://quickview.cloudapps.cisco.com/quickview/bug/CSCvc66692)**
|
||||
|
||||
**Registration required to access this article.
|
||||
|
||||
Products that connect to Virtualization Based Security (VBS) protected processes can cause Credential Guard-enabled Windows 10 clients to exhibit high CPU usage. For further information, see the following Knowledge Base articles:
|
||||
|
||||
- KB88869: [Windows 10 machines exhibit high CPU usage with McAfee Application and Change Control (MACC) installed when Credential Guard is enabled](https://kc.mcafee.com/corporate/index?page=content&id=KB88869)
|
||||
|
||||
|
||||
- Windows 10 machines exhibit high CPU usage with Citrix applications installed when Credential Guard is enabled.
|
||||
|
||||
Microsoft is currently working with Citrix to investigate this issue.
|
||||
|
||||
|
||||
## Vendor support
|
||||
|
||||
- [Citrix Support for Secure Boot](https://www.citrix.com/blogs/2016/12/08/windows-server-2016-hyper-v-secure-boot-support-now-available-in-xenapp-7-12/)
|
||||
|
||||
Credential Guard is not supported by either these products, products versions, computer systems, or Windows 10 versions:
|
||||
|
||||
- For Credential Guard on Windows 10 with McAfee Encryption products, see:
|
||||
[Support for Device Guard and Credential Guard on Windows 10 with McAfee encryption products](https://kc.mcafee.com/corporate/index?page=content&id=KB86009)
|
||||
|
||||
- For Credential Guard on Windows 10 with Check Point Endpoint Security Client, see:
|
||||
[Check Point Endpoint Security Client support for Microsoft Windows 10 Credential Guard and Device Guard features](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk113912)
|
||||
|
||||
- For Credential Guard on Windows 10 with VMWare Workstation
|
||||
[Windows 10 host fails when running VMWare Workstation when Credential Guard is enabled](https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2146361)
|
||||
|
||||
- For Credential Guard on Windows 10 with specific versions of the Lenovo ThinkPad
|
||||
[ThinkPad support for Device Guard and Credential Guard in Microsoft Windows 10 – ThinkPad](https://support.lenovo.com/in/en/solutions/ht503039)
|
||||
|
||||
- For Credential Guard on Windows 10 with Symantec Endpoint Protection
|
||||
[Windows 10 with Credential Guard and Symantec Endpoint Protection 12.1](https://www.symantec.com/connect/forums/windows-10-device-guard-credentials-guard-and-sep-121)
|
||||
|
||||
This is not a comprehensive list. Check whether your product vendor, product version, or computer system, supports Credential guard on systems that run Windows 10 or specific versions of Windows 10. Specific computer system models may be incompatible with Credential Guard.
|
||||
|
||||
Microsoft encourages third-party vendors to contribute to this page by providing relevant product support information and by adding links to their own product support statements.
|
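Review bot: In the Vendor support section, the lead-in "Credential Guard is not supported by either these products, products versions, computer systems, or Windows 10 versions:" needs rewording. "either" precedes four alternatives, "products versions" should be "product versions", and the items under it are links to vendor statements about support (one is titled "Support for Device Guard and Credential Guard on Windows 10 with McAfee encryption products"), so a blanket "not supported" claim does not match the list. Something like "See the following vendor statements for Credential Guard support status:" fits better. In the same section, "Credential guard" in the closing paragraph should be capitalized consistently, "VMWare" is spelled "VMware" by the vendor, and the "*" and "**" footnotes carry identical text and could share one marker.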
@ -86,21 +86,27 @@ Set-NetFirewallProfile -DefaultInboundAction Block -DefaultOutboundAction Allow
|
||||
|
||||
### Disable Windows Firewall
|
||||
|
||||
Disabling Windows Firewall with Advanced Security can cause the following problems:
|
||||
Microsoft recommends that you do not disable Windows Firewall because you lose other benefits provided by the service, such as the ability to use Internet Protocol security (IPsec) connection security rules, network protection from attacks that employ network fingerprinting, [Windows Service Hardening](http://go.microsoft.com/fwlink/?linkid=104976), and [boot time filters](https://blogs.technet.microsoft.com/networking/2009/03/24/stopping-the-windows-authenticating-firewall-service-and-the-boot-time-policy/).
|
||||
|
||||
Disabling Windows Firewall with Advanced Security can also cause problems, including:
|
||||
|
||||
- Start menu can stop working
|
||||
- Modern applications can fail to install or update
|
||||
- Activation of Windows via phone fails
|
||||
- Application or OS incompatibilities that depend on Windows Firewall
|
||||
|
||||
Do not disable Windows Firewall with Advanced Security service by stopping the service.
|
||||
The proper method to disable the Windows Firewall is to disable the Windows Firewall Profiles and leave the service running.
|
||||
Use the following procedure to turn the firewall off, or disable the Group Policy setting **Computer Configuration|Administrative Templates|Network|Network Connections|Windows Firewall|Domain Prolfile|Windows Firewall:Protect all network connections**.
|
||||
For more information, see [Windows firewall with advanced security deployment guide](windows-firewall-with-advanced-security-deployment-guide.md).
|
||||
If you turn off the Windows Firewall with Advanced Security service, you lose other benefits provided by the service, such as the ability to use Internet Protocol security (IPsec) connection security rules, network protection from attacks that employ network fingerprinting, [Windows Service Hardening](http://go.microsoft.com/fwlink/?linkid=104976), and [boot time filters](https://blogs.technet.microsoft.com/networking/2009/03/24/stopping-the-windows-authenticating-firewall-service-and-the-boot-time-policy/).
|
||||
Microsoft recommends disabling Windows Firewall with Advanced Security only when installing a third-party firewall, and resetting Windows Firewall back to defaults when the third-party software is disabled or removed.
|
||||
|
||||
If disabling Windows Firewall with Advanced Security is required, do not disable it by stopping the Windows Firewall service (in the **Services** snap-in, the display name is Windows Firewall and the service name is MpsSvc).
|
||||
Stopping the Windows Firewall service is not supported by Microsoft.
|
||||
|
||||
Non-Microsoft firewall software can programmatically disable only the parts of Windows Firewall with Advanced Security that need to be disabled for compatibility.
|
||||
You should not disable the firewall yourself for this purpose.
|
||||
Stopping the service associated with Windows Firewall with Advanced Security is not supported by Microsoft.
|
||||
|
||||
The proper method to disable the Windows Firewall is to disable the Windows Firewall Profiles and leave the service running.
|
||||
|
||||
Use the following procedure to turn the firewall off, or disable the Group Policy setting **Computer Configuration|Administrative Templates|Network|Network Connections|Windows Firewall|Domain Prolfile|Windows Firewall:Protect all network connections**.
|
||||
For more information, see [Windows firewall with advanced security deployment guide](windows-firewall-with-advanced-security-deployment-guide.md).
|
||||
|
||||
The following example disables Windows Firewall with Advanced Security for all profiles.
|
||||
|
||||
|
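Review bot: The Group Policy path in the sentence "Use the following procedure to turn the firewall off, or disable the Group Policy setting" misspells "Domain Profile" as "Domain Prolfile", and it names only the Domain profile while the example that follows disables the firewall for all profiles. Fix the spelling and either give the equivalent setting for each profile or state that the policy covers the domain profile only. If both sentences remain after this change, the text also says that Microsoft recommends disabling the firewall only when installing a third-party firewall and that "You should not disable the firewall yourself for this purpose"; make explicit which of the two an administrator should follow.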
@ -21,7 +21,7 @@ This topic lists new and updated topics in the [Deploy Windows 10](index.md) doc
|
||||
|
||||
|
||||
## RELEASE: Windows 10, version 1703
|
||||
The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). The provisioning topics have been moved to [Configure Windows 10](/windows/configuration/index.md).
|
||||
The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). The provisioning topics have been moved to [Configure Windows 10](/windows/configuration/index).
|
||||
|
||||
|
||||
## March 2017
|
||||
|
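Review bot: The link target for Configure Windows 10 differs only in its ".md" extension ("/windows/configuration/index.md" versus "/windows/configuration/index"), while the context line in the hunk header still links "[Deploy Windows 10](index.md)" with the extension. State in the commit message which form the publishing build resolves for root-relative links, so the same fix can be applied consistently to other links of this kind.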
@ -22,19 +22,19 @@ Windows as a service is a new concept, introduced with the release of Windows 10
|
||||
## Definitions
|
||||
|
||||
Some new terms have been introduced as part of Windows as a service, so you should know what these terms mean.
|
||||
- **Feature updates** will be released two to three times per year. As the name suggests, these will add new features to Windows 10, delivered in bite-sized chunks compared to the previous practice of Windows releases every 3-5 years.
|
||||
- **Feature updates** will be released twice per year, around March and September. As the name suggests, these will add new features to Windows 10, delivered in bite-sized chunks compared to the previous practice of Windows releases every 3-5 years.
|
||||
- **Quality updates** are released monthly, delivering both security and non-security fixes. These are cumulative, so installing the latest quality update is sufficient to get all the available fixes for a specific Windows 10 feature update.
|
||||
- **Insider Preview** builds are made available during the development of the features that will be shipped in the next feature update, enabling organizations to validate new features as well as compatibility with existing apps and infrastructure, providing feedback to Microsoft on any issues encountered.
|
||||
- **Servicing branches** allow organizations to choose when to deploy new features. Current Branch (CB) deploys the fastest, soon after a feature update is released. Current Branch for Business (CBB) defers the installation of the same feature update by about four months, until that feature update is considered ready for broad deployment. Long Term Servicing Branch (LTSB) is different, used only for specialized devices (which typically don’t run Office) such as those that control medical equipment or ATM machines that need to be kept stable and secure.
|
||||
- **Servicing channels** allow organizations to choose when to deploy new features. The Semi-Annual Channel receives feature updates twice per year. The Long Term Servicing Channel, which is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases about every three years.
|
||||
- **Deployment rings** are groups of devices used to initially pilot, and then to broadly deploy, each feature update in an organization.
|
||||
|
||||
See [Overview of Windows as a service](waas-overview.md) for more information.
|
||||
|
||||
## Key Concepts
|
||||
|
||||
New feature update releases are initially considered **Current Branch (CB) releases**; organizations will use these for pilot deployments to ensure compatibility with existing apps and infrastructure. After about four months, the feature update will be declared as **Current Branch for Business (CBB)**, indicating that it is ready for broad deployment.
|
||||
Windows 10 gains new functionality with twice-per-year feature update releases. Initially, organizations will use these feature update releases for pilot deployments to ensure compatibility with existing apps and infrastructure. After a period of time, typically about four months after the feature update release, broad deployment throughout the organization can begin. The exact timeframe is determined by feedback from customers, ISVs, OEMs, and others, with an explicit "ready for broad deployment" declaration signaling this to customers.
|
||||
|
||||
Each Windows 10 feature update (which initially begins as CB and then is declared as CBB) will be serviced with quality updates for a minimum of 18 months after it is released. The total length of time can be longer, as there will be two CBB releases serviced at all times. There will be a minimum of 60 days advanced notice (a grace period) after a CBB declaration occurs before an older feature update is no longer serviced.
|
||||
Each Windows 10 feature update will be serviced with quality updates for 18 months from the date of the feature update release.
|
||||
|
||||
Windows 10 Enterprise LTSB is a separate **Long Term Servicing Branch (LTSB)** version. Each release is supported for a total of 10 years (five years standard support, five years extended support). New releases are expected about every three years.
|
||||
|
||||
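Review bot: The branch-to-channel rename is incomplete in Key Concepts: the line "Windows 10 Enterprise LTSB is a separate **Long Term Servicing Branch (LTSB)** version" still uses the old term, while the Definitions bullet now reads "Long Term Servicing Channel". Update that paragraph in the same change, or note why LTSB is kept. The servicing paragraph also goes from "a minimum of 18 months" with 60 days of advance notice to a flat "18 months from the date of the feature update release"; since this determines when a release stops receiving quality updates, including security fixes, say explicitly whether the grace period no longer applies.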
@ -44,9 +44,9 @@ See [Assign devices to servicing branches for Windows 10 updates](waas-servicing
|
||||
|
||||
The process for keeping Windows 10 up to date involves deploying a feature update, at an appropriate time after its release. A variety of tools management and patching tools such as Windows Update, Windows Update for Business, Windows Server Update Services, System Center Configuration Manager, and third-party products) can be used to help with this process. [Windows Analytics Upgrade Readiness](https://www.microsoft.com/en-us/WindowsForBusiness/windows-analytics), a free tool to streamline Windows upgrade projects, is another important tool to help.
|
||||
|
||||
Because app compatibility, both for desktop apps and web apps, is outstanding with Windows 10, extensive advanced testing isn’t required. Instead, only business-critical apps need to be tested, with the remaining apps validated through a series of pilot deployment rings. Once these pilot deployments have validated most apps and CBB has been declared, broad deployment can begin.
|
||||
Because app compatibility, both for desktop apps and web apps, is outstanding with Windows 10, extensive advanced testing isn’t required. Instead, only business-critical apps need to be tested, with the remaining apps validated through a series of pilot deployment rings. Once these pilot deployments have validated most apps, broad deployment can begin.
|
||||
|
||||
This process repeats with each new feature update, two to three times per year. These are small deployment projects, compared to the big projects that were necessary with the old three-to-five-year Windows release cycles.
|
||||
This process repeats with each new feature update, twice per year. These are small deployment projects, compared to the big projects that were necessary with the old three-to-five-year Windows release cycles.
|
||||
|
||||
Additional technologies such as BranchCache and Delivery Optimization, both peer-to-peer distribution tools, can help with the distribution of the feature update installation files.
|
||||
|
||||
|
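Review bot: The context line beginning "The process for keeping Windows 10 up to date" has a stray closing parenthesis and a duplicated word ("A variety of tools management and patching tools such as ... third-party products)"). Since this hunk edits the two paragraphs after it, fix it here, for example "A variety of management and patching tools (such as ... third-party products) can be used to help with this process." The same line is also missing an opening parenthesis before "such as", which is what leaves the closing one unbalanced.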