deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-15 10:23:37 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'refs/remotes/origin/master' into rs1

Browse Source 
# Conflicts:
#	windows/deploy/index.md
This commit is contained in:
jdeckerMS
2016-06-27 07:07:28 -07:00
parent a465c8d3d8 58aa1c9fcb
commit 684d151a07
20 changed files with 596 additions and 71 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
windows/deploy/TOC.md
View File

@ -35,6 +35,7 @@
## [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
## [Upgrade to Windows 10 with System Center Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md)
## [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md)
## [Windows 10 upgrade paths](windows-10-upgrade-paths.md)
## [Windows 10 edition upgrade](windows-10-edition-upgrades.md)
## [Provision PCs with common settings for initial deployment](provision-pcs-for-initial-deployment.md)
## [Provision PCs with apps and certificates for initial deployments](provision-pcs-with-apps-and-certificates.md)

3
windows/deploy/change-history-for-deploy-windows-10.md
View File

@ -15,7 +15,8 @@ This topic lists new and updated topics in the [Deploy Windows 10](index.md) doc
| New or changed topic | Description |
|----------------------|-------------|
| [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) | New |
| [User State Migration Tool Technical Reference](usmt-technical-reference.md) | Updated |
| [User State Migration Tool Technical Reference](usmt-technical-reference.md) | Updated support statement for Office 2016 |
| [Windows 10 upgrade paths](windows-10-upgrade-paths.md) | New |
## May 2016
| New or changed topic | Description |

BIN
windows/deploy/images/check_grn.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 20 KiB

BIN
windows/deploy/images/x_blk.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 20 KiB

14
windows/deploy/windows-10-edition-upgrades.md
View File

@ -15,17 +15,17 @@ author: greg-lindsay
- Windows 10
- Windows 10 Mobile
With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. For information on what edition of Windows 10 is right for you, see [Compare Windows 10 Editions](http://go.microsoft.com/fwlink/p/?LinkID=690882).
With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. For information on what edition of Windows 10 is right for you, see [Compare Windows 10 Editions](http://go.microsoft.com/fwlink/p/?LinkID=690882). For a comprehensive list of all possible upgrade paths to Windows 10, see [Windows 10 upgrade paths](windows-10-upgrade-paths.md).
The following table shows the methods you can use to upgrade editions of Windows 10.
The following table shows the methods and paths available to change the edition of Windows 10 that is running on your computer.
|Method |Home > Pro |Home > Education |Pro > Education |Pro > Enterprise |Ent > Education |Mobile > Mobile Enterprise |
|-------|-----------|-----------------|----------------|-----------------|----------------|--------|
| Using mobile device management (MDM) |![unsupported](images/crossmark.png) |![supported](images/checkmark.png) |![supported](images/checkmark.png) |![supported](images/checkmark.png) |![supported](images/checkmark.png) |![supported](images/checkmark.png) |
| Using a provisioning package |![unsupported](images/crossmark.png) |![supported](images/checkmark.png) |![supported](images/checkmark.png) |![supported](images/checkmark.png) |![supported](images/checkmark.png) |![supported](images/checkmark.png) |
| Using a command-line tool |![unsupported](images/crossmark.png) |![supported](images/checkmark.png) |![supported](images/checkmark.png) |![supported](images/checkmark.png) |![supported](images/checkmark.png) |![unsupported](images/crossmark.png) |
| Entering a product key manually |![supported](images/checkmark.png) |![supported](images/checkmark.png) |![supported](images/checkmark.png) |![supported](images/checkmark.png) |![supported](images/checkmark.png) |![unsupported](images/crossmark.png) |
| Purchasing a license from the Windows Store |![supported](images/checkmark.png) |![unsupported](images/crossmark.png) |![unsupported](images/crossmark.png) |![unsupported](images/crossmark.png) |![unsupported](images/crossmark.png) |![unsupported](images/crossmark.png) |
| Using mobile device management (MDM) |![unsupported](images/x_blk.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |
| Using a provisioning package |![unsupported](images/x_blk.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |
| Using a command-line tool |![unsupported](images/x_blk.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![unsupported](images/x_blk.png) |
| Entering a product key manually |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![unsupported](images/x_blk.png) |
| Purchasing a license from the Windows Store |![supported](images/check_grn.png) |![unsupported](images/x_blk.png) |![unsupported](images/x_blk.png) |![unsupported](images/x_blk.png) |![unsupported](images/x_blk.png) |![unsupported](images/x_blk.png) |
**Note**<br>Each desktop edition in the table also has an N and KN edition. These editions have had media-related functionality removed. Devices with N or KN editions installed can be upgraded to corresponding N or KN editions using the same methods.

416
windows/deploy/windows-10-upgrade-paths.md Normal file
View File

@ -0,0 +1,416 @@
---
title: Windows 10 upgrade paths (Windows 10)
description: You can upgrade to Windows 10 from a previous version of Windows, providing the upgrade path is supported.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: mobile
author: greg-lindsay
---
# Windows 10 upgrade paths
**Applies to**
- Windows 10
- Windows 10 Mobile
## Upgrade paths
This topic provides a summary of available upgrade paths to Windows 10. You can upgrade to Windows 10 from Windows 7 or a later operating system. This includes upgrading from one release of Windows 10 to later release of Windows 10. Migrating from one edition of Windows 10 to a different edition of the same release is also supported. For more information about migrating to a different edition of Windows 10, see [Windows 10 edition upgrade](windows-10-edition-upgrades.md).
>**Windows N/KN**: Windows "N" and "KN" editions follow the same upgrade paths shown below. If the pre-upgrade and post-upgrade editions are not the same type (e.g. Windows 8.1 Pro N to Windows 10 Pro), personal data will be kept but applications and settings will be removed during the upgrade process.
>**Free upgrade**: Some upgrade paths qualify for a free upgrade using Windows Update. For a list of upgrade paths that are available as part of the free upgrade offer, see [Free upgrade paths](#Free-upgrade-paths).
✔ = Full upgrade is supported including personal data, settings, and applications.<BR>
D = Edition downgrade; personal data is maintained, applications and settings are removed.
<table border="1" cellpadding="3">
<tr>
<td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td>
<td></td>
<td>Windows 10 Home</td>
<td>Windows 10 Pro</td>
<td>Windows 10 Pro for Education</td>
<td>Windows 10 Education</td>
<td>Windows 10 Enterprise</td>
<td>Windows 10 Mobile</td>
<td>Windows 10 Mobile Enterprise</td>
</tr>
<tr>
<td rowspan="7" nowrap="nowrap">Windows 7</td>
</tr>
<tr>
<td>Starter</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Home Basic</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Home Premium</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Professional</td>
<td>D</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Ultimate</td>
<td>D</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Enterprise</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td rowspan="8" nowrap="nowrap">Windows 8</td>
</tr>
<tr>
<td>(Core)</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Professional</td>
<td>D</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Professional WMC</td>
<td>D</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Enterprise</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Embedded Industry</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Windows RT</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Windows Phone 8</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td rowspan="10" nowrap="nowrap">Windows 8.1</td>
</tr>
<tr>
<td>(Core)</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Connected</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Professional</td>
<td>D</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Professional Student</td>
<td>D</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Professional WMC</td>
<td>D</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Enterprise</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Embedded Industry</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Windows RT</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Windows Phone 8.1</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td rowspan="7" nowrap="nowrap">Windows 10</td>
</tr>
<tr>
<td>Home</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Professional</td>
<td>D</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Education</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td>D</td>
<td></td>
<td></td>
</tr>
<tr>
<td>Enterprise</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Mobile</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Mobile Enterprise</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
</table>
## Free upgrade paths
Windows 10 is offered as a free upgrade for the first year after launch of Windows 10, with the following restrictions:
- The offer expires on July 29th, 2016.
- The offer applies to devices connected to the Internet with Windows Update enabled.
- Upgrading to Windows 10 Pro requires a computer running the Pro or Ultimate version of Windows 7/8/8.1.
- Windows Phone 8.0 users must update to Windows 8.1 before upgrading to Windows 10 Mobile<sup>1</sup>.
- Editions that are excluded from the free upgrade offer include: Windows 7 Enterprise, Windows 8/8.1 Enterprise, and Windows RT/RT 8.1<sup>2</sup>.
><sup>1</sup>The availability of Windows 10 Mobile for Windows 8.1 devices will vary by device manufacturer, device model, country or region, mobile operator or service provider, hardware limitations, and other factors. For a list of eligible phones and important info about the upgrade and Windows 10 Mobile, see [Windows 10 specifications](http://windows.com/specsmobile).
><sup>2</sup>Active Software Assurance customers in volume licensing have the benefit to upgrade to Windows 10 Enterprise outside of this offer. Windows 10 is not supported on devices running the RT versions of Windows 8.
The following table summarizes the free upgrade paths to Windows 10. For a list of frequently asked questions about the free upgrade to Windows 10, see [Upgrade to Windows 10: FAQ](http://windows.microsoft.com/en-us/windows-10/upgrade-to-windows-10-faq).
<table border="1" cellpadding="3">
<tr>
<td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td>
<td>From</td>
<td>To</td>
</tr>
<tr>
<td BGCOLOR="#a0e4fa" colspan="3">Windows 7</td>
</tr>
<tr>
<td></td>
<td>Windows 7 Starter</td>
<td rowspan="3">Windows 10 Home</td>
</tr>
<tr>
<td>&nbsp;</td>
<td>Windows 7 Home Basic</td>
</tr>
<tr>
<td>&nbsp;</td>
<td>Windows 7 Home Premium</td>
</tr>
<tr>
<td></td>
<td>Windows 7 Professional</td>
<td rowspan="2">Windows 10 Pro</td>
</tr>
<tr>
<td>&nbsp;</td>
<td>Windows 7 Ultimate</td>
</tr>
<tr>
<td BGCOLOR="#a0e4fa" colspan="3">Windows 8/8.1</td>
</tr>
<tr>
<td></td>
<td>Windows Phone 8.1</td>
<td>Windows 10 Mobile</td>
</tr>
<tr>
<td></td>
<td>Windows 8/8.1</td>
<td>Windows 10 Home</td>
</tr>
<tr>
<td></td>
<td>Windows 8/8.1 Pro Professional</td>
<td rowspan="2">Windows 10 Pro</td>
</tr>
<tr>
<td>&nbsp;</td>
<td>Windows 8/8.1 Pro for Students</td>
</tr>
</table>
## Related Topics
[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)<BR>
[Windows upgrade and migration considerations](windows-upgrade-and-migration-considerations.md)
 
 

19
windows/deploy/windows-upgrade-and-migration-considerations.md
View File

@ -8,13 +8,13 @@ ms.sitesec: library
author: greg-lindsay
---
# Windows Upgrade and Migration Considerations
# Windows upgrade and migration considerations
Files and application settings can be migrated to new hardware running the Windows® operating system, or they can be maintained during an operating system upgrade on the same computer. This topic summarizes the Microsoft® tools you can use to move files and settings between installations in addition to special considerations for performing an upgrade or migration.
## Upgrade from a Previous Version of Windows
## Upgrade from a previous version of Windows
You can upgrade from an earlier version of Windows, which means you can install the new version of Windows and retain your applications, files, and settings as they were in your previous version of Windows. If you decide to perform a custom installation of Windows instead of an upgrade, your applications and settings will not be maintained. Your personal files, and all Windows files and directories, will be moved to a Windows.old folder. You can access your data in the Windows.old folder after Windows Setup is complete.
## Migrate Files and Settings
## Migrate files and settings
Migration tools are available to transfer settings from one computer that is running Windows to another. These tools transfer only the program settings, not the programs themselves.
For more information about application compatibility, see the [Application Compatibility Toolkit (ACT)](http://go.microsoft.com/fwlink/p/?LinkId=131349).
@ -29,13 +29,13 @@ With Windows Easy Transfer, files and settings can be transferred using a netwo
### Migrate with the User State Migration Tool
You can use USMT to automate migration during large deployments of the Windows operating system. USMT uses configurable migration rule (.xml) files to control exactly which user accounts, user files, operating system settings, and application settings are migrated and how they are migrated. You can use USMT for both *side-by-side* migrations, where one piece of hardware is being replaced, or *wipe-and-load* (or *refresh*) migrations, when only the operating system is being upgraded.
## Upgrade and Migration Considerations
## Upgrade and migration monsiderations
Whether you are upgrading or migrating to a new version of Windows, you must be aware of the following issues and considerations:
### Application Compatibility
### Application compatibility
For more information about application compatibility in Windows, see the [Application Compatibility Toolkit (ACT)](http://go.microsoft.com/fwlink/p/?LinkId=131349).
### Multilingual Windows Image Upgrades
### Multilingual Windows image upgrades
When performing multilingual Windows upgrades, cross-language upgrades are not supported by USMT. If you are upgrading or migrating an operating system with multiple language packs installed, you can upgrade or migrate only to the system default user interface (UI) language. For example, if English is the default but you have a Spanish language pack installed, you can upgrade or migrate only to English.
If you are using a single-language Windows image that matches the system default UI language of your multilingual operating system, the migration will work. However, all of the language packs will be removed, and you will have to reinstall them after the upgrade is completed.
@ -43,7 +43,7 @@ If you are using a single-language Windows image that matches the system default
### Errorhandler.cmd
When upgrading from an earlier version of Windows, if you intend to use Errorhandler.cmd, you must copy this file into the %WINDIR%\\Setup\\Scripts directory on the old installation. This makes sure that if there are errors during the down-level phase of Windows Setup, the commands in Errorhandler.cmd will run.
### Data Drive ACL Migration
### Data drive ACL migration
During the configuration pass of Windows Setup, the root access control list (ACL) on drives formatted for NTFS that do not appear to have an operating system will be changed to the default Windows XP ACL format. The ACLs on these drives are changed to enable authenticated users to modify access on folders and files.
Changing the ACLs may affect the performance of Windows Setup if the default Windows XP ACLs are applied to a partition with a large amount of data. Because of these performance concerns, you can change the following registry value to disable this feature:
@ -57,7 +57,10 @@ Value: "DDACLSys_Disabled" = 1
This feature is disabled if this registry key value exists and is configured to `1`.
## Related topics
- [User State Migration Tool (USMT) Overview Topics](usmt-topics.md)
[User State Migration Tool (USMT) Overview Topics](usmt-topics.md)<BR>
[Windows 10 upgrade paths](windows-10-upgrade-paths.md)<BR>
[Windows 10 edition upgrade](windows-10-edition-upgrades.md)
 

2
windows/keep-secure/TOC.md
View File

@ -28,6 +28,7 @@
#### [Testing scenarios for enterprise data protection (EDP)](testing-scenarios-for-edp.md)
## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md)
## [VPN profile options](vpn-profile-options.md)
## [Windows security baselines](windows-security-baselines.md)
## [Security technologies](security-technologies.md)
### [Access Control Overview](access-control.md)
#### [Dynamic Access Control Overview](dynamic-access-control.md)
@ -680,7 +681,6 @@
#### [Minimum requirements](minimum-requirements-windows-defender-advanced-threat-protection.md)
#### [Data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md)
#### [Onboard endpoints and set up access](onboard-configure-windows-defender-advanced-threat-protection.md)
<!--##### [Service onboarding](service-onboarding-windows-defender-advanced-threat-protection.md)-->
##### [Configure endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
##### [Configure proxy and Internet settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
##### [Additional configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md)

1
windows/keep-secure/change-history-for-keep-windows-10-secure.md
View File

@ -19,6 +19,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md
|[Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) |Added an update about needing to reconfigure your enterprise data protection app rules after delivery of the June service update. |
| [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md) (multiple topics) | New |
| [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) (mutiple topics) | New security monitoring reference topics |
| [Windows security baselines](windows-security-baselines.md) | New |
## May 2016

8
windows/keep-secure/device-guard-deployment-guide.md
View File

@ -752,7 +752,7 @@ To modify the policy rule options of an existing code integrity policy, use the
You can set several rule options within a code integrity policy. Table 2 lists each rule and its high-level meaning.
Table 2. Code integrity policy - policy rule options
#### Table 2. Code integrity policy - policy rule options
| Rule option | Description |
|------------ | ----------- |
@ -769,15 +769,15 @@ Table 2. Code integrity policy - policy rule options
| **10 Enabled:Boot Audit on Failure** | Used when the code integrity policy is in enforcement mode. When a driver fails during startup, the code integrity policy will be placed in audit mode so that Windows will load. Administrators can validate the reason for the failure in the CodeIntegrity event log. |
File rule levels allow administrators to specify the level at which they want to trust their applications. This level of trust could be as low as the hash of each binary and as high as a PCA certificate. File rule levels are specified both when you create a new code integrity policy from a scan and when you create a policy from audit events. In addition, to combine rule levels found in multiple policies, you can merge the policies. When merged, code integrity policies combine their file rules. Each file rule level has its benefit and disadvantage. Use Table 3 to select the appropriate protection level for your available administrative resources and Device Guard deployment scenario.
Table 3. Code integrity policy - file rule levels
#### Table 3. Code integrity policy - file rule levels
| Rule level | Description |
|----------- | ----------- |
| **Hash** | Specifies individual hash values for each discovered binary. Although this level is specific, it can cause additional administrative overhead to maintain the current product versions hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. |
| **FileName** | Specifies individual binary file names. Although the hash values for an application are modified when updated, the file names are typically not. This offers less specific security than the hash level but does not typically require a policy update when any binary is modified. |
| **SignedVersion** | This combines the publisher rule with a file version number. This option allows anything from the specified publisher, with a file version at or above the specified version number, to run. |
| **SignedVersion** | This combines the publisher rule with a version number. This option allows anything from the specified publisher, with a version at or above the specified version number, to run. |
| **Publisher** | This is a combination of the PCA certificate and the common name (CN) on the leaf certificate. In the scenario that a PCA certificate is used to sign multiple companies applications (such as VeriSign), this rule level allows organizations to trust the PCA certificate but only for the company whose name is on the leaf certificate (for example, Intel for device drivers). This level trusts a certificate with a long validity period but only when combined with a trusted leaf certificate. |
| **FilePublisher** | This is a combination of the publisher file rule level and the SignedVersion rule level. Any signed file from the trusted publisher that is the specified version or newer is trusted. |
| **FilePublisher** | This is a combination of “FileName” plus “Publisher” (PCA certificate with CN of leaf) plus a minimum version number. This option trusts specific files from the specified publisher, with a version at or above the specified version number. |
| **LeafCertificate** | Adds trusted signers at the individual signing certificate level. The benefit of using this level versus the individual hash level is that new versions of the product will have different hash values but typically the same signing certificate. Using this level, no policy update would be needed to run the new version of the application. However, leaf certificates have much shorter validity periods than PCA certificates, so additional administrative overhead is associated with updating the code integrity policy when these certificates expire. |
| **PcaCertificate** | Adds the highest certificate in the provided certificate chain to signers. This is typically one certificate below the root certificate, because the scan does not validate anything above the presented signature by going online or checking local root stores. |
| **RootCertificate** | Currently unsupported. |

1
windows/keep-secure/index.md
View File

@ -27,6 +27,7 @@ Learn about keeping Windows 10 and Windows 10 Mobile secure.
| [Protect your enterprise data using enterprise data protection (EDP)](protect-enterprise-data-using-edp.md) | With the increase of employee-owned devices in the enterprise, theres also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprises control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage. |
| [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md) | Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected. |
| [VPN profile options](vpn-profile-options.md) | Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect. |
| [Windows security baselines](windows-security-baselines.md) | Learn why you should use security baselines in your organization. |
| [Security technologies](security-technologies.md) | Learn more about the different security technologies that are available in Windows 10 and Windows 10 Mobile. |
| [Enterprise security guides](windows-10-enterprise-security-guides.md) | Get proven guidance to help you better secure and protect your enterprise by using technologies such as Credential Guard, Device Guard, Microsoft Passport, and Windows Hello. This section offers technology overviews and step-by-step guides. |
 

56
windows/keep-secure/windows-security-baselines.md Normal file
View File

@ -0,0 +1,56 @@
---
title: Windows security baselines (Windows 10)
description: Use this topic to learn what security baselines are and how you can use them in your organization to help keep your devices secure.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Windows security baselines
Microsoft is dedicated to provide our customers with a secure operating system, such as Windows 10 and Windows Server, as well as secure apps, such as Microsoft Edge. In addition to the security assurance of its products, Microsoft also enables you to have fine control of your environments by providing various configuration capabilities. Even though Windows and Windows Server are designed to be secure out-of-the-box, a large number of organizations still want more granular control of their security configurations. To navigate these large number of controls, organizations need guidance for configuring various security features. Microsoft provides this guidance in the form of security baselines.
We recommend implementing an industry-standard configuration that is broadly known and well-tested, such as a Mirosoft security baseline, as opposed to creating one yourself. This helps increase flexibility and reduce costs.
## What are security baselines?
Every organization faces security threats. However, the types of security threats that are of most concern to one organization can be completely different from another organization. For example, an e-commerce company may focus on protecting their Internet-facing web apps, while a hospital may focus on protecting confidential patient information. The one thing that all organizations have in common is a need to keep their apps and devices secure. These devices must be compliant with the security standards (or security baselines) defined by the organization.
A security baseline is a collection of settings that have a security impact and include Microsofts recommended value for configuring those settings along with guidance on the security impact of those settings. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and
customers.
## Why are security baselines needed?
Security baselines are an essential benefit to customers because they bring together expert knowlege from Microsoft, partners, and customers.
For example, there are over 3,000 Group Policy settings for Windows 10, which does not include over 1,800 Internet Explorer 11 settings. Of those 3,800 settings, only some of them are security-related. While Microsoft provides extensive guidance on different security features, going through each of them can take a long time. You would have to determine the security impact of each setting on your own. After you've done that, you still need to determine what values each of these settings should be.
In modern organizations, the security threat landscape is constantly evolving. IT pros and policy makers must keep current with security threats and changes to Windows security settings to help mitigate these threats.
To help faster deployments and increase the ease of managing Windows, Microsoft provides customers with security baselines that are available in formats that can be consumed, such as Group Policy Objects backups.
## How can you use security baselines?
You can use security baselines to:
- Ensure that user and device configuration settings are compliant with the baseline.
- Set configuration settings. For example, you can use Group Policy, System Center Configuration Manager, or Microsoft Intune to configure a device with the setting values specified in the baseline.
## Where can I get the security baselines?
Here's a list of security baselines that are currently available.
> **Note:** If you want to know what has changed with each security baseline, or if you want to stay up-to-date on whats happening with them, check out the [Microsoft Security Guidance](http://blogs.technet.microsoft.com/secguide) blog.
### Windows 10 security baselines
- [Windows 10, Version 1511 security baseline](http://go.microsoft.com/fwlink/p/?LinkID=799381)
- [Windows 10, Version 1507 security baseline](http://go.microsoft.com/fwlink/p/?LinkID=799380)
### Windows Server security baselines
- [Windows Server 2012 R2 security baseline](http://go.microsoft.com/fwlink/p/?LinkID=799382)