diff --git a/devices/hololens/hololens-checklist.md b/devices/hololens/hololens-checklist.md new file mode 100644 index 0000000000..d1eb5f80d4 --- /dev/null +++ b/devices/hololens/hololens-checklist.md @@ -0,0 +1,30 @@ +--- +title: Checklist for HoloLens in the enterprise (HoloLens) +description: tbd +ms.prod: w10 +ms.mktglfcycl: manage +ms.pagetype: hololens, devices +ms.sitesec: library +author: jdeckerMS +--- + +# Checklist: HoloLens in the enterprise + +[Introduction to configuration service providers (CSPs) for IT pros](https://technet.microsoft.com/itpro/windows/manage/how-it-pros-can-use-configuration-service-providers) + + +Windows Store for Business + +Requirements + +- IT Admins: Before you sign up for the Store for Business, at a minimum, you'll need an Azure Active Directory (AAD) account for your organization, and you'll need to be the global administrator for your organization. Once the Global Admin has signed in, they can give permissions to other employees. +- End Users: Need Azure AD account when they access Store for Business content from Windows-based devices. + +[Getting started with Azure Active Directory Premium](https://azure.microsoft.com/en-us/documentation/articles/active-directory-get-started-premium/) + +[Get started with Intune](https://docs.microsoft.com/en-us/intune/understand-explore/get-started-with-a-30-day-trial-of-microsoft-intune) + +[Enroll devices for management in Intune](https://docs.microsoft.com/en-us/intune/deploy-use/enroll-devices-in-microsoft-intune#supported-device-platforms) + +[Azure AD editions](https://azure.microsoft.com/en-us/documentation/articles/active-directory-editions/) + diff --git a/devices/surface/TOC.md b/devices/surface/TOC.md index eff3b9bb69..aa9fee3d31 100644 --- a/devices/surface/TOC.md +++ b/devices/surface/TOC.md @@ -1,5 +1,6 @@ # [Surface](index.md) ## [Deploy Surface devices](deploy.md) +### [Long-Term Servicing Branch for Surface devices](ltsb-for-surface.md) ### [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md) ### [Upgrade Surface devices to Windows 10 with MDT](upgrade-surface-devices-to-windows-10-with-mdt.md) ### [Customize the OOBE for Surface deployments](customize-the-oobe-for-surface-deployments.md) @@ -21,5 +22,6 @@ ### [Unenroll Surface devices from SEMM](unenroll-surface-devices-from-semm.md) ## [Surface Diagnostic Toolkit](surface-diagnostic-toolkit.md) ## [Surface Data Eraser](microsoft-surface-data-eraser.md) +## [Change history for Surface documentation](change-history-for-surface.md) diff --git a/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md b/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md index 7b231f3562..6caa1ce23a 100644 --- a/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md +++ b/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md @@ -28,7 +28,8 @@ To update the UEFI on Surface Pro 3, you can download and install the Surface UE ## Manually configure additional security settings ->**Note:**  To enter firmware setup on a Surface device, begin with the device powered off, press and hold the **Volume Up** button, then press and release the **Power** button, then release the **Volume Up** button after the device has begun to boot. +>[!NOTE] +>To enter firmware setup on a Surface device, begin with the device powered off, press and hold the **Volume Up** button, then press and release the **Power** button, then release the **Volume Up** button after the device has begun to boot. After the v3.11.760.0 UEFI update is installed on a Surface device, an additional UEFI menu named **Advanced Device Security** becomes available. If you click this menu, the following options are displayed: diff --git a/devices/surface/change-history-for-surface.md b/devices/surface/change-history-for-surface.md new file mode 100644 index 0000000000..6128cfbbfa --- /dev/null +++ b/devices/surface/change-history-for-surface.md @@ -0,0 +1,23 @@ +--- +title: Change history for Surface documentation (Windows 10) +description: This topic lists new and updated topics in the Surface documentation library. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerMS +--- + +# Change history for Surface documentation + +This topic lists new and updated topics in the Surface documentation library. + +## October 2016 + +| New or changed topic | Description | +| --- | --- | +| [Long-term servicing branch for Surface devices](ltsb-for-surface.md) | New | + + + + +  \ No newline at end of file diff --git a/devices/surface/deploy.md b/devices/surface/deploy.md index 517aca2f0b..03cdc49f49 100644 --- a/devices/surface/deploy.md +++ b/devices/surface/deploy.md @@ -16,6 +16,7 @@ Get deployment guidance for your Surface devices including information about MDT | Topic | Description | | --- | --- | +| [Long-Term Servicing Branch for Surface devices](ltsb-for-surface.md) | Explains that LTSB is not supported for general-purpose Surface devices and should be used for specialized devices only. | | [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md) | Walk through the recommended process of how to deploy Windows 10 to your Surface devices with the Microsoft Deployment Toolkit.| | [Upgrade Surface devices to Windows 10 with MDT](upgrade-surface-devices-to-windows-10-with-mdt.md)| Find out how to perform a Windows 10 upgrade deployment to your Surface devices. | | [Customize the OOBE for Surface deployments](customize-the-oobe-for-surface-deployments.md)| Walk through the process of customizing the Surface out-of-box experience for end users in your organization.| diff --git a/devices/surface/index.md b/devices/surface/index.md index 1b70df3e57..4843bb6970 100644 --- a/devices/surface/index.md +++ b/devices/surface/index.md @@ -29,6 +29,7 @@ For more information on planning for, deploying, and managing Surface devices in | [Surface Enterprise Management Mode](surface-enterprise-management-mode.md) | See how this feature of Surface devices with Surface UEFI allows you to secure and manage firmware settings within your organization. | | [Surface Diagnostic Toolkit](surface-diagnostic-toolkit.md) | Find out how you can use the Microsoft Surface Diagnostic Toolkit to test the hardware of your Surface device. | | [Surface Data Eraser](microsoft-surface-data-eraser.md) | Find out how the Microsoft Surface Data Eraser tool can help you securely wipe data from your Surface devices. | +| [Change history for Surface documentation](change-history-for-surface.md) | This topic lists new and updated topics in the Surface documentation library. | diff --git a/devices/surface/ltsb-for-surface.md b/devices/surface/ltsb-for-surface.md new file mode 100644 index 0000000000..91ae3a566b --- /dev/null +++ b/devices/surface/ltsb-for-surface.md @@ -0,0 +1,44 @@ +--- +title: Long-Term Servicing Branch for Surface devices (Surface) +description: LTSB is not supported for general-purpose Surface devices and should be used for specialized devices only. +ms.prod: w10 +ms.mktglfcycl: manage +ms.pagetype: surface, devices +ms.sitesec: library +author: jdeckerMS +--- + +# Long-Term Servicing Branch (LTSB) for Surface devices + + +General-purpose Surface devices running Long-Term Servicing Branch (LTSB) are not supported. As a general guideline, if a Surface device runs productivity software, such as Microsoft Office, it is a general-purpose device that does not qualify for LTSB and should instead run Current Branch (CB) or Current Branch for Business (CBB). + +>[!NOTE] +>For more information about the servicing branches, see [Overview of Windows as a service](https://technet.microsoft.com/itpro/windows/manage/waas-overview). + +LTSB prevents Surface devices from receiving critical Windows 10 feature updates and certain non-security servicing updates. Customers with poor experiences using Surface devices in the LTSB configuration will be instructed to upgrade to CB or CBB. Furthermore, the Windows 10 Enterprise LTSB edition removes core features of Surface devices, including seamless inking and touch-friendly applications. It does not contain key in-box applications including Microsoft Edge, OneNote, Calendar or Camera. Therefore, productivity is impacted and functionality is limited. LTSB is not supported as a suitable servicing solution for general-purpose Surface devices. + +General-purpose Surface devices are intended to run CB or CBB to receive full servicing and firmware updates and forward compatibility with the introduction of new Surface features. With CB, feature updates are available as soon as Microsoft releases them. Customers in the CBB servicing model receive the same build of Windows 10 as those in CB, at a later date. + +Surface devices in specialized scenarios–such as PCs that control medical equipment, point-of-sale systems, and ATMs–may consider the use of LTSB. These special-purpose systems typically perform a single task and do not require feature updates as frequently as other devices in the organization. + + + + + +## Related topics + +- [Surface TechCenter](https://technet.microsoft.com/windows/surface) + +- [Surface for IT pros blog](http://blogs.technet.com/b/surface/) + + + +  + +  + + + + + diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md index 099b0efc5b..bcf28c02a2 100644 --- a/education/windows/chromebook-migration-guide.md +++ b/education/windows/chromebook-migration-guide.md @@ -1,4 +1,4 @@ -> --- +--- title: Chromebook migration guide (Windows 10) description: In this guide you will learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. ms.assetid: 7A1FA48A-C44A-4F59-B895-86D4D77F8BEA diff --git a/windows/deploy/upgrade-analytics-get-started.md b/windows/deploy/upgrade-analytics-get-started.md index f86fc0f308..1d08d1f5cb 100644 --- a/windows/deploy/upgrade-analytics-get-started.md +++ b/windows/deploy/upgrade-analytics-get-started.md @@ -2,33 +2,31 @@ title: Get started with Upgrade Analytics (Windows 10) description: Explains how to get started with Upgrade Analytics. ms.prod: w10 -author: MaggiePucciEvans +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +author: greg-lindsay --- # Get started with Upgrade Analytics -Use Upgrade Analytics to plan and manage your upgrade project end to end. After you’ve established communications between user computers and Microsoft, Upgrade Analytics collects computer, application, and driver data for analysis. We use this data to identify compatibility issues that can block your upgrade and suggest fixes that are known to Microsoft. +This topic explains how to obtain and set up Upgrade Analytics components. If you haven’t done so already, see [Upgrade Analytics requirements](https://technet.microsoft.com/itpro/windows/deploy/upgrade-analytics-requirements) for information about requirements for using Upgrade Analytics. Also, check out the [Upgrade Analytics blog](https://blogs.technet.microsoft.com/UpgradeAnalytics) for new announcements and helpful tips for using Upgrade Analytics. -For system, application, and driver data to be shared with Microsoft, you must configure user computers to send data. For information about what telemetry data Microsoft collects and how that data is used and protected by Microsoft, see: +You can use Upgrade Analytics to plan and manage your upgrade project end to end. After you’ve established communications between user computers and Microsoft, Upgrade Analytics collects computer, application, and driver data for analysis. This data is used to identify compatibility issues that can block your upgrade and to suggest fixes that are known to Microsoft. + +To enable system, application, and driver data to be shared with Microsoft, you must configure user computers to send data. For information about what telemetry data Microsoft collects and how that data is used and protected by Microsoft, see the following topics: - [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization) - - [Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services) - - [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965) - -This topic explains how to obtain and set up Upgrade Analytics components. If you haven’t done so already, see [Upgrade Analytics requirements](https://technet.microsoft.com/itpro/windows/deploy/upgrade-analytics-requirements) for information about requirements for using Upgrade Analytics. - To configure Upgrade Analytics, you’ll need to: - Add the Upgrade Analytics solution to a workspace in the Operations Management Suite portal - - Establish communications and enable data sharing between your organization and Microsoft Each task is explained in detail in the following sections. - ## Add Upgrade Analytics to Operations Management Suite Upgrade Analytics is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud based services for managing your on-premises and cloud environments. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/documentation/articles/operations-management-suite-overview/). @@ -101,7 +99,7 @@ IMPORTANT: Restart user computers after you install the compatibility update KBs | **Site discovery** | **KB** | |----------------------|-----------------------------------------------------------------------------| -| [Review site discovery](upgrade-analytics-review-site-discovery.md) | Site discovery requires the [Cumulative Security Update for Internet Explorer 11](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=internet%20explorer%2011%20cumulative%20update), starting with the July 2016 update (KB3170106). | +| [Review site discovery](upgrade-analytics-review-site-discovery.md) | Install the latest [Windows Monthly Rollup](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=security%20monthly%20quality%20rollup). This functionality has been included in Internet Explorer 11 starting with the July 2016 Cumulative Update. | ### Automate data collection @@ -109,9 +107,7 @@ IMPORTANT: Restart user computers after you install the compatibility update KBs To ensure that user computers are receiving the most up to date data from Microsoft, we recommend that you establish the following data sharing and analysis processes. - Enable automatic updates for the compatibility update and related KBs. These KBs are updated frequently to include the latest application and driver issue information as we discover it during testing. - - Schedule the Upgrade Analytics deployment script to automatically run so that you don’t have to manually initiate an inventory scan each time the compatibility update KBs are updated. Computers are re-scanned only when the compatibility KBs are updated, so if your inventory changes significantly between KB releases you won’t see the changes in Upgrade Analytics until you run the script again. - - Schedule monthly user computer scans to view monthly active computer and usage information. ## Run the Upgrade Analytics deployment script @@ -170,6 +166,40 @@ To run the Upgrade Analytics deployment script: 6. After you finish editing the parameters in RunConfig.bat, run the script as an administrator. +The deployment script displays the following exit codes to let you know if it was successful, or if an error was encountered. + +
+ + +
Exit codeMeaning +
0Success +
1Unexpected error occurred while executing the script +
2Error when logging to console. $logMode = 0. +
3Error when logging to console and file. $logMode = 1. +
4Error when logging to file. $logMode = 2. +
5Error when logging to console and file. $logMode = unknown. +
6The commercialID parameter is set to unknown. Modify the script. +
7Function -CheckCommercialId: Unexpected failure. +
8Failure to create registry key path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection. +
9Error when writing CommercialId to registry. +
10Error when writing CommercialDataOptIn to registry. +
11Function -SetupCommercialId: Unexpected failure. +
12Can’t connect to Microsoft – Vortex. Check your network/proxy settings. +
13Can’t connect to Microsoft – setting. Check your network/proxy settings. +
14Can’t connect to Microsoft – compatexchange. Check your network/proxy settings. +
15Error connecting to Microsoft. Check your network/proxy settings. +
16Machine requires reboot. +
17Function -CheckRebootRequired: Unexpected failure. +
18Outdated compatibility update KB package. Update via Windows Update/WSUS. +
19This machine doesn’t have the proper KBs installed. Make sure you have recent compatibility update KB downloaded. +
20Error writing RequestAllAppraiserVersions registry key. +
21Function – SetRequestAllAppraiserVersions: Unexpected failure. +
22Error when running inventory scan. +
23Error finding system variable %WINDIR%. +
+ +
+ ## Seeing data from computers in Upgrade Analytics After data is sent from computers to Microsoft, it generally takes 48 hours for the data to populate in Upgrade Analytics. The compatibility update KB takes several minutes to run. If the KB does not get a chance to finish running or if the computers are inaccessible (turned off or sleeping for example), data will take longer to populate in Upgrade Analytics. For this reason, you can expect most your computers to be populated in OMS in about 1-2 weeks after deploying the KB and configuration to user computers. diff --git a/windows/deploy/upgrade-analytics-review-site-discovery.md b/windows/deploy/upgrade-analytics-review-site-discovery.md index 8a1835573e..5f0e5067ad 100644 --- a/windows/deploy/upgrade-analytics-review-site-discovery.md +++ b/windows/deploy/upgrade-analytics-review-site-discovery.md @@ -15,7 +15,7 @@ This section of the Upgrade Analytics workflow provides an inventory of web site Ensure the following prerequisites are met before using site discovery: -1. Install the latest Internet Explorer 11 Cumulative Security Update. This update provides the capability for site discovery and is available in the [Internet Explorer 11 Cumulative Security Update](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=internet%20explorer%2011%20cumulative%20update), starting with the July 2016 update. +1. Install the latest [Windows Monthly Rollup](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=security%20monthly%20quality%20rollup). This functionality has been included in Internet Explorer 11 starting with the July 2016 Cumulative Update. 2. Install the update for customer experience and diagnostic telemetery ([KB3080149](https://support.microsoft.com/kb/3080149)). 3. Enable Internet Explorer data collection, which is disabled by default. The best way to enable it is to modify the [Upgrade Analytics deployment script](upgrade-analytics-get-started.md#run-the-upgrade-analytics-deployment-script) to allow Internet Explorer data collection before you run it. diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index dada97fc72..bba6f8cedc 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md @@ -16,7 +16,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md | New or changed topic | Description | | --- | --- | -|[Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) and [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Updated the text about the icon overlay option. This icon now only appears on corporate files in the Save As and File Explore views. | +|[Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) and [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Updated the text about the icon overlay option. This icon now only appears on corporate files in the Save As and File Explore views | |[Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) |Added content about using ActiveX controls.| |[Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)](app-behavior-with-wip.md) |New | |[VPN technical guide](vpn-guide.md) | Multiple new topics, replacing previous **VPN profile options** topic | diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 2ed94b71f9..d31167eaf6 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -94,9 +94,8 @@ The following tables describes additional hardware and firmware requirements, an ### 2017 Additional Qualification Requirements for Credential Guard (announced as options for future Windows operating systems for 2017) -| Protections for Improved Security - requirement | Description | +| Protection for Improved Security - requirement | Description | |---------------------------------------------|----------------------------------------------------| -| Firmware: **UEFI NX Protections** | **Requirements**:
- All UEFI memory that is marked executable must be read only. Memory marked writable must not be executable.

UEFI Runtime Services:
- Must implement the UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. The entire UEFI runtime must be described by this table.
- All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both.
- No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory MUST be either readable and executable OR writeable and non-executable.

**Security benefits**:
- Protects against potential vulnerabilities in UEFI runtime in functions such as Update Capsule, Set Variables, and so on, so they can't compromise VBS.
- Reduces attack surface to VBS from system firmware. | | Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.

**Security benefits**:
- Protects against potential vulnerabilities in UEFI runtime in functions such as Update Capsule, Set Variables, and so on, so they can't compromise VBS.
- Reduces attack surface to VBS from system firmware.
- Blocks additional security attacks against SMM. | ## Manage Credential Guard diff --git a/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md b/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md index bf63f5df7f..f9a6a62792 100644 --- a/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md +++ b/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md @@ -104,7 +104,12 @@ Unfortunately, it would be time consuming to perform these steps manually on eve > **Important**  These settings include **Secure Boot** and **Secure Boot with DMA**. In most situations we recommend that you choose **Secure Boot**. This option provides secure boot with as much protection as is supported by a given computer’s hardware. A computer with input/output memory management units (IOMMUs) will have secure boot with DMA protection. A computer without IOMMUs will simply have secure boot enabled.
In contrast, with **Secure Boot with DMA**, the setting will enable secure boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS (hardware-based) protection, although it can have code integrity policies enabled.
For information about how VBS uses the hypervisor to strengthen protections provided by a code integrity policy, see [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats). -6. For **Virtualization Based Protection of Code Integrity**, select the appropriate option: +6. For **Virtualization Based Protection of Code Integrity**, select the appropriate option. + + > [!WARNING] + > Virtualization-based protection of code integrity may be incompatible with some devices and applications. We strongly recommend testing this configuration in your lab before enabling virtualization-based protection of code integrity on production systems. Failure to do so may result in unexpected failures up to and including data loss or a blue screen error (also called a stop error). + + Select an option as follows: - With Windows 10, version 1607 or Windows Server 2016, choose an appropriate option:
For an initial deployment or test deployment, we recommend **Enabled without lock**.
When your deployment is stable in your environment, we recommend changing to **Enabled with lock**. This option helps protect the registry from tampering, either through malware or by an unauthorized person. diff --git a/windows/keep-secure/interactive-logon-do-not-require-ctrl-alt-del.md b/windows/keep-secure/interactive-logon-do-not-require-ctrl-alt-del.md index f2741165ce..d1d0b00b2e 100644 --- a/windows/keep-secure/interactive-logon-do-not-require-ctrl-alt-del.md +++ b/windows/keep-secure/interactive-logon-do-not-require-ctrl-alt-del.md @@ -35,7 +35,7 @@ A malicious user might install malware that looks like the standard logon dialog ### Best practices -- It is advisable to set **Disable CTRL+ALT+DEL requirement for logon** to **Disabled**. Unless they are using a smart card to log on, users will have to simultaneously press three keys before the logon dialog box appears. +- It is advisable to set **Disable CTRL+ALT+DEL requirement for logon** to **Not configured**. ### Location diff --git a/windows/keep-secure/planning-and-getting-started-on-the-device-guard-deployment-process.md b/windows/keep-secure/planning-and-getting-started-on-the-device-guard-deployment-process.md index 0790236e3f..2846134874 100644 --- a/windows/keep-secure/planning-and-getting-started-on-the-device-guard-deployment-process.md +++ b/windows/keep-secure/planning-and-getting-started-on-the-device-guard-deployment-process.md @@ -53,5 +53,9 @@ This topic provides a roadmap for planning and getting started on the Device Gua - [Enforce code integrity policies](deploy-code-integrity-policies-steps.md#enforce-code-integrity-policies) - [Deploy and manage code integrity policies with Group Policy](deploy-code-integrity-policies-steps.md#deploy-and-manage-code-integrity-policies-with-group-policy)
-8. **Enable desired hardware (VBS) security features**. Hardware-based security features—also called virtualization-based security (VBS) features—strengthen the protections offered by code integrity policies, as described in [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats). For information about enabling VBS features, see [Deploy Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md). +8. **Enable desired hardware (VBS) security features**. Hardware-based security features—also called virtualization-based security (VBS) features—strengthen the protections offered by code integrity policies, as described in [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats). + > [!WARNING] + > Virtualization-based protection of code integrity may be incompatible with some devices and applications. We strongly recommend testing this configuration in your lab before enabling virtualization-based protection of code integrity on production systems. Failure to do so may result in unexpected failures up to and including data loss or a blue screen error (also called a stop error). + + For information about enabling VBS features, see [Deploy Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md). diff --git a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md index 4cad3f619c..13754fa34c 100644 --- a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md +++ b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md @@ -36,6 +36,9 @@ For example, hardware that includes CPU virtualization extensions and SLAT will You can deploy Device Guard in phases, and plan these phases in relation to the computer purchases you plan for your next hardware refresh. +> [!WARNING] +> Virtualization-based protection of code integrity may be incompatible with some devices and applications. We strongly recommend testing this configuration in your lab before enabling virtualization-based protection of code integrity on production systems. Failure to do so may result in unexpected failures up to and including data loss or a blue screen error (also called a stop error). + The following tables provide more information about the hardware, firmware, and software required for deployment of various Device Guard features. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, available in 2016, and announced as options for 2017. > **Notes** diff --git a/windows/keep-secure/windows-security-baselines.md b/windows/keep-secure/windows-security-baselines.md index ee48d1325c..872f3dd541 100644 --- a/windows/keep-secure/windows-security-baselines.md +++ b/windows/keep-secure/windows-security-baselines.md @@ -11,6 +11,11 @@ author: brianlic-msft # Windows security baselines +**Applies to** + +- Windows 10 +- Windows Server 2012 R2 + Microsoft is dedicated to provide our customers with a secure operating system, such as Windows 10 and Windows Server, as well as secure apps, such as Microsoft Edge. In addition to the security assurance of its products, Microsoft also enables you to have fine control of your environments by providing various configuration capabilities. Even though Windows and Windows Server are designed to be secure out-of-the-box, a large number of organizations still want more granular control of their security configurations. To navigate these large number of controls, organizations need guidance for configuring various security features. Microsoft provides this guidance in the form of security baselines. We recommend implementing an industry-standard configuration that is broadly known and well-tested, such as a Microsoft security baseline, as opposed to creating one yourself. This helps increase flexibility and reduce costs. @@ -54,7 +59,6 @@ To help faster deployments and increase the ease of managing Windows, Microsoft - [Windows 10, Version 1511 security baseline](https://go.microsoft.com/fwlink/p/?LinkID=799381) - [Windows 10, Version 1507 security baseline](https://go.microsoft.com/fwlink/p/?LinkID=799380) - ### Windows Server security baselines - [Windows Server 2012 R2 security baseline](https://go.microsoft.com/fwlink/p/?LinkID=799382) diff --git a/windows/manage/TOC.md b/windows/manage/TOC.md index b3a2c2b025..71157f3110 100644 --- a/windows/manage/TOC.md +++ b/windows/manage/TOC.md @@ -17,7 +17,9 @@ #### [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) ### [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) ### [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) +### [Manage device restarts after updates](waas-restart.md) ## [Manage corporate devices](manage-corporate-devices.md) +### [Manage Windows 10 in your organization - transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md) ### [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md) ### [Manage Windows 10 and Windows Store tips, tricks, and suggestions](manage-tips-and-suggestions.md) ### [New policies for Windows 10](new-policies-for-windows-10.md) diff --git a/windows/manage/change-history-for-manage-and-update-windows-10.md b/windows/manage/change-history-for-manage-and-update-windows-10.md index 1473c47207..56fb55ced0 100644 --- a/windows/manage/change-history-for-manage-and-update-windows-10.md +++ b/windows/manage/change-history-for-manage-and-update-windows-10.md @@ -16,9 +16,12 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in | New or changed topic | Description | | --- | --- | +| [Manage device restarts after updates](waas-restart.md) | New | +| [Manage Windows 10 in your organization - transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md) | New | | [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) |Added an important note about Cortana and Office 365 integration. | | [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Added link to the Windows Restricted Traffic Limited Functionality Baseline. Added Teredo Group Policy. | + ## September 2016 | New or changed topic | Description | diff --git a/windows/manage/images/waas-active-hours-policy.PNG b/windows/manage/images/waas-active-hours-policy.PNG new file mode 100644 index 0000000000..af80ef6652 Binary files /dev/null and b/windows/manage/images/waas-active-hours-policy.PNG differ diff --git a/windows/manage/images/waas-active-hours.PNG b/windows/manage/images/waas-active-hours.PNG new file mode 100644 index 0000000000..c262c302ed Binary files /dev/null and b/windows/manage/images/waas-active-hours.PNG differ diff --git a/windows/manage/images/waas-auto-update-policy.PNG b/windows/manage/images/waas-auto-update-policy.PNG new file mode 100644 index 0000000000..52a1629cbf Binary files /dev/null and b/windows/manage/images/waas-auto-update-policy.PNG differ diff --git a/windows/manage/images/waas-restart-policy.PNG b/windows/manage/images/waas-restart-policy.PNG new file mode 100644 index 0000000000..936f9aeb08 Binary files /dev/null and b/windows/manage/images/waas-restart-policy.PNG differ diff --git a/windows/manage/images/windows-10-management-cyod-byod-flow.png b/windows/manage/images/windows-10-management-cyod-byod-flow.png new file mode 100644 index 0000000000..6121e93832 Binary files /dev/null and b/windows/manage/images/windows-10-management-cyod-byod-flow.png differ diff --git a/windows/manage/images/windows-10-management-gp-intune-flow.png b/windows/manage/images/windows-10-management-gp-intune-flow.png new file mode 100644 index 0000000000..c9e3f2ea31 Binary files /dev/null and b/windows/manage/images/windows-10-management-gp-intune-flow.png differ diff --git a/windows/manage/images/windows-10-management-range-of-options.png b/windows/manage/images/windows-10-management-range-of-options.png new file mode 100644 index 0000000000..d295aa6947 Binary files /dev/null and b/windows/manage/images/windows-10-management-range-of-options.png differ diff --git a/windows/manage/join-windows-10-mobile-to-azure-active-directory.md b/windows/manage/join-windows-10-mobile-to-azure-active-directory.md index 6c398d7d27..eae687dfc0 100644 --- a/windows/manage/join-windows-10-mobile-to-azure-active-directory.md +++ b/windows/manage/join-windows-10-mobile-to-azure-active-directory.md @@ -81,9 +81,9 @@ An added work account provides the same SSO experience in browser apps like Offi An MDM service is required for managing Azure AD-joined devices. You can use MDM to push settings to devices, as well as application and certificates used by VPN, Wi-Fi, etc. Azure AD Premium or [Enterprise Mobility Suite (EMS)](https://go.microsoft.com/fwlink/p/?LinkID=723984) licenses are required to set up your Azure AD-joined devices to automatically enroll in MDM. [Learn more about setting up your Azure AD tenant for MDM auto-enrollment.](https://go.microsoft.com/fwlink/p/?LinkID=691615) -- **Microsoft Passport** +- **Windows Hello** - Creating a Microsoft Passport (PIN) is required on Windows 10 Mobile by default and cannot be disabled. [You can control Microsoft Passport policies](https://go.microsoft.com/fwlink/p/?LinkId=735079) using controls in MDM, such as Intune. Because the device is joined using organizational credentials, the device must have a PIN to unlock the device. Windows Hello (biometrics such as fingerprint or iris) can be used for Passport authentication. Creating a Microsoft Passport requires the user to perform an multi-factor authentication since the PIN is a strong authentication credential. [Learn more about Microsoft Passport for Azure AD.](https://go.microsoft.com/fwlink/p/?LinkId=735004) + Creating a Windows Hello (PIN) is required on Windows 10 Mobile by default and cannot be disabled. You can control Windows Hello policiesusing controls in MDM, such as Intune. Because the device is joined using organizational credentials, the device must have a PIN to unlock the device. Biometrics such as fingerprint or iris can be used for authentication. Creating a Windows Hello requires the user to perform an multi-factor authentication since the PIN is a strong authentication credential. [Learn more about Windows Hello for Azure AD.](https://go.microsoft.com/fwlink/p/?LinkId=735004) - **Conditional access** diff --git a/windows/manage/manage-corporate-devices.md b/windows/manage/manage-corporate-devices.md index f96628d60a..c282a281cf 100644 --- a/windows/manage/manage-corporate-devices.md +++ b/windows/manage/manage-corporate-devices.md @@ -19,81 +19,22 @@ localizationpriority: high - Windows 10 - Windows 10 Mobile -You can use the same management tools to manage all device types running Windows 10 : desktops, laptops, tablets, and phones. And your current management tools, such as Group Policy, Windows Management Instrumentation (WMI), PowerShell scripts, Orchestrator runbooks, System Center tools, and so on, will continue to work for Windows 10 on desktop editions. +You can use the same management tools to manage all device types running Windows 10 : desktops, laptops, tablets, and phones. And your current management tools, such as Group Policy, Windows Management Instrumentation (WMI), PowerShell scripts, System Center tools, and so on, will continue to work for Windows 10. -There are several options for managing Windows 10 on corporate-owned devices in an enterprise. +## In this section -## Identity and management options +| Topic | Description | +| --- | --- | +| [Manage Windows 10 in your organization - transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md) | Strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment | +| [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md) | How to use Remote Desktop Connection to connect to an Azure AD-joined PC | +| [Manage Windows 10 and Windows Store tips, tricks, and suggestions](manage-tips-and-suggestions.md) | Options to manage user experiences to provide a consistent and predictable experience for employees | +| [New policies for Windows 10](new-policies-for-windows-10.md) | New Group Policy settings added in Windows 10 | +| [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md) | Group Policy settings that apply only to Windows 10 Enterprise and Windows 10 Education | +| [Changes to Group Policy settings for Start in Windows 10](changes-to-start-policies-in-windows-10.md) | Changes to the Group Policy settings that you use to manage Start | +| [Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md) | How to plan for and deploy Windows 10 Mobile devices | +| [Introduction to configuration service providers (CSPs) for IT pros](how-it-pros-can-use-configuration-service-providers.md) | How IT pros and system administrators can take advantage of many settings available through CSPs to configure devices running Windows 10 and Windows 10 Mobile in their organizations | -Your employees using devices that are owned by the organization can connect to Active Directory or Azure Active Directory (Azure AD). Windows 10 does not require a personal Microsoft account on devices joined to Azure AD or an on-premises Active Directory domain. - -![choose active directory or azure ad for identity](images/identitychoices.png) - -### Active Directory join - -You can join a device running Windows 10 to an on-premises Active Directory domain after the first-run experience (sometimes called out-of-box experience or OOBE). You can add devices running Windows 10 to your existing Active Directory infrastructure and manage them just as you've always been used to managing PCs running Windows. - -Desktop devices running Windows 10 that are joined to an Active Directory domain can be managed using Group Policy and System Center Configuration Manager (current branch). The following table shows the management support for Windows 10 in Configuration Manager. - - ---- - - - - - - - - - - - - - - - - - - - - -
Product versionWindows 10 support

[System Center Configuration Manager (current branch) ](https://technet.microsoft.com/en-us/library/mt346023.aspx)

Client deployment, upgrade, and management with new and existing features

Configuration Manager and Configuration Manager SP1

Deployment, upgrade, and management with existing features

Configuration Manager 2007

Management with existing features

- -  - -### Azure AD join - -Devices joined to Azure AD can be managed using Microsoft Intune or other mobile device management (MDM) solutions. MDM infrastructure for Windows 10 is consistent across device types. Configuration capabilities may vary based on device platform. - -![mdm options for mobile, desktop, and iot through device lifecycle](images/mdm.png) - -For flexibility in identity and management, you can combine Active Directory and Azure AD. Learn about [integrating Active Directory and Azure Active Directory for a hybrid identity solution](https://go.microsoft.com/fwlink/p/?LinkId=613209). - -## How setting conflicts are resolved - - -A device or user might receive policies from multiple sources, such as MDM, Exchange, or provisioning packages. In any policy conflict, the most secure policy value is applied. Policy settings take precedence over settings applied in a provisioning package. - -**Note**   -Provisioning packages can be applied either during device setup or after setup for runtime configuration. For more information about runtime provisioning packages, see [Configure devices without MDM](configure-devices-without-mdm.md). - -  - -When setting values that do not have a security implication conflict, last write wins. When settings are configured from both a provisioning package and another configuration source, the non-provisioning package configuration source has higher priority. - -![](images/configconflict.png) - -## MDM enrollment - - -Devices running Windows 10 include a built-in agent that can be used by MDM servers to enroll and manage devices. MDM servers do not need to create a separate agent or client to install on devices running Windows 10. - -For more information about the MDM protocols, see [Mobile device management](https://go.microsoft.com/fwlink/p/?LinkID=533172). - ## Learn more [How to bulk-enroll devices with On-premises Mobile Device Management in System Center Configuration Manager](https://technet.microsoft.com/library/mt627898.aspx) @@ -114,16 +55,8 @@ For more information about the MDM protocols, see [Mobile device management](htt Microsoft Virtual Academy course: [System Center 2012 R2 Configuration Manager & Windows Intune](https://go.microsoft.com/fwlink/p/?LinkId=613208) -## Related topics -[Manage Windows 10 and Windows Store tips, tricks, and suggestions](manage-tips-and-suggestions.md) -- [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md)  -- [New policies for Windows 10](new-policies-for-windows-10.md) -- [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md) -- [Changes to Group Policy settings for Start in Windows 10](changes-to-start-policies-in-windows-10.md) -- [Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md) -- [Introduction to configuration service providers (CSPs) for IT pros](how-it-pros-can-use-configuration-service-providers.md) diff --git a/windows/manage/manage-tips-and-suggestions.md b/windows/manage/manage-tips-and-suggestions.md index 2fbb2e3cda..547f77a1aa 100644 --- a/windows/manage/manage-tips-and-suggestions.md +++ b/windows/manage/manage-tips-and-suggestions.md @@ -1,6 +1,6 @@ --- title: Manage Windows 10 and Windows Store tips, tricks, and suggestions (Windows 10) -description: Windows 10 provides organizations with various options to manage auser experiences to provide a consistent and predictable experience for employees. +description: Windows 10 provides organizations with various options to manage user experiences to provide a consistent and predictable experience for employees. keywords: ["device management"] ms.prod: w10 ms.mktglfcycl: manage diff --git a/windows/manage/manage-windows-10-in-your-organization-modern-management.md b/windows/manage/manage-windows-10-in-your-organization-modern-management.md new file mode 100644 index 0000000000..97f4cc4e6f --- /dev/null +++ b/windows/manage/manage-windows-10-in-your-organization-modern-management.md @@ -0,0 +1,120 @@ +--- +title: Manage Windows 10 in your organization - transitioning to modern management +description: This topic offers strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment. +keywords: ["MDM", "device management", "group policy", "Azure Active Directory"] +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: devices +author: jdeckerMS +localizationpriority: medium +--- + +# Manage Windows 10 in your organization - transitioning to modern management + +Use of personal devices for work, as well as employees working outside the office, may be changing how your organization manages devices. Certain parts of your organization might require deep, granular control over devices, while other parts might seek lighter, scenario-based management that empowers the modern workforce. Windows 10 offers the flexibility to respond to these changing requirements, and can easily be deployed in a mixed environment. You can shift the percentage of Windows 10 devices gradually, following the normal upgrade schedules used in your organization. + +Your organization might have considered bringing in Windows 10 devices and downgrading them to Windows 7 until everything is in place for a formal upgrade process. While this may appear to save costs due to standardization, greater savings can come from avoiding the downgrade and immediately taking advantage of the cost reductions Windows 10 can provide. Because Windows 10 devices can be managed using the same processes and technology as other previous Windows versions, it’s easy for versions to coexist. + +Your organization can support various operating systems across a wide range of device types, and manage them through a common set of tools such as System Center Configuration Manager, Microsoft Intune, or other third-party products. This “managed diversity” enables you to empower your users to benefit from the productivity enhancements available on their new Windows 10 devices (including rich touch and ink support), while still maintaining your standards for security and manageability. It can help you and your organization benefit from Windows 10 much faster. + +This topic offers guidance on strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment. The topic covers [management options](#reviewing-the-management-options-with-windows-10) plus the four stages of the device lifecycle: + +- [Deployment and Provisioning](#deployment-and-provisioning) + +- [Identity and Authentication](#identity-and-authentication) + +- [Configuration](#settings-and-configuration) + +- [Updating and Servicing](#updating-and-servicing) + +## Reviewing the management options with Windows 10 + +Windows 10 offers a range of management options, as shown in the following diagram: + +The path to modern IT + +As indicated in the diagram, Microsoft continues to provide support for deep manageability and security through technologies like Group Policy, Active Directory, and System Center Configuration Manager. It also delivers a “mobile-first, cloud-first” approach of simplified, modern management using cloud-based device management solutions such as Microsoft Enterprise Mobility + Security (EMS). Future Windows innovations, delivered through Windows as a Service, are complemented by cloud services like Microsoft Intune, Azure Active Directory, Azure Rights Management Service, Office 365, and the Windows Store for Business. + +## Deployment and Provisioning + +With Windows 10, you can continue to use traditional OS deployment, but you can also “manage out of the box.” To transform new devices into fully-configured, fully-managed devices, you can: + + + +- Avoid reimaging by using dynamic provisioning, enabled by a cloud-based device management services like Microsoft Intune. + +- Create self-contained provisioning packages built with the [Windows Imaging and Configuration Designer (ICD)](https://msdn.microsoft.com/library/windows/hardware/dn916113(v=vs.85).aspx). + +- Use traditional imaging techniques such as deploying custom images using [System Center Configuration Manager](https://docs.microsoft.com/sccm/core/understand/introduction). + +You have multiple options for [upgrading to Windows 10](https://technet.microsoft.com/itpro/windows/deploy/windows-10-deployment-scenarios). For existing devices running Windows 7 or Windows 8.1, you can use the robust in-place upgrade process for a fast, reliable move to Windows 10 while automatically preserving all the existing apps, data, and settings. This can mean significantly lower deployment costs, as well as improved productivity as end users can be immediately productive – everything is right where they left it. Of course, you can also use a traditional wipe-and-load approach if you prefer, using the same tools that you use today with Windows 7. + +## Identity and Authentication + +You can use Windows 10 and services like [Azure Active Directory](https://azure.microsoft.com/documentation/articles/active-directory-whatis/) in new ways for cloud-based identity, authentication, and management. You can offer your users the ability to **“bring your own device” (BYOD)** or to **“choose your own device” (CYOD)** from a selection you make available. At the same time, you might be managing PCs and tablets that must be domain-joined because of specific applications or resources that are used on them. + +You can envision user and device management as falling into these two categories: + +- **Corporate (CYOD) or personal (BYOD) devices used by mobile users for SaaS apps such as Office 365.** With Windows 10, your employees can self-provision their devices: + + - For corporate devices, they can set up corporate access with [Azure AD Join](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-overview/). When you offer them Azure AD Join with automatic Intune MDM enrollment, they can bring devices into a corporate-managed state in [*one step*](https://blogs.technet.microsoft.com/ad/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/), all from the cloud.
Azure AD Join is also a great solution for temporary staff, partners, or other part-time employees. These accounts can be kept separate from the on-premises AD domain but still access needed corporate resources. + + - Likewise, for personal devices, employees can use a new, simplified [BYOD experience](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-windows10-devices/) to add their work account to Windows, then access work resources on the device. + +- **Domain joined PCs and tablets used for traditional applications and access to important resources.** These may be traditional applications and resources that require authentication or accessing highly sensitive or classified resources on-premises. + With Windows 10, if you have an on-premises [Active Directory](https://technet.microsoft.com/windows-server-docs/identity/whats-new-active-directory-domain-services) domain that’s [integrated with Azure AD](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-devices-group-policy/), when employee devices are joined, they automatically register with Azure AD. This provides: + + - Single sign-on to cloud and on-premises resources from everywhere + + - [Enterprise roaming of settings](https://azure.microsoft.com/documentation/articles/active-directory-windows-enterprise-state-roaming-overview/) + + - [Conditional access](https://azure.microsoft.com/documentation/articles/active-directory-conditional-access/) to corporate resources based on the health or configuration of the device + + - [Windows Hello for Business](https://technet.microsoft.com/itpro/windows/keep-secure/manage-identity-verification-using-microsoft-passport) + + - Windows Hello + + Domain joined PCs and tablets can continue to be managed with the [System Center Configuration Manager](https://docs.microsoft.com/sccm/core/understand/introduction) client or Group Policy. + +For more information about how Windows 10 and Azure AD optimize access to work resources across a mix of devices and scenarios, see [Using Windows 10 devices in your workplace](https://azure.microsoft.com/en-us/documentation/articles/active-directory-azureadjoin-windows10-devices/). + +As you review the roles in your organization, you can use the following generalized decision tree to begin to identify users or devices that require domain join. Consider switching the remaining users to Azure AD. + +![Decision tree for device authentication options](images/windows-10-management-cyod-byod-flow.png) + +## Settings and Configuration + +Your configuration requirements are defined by multiple factors, including the level of management needed, the devices and data managed, and your industry requirements. Meanwhile, employees are frequently concerned about IT applying strict policies to their personal devices, but they still want access to corporate email and documents. With Windows 10, you can create a consistent set of configurations across PCs, tablets, and phones through the common MDM layer.  + +**MDM**: [MDM](https://www.microsoft.com/en-us/cloud-platform/mobile-device-management) gives you a way to configure settings that achieve your administrative intent without exposing every possible setting. (In contrast, Group Policy exposes fine-grained settings that you control individually.) One benefit of MDM is that it enables you to apply broader privacy, security, and application management settings through lighter and more efficient tools. This makes MDM the best choice for devices that are constantly on the go. + +**Group Policy** and **System Center Configuration Manager**: Your organization might still need to manage domain joined computers at a granular level such as Internet Explorer’s 1,500 configurable Group Policy settings, or very specific Windows Firewall rules. If so, Group Policy and System Center Configuration Manager continue to be excellent management choices: + +- Group Policy is the best way to granularly configure domain joined Windows PCs and tablets connected to the corporate network using Windows-based tools. Microsoft continues to add Group Policy settings with each new version of Windows. + +- Configuration Manager remains the recommended solution for granular configuration with robust software deployment, Windows updates, and OS deployment. + +You can use the following generalized decision tree to review the management choices for devices in your organization: + +![Decision tree for device configuration options](images/windows-10-management-gp-intune-flow.png) + +## Updating and Servicing + +With Windows as a Service, your IT department no longer needs to perform complex imaging (wipe-and-load) processes with each new Windows release. Whether on current branch (CB) or current branch for business (CBB), devices receive the latest feature and quality updates through simple – often automatic – patching processes. For more information, see [Windows 10 deployment scenarios](https://technet.microsoft.com/itpro/windows/deploy/windows-10-deployment-scenarios). + +MDM with Intune provide tools for applying Windows updates to client computers in your organization. Configuration Manager allows rich management and tracking capabilities of these updates, including maintenance windows and automatic deployment rules. + +## Next steps + +There are a variety of steps you can take to begin the process of modernizing device management in your organization: + +- **Assess current management practices, and look for investments you might make today.** Which of your current practices need to stay the same, and which can you change? Specifically, what elements of traditional management do you need to retain and where can you modernize? Whether you take steps to minimize custom imaging, re-evaluate settings management, or reassesses authentication and compliance, the benefits can be immediate. + +- **Assess the different use cases and management needs in your environment.** Are there groups of devices that could benefit from lighter, simplified management? BYOD devices, for example, are natural candidates for cloud-based management. Users or devices handling more highly regulated data might require an on-premises Active Directory domain for authentication. Configuration Manager and EMS provide you the flexibility to stage implementation of modern management scenarios while targeting different devices the way that best suits your business needs. + +- **Review the decision trees in this article.** With the different options in Windows 10, plus Configuration Manager and Enterprise Mobility + Security, you have the flexibility to handle imaging, authentication, settings, and management tools for any scenario. + +- **Take incremental steps.** Moving towards modern device management doesn’t have to be an overnight transformation. New operating systems and devices can be brought in while older ones remain. With this “managed diversity,” users can benefit from productivity enhancements on new Windows 10 devices, while you continue to maintain older devices according to your standards for security and manageability. + +- **Optimize your existing investments**. On the road from traditional on-premises management to modern cloud-based management, take advantage of the flexible, hybrid architecture of Configuration Manager and Intune. As additional capabilities become available in the cloud-identity/MDM model, Microsoft is committed to providing a clear path from traditional to modern management. diff --git a/windows/manage/uev-whats-new-in-uev-for-windows.md b/windows/manage/uev-whats-new-in-uev-for-windows.md index a7759f623e..a360c496d8 100644 --- a/windows/manage/uev-whats-new-in-uev-for-windows.md +++ b/windows/manage/uev-whats-new-in-uev-for-windows.md @@ -78,6 +78,8 @@ While earlier versions of UE-V roamed taskbar settings between Windows 10 device In addition, UE-for Windows does not synchronize settings between the Microsoft Calculator in Windows 10 and the Microsoft Calculator in previous versions of Windows. +The Windows modern apps settings (DontSyncWindows8AppSettings) group policy is enabled by default and therefore, modern apps will not roam unless this policy is changed to disabled. + ## Support Added for Roaming Network Printers Users can now print to their saved network printers from any network device, including their default network printer. diff --git a/windows/manage/waas-branchcache.md b/windows/manage/waas-branchcache.md index 9bbd3db6e4..d40091a5ce 100644 --- a/windows/manage/waas-branchcache.md +++ b/windows/manage/waas-branchcache.md @@ -64,3 +64,4 @@ In addition to these steps, there is one requirement for WSUS to be able to use - [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) - [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) - [Manage Windows 10 updates using Configuration Manager](waas-manage-updates-configuration-manager.md) +- [Manage device restarts after updates](waas-restart.md) diff --git a/windows/manage/waas-configure-wufb.md b/windows/manage/waas-configure-wufb.md index e6c1f6e142..b8b3caef74 100644 --- a/windows/manage/waas-configure-wufb.md +++ b/windows/manage/waas-configure-wufb.md @@ -215,4 +215,5 @@ Enabling allows user to set deferral periods for upgrades and updates. It also - [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) - [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) - [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) -- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) \ No newline at end of file +- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) +- [Manage device restarts after updates](waas-restart.md) \ No newline at end of file diff --git a/windows/manage/waas-delivery-optimization.md b/windows/manage/waas-delivery-optimization.md index d518eb27de..0a4d81406e 100644 --- a/windows/manage/waas-delivery-optimization.md +++ b/windows/manage/waas-delivery-optimization.md @@ -249,3 +249,4 @@ On devices that are not preferred, you can choose to set the following policy to - [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) - [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) - [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) +- [Manage device restarts after updates](waas-restart.md) diff --git a/windows/manage/waas-deployment-rings-windows-10-updates.md b/windows/manage/waas-deployment-rings-windows-10-updates.md index 87b46bd064..a29b84d76e 100644 --- a/windows/manage/waas-deployment-rings-windows-10-updates.md +++ b/windows/manage/waas-deployment-rings-windows-10-updates.md @@ -73,4 +73,5 @@ or [Manage Windows 10 updates using System Center Configuration Manager](waas-ma - [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) - [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) - [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) +- [Manage device restarts after updates](waas-restart.md) diff --git a/windows/manage/waas-integrate-wufb.md b/windows/manage/waas-integrate-wufb.md index 63914b38ff..425b974656 100644 --- a/windows/manage/waas-integrate-wufb.md +++ b/windows/manage/waas-integrate-wufb.md @@ -106,4 +106,5 @@ For Windows 10, version 1607, organizations already managing their systems with - [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) - [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) - [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) +- [Manage device restarts after updates](waas-restart.md) diff --git a/windows/manage/waas-manage-updates-configuration-manager.md b/windows/manage/waas-manage-updates-configuration-manager.md index 6a560d09d0..af90f73616 100644 --- a/windows/manage/waas-manage-updates-configuration-manager.md +++ b/windows/manage/waas-manage-updates-configuration-manager.md @@ -404,3 +404,4 @@ or Manage Windows 10 updates using System Center Configuration Manager (this top - [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) - [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) - [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) +- [Manage device restarts after updates](waas-restart.md) diff --git a/windows/manage/waas-manage-updates-wsus.md b/windows/manage/waas-manage-updates-wsus.md index 43121c0f0d..2586e69e82 100644 --- a/windows/manage/waas-manage-updates-wsus.md +++ b/windows/manage/waas-manage-updates-wsus.md @@ -348,4 +348,5 @@ or [Manage Windows 10 updates using System Center Configuration Manager](waas-ma - [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) - [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) - [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) -- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) \ No newline at end of file +- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) +- [Manage device restarts after updates](waas-restart.md) \ No newline at end of file diff --git a/windows/manage/waas-manage-updates-wufb.md b/windows/manage/waas-manage-updates-wufb.md index 8cf7dfc5f2..a729beb244 100644 --- a/windows/manage/waas-manage-updates-wufb.md +++ b/windows/manage/waas-manage-updates-wufb.md @@ -132,5 +132,6 @@ or [Manage Windows 10 updates using System Center Configuration Manager](waas-ma - [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) - [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) - [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) +- [Manage device restarts after updates](waas-restart.md) diff --git a/windows/manage/waas-mobile-updates.md b/windows/manage/waas-mobile-updates.md index 615e3ec321..f87eb7c461 100644 --- a/windows/manage/waas-mobile-updates.md +++ b/windows/manage/waas-mobile-updates.md @@ -75,6 +75,7 @@ If a device running Windows 10 Mobile Enterprise, version 1511, has Windows Upda - [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) - [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) - [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) +- [Manage device restarts after updates](waas-restart.md) diff --git a/windows/manage/waas-optimize-windows-10-updates.md b/windows/manage/waas-optimize-windows-10-updates.md index e094d5389a..20c26545c4 100644 --- a/windows/manage/waas-optimize-windows-10-updates.md +++ b/windows/manage/waas-optimize-windows-10-updates.md @@ -70,5 +70,6 @@ or [Manage Windows 10 updates using System Center Configuration Manager](waas-ma - [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) - [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) - [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) +- [Manage device restarts after updates](waas-restart.md) diff --git a/windows/manage/waas-overview.md b/windows/manage/waas-overview.md index 03729bd0a4..1a27b6ce30 100644 --- a/windows/manage/waas-overview.md +++ b/windows/manage/waas-overview.md @@ -177,6 +177,7 @@ or [Manage Windows 10 updates using System Center Configuration Manager](waas-ma - [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) - [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) - [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) +- [Manage device restarts after updates](waas-restart.md) diff --git a/windows/manage/waas-restart.md b/windows/manage/waas-restart.md new file mode 100644 index 0000000000..adfad1657b --- /dev/null +++ b/windows/manage/waas-restart.md @@ -0,0 +1,90 @@ +--- +title: Manage device restarts after updates (Windows 10) +description: tbd +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerMS +localizationpriority: high +--- + +# Manage device restarts after updates + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +You can use Group Policy settings or mobile device management (MDM) to configure when devices will restart after a Windows 10 update is installed. You can schedule update installation and set policies for restart, configure active hours for when restarts will not occur, or you can do both. + +## Schedule update installation + +When you set the **Configure Automatic Updates** policy to **Auto download and schedule the install**, you also configure the day and time for installation or you specify that installation will occur during the automatic maintenance time (configured using **Computer Configuration\Administrative Templates\Windows Components\Maintenance Scheduler**). + +When **Configure Automatic Updates** is enabled, you can enable one of the following additional policies to manage device restart: + +- **Turn off auto-restart for updates during active hours** prevents automatic restart during active hours. +- **Always automatically restart at the scheduled time** forces a restart after the specified installation time and lets you configure a timer to warn a signed-in user that a restart is going to occur. +- **No auto-restart with logged on users for scheduled automatic updates installations** prevents automatic restart when a user is signed in. If a user schedules the restart in the update notification, the device will restart at the time the user specifies even if a user is signed in at the time. This policy only applies when **Configure Automatic Updates** is set to option **4-Auto download and schedule the install**. + +## Configure active hours + +You can configure active hours for devices without setting the **Configure Automatic Updates** policy. *Active hours* identify the period of time when you expect the device to be in use. Automatic restarts after an update will occur outside of the active hours. + +By default, active hours are from 8 AM to 5 PM on PCs and from 5 AM to 11 PM on phones. Users can change the active hours manually. Additionally, administrators can use Group Policy or MDM to set active hours for managed devices. + +To configure active hours using Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and open the **Turn off auto-restart for updates during active hours** policy setting. When the policy is enabled, you can set the start and end times for active hours. + +![Use Group Policy to configure active hours](images/waas-active-hours-policy.png) + +MDM uses the [Update/ActiveHoursStart and Update/ActiveHoursEnd](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_ActiveHoursEnd) settings in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to configure active hours. + +To configure active hours manually on a single device, go to **Settings** > **Update & security** > **Windows Update** and select **Change active hours**. + +![Change active hours](images/waas-active-hours.png) + +## Limit restart delays + +After an update is installed, Windows 10 attemtps automatic restart outside of active hours. If the restart does not succeed after 7 days (by default), the user will see a notification that restart is required. You can use the **Specify deadline before auto-restart for update installation** policy to change the delay from 7 days to a number of days between 2 and 14. + +## Group Policy settings for restart + +In the Group Policy editor, you will see a number of policy settings that pertain to restart behavior in **Computer Configuration\Administrative Templates\Windows Components\Windows Update**. The following table shows which policies apply to Windows 10. + +| Policy | Applies to Windows 10 | Notes | +| --- | --- | --- | +| Turn off auto-restart for updates during active hours | ![yes](images/checkmark.png) | Use this policy to configure active hours, during which the device will not be restarted. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** or **Always automatically restart at the scheduled time** policies are enabled. | +| Always automatically restart at the scheduled time | ![yes](images/checkmark.png) | Use this policy to configure a restart timer (between 15 and 180 minutes) that will start immediately after Windows Update installs important updates. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** policy is enabled. | +| Specify deadline before auto-restart for update installation | ![yes](images/checkmark.png) | Use this policy to specify how many days (between 2 and 14) an automatic restart can be delayed. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** or **Always automatically restart at the scheduled time** policies are enabled. | +| No auto-restart with logged on users for scheduled automatic updates installations | ![yes](images/checkmark.png) | Use this policy to prevent automatic restart when a user is logged on. This policy applies only when the **Configure Automatic Updates** policy is configured to perform scheduled installations of updates.
There is no equivalent MDM policy setting for Windows 10 Mobile. | +| Re-prompt for restart with scheduled installations | ![no](images/crossmark.png) | | +| Delay Restart for scheduled installations | ![no](images/crossmark.png) | | +| Reschedule Automatic Updates scheduled installations | ![no](images/crossmark.png) | | + +>[!NOTE] +>If you set conflicting restart policies, the actual restart behavior may not be what you expected. + + + + + +## Related topics + +- [Update Windows 10 in the enterprise](waas-update-windows-10.md) +- [Overview of Windows as a service](waas-overview.md) +- [Manage updates for Windows 10 Mobile Enterprise](waas-mobile-updates.md) +- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) +- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) +- [Configure Windows Update for Business](waas-configure-wufb.md) +- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) +- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) +- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) + + + + + + + + diff --git a/windows/manage/waas-servicing-branches-windows-10-updates.md b/windows/manage/waas-servicing-branches-windows-10-updates.md index 56bade4088..951dbf5b2a 100644 --- a/windows/manage/waas-servicing-branches-windows-10-updates.md +++ b/windows/manage/waas-servicing-branches-windows-10-updates.md @@ -25,7 +25,8 @@ Current Branch is the default servicing branch for all Windows 10 devices except | --- | --- | --- | --- | --- | | Home | ![yes](images/checkmark.png) | ![no](images/crossmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) | | Pro | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) | -| Enterprise | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | +| Enterprise | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) | +| Enterprise LTSB | ![no](images/crossmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) | ![no](images/crossmark.png) | | Pro Education | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) | | Education | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) | | Mobile | ![yes](images/checkmark.png) | ![no](images/crossmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) | @@ -124,5 +125,6 @@ or [Manage Windows 10 updates using System Center Configuration Manager](waas-ma - [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) - [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) - [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) +- [Manage device restarts after updates](waas-restart.md) diff --git a/windows/manage/waas-servicing-strategy-windows-10-updates.md b/windows/manage/waas-servicing-strategy-windows-10-updates.md index aa4a14694e..3d0c53d0b5 100644 --- a/windows/manage/waas-servicing-strategy-windows-10-updates.md +++ b/windows/manage/waas-servicing-strategy-windows-10-updates.md @@ -65,3 +65,4 @@ or [Manage Windows 10 updates using System Center Configuration Manager](waas-ma - [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) - [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) - [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) +- [Manage device restarts after updates](waas-restart.md) diff --git a/windows/manage/waas-update-windows-10.md b/windows/manage/waas-update-windows-10.md index 210676c642..459edddd80 100644 --- a/windows/manage/waas-update-windows-10.md +++ b/windows/manage/waas-update-windows-10.md @@ -34,6 +34,7 @@ Windows as a service provides a new way to think about building, deploying, and | [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md) | Explains how to use Windows Update for Business to manage when devices receive updates directly from Windows Update. Includes walkthroughs for configuring Windows Update for Business using Group Policy and Microsoft Intune. | | [Manage Windows 10 updates using Windows Server Update Services (WSUS)](waas-manage-updates-wsus.md) | Explains how to use WSUS to manage Windows 10 updates. | | [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) | Explains how to use Configuration Manager to manage Windows 10 updates. | +| [Manage device restarts after updates](waas-restart.md) | Explains how to use Group Policy to manage device restarts. | >[!TIP] >Windows servicing is changing, but for disaster recovery scenarios and bare-metal deployments of Windows 10, you still can use traditional imaging software such as System Center Configuration Manager or the Microsoft Deployment Toolkit. Using these tools to deploy Windows 10 images is similar to deploying previous versions of Windows. @@ -52,3 +53,4 @@ Windows as a service provides a new way to think about building, deploying, and + diff --git a/windows/manage/waas-wufb-group-policy.md b/windows/manage/waas-wufb-group-policy.md index 9d5bf8c874..952e283c6a 100644 --- a/windows/manage/waas-wufb-group-policy.md +++ b/windows/manage/waas-wufb-group-policy.md @@ -345,4 +345,5 @@ The **Ring 3 Broad IT** deployment ring has now been configured. Finally, config - [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) - [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) - [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) -- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) \ No newline at end of file +- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) +- [Manage device restarts after updates](waas-restart.md) \ No newline at end of file diff --git a/windows/manage/waas-wufb-intune.md b/windows/manage/waas-wufb-intune.md index 8ce9bae60a..be4b721572 100644 --- a/windows/manage/waas-wufb-intune.md +++ b/windows/manage/waas-wufb-intune.md @@ -268,6 +268,7 @@ You have now configured the **Ring 3 Broad IT** deployment ring to receive CBB f - [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) - [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) - [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) +- [Manage device restarts after updates](waas-restart.md) diff --git a/windows/whats-new/security.md b/windows/whats-new/security.md index f2d45edd95..4cf480e9d7 100644 --- a/windows/whats-new/security.md +++ b/windows/whats-new/security.md @@ -10,8 +10,8 @@ ms.pagetype: security author: TrudyHa --- - # What's new in Windows 10 security + There are several key client security improvements Microsoft has made in Windows 10. These improvements focus on three key areas — threat resistance, information protection, and identity protection and access control. In addition to an overview of the features themselves, this article discusses the hardware requirements for each new feature and offers configuration recommendations and links to more detailed resources. Microsoft designed the Windows 10 operating system to be the most secure version of the Windows operating system to date. To achieve this goal, Windows 10 employs advanced and now widely available hardware features to help protect users and devices against modern cyber threats. With thousands of new malware variants discovered daily and malicious hacking techniques evolving rapidly, never before has Windows client security been more important. In Windows 10, organizations can deploy new threat-resistant security features that harden the operating system in ways that can benefit Bring Your Own Device (BYOD) and corporate-owned device scenarios, as well as devices for special use cases, such as kiosks, ATMs, and point-of-sale (PoS) systems. These new threat-resistant features are modular—that is, they’re designed to be deployed together, although you can also implement them individually. With all these new features enabled together, organizations can protect themselves immediately against a majority of today’s most sophisticated threats and malware. @@ -26,26 +26,27 @@ Today’s security threat landscape is one of aggressive and tenacious threats. Windows 10 introduces several new security features that help mitigate modern threats and protect organizations against cyber attackers, regardless of their motive. Microsoft has made significant investments in Windows 10 to make it the most malware-resistant Windows operating system to date. Rather than simply adding defenses to the operating system, as was the case in previous Windows releases, Microsoft introduces architectural changes in Windows 10 that address entire classes of threats. By fundamentally changing the way the operating system works, Microsoft seeks to make Windows 10 much more difficult for modern attackers to exploit. New features in Windows 10 include Device Guard, configurable code integrity, virtualization-based security (VBS), and improvements to Windows Defender, to name just a few. By enabling all these new features together, organizations can immediately protect themselves against the types of malware responsible for approximately 95 percent of modern attacks. -### Virtualization-based security +### Virtualization-based security In the server world, virtualization technologies like Microsoft Hyper-V have proven extremely effective in isolating and protecting virtual machines (VMs) in the data center. Now, with those virtualization capabilities becoming more pervasive in modern client devices, there is an incredible opportunity for new Windows client security scenarios. Windows 10 can use virtualization technology to isolate core operating system services in a segregated, virtualized environment, similar to a VM. This additional level of protection, called virtualization-based security, ensures that no one can manipulate those services, even if the kernel mode of the host operating system is compromised. Just like with client Hyper-V, Windows itself can now take advantage of processors equipped with second-level address translation (SLAT) technology and virtualization extensions, such as Intel Virtualization Technology (VT) x and AMD V, to create a secure execution environment for sensitive Windows functions and data. This VBS environment protects the following services: -- **Hypervisor Code Integrity (HVCI).** The HVCI service in Windows 10 determines whether code executing in kernel mode is securely designed and trustworthy. It offers Zero Day and vulnerability exploit protection capabilities by ensuring that all software running in kernel mode, including drivers, securely allocate memory and operate as they are intended. In Windows 10, kernel mode code integrity is configurable, which allows organizations to scope preboot code execution to their desired configuration. For more information about configurable code integrity in Windows 10, see the [Configurable code integrity](#config-code) section. -- **Local Security Authority (LSA).** The LSA service in Windows manages authentication operations, including NT LAN Manager (NTLM) and Kerberos mechanisms. In Windows 10, the Credential Guard feature isolates a portion of this service and helps mitigate the pass-the-hash and pass-the-ticket techniques by protecting domain credentials. In addition to logon credentials, this protection is extended to credentials stored within Credential Manager. For more information about Credential Guard, see the [Credential Guard](#credential-guard) section. -**Note**   +- **Hypervisor Code Integrity (HVCI).** The HVCI service in Windows 10 determines whether code executing in kernel mode is securely designed and trustworthy. It offers Zero Day and vulnerability exploit protection capabilities by ensuring that all software running in kernel mode, including drivers, securely allocate memory and operate as they are intended. In Windows 10, kernel mode code integrity is configurable, which allows organizations to scope preboot code execution to their desired configuration. For more information about configurable code integrity in Windows 10, see the [Configurable code integrity](#configurable-code-integrity) section. +- **Local Security Authority (LSA).** The LSA service in Windows manages authentication operations, including NT LAN Manager (NTLM) and Kerberos mechanisms. In Windows 10, the Credential Guard feature isolates a portion of this service and helps mitigate the pass-the-hash and pass-the-ticket techniques by protecting domain credentials. In addition to logon credentials, this protection is extended to credentials stored within Credential Manager. For more information about Credential Guard, see the [Credential Guard](#credential-guard) section. + +**Note**
To determine whether virtualization is supported for a client machine model, simply run **systeminfo** from a command prompt window.   VBS provides the core framework for some of the most impactful mitigations Windows 10 offers. Having client machines within your organization that can employ this functionality is crucial to modern threat resistance. For more information about the specific hardware features that each Windows 10 feature requires, including VBS, see the [Windows 10 hardware considerations](#hardware) section. ### Device Guard -Microsoft Device Guard is a feature set that combines system integrity–hardening features that revolutionize Windows security by taking advantage of new VBS options to protect the system core and a trust-nothing model often seen in mobile operating systems. This feature set takes advantage of the best preexisting Windows hardening features (for example, Unified Extensible Firmware Interface \[UEFI\] Secure Boot, Windows Trusted Boot), and then combines them with powerful new app control features like the VBS-powered HVCI service and configurable code integrity, which together help prevent vulnerability exploits and unauthorized apps from running on the device in both user and kernel modes. For more information about VBS in Windows 10 and the additional features that use it, see the [Virtualization-based security](#virtualization-security) section. For more information about configurable code integrity, see the [Configurable code integrity](#config-code) section. +Microsoft Device Guard is a feature set that combines system integrity–hardening features that revolutionize Windows security by taking advantage of new VBS options to protect the system core and a trust-nothing model often seen in mobile operating systems. This feature set takes advantage of the best preexisting Windows hardening features (for example, Unified Extensible Firmware Interface \[UEFI\] Secure Boot, Windows Trusted Boot), and then combines them with powerful new app control features like the VBS-powered HVCI service and configurable code integrity, which together help prevent vulnerability exploits and unauthorized apps from running on the device in both user and kernel modes. For more information about VBS in Windows 10 and the additional features that use it, see the [Virtualization-based security](#virtualization-based-security) section. For more information about configurable code integrity, see the [Configurable code integrity](#configurable-code-integrity) section. Although Microsoft intends the Device Guard feature set to run alongside new Windows security features such as Credential Guard, it can run independently. Depending on your organization’s client resources, you can selectively choose which features make sense for your environment and device compatibility. For information about the hardware requirements for Device Guard and other Windows 10 security features, see the [Windows 10 hardware considerations](#hardware) section. For more information about Credential Guard, see the [Credential Guard](#credential-guard) section. -For most organizations, implementing specific Device Guard functionality will depend on the role of the device and its primary user, employing more features on single-workload devices, such as kiosks, and fewer features on administrative machines over which users are allowed full control. By using this model, IT organizations can categorize users into groups that align with Device Guard security policies relating to device security and code integrity restrictions. For more information about configurable code integrity, see the [Configurable code integrity](#config-code) section. +For most organizations, implementing specific Device Guard functionality will depend on the role of the device and its primary user, employing more features on single-workload devices, such as kiosks, and fewer features on administrative machines over which users are allowed full control. By using this model, IT organizations can categorize users into groups that align with Device Guard security policies relating to device security and code integrity restrictions. For more information about configurable code integrity, see the [Configurable code integrity](#configurable-code-integrity) section. New desktops and laptops will be available to expedite your Device Guard implementation efforts. Device Guard-ready devices will require the least amount of physical interaction with the actual device before it’s ready for use. @@ -56,19 +57,19 @@ Going forward, all devices will fall into one of the following three categories: For more information about how to prepare for, manage, and deploy Device Guard, see the [Device Guard deployment guide](../keep-secure/device-guard-deployment-guide.md). -### Configurable code integrity +### Configurable code integrity *Code integrity* is the Windows component that verifies that the code Windows is running is trusted and safe. Like the operating modes found in Windows itself, Windows code integrity contains two primary components: kernel mode code integrity (KMCI) and user mode code integrity (UMCI). Microsoft has used KMCI in recent versions of Windows to prevent the Windows kernel from executing unsigned drivers. Although this approach is effective, drivers aren’t the only route malware can take to penetrate the operating system’s kernel mode space. So, for Windows 10, Microsoft has raised the standard for kernel mode code out of the box by requiring the use of security best practices regarding memory management and has provided enterprises with a way to set their own UMCI and KMCI standards. Historically, UMCI has been available only for Windows RT and Windows Phone devices, which made it difficult for attackers to infect such devices with viruses and malware. This reduced infection rate results from the way the operating system determines which code to execute. Natively, binaries follow a process to prove to the operating system that they are trustworthy before the operating system allows them to execute. This process is intended to restrict the execution of arbitrary code and thereby decrease the risk of malware infection. This successful trust-nothing operating system model is now available in Windows 10 through a feature called *configurable code integrity*. Configurable code integrity allows IT organizations to create and deploy code integrity policies that stipulate exactly which binaries can run in their environment. Administrators can manage this trust at a certification authority or publisher level down to the individual hash values for each executed binary. This level of customization allows organizations to create policies that are as restrictive as they desire. In addition, organizations can choose to provide different levels of restriction for certain types of machines. For example, fixed-workload devices such as kiosks and PoS systems would likely receive a strict policy, because their purpose is to provide the same service day after day. Administrators can manage devices that have more variable workloads, such as users’ PCs, at a higher level, providing certain software publishers’ applications for installation or aligning those devices with the organization’s software catalog. -**Note**   +**Note**
Configurable code integrity is not intended to replace technologies that allow or block programs such as AppLocker or an organization’s antivirus software. Rather, it complements such technologies by establishing a baseline of security, and then using those additional technologies to fine-tune client security.   Configurable code integrity is not limited to Windows Store applications. In fact, it is not even limited to existing signed applications. Windows 10 gives you a way to sign line-of-business or third-party applications without having to repackage them: you can monitor the application’s installation and initial execution to create a list of binaries called a catalog file. When created, you sign these catalog files and add the signing certificate to the code integrity policy so that those binaries contained within the catalog files are allowed to execute. Then, you can use Group Policy, Configuration Manager, or any other familiar management tool to distribute these catalog files to your client machines. Historically, most malware has been unsigned; simply by deploying code integrity policies, your organization can immediately protect itself against unsigned malware, which is responsible for most modern attacks. -**Note**   +**Note**
For detailed deployment and planning information about configurable code integrity, see the [Device Guard deployment guide](../keep-secure/device-guard-deployment-guide.md).   The process to create, test, and deploy a code integrity policy is as follows: @@ -78,7 +79,7 @@ The process to create, test, and deploy a code integrity policy is as follows: 4. **Enforce and sign the policy.** After you create, audit, and merge the resulting code integrity policies, it’s time to enforce your policy. To do so, run the **Set-RuleOption** cmdlet to remove the **Unsigned Policy** rule. When enforced, no binaries that are exceptions to the policy will be allowed to run. In addition to enforcing a policy, signed policies offer an additional level of protection. Signed code integrity policies inherently protect themselves against manipulation and deletion, even by administrators. 5. **Deploy the code integrity policy.** When you have enforced and optionally signed your code integrity policy, it’s ready for deployment. To deploy your code integrity policies, you can use Microsoft client management technologies, mobile device management solutions, or Group Policy, or you can simply copy the file to the correct location on your client computers. For Group Policy deployment, a new administrative template is available in Windows 10 and the Windows Server 2016 operating system to simplify the deployment process. -**Note**   +**Note**
Configurable code integrity is available in Windows 10 Enterprise and Windows 10 Education.   You can enable configurable code integrity as part of a Device Guard deployment or as a stand-alone component. In addition, you can run configurable code integrity on hardware that is compatible with the Windows 7 operating system, even if such hardware is not Device Guard ready. Code integrity policies can align with an existing application catalog, existing corporate imaging strategy, or with any other method that provides the organization’s desired levels of restriction. For more information about configurable code integrity with Device Guard, see the [Device Guard deployment guide](../keep-secure/device-guard-deployment-guide.md). @@ -96,6 +97,7 @@ Measured Boot by itself does not prevent malware from loading during the startup For Windows 10, Microsoft has revamped Windows Defender and combined it with Microsoft System Center Endpoint Protection. Unlike with Microsoft System Center 2012 R2, there will be no System Center Endpoint Protection client to deploy to Windows 10 machines because Windows Defender is built into the operating system and enabled by default. In addition to simplified deployment, Windows Defender contains several improvements. The most important improvements to Windows Defender are: + - **Early Launch Antimalware (ELAM) compatible.** After Secure Boot has verified that the loading operating system is trusted, ELAM can start a registered and signed antimalware application before any other operating system components. Windows Defender is compatible with ELAM. - **Local context for detections and centralized sensory data.** Unlike most antimalware software and previous versions of Windows Defender, Windows Defender in Windows 10 reports additional information about the context of discovered threats. This information includes the source of the content that contains the threat as well as the historical movement of the malware throughout the system. When collection is complete, Windows Defender reports this information (when users elect to enable cloud-based protection) and uses it to mitigate threats more quickly. - **User Account Control (UAC) integration.** Windows Defender is now closely integrated with the UAC mechanism in Windows 10. Whenever a UAC request is made, Windows Defender automatically scans the threat before prompting the user, which helps prevent users from providing elevated privileges to malware. @@ -103,19 +105,19 @@ In addition to simplified deployment, Windows Defender contains several improvem ## Information protection -Protecting the integrity of company data as well as preventing the inappropriate disclosure and sharing of that data are a top priority for IT organizations. Trends like BYOD and mobility make the task of information protection more challenging than ever before. Windows 10 includes several improvements to built-in information protection, including a new Enterprise Data Protection (EDP) feature that offers DLP capability. This feature allows an organizations’ users to classify data themselves and gives you the ability to automatically classify data as it ingresses from business resources. It can also help prevent users from copying business content to unauthorized locations such as personal documents or websites. +Protecting the integrity of company data as well as preventing the inappropriate disclosure and sharing of that data are a top priority for IT organizations. Trends like BYOD and mobility make the task of information protection more challenging than ever before. Windows 10 includes several improvements to built-in information protection, including a new Windows Information Protection (WIP) feature that offers DLP capability. This feature allows an organizations’ users to classify data themselves and gives you the ability to automatically classify data as it ingresses from business resources. It can also help prevent users from copying business content to unauthorized locations such as personal documents or websites. -Unlike some current DLP solutions, EDP does not require users to switch modes or apps or work within containers to protect data, and the protection happens behind the scenes without altering the user experience that your users have grown accustomed to in Windows. For more information about EDP in Windows 10, see the [Enterprise Data Protection](#enterprise) section. +Unlike some current DLP solutions, WIP does not require users to switch modes or apps or work within containers to protect data, and the protection happens behind the scenes without altering the user experience that your users have grown accustomed to in Windows. For more information about WIP in Windows 10, see the [Windows Information Protection](#windows-information-protection) section. -In addition to EDP, Microsoft has made substantial improvements to BitLocker, including simplified manageability through Microsoft BitLocker Administration and Monitoring (MBAM), used-space-only encryption, and single sign-on (SSO) capability. For more information about BitLocker improvements in Windows 10, see the [Improvements to BitLocker](#bitlocker) section. +In addition to WIP, Microsoft has made substantial improvements to BitLocker, including simplified manageability through Microsoft BitLocker Administration and Monitoring (MBAM), used-space-only encryption, and single sign-on (SSO) capability. For more information about BitLocker improvements in Windows 10, see the [Improvements in BitLocker](#bitlocker) section. -### Enterprise Data Protection +### Windows Information Protection -DLP systems are intended to protect sensitive corporate data through encryption and managed use while the data is in use, in motion, or at rest. Traditional DLP software is typically invasive and frustrating for users and can be complicated for administrators to configure and deploy. Windows 10 now includes an EDP feature that offers DLP capabilities and is built in and simple to use. This solution gives you the flexibility to define policies that will help determine what kind of data to protect as business data and what should be considered personal. Based on these policies, you can also choose what to do, either automatically or manually, whenever you suspect that data is about to be or has been compromised. For example, if an employee has a personal but managed device that contains business data, an IT organization could block that user from copying and pasting business data to nonbusiness documents and locations or could even selectively wipe the business data from the device at any time without affecting the personal data on the device. +DLP systems are intended to protect sensitive corporate data through encryption and managed use while the data is in use, in motion, or at rest. Traditional DLP software is typically invasive and frustrating for users and can be complicated for administrators to configure and deploy. Windows 10 now includes a Windows Information Protection (WIP) feature that offers DLP capabilities and is built in and simple to use. This solution gives you the flexibility to define policies that will help determine what kind of data to protect as business data and what should be considered personal. Based on these policies, you can also choose what to do, either automatically or manually, whenever you suspect that data is about to be or has been compromised. For example, if an employee has a personal but managed device that contains business data, an IT organization could block that user from copying and pasting business data to nonbusiness documents and locations or could even selectively wipe the business data from the device at any time without affecting the personal data on the device. -You can configure EDP policies to encrypt and protect files automatically based on the network source from which the content was acquired, such as an email server, file share, or a Microsoft SharePoint site. The policies can work with on-premises resources as well as those that originate from the Internet. When specified, any data retrieved from internal network resources will always be protected as business data; even if that data is copied to portable storage, such as a flash drive or CD, the protection remains. In an effort to allow easy corrections of misclassified data, users who feel that EDP has incorrectly protected their personal data can modify the data’s classification. When such a modification occurs, you have access to audit data on the client machine. You can also use a policy to prevent users from reclassifying data. The EDP feature in Windows 10 also includes policy controls that allow you to define which apps have access to business data and even which have access to the corporate virtual private network (VPN). +You can configure WIP policies to encrypt and protect files automatically based on the network source from which the content was acquired, such as an email server, file share, or a Microsoft SharePoint site. The policies can work with on-premises resources as well as those that originate from the Internet. When specified, any data retrieved from internal network resources will always be protected as business data; even if that data is copied to portable storage, such as a flash drive or CD, the protection remains. In an effort to allow easy corrections of misclassified data, users who feel that WIP has incorrectly protected their personal data can modify the data’s classification. When such a modification occurs, you have access to audit data on the client machine. You can also use a policy to prevent users from reclassifying data. The WIP feature in Windows 10 also includes policy controls that allow you to define which apps have access to business data and even which have access to the corporate virtual private network (VPN). -To manage EDP, you use the same system management tools you probably already use to manage your Windows client computers, such as Configuration Manager and Intune. For more information about EDP, see [Enterprise data protection (EDP) overview](edp-whats-new-overview.md). +To manage WIP, you use the same system management tools you probably already use to manage your Windows client computers, such as Configuration Manager and Intune. For more information about WIP, see [Protect your enterprise data using Windows Information Protection](https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip). ### Improvements in BitLocker @@ -162,8 +164,9 @@ Pass the hash is the most commonly used derived credential attack today. This at Credential Guard is another new feature in Windows 10 Enterprise that employs VBS to protect domain credentials against theft, even when the host operating system is compromised. To achieve such protection, Credential Guard isolates a portion of the LSA service, which is responsible for managing authentication, inside a virtualized container. This container is similar to a VM running on a hypervisor but is extremely lightweight and contains only those files and components required to operate the LSA and other isolated services. By isolating a portion of the LSA service within this virtualized environment, credentials are protected even if the system kernel is compromised, removing the attack vector for pass the hash. -For more information about the hardware requirements for Credential Guard, see the [Windows 10 hardware considerations](#hardware) section. For more information about VBS in Windows 10, see the [Virtualization-based security](#virtualization-security) section. -**Note**   +For more information about the hardware requirements for Credential Guard, see the [Windows 10 hardware considerations](#hardware) section. For more information about VBS in Windows 10, see the [Virtualization-based security](#virtualization-based-security) section. + +**Note**
Because it requires isolated user mode and a Hyper-V hypervisor, you cannot configure Credential Guard on a VM, only on a physical computer.   The Credential Guard feature is targeted at resisting the use of pass-the-hash and pass-the-ticket techniques. By employing a MFA option such as Microsoft Passport with Credential Guard, you can gain additional protection against such threats. For more in-depth information about how Credential Guard works and the specific mitigations it provides, see [Protect derived domain credentials with Credential Guard](../keep-secure/credential-guard.md). @@ -171,6 +174,7 @@ The Credential Guard feature is targeted at resisting the use of pass-the-hash a ## Windows 10 hardware considerations Most of the features this article describes rely on specific hardware to maximize their capabilities. By purchasing hardware that includes these features during your next purchase cycle, you will be able to take advantage of the most comprehensive client security package Windows 10 has to offer. Careful consideration about which hardware vendor and specific models to purchase is vital to the success of your organization’s client security portfolio. Table 1 contains a list of each new Windows 10 security feature and its hardware requirements. + Table 1. Windows 10 hardware requirements | Windows 10 feature | TPM | Input/output memory management unit | Virtualization extensions | SLAT | UEFI 2.3.1 | x64 architecture only | @@ -186,15 +190,15 @@ Table 1. Windows 10 hardware requirements | Device health attestation through Measured Boot | Y\* | N | N | N | Y | Y |   \* Requires use of TPM 2.0. -**Note**   + +**Note**
In this table, **R** stands for *recommended*, **Y** means that the hardware component is *required* for that Windows 10 feature, and **N** means that the hardware component is *not used* with that Windows 10 feature.   ## Related topics -[Windows 10 Specifications](https://go.microsoft.com/fwlink/p/?LinkId=717550) -[Making Windows 10 More Personal and More Secure with Windows Hello](https://go.microsoft.com/fwlink/p/?LinkId=717551) -[Protect BitLocker from pre-boot attacks](../keep-secure/protect-bitlocker-from-pre-boot-attacks.md) -[BitLocker Countermeasures](../keep-secure/bitlocker-countermeasures.md) -[Device Guard deployment guide](../keep-secure/device-guard-deployment-guide.md) -[Protect derived domain credentials with Credential Guard](../keep-secure/credential-guard.md) -  -  + +- [Windows 10 Specifications](https://go.microsoft.com/fwlink/p/?LinkId=717550) +- [Making Windows 10 More Personal and More Secure with Windows Hello](https://go.microsoft.com/fwlink/p/?LinkId=717551) +- [Protect BitLocker from pre-boot attacks](../keep-secure/protect-bitlocker-from-pre-boot-attacks.md) +- [BitLocker Countermeasures](../keep-secure/bitlocker-countermeasures.md) +- [Device Guard deployment guide](../keep-secure/device-guard-deployment-guide.md) +- [Protect derived domain credentials with Credential Guard](../keep-secure/credential-guard.md)