Added the following new policies for Windows 10, version 1709:
+Added new CSP in the next major update to Windows 10.
+Added new CSP in Windows 10, version 1709.
To PurposeGroups setting, added the following values for the next major update of Windows 10:
+To PurposeGroups setting, added the following values Windows 10, version 1709:
[CM_CellularEntries CSP](cm-cellularentries-csp.md)
[EnterpriseAPN CSP](enterpriseapn-csp.md)
In the next major update of Windows 10, support was added for Windows 10 Home, Pro, Enterprise, and Education editions.
+In the Windows 10, version 1709, support was added for Windows 10 Home, Pro, Enterprise, and Education editions.
Added in Windows 10, version 1709. Turn off the display (on battery). This policy setting allows you to specify the period of inactivity before Windows turns off the display. + +
If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the display. + +
If you disable or do not configure this policy setting, users control this setting. + +
If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the display from turning off. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature. + + + +ADMX Info: +- GP english name: *Turn off the display (on battery)* +- GP name: *VideoPowerDownTimeOutDC_2* +- GP path: *System/Power Management/Video and Display Settings* +- GP ADMX file name: *power.admx* + + + + + +**Power/DisplayOffTimeoutPluggedIn** + + + +
Added in Windows 10, version 1709. Turn off the display (plugged in). This policy setting allows you to specify the period of inactivity before Windows turns off the display. + +
If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the display. + +
If you disable or do not configure this policy setting, users control this setting. + +
If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the display from turning off. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature. + + + +ADMX Info: +- GP english name: *Turn off the display (plugged in)* +- GP name: *VideoPowerDownTimeOutAC_2* +- GP path: *System/Power Management/Video and Display Settings* +- GP ADMX file name: *power.admx* + + + + + +**Power/HibernateTimeoutOnBattery** + + +
Added in Windows 10, version 1709. Specify the system hibernate timeout (on battery). This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate. + +
If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to hibernate. + +
If you disable or do not configure this policy setting, users control this setting. + + +
If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature. + + +ADMX Info: +- GP english name: *Specify the system hibernate timeout (on battery)* +- GP name: *DCHibernateTimeOut_2* +- GP path: *System/Power Management/Sleep Settings* +- GP ADMX file name: *power.admx* + + + + + +**Power/HibernateTimeoutPluggedIn** + + +
Added in Windows 10, version 1709. Specify the system hibernate timeout (plugged in). This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate. + +
If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to hibernate. + +
If you disable or do not configure this policy setting, users control this setting. + +
If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature. + + + +ADMX Info: +- GP english name: *Specify the system hibernate timeout (plugged in)* +- GP name: *ACHibernateTimeOut_2* +- GP path: *System/Power Management/Sleep Settings* +- GP ADMX file name: *power.admx* + + + + **Power/RequirePasswordWhenComputerWakesOnBattery** @@ -11987,6 +12084,53 @@ ADMX Info: + + +**Power/StandbyTimeoutOnBattery** + + +
Added in Windows 10, version 1709. Specify the system sleep timeout (on battery). This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep. + +
If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to sleep. + +
If you disable or do not configure this policy setting, users control this setting. + +
If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature. + + + +ADMX Info: +- GP english name: *Specify the system sleep timeout (on battery)* +- GP name: *DCStandbyTimeOut_2* +- GP path: *System/Power Management/Sleep Settings* +- GP ADMX file name: *power.admx* + + + + + +**Power/StandbyTimeoutPluggedIn** + + +
Added in Windows 10, version 1709. Specify the system sleep timeout (plugged in). This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep. + +
If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to sleep. + +
If you disable or do not configure this policy setting, users control this setting. + +
If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature.
+
+
+
+ADMX Info:
+- GP english name: *Specify the system sleep timeout (plugged in)*
+- GP name: *ACStandbyTimeOut_2*
+- GP path: *System/Power Management/Sleep Settings*
+- GP ADMX file name: *power.admx*
+
+
+
+
**Printers/PointAndPrintRestrictions**
diff --git a/windows/configuration/docfx.json b/windows/configuration/docfx.json
index f9b0e89ad4..aaaf80aa49 100644
--- a/windows/configuration/docfx.json
+++ b/windows/configuration/docfx.json
@@ -35,7 +35,8 @@
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows",
"ms.topic": "article",
- "ms.author": "jdecker"
+ "ms.author": "jdecker",
+ "ms.date": "04/05/2017"
},
"fileMetadata": {},
"template": [],
diff --git a/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index 18fc7be5b4..51841c4ad0 100644
--- a/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -8,6 +8,8 @@ ms.mktglfcycl: manage
ms.sitesec: library
localizationpriority: high
author: brianlic-msft
+ms.author: brianlic-msft
+ms.date: 06/13/2017
---
# Manage connections from Windows operating system components to Microsoft services
@@ -1692,6 +1694,10 @@ If you're running Windows 10, version 1607 or later, you only need to enable the
- Create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent!DisableWindowsSpotlightFeatures**, with a value of 1 (one).
+ -and-
+
+- Create a new REG\_DWORD registry setting in **HKEY\_CURRENT\_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent!DisableWindowsSpotlightFeatures**, with a value of 1 (one).
+
If you're not running Windows 10, version 1607 or later, you can use the other options in this section.
- Configure the following in **Settings**:
diff --git a/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md b/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md
index e7a7a025ab..c302cdc63f 100644
--- a/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md
+++ b/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md
@@ -21,7 +21,7 @@ localizationpriority: high
A single-use or *kiosk* device is easy to set up in Windows 10 for desktop editions.
-- Use the [Provision kiosk devices wizard](#wizard) in Windows Configuration Designer to create a provisioning package that configures a kiosk device running either a Universal Windows app or a Classic Windows application (Windows 10 Enterprise or Education only).
+- Use the [Provision kiosk devices wizard](#wizard) in Windows Configuration Designer (Windows 10, version 1607 or later) to create a provisioning package that configures a kiosk device running either a Universal Windows app or a Classic Windows application (Windows 10 Enterprise or Education only).
or
diff --git a/windows/configuration/start-layout-xml-desktop.md b/windows/configuration/start-layout-xml-desktop.md
index 40ccf85845..5c1898026e 100644
--- a/windows/configuration/start-layout-xml-desktop.md
+++ b/windows/configuration/start-layout-xml-desktop.md
@@ -6,6 +6,8 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerms
+ms.author: jdecker
+ms.date: 06/13/2017
localizationpriority: high
---
@@ -52,9 +54,9 @@ The following table lists the supported elements and attributes for the LayoutMo
| RequiredStartGroupsCollectionParent:LayoutModificationTemplate | n/a | Use to contain collection of RequiredStartGroups |
| [RequiredStartGroups](#requiredstartgroups)Parent:RequiredStartGroupsCollection | Region | Use to contain the AppendGroup tags, which represent groups that can be appended to the default Start layout |
| [AppendGroup](#appendgroup)Parent:RequiredStartGroups | Name | Use to specify the tiles that need to be appended to the default Start layout |
-| [start:Tile](#specify-start-tiles)Parent:AppendGroup | AppUserModelIDSizeRowColumn | Use to specify any of the following:- A Universal Windows app- A Windows 8 or Windows 8.1 app |
+| [start:Tile](#specify-start-tiles)Parent:AppendGroup | AppUserModelIDSizeRowColumn | Use to specify any of the following:- A Universal Windows app- A Windows 8 or Windows 8.1 appNote that AppUserModelID is case-sensitive. |
| start:DesktopApplicationTileParent:AppendGroup | DesktopApplicationIDDesktopApplicationLinkPathSizeRowColumn | Use to specify any of the following:- A Windows desktop application with a known AppUserModelID- An application in a known folder with a link in a legacy Start Menu folder- A Windows desktop application link in a legacy Start Menu folder- A Web link tile with an associated .url file that is in a legacy Start Menu folder |
-| start:SecondaryTileParent:AppendGroup | AppUserModelIDTileIDArgumentsDisplayNameSquare150x150LogoUriShowNameOnSquare150x150LogoShowNameOnWide310x150LogoWide310x150LogoUriBackgroundColorForegroundTextIsSuggestedAppSizeRowColumn | Use to pin a Web link through a Microsoft Edge secondary tile |
+| start:SecondaryTileParent:AppendGroup | AppUserModelIDTileIDArgumentsDisplayNameSquare150x150LogoUriShowNameOnSquare150x150LogoShowNameOnWide310x150LogoWide310x150LogoUriBackgroundColorForegroundTextIsSuggestedAppSizeRowColumn | Use to pin a Web link through a Microsoft Edge secondary tile. Note that AppUserModelID is case-sensitive. |
| TopMFUAppsParent:LayoutModificationTemplate | n/a | Use to add up to 3 default apps to the frequently used apps section in the system area |
| TileParent:TopMFUApps | AppUserModelID | Use with the TopMFUApps tags to specify an app with a known AppUserModelID |
| DesktopApplicationTileParent:TopMFUApps | LinkFilePath | Use with the TopMFUApps tags to specify an app without a known AppUserModelID |
@@ -144,6 +146,9 @@ You can use the **start:Tile** tag to pin any of the following apps to Start:
To specify any one of these apps, you must set the **AppUserModelID** attribute to the application user model ID that's associated with the corresponding app.
+>[!IMPORTANT]
+>**AppUserModelID** (AUMID) is case-sensitive.
+
The following example shows how to pin the Microsoft Edge Universal Windows app:
```XML
@@ -181,6 +186,7 @@ You can use the **start:DesktopApplicationTile** tag to pin a Windows desktop ap
- By using the application's application user model ID, if this is known. If the Windows desktop application doesn't have one, use the shortcut link option.
+
You can use the [Get-StartApps cmdlet](https://technet.microsoft.com/library/dn283402.aspx) on a PC that has the application pinned to Start to obtain the app ID.
To pin a Windows desktop application through this method, you must set the **DesktopApplicationID** attribute to the application user model ID that's associated with the corresponding app.
@@ -239,7 +245,7 @@ The following table describes the other attributes that you can use with the **s
| Attribute | Required/optional | Description |
| --- | --- | --- |
-| AppUserModelID | Required | Must point to Microsoft Edge. |
+| AppUserModelID | Required | Must point to Microsoft Edge. Note that AppUserModelID is case-sensitive. |
| TileID | Required | Must uniquely identify your Web site tile. |
| Arguments | Required | Must contain the URL of your Web site. |
| DisplayName | Required | Must specify the text that you want users to see. |
diff --git a/windows/deployment/docfx.json b/windows/deployment/docfx.json
index 3df45b300e..2c2ef6cd84 100644
--- a/windows/deployment/docfx.json
+++ b/windows/deployment/docfx.json
@@ -35,7 +35,8 @@
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows",
"ms.topic": "article",
- "ms.author": "greglin"
+ "ms.author": "greglin",
+ "ms.date": "04/05/2017"
},
"fileMetadata": {},
"template": [],
diff --git a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md
index d13224f45d..82621b15ac 100644
--- a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md
+++ b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md
@@ -20,7 +20,473 @@ For an overview of the process described in the following procedures, see [Deplo
The process for creating a golden code integrity policy from a reference system is straightforward. This section outlines the process that is required to successfully create a code integrity policy with Windows PowerShell. First, for this example, you must initiate variables to be used during the creation process. Rather than using variables, you can simply use the full file paths in the command. Next, you create the code integrity policy by scanning the system for installed applications. When created, the policy file is converted to binary format so that Windows can consume its contents.
-> **Note** Before you begin this procedure, ensure that the reference PC is clean of viruses or malware. Each piece of installed software should be validated as trustworthy before you create this policy. Also, be sure that any software that you would like to be scanned is installed on the system before you create the code integrity policy.
+> [!Note]
+> Before you begin this procedure, make sure that the reference PC is virus and malware-free,and that any software you want to be scanned is installed on the system before creating the code integrity policy.
+
+### Scripting and applications
+
+Each installed software application should be validated as trustworthy before you create a policy. We recommend that you review the reference PC for software that can load arbitrary DLLs and run code or scripts that could render the PC more vulnerable. Examples include software aimed at development or scripting such as msbuild.exe (part of Visual Studio and the .NET Framework) which can be removed, and Windows Script Host (WSH), which can be manually disabled if you do not want it to run scripts.
+You can remove or disable such software on reference PCs used to create code integrity policies. You can also fine-tune your control by using Device Guard in combination with AppLocker, as described in [Device Guard with AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies#device-guard-with-applocker).
+
+Members of the security community* continuously collaborate with Microsoft to help protect customers. With the help of their valuable reports, Microsoft has identified a list of valid applications that an attacker could also potentially use to bypass Device Guard code integrity policies.
+
+In certain circumstances, if the use case is appropriate, for example if your operational scenario requires elevated security, you may want to block these applications. For example, if you have a code integrity policy that trusts all Microsoft-signed applications, we recommend that you block the following applications (optional in the case of cscript.exe and wscript.exe) from running on your systems:
+
+- bash.exe
+- bginfo.exe
+- cdb.exe
+- cscript.exe1
+- csi.exe
+- dnx.exe
+- fsi.exe
+- kd.exe
+- lxssmanager.dll
+- msbuild.exe2
+- mshta.exe
+- ntsd.exe
+- rcsi.exe
+- windbg.exe
+- wscript.exe1
+
+1 Microsoft Windows Script Host (WSH) is an automation technology for Microsoft Windows operating systems that allows scripts to load and run. It comprises two files, wscript.exe and cscript.exe. When WSH is enabled, scripts are allowed. However, when Device Guard is enabled, the functionality of WSH scripts is restricted by default.
+
+2 If you are using your reference system in a development context and use msbuild.exe to build managed applications, we recommend that you whitelist msbuild.exe in your code integrity policies. However, if your reference system is an end user device that is not being used in a development context, we recommend that you block msbuild.exe.
+
+* Microsoft recognizes the efforts of those in the security community who help us protect customers through responsible vulnerability disclosure, and extends thanks to the following people:
+
+
+
+|Name|Twitter|
+|---|---|
+|Casey Smith |@subTee|
+|Matt Graeber | @mattifestation|
+|Matt Nelson | @enigma0x3|
+|Oddvar Moe |@Oddvarmoe|
+
+
+
+>[!Note]
+>This application list is fluid and will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered.
+
+When an application version is upgraded, you may want to add deny rules to your code integrity policies for that application’s previous, less secure versions, especially to fix a vulnerability or potential Device Guard bypass. Certain vendors may or may not intend to update their software to work with Device Guard.
+
+To block the listed applications, you can merge this policy into your existing policy by adding the following deny rules using the PowerShell Merge-CIPolicy cmdlet:
+
+```
+
+
+The June 2017 Windows updates resolve a vulnerability in PowerShell that allowed an attacker to bypass Device Guard code integrity policies. Powershell cmdlets cannot be blocked by name or version, and therefore must be blocked by their corresponding hashes. We recommend that you block the following PowerShell cmdlets and merge this policy into your existing policy by adding the following deny rules using the Merge-CIPolicy cmdlet:
+
+```
+
+
To create a code integrity policy, copy each of the following commands into an elevated Windows PowerShell session, in order:
@@ -36,7 +502,7 @@ To create a code integrity policy, copy each of the following commands into an e
` New-CIPolicy -Level PcaCertificate -FilePath $InitialCIPolicy –UserPEs 3> CIPolicyLog.txt `
- > **Notes**
+ > [!Notes]
> - When you specify the **-UserPEs** parameter (to include user mode executables in the scan), rule option **0 Enabled:UMCI** is automatically added to the code integrity policy. In contrast, if you do not specify **-UserPEs**, the policy will be empty of user mode executables and will only have rules for kernel mode binaries like drivers, in other words, the whitelist will not include applications. If you create such a policy and later add rule option **0 Enabled:UMCI**, all attempts to start applications will cause a response from Device Guard. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application.
@@ -52,7 +518,8 @@ To create a code integrity policy, copy each of the following commands into an e
After you complete these steps, the Device Guard binary file (DeviceGuardPolicy.bin) and original .xml file (IntialScan.xml) will be available on your desktop. You can use the binary version as a code integrity policy or sign it for additional security.
-> **Note** We recommend that you keep the original .xml file of the policy for use when you need to merge the code integrity policy with another policy or update its rule options. Alternatively, you would have to create a new policy from a new scan for servicing. For more information about how to merge code integrity policies, see [Merge code integrity policies](#merge-code-integrity-policies).
+> [!Note]
+> We recommend that you keep the original .xml file of the policy for use when you need to merge the code integrity policy with another policy or update its rule options. Alternatively, you would have to create a new policy from a new scan for servicing. For more information about how to merge code integrity policies, see [Merge code integrity policies](#merge-code-integrity-policies).
We recommend that every code integrity policy be run in audit mode before being enforced. Doing so allows administrators to discover any issues with the policy without receiving error message dialog boxes. For information about how to audit a code integrity policy, see the next section, [Audit code integrity policies](#audit-code-integrity-policies).
@@ -60,7 +527,8 @@ We recommend that every code integrity policy be run in audit mode before being
When code integrity policies are run in audit mode, it allows administrators to discover any applications that were missed during an initial policy scan and to identify any new applications that have been installed and run since the original policy was created. While a code integrity policy is running in audit mode, any binary that runs and would have been denied had the policy been enforced is logged in the **Applications and Services Logs\\Microsoft\\Windows\\CodeIntegrity\\Operational** event log. When these logged binaries have been validated, they can easily be added to a new code integrity policy. When the new exception policy is created, you can merge it with your existing code integrity policies.
-> **Note** Before you begin this process, you need to create a code integrity policy binary file. If you have not already done so, see [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer), earlier in this topic, for a step-by-step walkthrough of the process to create a code integrity policy and convert it to binary format.
+> [!Note]
+> Before you begin this process, you need to create a code integrity policy binary file. If you have not already done so, see [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer), earlier in this topic, for a step-by-step walkthrough of the process to create a code integrity policy and convert it to binary format.
**To audit a code integrity policy with local policy:**
@@ -68,7 +536,7 @@ When code integrity policies are run in audit mode, it allows administrators to
2. On the computer you want to run in audit mode, open the Local Group Policy Editor by running **GPEdit.msc**.
- > **Notes**
+ > [!Note]
> - The computer that you will run in audit mode must be clean of viruses or malware. Otherwise, in the process that you follow after auditing the system, you might unintentionally merge in a code integrity policy that allows viruses or malware to run.
@@ -76,7 +544,7 @@ When code integrity policies are run in audit mode, it allows administrators to
3. Navigate to **Computer Configuration\\Administrative Templates\\System\\Device Guard**, and then select **Deploy Code Integrity Policy**. Enable this setting by using the appropriate file path, for example, C:\\Windows\\System32\\CodeIntegrity\\DeviceGuardPolicy.bin, as shown in Figure 1.
- > **Notes**
+ > [!Note]
> - The illustration shows the example file name *DeviceGuardPolicy.bin* because this name was used earlier in this topic, in [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer). Also, this policy file does not need to be copied to every system. You can instead copy the code integrity policies to a file share to which all computer accounts have access.
@@ -124,7 +592,8 @@ Use the following procedure after you have been running a computer with a code i
` New-CIPolicy -Audit -Level Hash -FilePath $CIAuditPolicy –UserPEs 3> CIPolicylog.txt`
- > **Note** When you create policies from audit events, you should carefully consider the file rule level that you select to trust. The preceding example uses the **Hash** rule level, which is the most specific. Any change to the file (such as replacing the file with a newer version of the same file) will change the Hash value, and require an update to the policy.
+ > [!Note]
+ > When you create policies from audit events, you should carefully consider the file rule level that you select to trust. The preceding example uses the **Hash** rule level, which is the most specific. Any change to the file (such as replacing the file with a newer version of the same file) will change the Hash value, and require an update to the policy.
4. Find and review the Device Guard audit policy .xml file that you created. If you used the example variables as shown, the filename will be **DeviceGuardAuditPolicy.xml**, and it will be on your desktop. Look for the following:
@@ -134,7 +603,8 @@ Use the following procedure after you have been running a computer with a code i
You can now use this file to update the existing code integrity policy that you ran in audit mode by merging the two policies. For instructions on how to merge this audit policy with the existing code integrity policy, see the next section, [Merge code integrity policies](#merge-code-integrity-policies).
-> **Note** You may have noticed that you did not generate a binary version of this policy as you did in [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer). This is because code integrity policies created from an audit log are not intended to run as stand-alone policies but rather to update existing code integrity policies.
+> [!Note]
+> You may have noticed that you did not generate a binary version of this policy as you did in [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer). This is because code integrity policies created from an audit log are not intended to run as stand-alone policies but rather to update existing code integrity policies.
## Use a code integrity policy to control specific plug-ins, add-ins, and modules
@@ -166,7 +636,8 @@ New-CIPolicy -Rules $rule -FilePath ".\BlockAddins.xml" -UserPEs
When you develop code integrity policies, you will occasionally need to merge two policies. A common example is when a code integrity policy is initially created and audited. Another example is when you create a single master policy by using multiple code integrity policies previously created from golden computers. Because each computer running Windows 10 can have only one code integrity policy, it is important to properly maintain these policies. In this example, audit events have been saved into a secondary code integrity policy that you then merge with the initial code integrity policy.
-> **Note** The following example uses several of the code integrity policy .xml files that you created in earlier sections in this topic. You can follow this process, however, with any two code integrity policies you would like to combine.
+> [!Note]
+> The following example uses several of the code integrity policy .xml files that you created in earlier sections in this topic. You can follow this process, however, with any two code integrity policies you would like to combine.
To merge two code integrity policies, complete the following steps in an elevated Windows PowerShell session:
@@ -182,7 +653,8 @@ To merge two code integrity policies, complete the following steps in an elevate
` $CIPolicyBin=$CIPolicyPath+"NewDeviceGuardPolicy.bin"`
- > **Note** The variables in this section specifically expect to find an initial policy on your desktop called **InitialScan.xml** and an audit code integrity policy called **DeviceGuardAuditPolicy.xml**. If you want to merge other code integrity policies, update the variables accordingly.
+ > [!Note]
+ > The variables in this section specifically expect to find an initial policy on your desktop called **InitialScan.xml** and an audit code integrity policy called **DeviceGuardAuditPolicy.xml**. If you want to merge other code integrity policies, update the variables accordingly.
2. Use [Merge-CIPolicy](https://technet.microsoft.com/library/mt634485.aspx) to merge two policies and create a new code integrity policy:
@@ -198,7 +670,8 @@ Now that you have created a new code integrity policy (for example, called **New
Every code integrity policy is created with audit mode enabled. After you have successfully deployed and tested a code integrity policy in audit mode and are ready to test the policy in enforced mode, complete the following steps in an elevated Windows PowerShell session:
-> **Note** Every code integrity policy should be tested in audit mode first. For information about how to audit code integrity policies, see [Audit code integrity policies](#audit-code-integrity-policies), earlier in this topic.
+> [!Note]
+> Every code integrity policy should be tested in audit mode first. For information about how to audit code integrity policies, see [Audit code integrity policies](#audit-code-integrity-policies), earlier in this topic.
1. Initialize the variables that will be used:
@@ -210,7 +683,8 @@ Every code integrity policy is created with audit mode enabled. After you have s
` $CIPolicyBin=$CIPolicyPath+"EnforcedDeviceGuardPolicy.bin"`
- > **Note** The initial code integrity policy that this section refers to was created in the [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer) section. If you are using a different code integrity policy, update the **CIPolicyPath** and **InitialCIPolicy** variables.
+ > [!Note]
+ > The initial code integrity policy that this section refers to was created in the [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer) section. If you are using a different code integrity policy, update the **CIPolicyPath** and **InitialCIPolicy** variables.
2. Ensure that rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”) are set the way that you intend for this policy. We strongly recommend that you enable these rule options before you run any enforced policy for the first time. Enabling these options provides administrators with a pre-boot command prompt, and allows Windows to start even if the code integrity policy blocks a kernel-mode driver from running. When ready for enterprise deployment, you can remove these options.
@@ -228,7 +702,8 @@ Every code integrity policy is created with audit mode enabled. After you have s
` Set-RuleOption -FilePath $EnforcedCIPolicy -Option 3 -Delete`
- > **Note** To enforce a code integrity policy, you delete option 3, the **Audit Mode Enabled** option. There is no “enforced” option that can be placed in a code integrity policy.
+ > [!Note]
+ > To enforce a code integrity policy, you delete option 3, the **Audit Mode Enabled** option. There is no “enforced” option that can be placed in a code integrity policy.
5. Use [ConvertFrom-CIPolicy](https://technet.microsoft.com/library/mt733073.aspx) to convert the new code integrity policy to binary format:
@@ -244,7 +719,8 @@ Signing code integrity policies by using an on-premises CA-generated certificate
Before signing code integrity policies for the first time, be sure to enable rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”) to leave troubleshooting options available to administrators. To ensure that a rule option is enabled, you can run a command such as `Set-RuleOption -FilePath
This can be relevant because of drivers. You could create a code integrity policy on hardware that uses a particular set of drivers, and if other drivers in your environment use the same signature, they would also be allowed to run. However, you might need to create several code integrity policies on different "reference" hardware, then merge the policies together, to ensure that the resulting policy recognizes all the drivers in your environment.
- - Is there already a list of accepted applications?
A list of accepted applications can be used to help create a baseline code integrity policy.
As of Windows 10, version 1703, it might also be useful to have a list of plug-ins, add-ins, or modules that you want to allow only in a specific app (such as a line-of-business app). Similarly, it might be useful to have a list of plug-ins, add-ins, or modules that you want to block in a specific app (such as a browser).
-
- What software does each department or role need? Should they be able to install and run other departments’ software?
If multiple departments are allowed to run the same list of software, you might be able to merge several code integrity policies to simplify management.
- Are there departments or roles where unique, restricted software is used?
If one department needs to run an application that no other department is allowed, it might require a separate code integrity policy. Similarly, if only one department must run an old version of an application (while other departments allow only the newer version), it might require a separate code integrity policy.
+ - Is there already a list of accepted applications?
A list of accepted applications can be used to help create a baseline code integrity policy.
As of Windows 10, version 1703, it might also be useful to have a list of plug-ins, add-ins, or modules that you want to allow only in a specific app (such as a line-of-business app). Similarly, it might be useful to have a list of plug-ins, add-ins, or modules that you want to block in a specific app (such as a browser).
+
+ - As part of a threat review process, have you reviewed systems for software that can load arbitrary DLLs or run code or scripts?
+ In day-to-day operations, your organization’s security policy may allow certain applications, code, or scripts to run on your systems depending on their role and the context. However, if your security policy requires that you run only trusted applications, code, and scripts on your systems, you may decide to lock these systems down securely with Device Guard code integrity policies.
+ You can also fine-tune your control by using Device Guard in combination with AppLocker, as described in [Device Guard with AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies#device-guard-with-applocker).
+
+ Legitimate applications from trusted vendors provide valid functionality. However, an attacker could also potentially use that same functionality to run malicious executable code that could bypass code integrity policies. For operational scenarios that require elevated security, certain applications with known Code Integrity bypass vulnerabilities may represent a security risk if you whitelist them in your code integrity policies. Other applications whose older versions have vulnerabilities also represent a risk. Therefore, you may want to deny or block such applications from your code integrity policies. Once applications with vulnerabilities are fixed, you can create a rule that only allows the fixed version or newer versions of that application. The decision to allow or block applications depends on the context and on how the reference system is being used.
+
+ Security professionals collaborate with Microsoft® continuously to help protect customers. With the help of their valuable reports, Microsoft has identified a list of known applications that an attacker could potentially use to bypass Device Guard code integrity policies.
+ Depending on the context, you may want to block these applications. To see the list of applications, and for use case examples such as disabling Windows Script Host (WSH) or disabling msbuild.exe, (See [Deploy code integrity policies: steps](https://technet.microsoft.com/itpro/windows/keep-secure/deploy-code-integrity-policies-steps)).
+
4. **Identify LOB applications that are currently unsigned**. Although requiring signed code (through code integrity policies) protects against many threats, your organization might use unsigned LOB applications, for which the process of signing might be difficult. You might also have applications that are signed, but you want to add a secondary signature to them. If so, identify these applications, because you will need to create a catalog file for them. For a basic description of catalog files, see the table in [Introduction to Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md). For more background information about catalog files, see [Reviewing your applications: application signing and catalog files](requirements-and-deployment-planning-guidelines-for-device-guard.md#reviewing-your-applications-application-signing-and-catalog-files).
## Getting started on the deployment process
diff --git a/windows/device-security/docfx.json b/windows/device-security/docfx.json
index ebbbf433db..ca5178e70e 100644
--- a/windows/device-security/docfx.json
+++ b/windows/device-security/docfx.json
@@ -35,7 +35,8 @@
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows",
"ms.topic": "article",
- "ms.author": "justinha"
+ "ms.author": "justinha",
+ "ms.date": "04/05/2017"
},
"fileMetadata": {},
"template": [],
diff --git a/windows/device-security/images/tpm-capabilities.png b/windows/device-security/images/tpm-capabilities.png
new file mode 100644
index 0000000000..aecbb68522
Binary files /dev/null and b/windows/device-security/images/tpm-capabilities.png differ
diff --git a/windows/device-security/images/tpm-remote-attestation.png b/windows/device-security/images/tpm-remote-attestation.png
new file mode 100644
index 0000000000..fa092591a1
Binary files /dev/null and b/windows/device-security/images/tpm-remote-attestation.png differ
diff --git a/windows/hub/docfx.json b/windows/hub/docfx.json
index 8c9110e8b7..a95581a35a 100644
--- a/windows/hub/docfx.json
+++ b/windows/hub/docfx.json
@@ -37,7 +37,8 @@
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows",
"ms.topic": "article",
- "ms.author": "brianlic"
+ "ms.author": "brianlic",
+ "ms.date": "04/05/2017"
},
"fileMetadata": {},
"template": [],
diff --git a/windows/threat-protection/docfx.json b/windows/threat-protection/docfx.json
index d0865639cb..2989cbeaa7 100644
--- a/windows/threat-protection/docfx.json
+++ b/windows/threat-protection/docfx.json
@@ -35,7 +35,8 @@
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows",
"ms.topic": "article",
- "ms.author": "justinha"
+ "ms.author": "justinha",
+ "ms.date": "04/05/2017"
},
"fileMetadata": {},
"template": [],
diff --git a/windows/whats-new/contribute-to-a-topic.md b/windows/whats-new/contribute-to-a-topic.md
index 6b8301ccab..c963eb975e 100644
--- a/windows/whats-new/contribute-to-a-topic.md
+++ b/windows/whats-new/contribute-to-a-topic.md
@@ -1,6 +1,6 @@
---
title: Edit an existing topic using the Edit link
-description: Instructions about how to edit an existing topic by using the Contribute link on TechNet.
+description: Instructions about how to edit an existing topic by using the Edit link on TechNet.
keywords: contribute, edit a topic
ms.prod: w10
ms.mktglfcycl: explore
@@ -10,13 +10,13 @@ ms.sitesec: library
# Editing existing Windows IT professional documentation
You can now make suggestions and update existing, public content with a GitHub account and a simple click of a link.
->**Note**
+>[!NOTE]
>At this time, only the English (en-us) content is available for editing.
**To edit a topic**
-1. All contributors who are ***not*** a Microsoft employee must [sign a Microsoft Contribution Licensing Agreement (CLA)](https://cla.microsoft.com/) before contributing to any Microsoft repositories.
-If you've already contributed to Microsoft repositories in the past, congratulations! You've already completed this step.
+1. All contributors who are ***not*** a Microsoft employee must [sign a Microsoft Contribution Licensing Agreement (CLA)](https://cla.microsoft.com/) before updating or adding to any Microsoft repositories.
+If you've previously contributed to topics in the Microsoft repositories, congratulations! You've already completed this step.
2. Go to the page on TechNet that you want to update, and then click **Edit**.
diff --git a/windows/whats-new/docfx.json b/windows/whats-new/docfx.json
index bdecd75985..590b6d84d5 100644
--- a/windows/whats-new/docfx.json
+++ b/windows/whats-new/docfx.json
@@ -35,7 +35,8 @@
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows",
"ms.topic": "article",
- "ms.author": "trudyha"
+ "ms.author": "trudyha",
+ "ms.date": "04/05/2017"
},
"fileMetadata": {},
"template": [],
diff --git a/windows/whats-new/index.md b/windows/whats-new/index.md
index b64a85a590..e0bd472d86 100644
--- a/windows/whats-new/index.md
+++ b/windows/whats-new/index.md
@@ -1,6 +1,6 @@
---
title: What's new in Windows 10 (Windows 10)
-description: Learn about new features in Windows 10 for IT professionals, such as Enterprise Data Protection, Windows Hello, Device Guard, and more.
+description: Learn about new features in Windows 10 for IT professionals, such as Windows Information Protection, Windows Hello, Device Guard, and more.
ms.assetid: F1867017-76A1-4761-A200-7450B96AEF44
keywords: ["What's new in Windows 10", "Windows 10", "anniversary update", "contribute", "edit topic"]
ms.prod: w10
@@ -20,7 +20,7 @@ Windows 10 provides IT professionals with advanced protection against modern sec
- [What's new in Windows 10, versions 1507 and 1511](whats-new-windows-10-version-1507-and-1511.md)
-- [Edit an existing topic using the Contribute link](contribute-to-a-topic.md)
+- [Edit an existing topic using the Edit link](contribute-to-a-topic.md)
## Learn more