mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-18 16:27:22 +00:00
consent doc link
This commit is contained in:
Greg Lindsay
commit
5bf6383dc3
@ -8,12 +8,12 @@ author: jdeckerms
|
||||
ms.author: jdecker
|
||||
ms.topic: article
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 12/20/2017
|
||||
ms.date: 01/26/2019
|
||||
---
|
||||
|
||||
# Enable encryption for HoloLens
|
||||
|
||||
You can enable [Bitlocker device encryption](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-overview) to protect files and information stored on the HoloLens. Device encryption helps protect your data by encrypting it using AES-CBC 128 encryption method, which is equivalent to [EncryptionMethodByDriveType method 3](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp#encryptionmethodbydrivetype) in the BitLocker configuration service provider (CSP). Only someone with the right encryption key (such as a password) can decrypt it or perform a data recovery.
|
||||
You can enable [BitLocker device encryption](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) to protect files and information stored on the HoloLens. Device encryption helps protect your data by encrypting it using AES-CBC 128 encryption method, which is equivalent to [EncryptionMethodByDriveType method 3](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp#encryptionmethodbydrivetype) in the BitLocker configuration service provider (CSP). Only someone with the right encryption key (such as a password) can decrypt it or perform a data recovery.
|
||||
|
||||
|
||||
|
||||
@ -100,6 +100,6 @@ Provisioning packages are files created by the Windows Configuration Designer to
|
||||
|
||||
Encryption is silent on HoloLens. To verify the device encryption status:
|
||||
|
||||
- On HoloLens, go to **Settings** > **System** > **About**. **Bitlocker** is **enabled** if the device is encrypted.
|
||||
- On HoloLens, go to **Settings** > **System** > **About**. **BitLocker** is **enabled** if the device is encrypted.
|
||||
|
||||
|
||||
|
||||
|
||||
@ -10,7 +10,7 @@ ms.topic: article
|
||||
ms.prod: w10
|
||||
ms.technology: windows
|
||||
author: jdeckerms
|
||||
ms.date: 10/09/2018
|
||||
ms.date: 01/25/2019
|
||||
---
|
||||
|
||||
# Mobile device management
|
||||
|
||||
@ -22,31 +22,49 @@ For details about Microsoft mobile device management protocols for Windows 10 s
|
||||
|
||||
## In this section
|
||||
|
||||
- [What's new in Windows 10, version 1511](#whatsnew)
|
||||
- [What's new in Windows 10, version 1607](#whatsnew1607)
|
||||
- [What's new in Windows 10, version 1703](#whatsnew10)
|
||||
- [What's new in Windows 10, version 1709](#whatsnew1709)
|
||||
- [What's new in Windows 10, version 1803](#whatsnew1803)
|
||||
- [What's new in Windows 10, version 1809](#whatsnew1809)
|
||||
- [Change history in MDM documentation](#change-history-in-mdm-documentation)
|
||||
- [What's new in MDM enrollment and management](#whats-new-in-mdm-enrollment-and-management)
|
||||
- [In this section](#in-this-section)
|
||||
- [<a href="" id="whatsnew"></a>What's new in Windows 10, version 1511](#a-href%22%22-id%22whatsnew%22awhats-new-in-windows-10-version-1511)
|
||||
- [<a href="" id="whatsnew1607"></a>What's new in Windows 10, version 1607](#a-href%22%22-id%22whatsnew1607%22awhats-new-in-windows-10-version-1607)
|
||||
- [<a href="" id="whatsnew10"></a>What's new in Windows 10, version 1703](#a-href%22%22-id%22whatsnew10%22awhats-new-in-windows-10-version-1703)
|
||||
- [<a href="" id="whatsnew1709"></a>What's new in Windows 10, version 1709](#a-href%22%22-id%22whatsnew1709%22awhats-new-in-windows-10-version-1709)
|
||||
- [<a href="" id="whatsnew1803"></a>What's new in Windows 10, version 1803](#a-href%22%22-id%22whatsnew1803%22awhats-new-in-windows-10-version-1803)
|
||||
- [<a href="" id="whatsnew1809"></a>What's new in Windows 10, version 1809](#a-href%22%22-id%22whatsnew1809%22awhats-new-in-windows-10-version-1809)
|
||||
- [Breaking changes and known issues](#breaking-changes-and-known-issues)
|
||||
- [Get command inside an atomic command is not supported](#getcommand)
|
||||
- [Notification channel URI not preserved during upgrade from Windows 8.1 to Windows 10](#notification)
|
||||
- [Apps installed using WMI classes are not removed](#appsnotremoved)
|
||||
- [Passing CDATA in SyncML does not work](#cdata)
|
||||
- [SSL settings in IIS server for SCEP must be set to "Ignore"](#sslsettings)
|
||||
- [MDM enrollment fails on the mobile device when traffic is going through proxy](#enrollmentviaproxy)
|
||||
- [Server-initiated unenroll failure](#unenrollment)
|
||||
- [Certificates causing issues with Wi-Fi and VPN](#certissues)
|
||||
- [Version information for mobile devices](#versioninformation)
|
||||
- [Upgrading Windows Phone 8.1 devices with app whitelisting using ApplicationRestriction policy has issues](#whitelist)
|
||||
- [Apps dependent on Microsoft Frameworks may get blocked](#frameworks)
|
||||
- [Multiple certificates might cause Wi-Fi connection instabilities in Windows 10 Mobile](#wificertissue)
|
||||
- [Remote PIN reset not supported in Azure Active Directory joined mobile devices](#remote)
|
||||
- [MDM client will immediately check-in with the MDM server after client renews WNS channel URI](#renewwns)
|
||||
- [User provisioning failure in Azure Active Directory joined Windows 10 PC](#userprovisioning)
|
||||
- [Requirements to note for VPN certificates also used for Kerberos Authentication](#kerberos)
|
||||
- [Device management agent for the push-button reset is not working](#pushbuttonreset)
|
||||
- [<a href="" id="getcommand"></a>Get command inside an atomic command is not supported](#a-href%22%22-id%22getcommand%22aget-command-inside-an-atomic-command-is-not-supported)
|
||||
- [<a href="" id="notification"></a>Notification channel URI not preserved during upgrade from Windows 8.1 to Windows 10](#a-href%22%22-id%22notification%22anotification-channel-uri-not-preserved-during-upgrade-from-windows-81-to-windows-10)
|
||||
- [<a href="" id="appsnotremoved"></a>Apps installed using WMI classes are not removed](#a-href%22%22-id%22appsnotremoved%22aapps-installed-using-wmi-classes-are-not-removed)
|
||||
- [<a href="" id="cdata"></a>Passing CDATA in SyncML does not work](#a-href%22%22-id%22cdata%22apassing-cdata-in-syncml-does-not-work)
|
||||
- [<a href="" id="sslsettings"></a>SSL settings in IIS server for SCEP must be set to "Ignore"](#a-href%22%22-id%22sslsettings%22assl-settings-in-iis-server-for-scep-must-be-set-to-%22ignore%22)
|
||||
- [<a href="" id="enrollmentviaproxy"></a>MDM enrollment fails on the mobile device when traffic is going through proxy](#a-href%22%22-id%22enrollmentviaproxy%22amdm-enrollment-fails-on-the-mobile-device-when-traffic-is-going-through-proxy)
|
||||
- [<a href="" id="unenrollment"></a>Server-initiated unenrollment failure](#a-href%22%22-id%22unenrollment%22aserver-initiated-unenrollment-failure)
|
||||
- [<a href="" id="certissues"></a>Certificates causing issues with Wi-Fi and VPN](#a-href%22%22-id%22certissues%22acertificates-causing-issues-with-wi-fi-and-vpn)
|
||||
- [<a href="" id="versioninformation"></a>Version information for mobile devices](#a-href%22%22-id%22versioninformation%22aversion-information-for-mobile-devices)
|
||||
- [<a href="" id="whitelist"></a>Upgrading Windows Phone 8.1 devices with app whitelisting using ApplicationRestriction policy has issues](#a-href%22%22-id%22whitelist%22aupgrading-windows-phone-81-devices-with-app-whitelisting-using-applicationrestriction-policy-has-issues)
|
||||
- [<a href="" id="frameworks"></a>Apps dependent on Microsoft Frameworks may get blocked in phones prior to build 10586.218](#a-href%22%22-id%22frameworks%22aapps-dependent-on-microsoft-frameworks-may-get-blocked-in-phones-prior-to-build-10586218)
|
||||
- [<a href="" id="wificertissue"></a>Multiple certificates might cause Wi-Fi connection instabilities in Windows 10 Mobile](#a-href%22%22-id%22wificertissue%22amultiple-certificates-might-cause-wi-fi-connection-instabilities-in-windows-10-mobile)
|
||||
- [<a href="" id="remote"></a>Remote PIN reset not supported in Azure Active Directory joined mobile devices](#a-href%22%22-id%22remote%22aremote-pin-reset-not-supported-in-azure-active-directory-joined-mobile-devices)
|
||||
- [<a href="" id="renewwns"></a>MDM client will immediately check-in with the MDM server after client renews WNS channel URI](#a-href%22%22-id%22renewwns%22amdm-client-will-immediately-check-in-with-the-mdm-server-after-client-renews-wns-channel-uri)
|
||||
- [<a href="" id="userprovisioning"></a>User provisioning failure in Azure Active Directory joined Windows 10 PC](#a-href%22%22-id%22userprovisioning%22auser-provisioning-failure-in-azure-active-directory-joined-windows-10-pc)
|
||||
- [<a href="" id="kerberos"></a>Requirements to note for VPN certificates also used for Kerberos Authentication](#a-href%22%22-id%22kerberos%22arequirements-to-note-for-vpn-certificates-also-used-for-kerberos-authentication)
|
||||
- [<a href="" id="pushbuttonreset"></a>Device management agent for the push-button reset is not working](#a-href%22%22-id%22pushbuttonreset%22adevice-management-agent-for-the-push-button-reset-is-not-working)
|
||||
- [Change history in MDM documentation](#change-history-in-mdm-documentation)
|
||||
- [January 2019](#january-2019)
|
||||
- [December 2018](#december-2018)
|
||||
- [September 2018](#september-2018)
|
||||
- [August 2018](#august-2018)
|
||||
- [July 2018](#july-2018)
|
||||
- [June 2018](#june-2018)
|
||||
- [May 2018](#may-2018)
|
||||
- [April 2018](#april-2018)
|
||||
- [March 2018](#march-2018)
|
||||
- [February 2018](#february-2018)
|
||||
- [January 2018](#january-2018)
|
||||
- [December 2017](#december-2017)
|
||||
- [November 2017](#november-2017)
|
||||
- [October 2017](#october-2017)
|
||||
- [September 2017](#september-2017)
|
||||
- [August 2017](#august-2017)
|
||||
- [FAQ](#faq)
|
||||
|
||||
## <a href="" id="whatsnew"></a>What's new in Windows 10, version 1511
|
||||
@ -1766,6 +1784,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
|
||||
|--- | ---|
|
||||
|[Policy CSP - Storage](policy-csp-storage.md)|Added the following new policies: AllowStorageSenseGlobal, ConfigStorageSenseGlobalCadence, AllowStorageSenseTemporaryFilesCleanup, ConfigStorageSenseRecycleBinCleanupThreshold, ConfigStorageSenseDownloadsCleanupThreshold, and ConfigStorageSenseCloudContentCleanupThreshold.|
|
||||
|[SharedPC CSP](sharedpc-csp.md)|Updated values and supported operations.|
|
||||
|[Mobile device management](index.md)|Updated information about MDM Security Baseline.|
|
||||
|
||||
### December 2018
|
||||
|
||||
|
||||
@ -6,7 +6,7 @@ ms.topic: article
|
||||
ms.prod: w10
|
||||
ms.technology: windows
|
||||
author: MariciaAlforque
|
||||
ms.date: 05/14/2018
|
||||
ms.date: 01/26/2019
|
||||
---
|
||||
|
||||
# Policy CSP - DataProtection
|
||||
@ -66,7 +66,7 @@ ms.date: 05/14/2018
|
||||
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows. Once a user logs in, Windows will enumerate the PCI devices connected to the host plug PCI ports. Every time the user locks the machine, DMA will be blocked on hot plug PCI ports with no children devices until the user logs in again. Devices which were already enumerated when the machine was unlocked will continue to function until unplugged. This policy setting is only enforced when BitLocker or device encryption is enabled.
|
||||
This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows. Once a user logs in, Windows will enumerate the PCI devices connected to the host plug PCI ports. Every time the user locks the machine, DMA will be blocked on hot plug PCI ports with no children devices until the user logs in again. Devices which were already enumerated when the machine was unlocked will continue to function until unplugged. This policy setting is only enforced when [BitLocker Device Encryption](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) is enabled.
|
||||
|
||||
Most restricted value is 0.
|
||||
|
||||
|
||||
@ -148,7 +148,7 @@ The following list shows the supported values:
|
||||
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
|
||||
|
||||
|
||||
Specifies whether to allow automatic device encryption during OOBE when the device is Azure AD joined.
|
||||
Specifies whether to allow automatic [device encryption](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) during OOBE when the device is Azure AD joined.
|
||||
|
||||
<!--/Description-->
|
||||
<!--SupportedValues-->
|
||||
@ -479,7 +479,7 @@ The following list shows the supported values:
|
||||
|
||||
Added in Windows 10, version 1607 to replace the deprecated policy **Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices**.
|
||||
|
||||
Specifies whether to allow automatic device encryption during OOBE when the device is Azure AD joined.
|
||||
Specifies whether to allow automatic [device encryption](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) during OOBE when the device is Azure AD joined.
|
||||
|
||||
<!--/Description-->
|
||||
<!--SupportedValues-->
|
||||
|
||||
@ -9,7 +9,7 @@ ms.sitesec: library
|
||||
ms.pagetype: mobile, devices, security
|
||||
ms.localizationpriority: medium
|
||||
author: AMeeus
|
||||
ms.date: 09/21/2017
|
||||
ms.date: 01/26/2019
|
||||
---
|
||||
|
||||
# Windows 10 Mobile deployment and management guide
|
||||
@ -460,7 +460,7 @@ Some device-wide settings for managing VPN connections can help you manage VPNs
|
||||
|
||||
*Applies to: Corporate and personal devices*
|
||||
|
||||
Protecting the apps and data stored on a device is critical to device security. One method for helping protect your apps and data is to encrypt internal device storage. The device encryption in Windows 10 Mobile helps protect corporate data against unauthorized access, even when an unauthorized user has physical possession of the device.
|
||||
Protecting the apps and data stored on a device is critical to device security. One method for helping protect your apps and data is to encrypt internal device storage. The [device encryption](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) in Windows 10 Mobile helps protect corporate data against unauthorized access, even when an unauthorized user has physical possession of the device.
|
||||
|
||||
Windows 10 Mobile also has the ability to install apps on a secure digital (SD) card. The operating system stores apps on a partition specifically designated for that purpose. This feature is always on so you don’t need to set a policy explicitly to enable it.
|
||||
|
||||
|
||||
@ -8,7 +8,6 @@ ms.sitesec: library
|
||||
ms.pagetype: deploy
|
||||
author: jaimeo
|
||||
ms.author: jaimeo
|
||||
ms.date: 10/29/2018
|
||||
ms.localizationpriority: medium
|
||||
---
|
||||
|
||||
@ -209,7 +208,8 @@ If you want to stop using Upgrade Readiness and stop sending diagnostic data to
|
||||
2. Disable the Commercial Data Opt-in Key on computers running Windows 7 SP1 or 8.1. On computers running Windows 10, set the diagnostic data level to **Security**:
|
||||
|
||||
**Windows 7 and Windows 8.1**: Delete CommercialDataOptIn registry property from *HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection*
|
||||
**Windows 10**: Follow the instructions in the [Configure Windows diagnostic data in your organization](/configuration/configure-windows-diagnostic-data-in-your-organization.md) topic.
|
||||
|
||||
**Windows 10**: Follow the instructions in [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/privacy/configure-windows-diagnostic-data-in-your-organization).
|
||||
|
||||
3. If you enabled **Internet Explorer Site Discovery**, you can disable Internet Explorer data collection by setting the *IEDataOptIn* registry key to value "0". The IEDataOptIn key can be found under: *HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection*.
|
||||
4. **Optional step:** You can also remove the “CommercialId” key from: "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection".
|
||||
|
||||
@ -10,7 +10,7 @@ ms.author: pashort
|
||||
manager: elizapo
|
||||
ms.reviewer:
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 04/20/2018
|
||||
ms.date: 01/26/2019
|
||||
---
|
||||
|
||||
# VPN and conditional access
|
||||
@ -52,15 +52,13 @@ The following client-side components are also required:
|
||||
- Trusted Platform Module (TPM)
|
||||
|
||||
## VPN device compliance
|
||||
According to the VPNv2 CSP, these settings options are **Optional**. If you want your users to access on-premises resources, such as files on a network share, based on the credential of a certificate that was issued by an on-premises CA, and not the Cloud CA certificate, you add these settings to the VPNv2 profile. Alternatively, if you add the cloud root certificates to the NTAuth store in on-prem AD, your user's cloud certificate will chain and KDC will issue TGT and TGS tickets to them.
|
||||
At this time, the Azure AD certificates issued to users do not contain a CRL Distribution Point (CDP) and are not suitable for Key Distribution Centers (KDCs) to issue Kerberos tokens. For users to gain access to on-premises resources such as files on a network share, client authentication certificates must be deployed to the Windows profiles of the users, and their VPNv2 profiles must contain the <SSO> section.
|
||||
|
||||
Server-side infrastructure requirements to support VPN device compliance include:
|
||||
|
||||
- The VPN server should be configured for certificate authentication.
|
||||
- The VPN server should be configured for certificate authentication
|
||||
- The VPN server should trust the tenant-specific Azure AD CA
|
||||
- Either of the below should be true for Kerberos/NTLM SSO:
|
||||
- Domain servers trust Azure AD CA
|
||||
- A domain-trusted certificate is deployed to the client device and is configured to be used for single sign-on (SSO)
|
||||
- For client access using Kerberos/NTLM, a domain-trusted certificate is deployed to the client device and is configured to be used for single sign-on (SSO)
|
||||
|
||||
After the server side is set up, VPN admins can add the policy settings for conditional access to the VPN profile using the VPNv2 DeviceCompliance node.
|
||||
|
||||
@ -68,7 +66,7 @@ Two client-side configuration service providers are leveraged for VPN device com
|
||||
|
||||
- VPNv2 CSP DeviceCompliance settings
|
||||
- **Enabled**: enables the Device Compliance flow from the client. If marked as **true**, the VPN client attempts to communicate with Azure AD to get a certificate to use for authentication. The VPN should be set up to use certificate authentication and the VPN server must trust the server returned by Azure AD.
|
||||
- **Sso**: nodes under SSO can be used to choose a certificate different from the VPN authentication certificate for Kerberos authentication in the case of device compliance.
|
||||
- **Sso**: entries under SSO should be used to direct the VPN client to use a certificate other than the VPN authentication certificate when accessing resources that require Kerberos authentication.
|
||||
- **Sso/Enabled**: if this field is set to **true**, the VPN client looks for a separate certificate for Kerberos authentication.
|
||||
- **Sso/IssuerHash**: hashes for the VPN client to look for the correct certificate for Kerberos authentication.
|
||||
- **Sso/Eku**: comma-separated list of Enhanced Key Usage (EKU) extensions for the VPN client to look for the correct certificate for Kerberos authentication.
|
||||
@ -79,8 +77,7 @@ Two client-side configuration service providers are leveraged for VPN device com
|
||||
- Upon request, forwards the Health Attestation Certificate (received from HAS) and related runtime information to the MDM server for verification
|
||||
|
||||
>[!NOTE]
|
||||
>Enabling SSO is not necessarily required unless you want VPN users to be issued Kerberos tickets to access on-premises resources using a certificate issued by the on-premises CA; not the cloud certificate issued by AAD.
|
||||
|
||||
>Currently, it is required that certificates be issued from an on-premises CA, and that SSO be enabled in the user’s VPN profile. This will enable the user to obtain Kerberos tickets in order to access resources on-premises. Kerberos currently does not support the use of Azure AD certificates.
|
||||
|
||||
## Client connection flow
|
||||
The VPN client side connection flow works as follows:
|
||||
@ -89,7 +86,7 @@ The VPN client side connection flow works as follows:
|
||||
|
||||
When a VPNv2 Profile is configured with \<DeviceCompliance> \<Enabled>true<\/Enabled> the VPN client uses this connection flow:
|
||||
|
||||
1. The VPN client calls into Windows 10’s AAD Token Broker, identifying itself as a VPN client.
|
||||
1. The VPN client calls into Windows 10’s Azure AD Token Broker, identifying itself as a VPN client.
|
||||
2. The Azure AD Token Broker authenticates to Azure AD and provides it with information about the device trying to connect. The Azure AD Server checks if the device is in compliance with the policies.
|
||||
3. If compliant, Azure AD requests a short-lived certificate
|
||||
4. Azure AD pushes down a short-lived certificate to the Certificate Store via the Token Broker. The Token Broker then returns control back over to the VPN client for further connection processing.
|
||||
|
||||
@ -8,7 +8,7 @@ ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: brianlic-msft
|
||||
ms.date: 09/17/2018
|
||||
ms.date: 01/26/2019
|
||||
---
|
||||
|
||||
# BitLocker Management for Enterprises
|
||||
@ -25,11 +25,11 @@ Enterprises can use [Microsoft BitLocker Administration and Monitoring (MBAM)](h
|
||||
|
||||
## Managing devices joined to Azure Active Directory
|
||||
|
||||
Devices joined to Azure AD are managed using Mobile Device Management (MDM) policy from an MDM solution such as [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune). BitLocker Device Encryption status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access) to services like Exchange Online and SharePoint Online.
|
||||
Devices joined to Azure AD are managed using Mobile Device Management (MDM) policy from an MDM solution such as Microsoft Intune. [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access) to services like Exchange Online and SharePoint Online.
|
||||
|
||||
Starting with Windows 10 version 1703 (also known as the Windows Creators Update), the enablement of BitLocker can be triggered over MDM either by the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) or the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp). The BitLocker CSP adds policy options that go beyond ensuring that encryption has occurred, and is available on computers that run Windows 10 Business or Enterprise editions and on Windows Phones.
|
||||
|
||||
For hardware that is compliant with Modern Standby and HSTI, when using either of these features, BitLocker Device Encryption is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if required. For older devices that are not yet encrypted, beginning with Windows 10 version 1703 (the Windows 10 Creators Update), admins can use the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp) to trigger encryption and store the recovery key in Azure AD.
|
||||
For hardware that is compliant with Modern Standby and HSTI, when using either of these features, [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if required. For older devices that are not yet encrypted, beginning with Windows 10 version 1703 (the Windows 10 Creators Update), admins can use the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp) to trigger encryption and store the recovery key in Azure AD.
|
||||
|
||||
|
||||
## Managing workplace-joined PCs and phones
|
||||
|
||||
@ -36,9 +36,9 @@ Windows Defender Antivirus is part of the [next generation](https://www.youtub
|
||||
|
||||
The AV-TEST Product Review and Certification Report tests on three categories: protection, performance, and usability. The scores listed below are for the Protection category which has two scores: Real-World Testing and the AV-TEST reference set (known as "Prevalent Malware").
|
||||
|
||||
- September - October 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/october-2018/microsoft-windows-defender-antivirus-4.18-184174/) <sup>**Latest**</sup>
|
||||
- September - October 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/october-2018/microsoft-windows-defender-antivirus-4.18-184174/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWqOqD) <sup>**Latest**</sup>
|
||||
|
||||
Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, with 21,568 malware samples tested.
|
||||
Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, protecting against 21,566 of 21,568 tested malware samples.
|
||||
|
||||
- July - August 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/august-2018/microsoft-windows-defender-antivirus-4.12--4.18-183212/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2IL3Y)
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user