deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-20 04:43:37 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

removing Win10 Mobile

Browse Source
This commit is contained in:
MandiOhlinger
2021-12-20 18:20:47 -05:00
parent 3eb651448e
commit 63f8fc68f9
22 changed files with 127 additions and 545 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
windows/security/identity-protection/index.md
View File

@ -1,6 +1,6 @@
---
title: Identity and access management (Windows 10)
description: Learn more about identity and access protection technologies in Windows 10 and Windows 10 Mobile.
description: Learn more about identity and access protection technologies in Windows.
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
@ -17,18 +17,18 @@ ms.date: 02/05/2018
# Identity and access management
Learn more about identity and access management technologies in Windows 10 and Windows 10 Mobile.
Learn more about identity and access management technologies in Windows 10.
| Section | Description |
|-|-|
| [Technical support policy for lost or forgotten passwords](password-support-policy.md)| Outlines the ways in which Microsoft can help you reset a lost or forgotten password, and provides links to instructions for doing so. |
| [Access control](access-control/access-control.md) | Describes access control in Windows, which is the process of authorizing users, groups, and computers to access objects on the network or computer. Key concepts that make up access control are permissions, ownership of objects, inheritance of permissions, user rights, and object auditing. |
| [Configure S/MIME for Windows 10](configure-s-mime.md) | In Windows 10, S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with. |
| [Protect derived domain credentials with Credential Guard](credential-guard/credential-guard.md) | Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard helps prevent these attacks by protecting NTLM password hashes and Kerberos Ticket Granting Tickets. |
| [Configure S/MIME for Windows 10](configure-s-mime.md) | In Windows 10, S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with. |
| [Protect derived domain credentials with Credential Guard](credential-guard/credential-guard.md) | Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard helps prevent these attacks by protecting NTLM password hashes and Kerberos Ticket Granting Tickets. |
| [Protect Remote Desktop credentials with Remote Credential Guard](remote-credential-guard.md) | Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that's requesting the connection. |
| [User Account Control](user-account-control/user-account-control-overview.md)| Provides information about User Account Control (UAC), which helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. UAC can help block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.|
| [Virtual Smart Cards](virtual-smart-cards/virtual-smart-card-overview.md) | Provides information about deploying and managing virtual smart cards, which are functionally similar to physical smart cards and appear in Windows as smart cards that are always-inserted. Virtual smart cards use the Trusted Platform Module (TPM) chip that is available on computers in many organizations, rather than requiring the use of a separate physical smart card and reader. |
| [VPN technical guide](vpn/vpn-guide.md) | Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect. |
| [VPN technical guide](vpn/vpn-guide.md) | Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect. |
| [Smart Cards](smart-cards/smart-card-windows-smart-card-technical-reference.md) | Provides a collection of references topics about smart cards, which are tamper-resistant portable storage devices that can enhance the security of tasks such as authenticating clients, signing code, securing e-mail, and signing in with a Windows domain account. |
| [Windows Hello for Business](hello-for-business/index.yml) | In Windows 10, Windows Hello replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. |
| [Windows Hello for Business](hello-for-business/index.yml) | In Windows 10, Windows Hello replaces passwords with strong two-factor authentication on client devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. |
| [Windows 10 Credential Theft Mitigation Guide Abstract](windows-credential-theft-mitigation-guide-abstract.md) | Learn more about credential theft mitigation in Windows 10. |

76
windows/security/identity-protection/installing-digital-certificates-on-windows-10-mobile.md
View File

@ -1,76 +0,0 @@
---
title: Install digital certificates on Windows 10 Mobile (Windows 10)
description: Digital certificates bind the identity of a user or computer to a pair of keys that can be used to encrypt and sign digital information.
ms.assetid: FF7B1BE9-41F4-44B0-A442-249B650CEE25
ms.reviewer:
keywords: S/MIME, PFX, SCEP
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
ms.date: 07/27/2017
---
# Install digital certificates on Windows 10 Mobile
**Applies to**
- Windows 10 Mobile
Digital certificates bind the identity of a user or computer to a pair of keys that can be used to encrypt and sign digital information. Certificates are issued by a certification authority (CA) that vouches for the identity of the certificate holder, and they enable secure client communications with websites and services.
Certificates in Windows 10 Mobile are primarily used for the following purposes:
- To create a secure channel using Secure Sockets Layer (SSL) between a phone and a web server or service.
- To authenticate a user to a reverse proxy server that is used to enable Microsoft Exchange ActiveSync (EAS) for email.
- For installation and licensing of applications (from the Windows Phone Store or a custom company distribution site).
>[!WARNING]
>In Windows 10, Version 1607, if you have multiple certificates provisioned on the device and the Wi-Fi profile provisioned does not have a strict filtering criteria, you may see connection failures when connecting to Wi-Fi. [Learn more about this known issue in Version 1607](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management)
## Install certificates using Microsoft Edge
A certificate can be posted on a website and made available to users through a device-accessible URL that they can use to download the certificate. When a user accesses the page and taps the certificate, it opens on the device. The user can inspect the certificate, and if they choose to continue, the certificate is installed on the Windows 10 Mobile device.
## Install certificates using email
The Windows 10 Mobile certificate installer supports .cer, .p7b, .pem, and .pfx files. Some email programs block .cer files for security reasons. If this is the case in your organization, use an alternative method to deploy the certificate. Certificates that are sent via email appear as message attachments. When a certificate is received, a user can tap to review the contents and then tap to install the certificate. Typically, when an identity certificate is installed, the user is prompted for the password (or passphrase) that protects it.
## Install certificates using mobile device management (MDM)
Windows 10 Mobile supports root, CA, and client certificate to be configured via MDM. Using MDM, an administrator can directly add, delete, or query root and CA certificates, and configure the device to enroll a client certificate with a certificate enrollment server that supports Simple Certificate Enrollment Protocol (SCEP). SCEP enrolled client certificates are used by Wi-Fi, VPN, email, and browser for certificate-based client authentication. An MDM server can also query and delete SCEP enrolled client certificate (including user installed certificates), or trigger a new enrollment request before the current certificate is expired.
>[!WARNING]
>Do not use SCEP for encryption certificates for S/MIME. You must use a PFX certificate profile to support S/MIME on Windows 10 Mobile. For instructions on creating a PFX certificate profile in Microsoft Intune, see [Enable access to company resources using certificate profiles with Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkID=718216).
**Process of installing certificates using MDM**
1. The MDM server generates the initial cert enroll request including challenge password, SCEP server URL, and other enrollment related parameters.
2. The policy is converted to the OMA DM request and sent to the device.
3. The trusted CA certificate is installed directly during MDM request.
4. The device accepts certificate enrollment request.
5. The device generates private/public key pair.
6. The device connects to Internet-facing point exposed by MDM server.
7. MDM server creates a certificate that is signed with proper CA certificate and returns it to device.
>[!NOTE]
>The device supports the pending function to allow server side to do additional verification before issuing the cert. In this case, a pending status is sent back to the device. The device will periodically contact the server, based on preconfigured retry count and retry period parameters. Retrying ends when either:
>
>- A certificate is successfully received from the server
>- The server returns an error
>- The number of retries reaches the preconfigured limit
8. The cert is installed in the device. Browser, Wi-Fi, VPN, email, and other first party applications have access to this certificate.
>[!NOTE]
>If MDM requested private key stored in Trusted Process Module (TPM) (configured during enrollment request), the private key will be saved in TPM. Note that SCEP enrolled cert protected by TPM isnt guarded by a PIN. However, if the certificate is imported to the Windows Hello for Business Key Storage Provider (KSP), it is guarded by the Hello PIN.
## Related topics
[Configure S/MIME](configure-s-mime.md)

2
windows/security/identity-protection/vpn/vpn-connection-type.md
View File

@ -56,7 +56,7 @@ There are many options for VPN clients. In Windows 10 and Windows 11, the built-
## Universal Windows Platform VPN plug-in
The Universal Windows Platform (UWP) VPN plug-ins were introduced in Windows 10 and Windows 11, although there were originally separate versions available for the Windows 8.1 Mobile and Windows 8.1 PC platforms. Using the UWP platform, third-party VPN providers can create app-containerized plug-ins using WinRT APIs, eliminating the complexity and problems often associated with writing to system-level drivers.
The Universal Windows Platform (UWP) VPN plug-ins were introduced in Windows 10 and Windows 11, although there was originally separate version available for the Windows 8.1 PC platform. Using the UWP platform, third-party VPN providers can create app-containerized plug-ins using WinRT APIs, eliminating the complexity and problems often associated with writing to system-level drivers.
There are a number of Universal Windows Platform VPN applications, such as Pulse Secure, Cisco AnyConnect, F5 Access, Sonicwall Mobile Connect, and Check Point Capsule. If you want to use a UWP VPN plug-in, work with your vendor for any custom settings needed to configure your VPN solution.

44
windows/security/identity-protection/vpn/vpn-profile-options.md
View File

@ -17,8 +17,9 @@ ms.date: 05/17/2018
# VPN profile options
**Applies to**
- Windows 10
- Windows 11
- Windows 10
- Windows 11
Most of the VPN settings in Windows 10 and Windows 11 can be configured in VPN profiles using Microsoft Intune or Microsoft Endpoint Configuration Manager. All VPN settings in Windows 10 and Windows 11 can be configured using the **ProfileXML** node in the [VPNv2 configuration service provider (CSP)](/windows/client-management/mdm/vpnv2-csp).
@ -298,36 +299,31 @@ The following is a sample plug-in VPN profile. This blob would fall under the Pr
## Apply ProfileXML using Intune
After you configure the settings that you want using ProfileXML, you can apply it using Intune and a **Custom Configuration (Windows 10 or Windows 11 Desktop and Mobile and later)** policy.
After you configure the settings that you want using ProfileXML, you can create a custom profile in the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). After it's created, you deploy this profile to your devices.
1. Sign into the [Azure portal](https://portal.azure.com).
1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Select **Devices** > **Configuration profiles** > **Create profile**.
3. Enter the following properties:
2. Go to **Intune** > **Device Configuration** > **Profiles**.
- **Platform**: Select **Windows 10 and later**
- **Profile**: Select **Templates** > **Custom**.
3. Click **Create Profile**.
4. Select **Create**.
5. In **Basics**, enter the following properties:
4. Enter a name and (optionally) a description.
- **Name**: Enter a descriptive name for the profile. Name your profiles so you can easily identify them later.
- **Description**: Enter a description for the profile. This setting is optional, but recommended.
5. Choose **Windows 10 and later** as the platform.
6. Select **Next**.
7. In **Configuration settings**, enter the following properties:
6. Choose **Custom** as the profile type and click **Add**.
- **OMA-URI**: Enter `./user/vendor/MSFT/VPNv2/Your_VPN profile name_/ProfileXML`.
- **Data type**: Select `String (XML file)`.
- **Value**: Browse to, and select your XML file.
8. Enter a name and (optionally) a description.
9. Enter the OMA-URI **./user/vendor/MSFT/VPNv2/_VPN profile name_/ProfileXML**.
10. Set Data type to **String (XML file)**.
11. Upload the profile XML file.
12. Click **OK**.
![Custom VPN profile.](images/custom-vpn-profile.png)
13. Click **OK**, then **Create**.
14. Assign the profile.
For more information on these settings, see [Use custom settings for Windows devices in Intune](/mem/intune/configuration/custom-settings-windows-10).
8. Select **Next**, and continue configuring the policy. For the specific steps and recommendations, see [Create a profile with custom settings in Intune](/mem/intune/configuration/custom-settings-configure).
## Learn more