deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-13 13:57:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'refs/remotes/origin/master' into wsfb-9502045

Browse Source
This commit is contained in:
Trudy Hakala 2016-10-26 10:48:05 -07:00
commit 5b3ec36e20
8 changed files with 73 additions and 67 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
education/windows/index.md
View File

@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: edu
author: jdeckerMS
author: CelesteDG
---
# Windows 10 for Education

1
windows/keep-secure/change-history-for-keep-windows-10-secure.md
View File

@ -16,6 +16,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md
| New or changed topic | Description |
| --- | --- |
|[List of enlightened Microsoft apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md) |Added Microsoft Remote Desktop information. |
|[Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) and [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Updated the text about the icon overlay option. This icon now only appears on corporate files in the Save As and File Explore views |
|[Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) |Added content about using ActiveX controls.|
|[Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)](app-behavior-with-wip.md) |New |

6
windows/keep-secure/create-wip-policy-using-intune.md
View File

@ -457,11 +457,11 @@ After you've decided where your protected apps can access enterprise data on you
- **No, or not configured (recommended).** Stops Windows Search from searching and indexing encrypted corporate data and Store apps.
- **Show the Windows Information Protection icon overlay.** Determines whether the Windows Information Protection icon overlay appears on corporate files in the Save As and File Explore views. The options are:
- **Show the Windows Information Protection icon overlay.** Determines whether the Windows Information Protection icon overlay appears on corporate files in the Save As and File Explorer views. The options are:
- **Yes (recommended).** Allows the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explore views.
- **Yes.** Allows the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but allowed apps, the icon overlay also appears on the app tile and with *Managed* text on the app name in the **Start** menu.
- **No, or not configured.** Stops the Windows Information Protection icon overlay from appearing on corporate files in the Save As and File Explore views.
- **No, or not configured (recommended).** Stops the Windows Information Protection icon overlay from appearing on corporate files or unenlightened, but allowed apps. Not configured is the default option.
2. Click **Save Policy**.

6
windows/keep-secure/create-wip-policy-using-sccm.md
View File

@ -434,11 +434,11 @@ There are no default locations included with WIP, you must add each of your netw
![Create Configuration Item wizard, Add whether to search for additional network settings](images/wip-sccm-optsettings.png)
- **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network.
- **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network. Not configured is the default option.
- **Enterprise IP Ranges list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network.
- **Enterprise IP Ranges list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network. Not configured is the default option.
- **Show the Windows Information Protection icon overlay on your allowed apps that are WIP-unaware on corporate files in the File Explorer.** Click this box if you want the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explore views of File Explorer.
- **Show the Windows Information Protection icon overlay on your allowed apps that are WIP-unaware on corporate files in the File Explorer.** Click this box if you want the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but allowed apps, the icon overlay also appears on the app tile and with *Managed* text on the app name in the **Start** menu. Not configured is the default option.
5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy.

5
windows/keep-secure/enlightened-microsoft-apps-and-wip.md
View File

@ -21,7 +21,7 @@ localizationpriority: high
Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list.
## Enlightened versus unenlightened apps
Apps can be enlightened (policy-aware) or unenlightened (policy-unaware).
Apps can be enlightened (also referred to as WIP-aware) or unenlightened (also referred to as WIP-unaware).
- **Enlightened apps** can differentiate between corporate and personal data, correctly determining which to protect, based on your policies.
@ -56,6 +56,8 @@ Microsoft has made a concerted effort to enlighten several of our more popular a
- Microsoft Messaging
- Microsoft Remote Desktop
## Adding enlightened Microsoft apps to the allowed apps list
You can add any or all of the enlightened Microsoft apps to your allowed apps list. Included here is the **Publisher name**, **Product or File name**, and **App Type** info for both Microsoft Intune and System Center Configuration Manager.
@ -76,3 +78,4 @@ You can add any or all of the enlightened Microsoft apps to your allowed apps li
|Microsoft OneDrive |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Binary Name:** onedrive.exe<br>**App Type:** Desktop app|
|Notepad |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Binary Name:** notepad.exe<br>**App Type:** Desktop app |
|Microsoft Paint |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Binary Name:** mspaint.exe<br>**App Type:** Desktop app |
|Microsoft Remote Desktop |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Binary Name:** mstsc.exe<br>**App Type:** Desktop app |

82
windows/keep-secure/tpm-recommendations.md
View File

@ -40,7 +40,8 @@ OEMs implement the TPM as a component in a trusted computing platform, such as a
The TCG designed the TPM as a low-cost, mass-market security solution that addresses the requirements of different customer segments. There are variations in the security properties of different TPM implementations just as there are variations in customer and regulatory requirements for different sectors. In public-sector procurement, for example, some governments have clearly defined security requirements for TPMs whereas others do not.
>**Note:**  Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
 
## TPM 1.2 vs. 2.0 comparison
From an industry standard, Microsoft has been an industry leader in moving and standardizing on TPM 2.0, which has many key realized benefits across algorithms, crypto, hierarchy, root keys, authorization and NV RAM.
@ -59,47 +60,30 @@ TPM 2.0 products and systems have important security advantages over TPM 1.2, in
- TPM 2.0 offers a more **consistent experience** across different implementations.
- TPM 1.2 implementations across both discrete and firmware vary in policy settings. This may result in support issues as lockout policies vary.
- TPM 2.0 standardized policy requirement helps establish a consistent lockout experience across devices, as such, Windows can offer a better user experience end to end.
- TPM 1.2 implementations vary in policy settings. This may result in support issues as lockout policies vary.
- TPM 2.0 lockout policy is configured by Windows, ensuring a consistent dictionary attack protection guarantee.
- While TPM 1.2 parts were discrete silicon components typically soldered on the motherboard, TPM 2.0 is available both as a **discrete (dTPM)** silicon component and as a **firmware (fTPM)** based component running in a trusted execution environment (TEE) on the systems main SoC:
- While TPM 1.2 parts are discrete silicon components which are typically soldered on the motherboard, TPM 2.0 is available as a **discrete (dTPM)** silicon component in a sinple semiconductor package, an **integrated** component incorporated in one or more semiconductor packages - alongside other logic units in the same package(s) - and as a **firmware (fTPM)** based component running in a trusted execution environment (TEE) on a general purpose SoC.
- On Intel chips, it is the Intel Management Engine (ME) or Converged Security Engine (CSE).
- For AMD chips, it is the AMD Security Processor
- For ARM chips, it is a Trustzone Trusted Application (TA).
- In the case of firmware TPM for desktop Windows systems, the chip vendor provides the firmware TPM implementation along with the other chip firmware to OEMs.
## Discrete, Integrated or Firmware TPM?
## Discrete or firmware TPM?
There are three implementation options for TPMs:
Windows uses discrete and firmware TPM in the same way. Windows gains no functional advantage or disadvantage from either option.
- Discrete TPM chip as a separate component in its own semiconductor package
- Integrated TPM solution, using dedicated hardware integrated into one or more semiconductor packages alongside, but logically separate from, other components
- Firmware TPM solution, running the TPM in firmware in a Trusted Execution mode of a general purpose computation unit
From a security standpoint, discrete and firmware share the same characteristics;
- Both use hardware based secure execution.
- Both use firmware for portions of the TPM functionality.
- Both are equipped with tamper resistance capabilities.
- Both have unique security limitations/risks.
For more info, see [fTPM: A Firmware-based TPM 2.0 Implementation](http://research.microsoft.com/apps/pubs/?id=258236).
Windows uses any compatible TPM in the same way. Microsoft does not take a position on which way a TPM should be implemented and there is a wide ecosystem of available TPM solutions which should suit all needs.
## Is there any importance for TPM for consumer?
For end consumers, TPM is behind the scenes but still very relevant for Hello, Passport and in the future, many other key features in Windows 10. It offers the best Passport experience, helps encrypt passwords, and builds on our overall Windows 10 experience story for security as a critical pillar. Using Windows on a system with a TPM enables a deeper and broader level of security coverage.
For end consumers, TPM is behind the scenes but is still very relevant. TPM is used for Windows Hello, Windows Hello for Business and in the future, will be a components of many other key security features in Windows. TPM secures the PIN, helps encrypt passwords, and builds on our overall Windows 10 experience story for security as a critical pillar. Using Windows on a system with a TPM enables a deeper and broader level of security coverage.
## TPM 2.0 Compliance for Windows 10
### Windows 10 for desktop editions (Home, Pro, Enterprise, and Education)
- As of July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of a existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7, https://msdn.microsoft.com/library/windows/hardware/dn915086(v=vs.85).aspx)
## Two implementation options:
- Discrete TPM chip as a separate discrete component
- Firmware TPM solution using Intel PTT (platform trust technology) or AMD
### Windows 10 Mobile
- All devices shipping with Windows 10 Mobile must implement TPM 2.0 and ship with the TPM 2.0 enabled.
- Since July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of a existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7, https://msdn.microsoft.com/library/windows/hardware/dn915086(v=vs.85).aspx)
### IoT Core
@ -226,7 +210,7 @@ The following table defines which Windows features require TPM support. Some fea
</table>
 
## Chipset options for TPM 2.0
There are a variety of TPM manufacturers for both discrete and firmware.
There is a vibrant ecosystem of TPM manufacturers.
### Discrete TPM
<table>
<colgroup>
@ -250,6 +234,33 @@ There are a variety of TPM manufacturers for both discrete and firmware.
</tbody>
</table>
 
### Integrated TPM
<table>
<colgroup>
<col width="100%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Supplier</th>
<th align="left">Chipset</th>
</tr>
</thead>
<tbody>
<tr class="even">
<td align="left">Intel</td>
<td align="left"><ul>
<li>Atom (CloverTrail)
<li>Baytrail</li>
<li>Braswell</li>
<li>4th generation Core (Haswell)</li>
<li>5th generation Core (Broadwell)</li>
<li>6th generation Core (Skylake)</li>
<li>7th generation Core (Kaby Lake)</li>
</ul></td>
</tr>
</tbody>
</table>
### Firmware TPM
<table>
<colgroup>
@ -272,17 +283,6 @@ There are a variety of TPM manufacturers for both discrete and firmware.
</ul></td>
</tr>
<tr class="even">
<td align="left">Intel</td>
<td align="left"><ul>
<li>Atom (CloverTrail)
<li>Baytrail</li>
<li>4th generation(Haswell)</li>
<li>5th generation(Broadwell)</li>
<li>Braswell</li>
<li>Skylake</li>
</ul></td>
</tr>
<tr class="odd">
<td align="left">Qualcomm</td>
<td align="left"><ul>
<li>MSM8994</li>

4
windows/manage/acquire-apps-windows-store-for-business.md
View File

@ -33,7 +33,7 @@ There are a couple of things we need to know when you pay for apps. You can add
You can add payment info on **Account information**. If you dont have one saved with your account, youll be prompted to provide one when you buy an app.
## Acquire apps
To acquire an app
**To acquire an app**
1. Log in to http://businessstore.microsoft.com
2. Click Shop, or use Search to find an app.
3. Click the app you want to purchase.
@ -42,7 +42,7 @@ To acquire an app
6. If you dont have a payment method saved in Account settings, Store for Business will prompt you for one.
7. Add your credit card or debit card info, and click **Next**. Your card info is saved as a payment option on **Account information**.
Youll also need to have your business address saved on **Account information**. The address is used to generate tax rates. For more information on taxes for apps, see organization tax information.
Youll also need to have your business address saved on **Account information**. The address is used to generate tax rates. For more information on taxes for apps, see [organization tax information](https://technet.microsoft.com/itpro/windows/manage/update-windows-store-for-business-account-settings#organization-tax-information).
Store for Business adds the app to your inventory. From **Inventory**, you can:
- Distribute the app: add to private store, or assign licenses

10
windows/manage/appv-release-notes-for-appv-for-windows.md
View File

@ -30,17 +30,19 @@ MSI packages that were generated using an App-V sequencer from previous versions
- For the standalone Windows 10 SDK without other tools, see [Standalone Windows 10 SDK](https://developer.microsoft.com/en-US/windows/downloads/windows-10-sdk).
3. From an elevated Windows PowerShell prompt, navigate to the following folder:
3. Copy msidb.exe from the default path of the Windows SDK installation (**C:\Program Files (x86)\Windows Kits\10**) to a different directory. For example: **C:\MyMsiTools\bin**
4. From an elevated Windows PowerShell prompt, navigate to the following folder:
&lt;Windows Kits 10 installation folder&gt;**\Microsoft Application Virtualization\Sequencer\**
By default, this path will be:<br>**C:\Program Files (x86)\Windows Kits\10\Microsoft Application Virtualization\Sequencer**
4. Run the following command:
5. Run the following command:
`Update-AppvPackageMsi -MsiPackage "<path to App-V Package .msi file>" -MsSdkPath "<path to Windows SDK installation>"`
`Update-AppvPackageMsi -MsiPackage "<path to App-V Package .msi file>" -MsSdkPath "<path>"`
By default, the path to the Windows SDK installation will be:<br>**C:\Program Files (x86)\Windows Kits\10**
where the path is to the new directory (**C:\MyMsiTools\ for this example**).
## Error occurs during publishing refresh between App-V 5.0 SP3 Management Server and App-V Client on Windows 10