Merge branch 'master' into removing-provisioned-apps-spacing-update

Heidi Lohr
2018-06-06 09:08:25 -07:00
80 changed files with 160 additions and 291 deletions

View File

@ -10,13 +10,19 @@ ms.localizationpriority: high
author: jdeckerms
ms.author: jdecker
ms.topic: article
ms.date: 05/31/2018
ms.date: 06/05/2018
---
# Change history for Configure Windows 10
This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile.
## June 2018
New or changed topic | Description
--- | ---
[Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education](setup-kiosk-digital-signage.md) and [Create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-to-specific-apps.md) | Updated instructions for using Microsoft Intune to configure a kiosk.
## May 2018
New or changed topic | Description

View File

@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: edu, security
author: jdeckerms
ms.localizationpriority: high
ms.date: 04/30/2018
ms.date: 06/05/2018
ms.author: jdecker
ms.topic: article
---
@ -38,9 +38,6 @@ You can configure multi-app kiosks using [Microsoft Intune](#intune) or a [provi
<span id="intune"/>
## Configure a kiosk in Microsoft Intune
Watch how to use Intune to configure a multi-app kiosk.
>[!VIDEO https://www.microsoft.com/videoplayer/embed/ce9992ab-9fea-465d-b773-ee960b990c4a?autoplay=false]
1. [Generate the Start layout for the kiosk device.](#startlayout)
2. In the Microsoft Azure portal, search for **Intune** or go to **More services** > **Intune**.
@ -49,14 +46,15 @@ Watch how to use Intune to configure a multi-app kiosk.
5. Select **Create profile**.
6. Enter a friendly name for the profile.
7. Select **Windows 10 and later** for the platform.
8. Select **Device restrictions** for the profile type.
9. Select **Kiosk**.
10. In **Kiosk Mode**, select **Multi app kiosk**.
11. Select **Add** to define a configuration, which specifies the apps that will run and the layout for the Start menu.
8. Select **Kiosk (Preview)** for the profile type.
9. Select **Kiosk - 1 setting available**.
10. Select **Add** to define a configuration, which specifies the apps that will run and the layout for the Start menu.
12. Enter a friendly name for the configuration.
13. Select an app type, either **Win32 App** for a classic desktop application or **UWP App** for a Universal Windows Platform app.
- For **Win32 App**, enter the fully qualified pathname of the executable, with respect to the device.
- For **UWP App**, enter the Application User Model ID for an installed app.
10. In **Kiosk Mode**, select **Multi app kiosk**.
13. Select an app type.
- For **Add Win32 app**, enter the **App Name** and **Identifier**.
- For **Add managed apps**, select an app that you manage through Intune.
- For **Add app by AUMID**, enter the Application User Model ID (AUMID) for an installed UWP app.
14. Select whether to enable the taskbar.
15. Browse to and select the Start layout XML file that you generated in step 1.
16. Add one or more accounts. When the account signs in, only the apps defined in the configuration will be available.
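Review bot: the step numbering in the rewritten list is out of sequence: after `9. Select **Kiosk - 1 setting available**.` the steps run 10, 12, 10, 13, 14, so `10. In **Kiosk Mode**, select **Multi app kiosk**.` repeats a number and 11 is gone. Markdown renumbers ordered lists when rendered, but the source should still read 8 through 16 in order so that later edits and the cross-reference in step 15 ("the Start layout XML file that you generated in step 1") stay easy to follow. Also decide deliberately whether the Kiosk Mode selection belongs after naming the configuration; the old flow had it before `Select **Add**`.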

View File

@ -10,7 +10,7 @@ author: jdeckerms
ms.author: jdecker
ms.topic: article
ms.localizationpriority: high
ms.date: 05/25/2018
ms.date: 06/05/2018
---
# Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education
@ -268,11 +268,11 @@ The following steps explain how to configure a kiosk in Microsoft Intune. For ot
5. Select **Create profile**.
6. Enter a friendly name for the profile.
7. Select **Windows 10 and later** for the platform.
8. Select **Device restrictions** for the profile type.
9. Select **Kiosk**.
10. In **Kiosk Mode**, select **Single app kiosk**.
1. Enter the user account (Azure AD or a local standard user account).
11. Enter the Application User Model ID for an installed app.
8. Select **Kiosk (Preview)** for the profile type.
9. Enter a friendly name for the kiosk configuration.
10. In **Kiosk Mode**, select **Single full-screen app kiosk**.
10. Select either **Select a managed app** to choose a kiosk app that is managed by Intune, or **Enter UWP app AUMID** to specify the kiosk app by AUMID, and then select the app or enter the AUMID as appropriate.
1. For the user account, select either **Autologon** to create a user account for the kiosk that will sign in automatically, or **Local user account** to configure an existing user account to run the kiosk. **Local user account** can be a local standard user account on the device or an Azure Active Directory account.
14. Select **OK**, and then select **Create**.
18. Assign the profile to a device group to configure the devices in that group as kiosks.
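Review bot: same numbering problem here: `10. In **Kiosk Mode**, select **Single full-screen app kiosk**.` is followed by a second `10.`, then `1.`, `14.`, `18.`; renumber 8 through 13 consecutively. The new account step is also the security-relevant one: it introduces **Autologon**, which "will create a user account for the kiosk that will sign in automatically", without describing the account that gets created or how its rights compare with the **Local user account** path. One sentence on that lets the reader choose deliberately rather than by default.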

View File

@ -1,7 +1,7 @@
---
title: Windows 10 Pro in S mode
description: Overview of Windows 10 Pro in S mode, switching options, and system requirements
keywords: S mode Switch, Switch in S mode, s mode switch, Windows 10 S, S-mode, system requirements, Overview, Windows 10 Pro in S mode, Windows 10 Pro in S mode
description: Overview of Windows 10 Pro/Enterprise in S mode. S mode switch options are also outlined in this document. Switching out of S mode is optional.
keywords: Windows 10 S switch, S mode Switch, Switch in S mode, s mode switch, Windows 10 S, S-mode, system requirements, Overview, Windows 10 Pro in S mode, Windows 10 Pro in S mode
ms.mktglfcycl: deploy
ms.localizationpriority: high
ms.prod: w10
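Review bot: the `keywords:` line still ends with `Windows 10 Pro in S mode, Windows 10 Pro in S mode` in both the old and the new version, so drop one copy. The new `description:` now says "Windows 10 Pro/Enterprise in S mode" while `title:` still says "Windows 10 Pro in S mode"; align the two, or note in the commit why the description is deliberately broader than the title.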

View File

@ -1509,15 +1509,20 @@ This event sends data about the processor (architecture, speed, number of cores,
The following fields are available:
- **ProcessorArchitecture** Retrieves the processor architecture of the installed operating system.
- **KvaShadow** Microcode info of the processor.
- **MMSettingOverride** Microcode setting of the processor.
- **MMSettingOverrideMask** Microcode setting override of the processor.
- **ProcessorArchitecture** Processor architecture of the installed operating system.
- **ProcessorClockSpeed** Clock speed of the processor in MHz.
- **ProcessorCores** Number of logical cores in the processor.
- **ProcessorIdentifier** Processor Identifier of a manufacturer.
- **ProcessorManufacturer** Name of the processor manufacturer.
- **ProcessorModel** Name of the processor model.
- **ProcessorPhysicalCores** Number of physical cores in the processor.
- **ProcessorUpdateRevision** Microcode revision
- **ProcessorUpdateRevision** Microcode revision.
- **ProcessorUpdateStatus** The status of the microcode update.
- **SocketCount** Count of CPU sockets.
- **SpeculationControl** If the system has enabled protections needed to validate the speculation control vulnerability.
### Census.Security
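Review bot: the descriptions added for the speculative-execution mitigation fields are misleading. `KvaShadow` is described as "Microcode info of the processor", but KVA Shadow is the kernel virtual-address shadowing mitigation implemented by the OS kernel, not microcode data; `MMSettingOverride` and `MMSettingOverrideMask` get near-identical "Microcode setting" wording that does not say what is being overridden. `SpeculationControl` reads as a fragment ("If the system has enabled protections needed to validate the speculation control vulnerability."); "Indicates whether the system has enabled the protections that mitigate speculative-execution vulnerabilities." fits the style of the neighbouring entries. Deleting the old `ProcessorArchitecture` line at the top and re-adding it in alphabetical position is fine, as is the added period on `ProcessorUpdateRevision`.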

View File

@ -46,7 +46,7 @@ sections:
items:
- href: \windows\privacy\gdpr-win10-whitepaper
- href: \windows\privacy\gdpr-it-guidance
html: <p>Learn about GDPR and how Microsoft helps you get started towards compliance</p>
@ -54,7 +54,7 @@ sections:
src: https://docs.microsoft.com/media/common/i_advanced.svg
title: Begin your GDPR journey
title: Start with GDPR basics
- href: \windows\privacy\configure-windows-diagnostic-data-in-your-organization

View File

@ -7,16 +7,16 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.localizationpriority: high
author: brianlic-msft
ms.author: brianlic-msft
ms.date: 04/09/2018
author: danihalfin
ms.author: daniha
ms.date: 06/05/2018
---
# Manage connections from Windows operating system components to Microsoft services
**Applies to**
- Windows 10 Enterprise edition
- Windows 10 Enterprise, version 1607 and newer
- Windows Server 2016
If you're looking for content on what each diagnostic data level means and how to configure it in your organization, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md).
@ -32,7 +32,10 @@ This baseline was created in the same way as the [Windows security baselines](/w
Running the Windows Restricted Traffic Limited Functionality Baseline on devices in your organization will allow you to quickly configure all of the settings covered in this document.
However, some of the settings reduce the functionality and security configuration of your device and are therefore not recommended.
Make sure should you've chosen the right settings configuration for your environment before applying.
You should not extract this package to the windows\\system32 folder because it will not apply correctly.
You should not extract this package to the windows\\system32 folder because it will not apply correctly.
>[!IMPORTANT]
> As part of the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887), MDM functionallity is disabled. If you manage devices through MDM, make sure [cloud notifications are enabled](#bkmk-priv-notifications).
Applying the Windows Restricted Traffic Limited Functionality Baseline is the same as applying each setting covered in this article.
It is recommended that you restart a device after making configuration changes to it.
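Review bot: the added IMPORTANT note has a typo, `MDM functionallity is disabled` should read `functionality`. The warning itself is the right one to surface, because applying the baseline removes the device's management channel; it would be stronger if it said which setting causes it (the 17.5 Notifications section this link targets explains that turning off notification network usage disables MDM management), so the reader knows exactly what to re-enable. While here, the context line `Make sure should you've chosen the right settings configuration for your environment before applying.` is garbled and should read "Make sure you've chosen the right configuration for your environment before applying it."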
@ -87,12 +90,12 @@ Here's a list of changes that were made to this article for Windows 10, version
The following sections list the components that make network connections to Microsoft services by default. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure diagnostic data at the Security level, turn off Windows Defender diagnostic data and MSRT reporting, and turn off all of these connections.
>[!NOTE]
>For some settings, MDM policies only partly cover capabilities available through Group Policy. See each settings section for more details.
### Settings for Windows 10 Enterprise edition
The following table lists management options for each setting, beginning with Windows 10 Enterprise version 1703.
The following table lists management options for each setting, beginning with Windows 10 Enterprise version 1607.
>[!NOTE]
>For some settings, MDM policies only partly cover capabilities available through Group Policy. See each settings section for more details.
| Setting | UI | Group Policy | MDM policy | Registry | Command line |
| - | :-: | :-: | :-: | :-: | :-: |
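Review bot: the `>[!NOTE]` block "For some settings, MDM policies only partly cover capabilities available through Group Policy..." appears twice in this hunk, once before the `### Settings for Windows 10 Enterprise edition` heading and again directly after the sentence being changed; keep one. The change from `version 1703` to `version 1607` is consistent with the new "Windows 10 Enterprise, version 1607 and newer" entry in the **Applies to** list earlier in this file, but it also commits the table that follows to carrying 1607-applicable values for every row, which this hunk does not show; confirm the rows were reviewed for 1607.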
@ -1075,6 +1078,9 @@ To turn off **Choose apps that can use your microphone**:
### <a href="" id="bkmk-priv-notifications"></a>17.5 Notifications
>[!IMPORTANT]
>Disabling notifications will also disable the ability to manage the device through MDM. If you are using an MDM solution, make sure cloud notifications are enabled through one of the options below.
To turn off notifications network usage:
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Notifications** > **Turn off Notifications network usage**

View File

@ -218,7 +218,7 @@ Windows PowerShell
``` syntax
New-NetFirewallRule -DisplayName “Allow Inbound Telnet” -Direction Inbound -Program %SystemRoot%\System32\tlntsvr.exe -RemoteAddress LocalSubnet -Action Allow Group “Telnet Management”
New-NetFirewallRule -DisplayName “Block Outbound Telnet” -Direction Inbound -Program %SystemRoot%\System32\tlntsvr.exe -RemoteAddress LocalSubnet -Action Allow Group “Telnet Management”
New-NetFirewallRule -DisplayName “Block Outbound Telnet” -Direction Outbound -Program %SystemRoot%\System32\tlntsvr.exe -RemoteAddress LocalSubnet -Action Allow Group “Telnet Management”
```
If the group is not specified at rule creation time, the rule can be added to the rule group using dot notation in Windows PowerShell. You cannot specify the group using `Set-NetFirewallRule` since the command allows querying by rule group.
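Review bot: the fix changes `-Direction Inbound` to `-Direction Outbound` on the second rule but leaves `-Action Allow`, so a rule whose display name is "Block Outbound Telnet" still allows the traffic; it should be `-Action Block`. All three lines also pass `Group “Telnet Management”` without the leading dash, so `New-NetFirewallRule` will reject `Group` as an argument it cannot bind; write `-Group “Telnet Management”`. The typographic quotes are accepted by PowerShell, but plain `"` quotes survive copy and paste more reliably, and the fence is tagged `syntax` where `powershell` would give the reader highlighting. The sentence below that says you cannot set the group with `Set-NetFirewallRule` "since the command allows querying by rule group" would be clearer as: the `-Group` parameter on `Set-NetFirewallRule` is a filter that selects rules, not a property you can assign.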

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 04/19/2017
ms.date: 06/04/2018
---
# Prepare your organization for BitLocker: Planning and policies
@ -157,18 +157,13 @@ Full drive encryption means that the entire drive will be encrypted, regardless
## <a href="" id="bkmk-addscons"></a>Active Directory Domain Services considerations
BitLocker integrates with Active Directory Domain Services (AD DS) to provide centralized key management. By default, no recovery information is backed up to Active Directory. Administrators can configure Group Policy settings to enable backup of BitLocker or TPM recovery information. Before configuring these settings verify that access permissions have been granted to perform the backup.
BitLocker integrates with Active Directory Domain Services (AD DS) to provide centralized key management. By default, no recovery information is backed up to Active Directory. Administrators can configure the following Group Policy setting to enable backup of BitLocker recovery information:
By default, domain administrators are the only users that will have access to BitLocker recovery information. When you plan your support process, define what parts of your organization need access to BitLocker recovery information. Use this information to define how the appropriate rights will be delegated in your AD DS environment.
Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\Turn on BitLocker backup to Active Directory Domain Services
It is a best practice to require backup of recovery information for both the TPM and BitLocker to AD DS. You can implement this practice by configuring the Group Policy settings below for your BitLocker-protected computers.
By default, only Domain Admins have access to BitLocker recovery information, but [access can be delegated to others](https://blogs.technet.microsoft.com/craigf/2011/01/26/delegating-access-in-ad-to-bitlocker-recovery-information/).
| BitLocker Group Policy setting | Configuration |
| - | - |
| BitLocker Drive Encryption: Turn on BitLocker backup to Active Directory Domain Services| Require BitLocker backup to AD DS (Passwords and key packages)|
| Trusted Platform Module Services: Turn on TPM backup to Active Directory Domain Services | Require TPM backup to AD DS|
 
The following recovery data will be saved for each computer object:
The following recovery data is saved for each computer object:
- **Recovery password**
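Review bot: the rewritten paragraph points to a single Group Policy setting but drops the value the old table prescribed for it, `Require BitLocker backup to AD DS (Passwords and key packages)`; without that, a reader can enable the policy while leaving key packages out, and key packages are what the "With this key package and the recovery password..." text further down relies on for recovering a damaged volume. It also drops the old advice to verify that permissions to perform the backup have been granted before enabling the setting. The new delegation sentence replaces the planning guidance with an external blog link; keep at least the "define what parts of your organization need access to BitLocker recovery information" sentence, since who can read recovery passwords is the main access-control decision in this section.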
@ -178,51 +173,6 @@ The following recovery data will be saved for each computer object:
With this key package and the recovery password, you will be able decrypt portions of a BitLocker-protected volume if the disk is severely damaged. Each key package will only work with the volume it was created on, which can be identified by the corresponding volume ID.
- **TPM owner authorization password hash**
When ownership of the TPM is taken a hash of the ownership password can be taken and stored in AD DS. This information can then be used to reset ownership of the TPM.
Starting in Windows 8, a change to how the TPM owner authorization value is stored in AD DS was implemented in the AD DS schema. The TPM owner authorization value is now stored in a separate object which is linked to the Computer object. This value was stored as a property in the Computer object itself for the default Windows Server 2008 R2 and later schemas.
To take advantage of this integration, you must upgrade your domain controllers to Windows Server 2012 or extend the Active Directory schema and configure BitLocker-specific Group Policy objects.
>**Note:**  The account that you use to update the Active Directory schema must be a member of the Schema Admins group.
 
Windows Server 2012 domain controllers have the default schema to backup TPM owner authorization information in the separate object. If you are not upgrading your domain controller to Windows Server 2012 you need to extend the schema to support this change.
**To support Windows 8 and later computers that are managed by a Windows Server 2003 or Windows 2008 domain controller**
There are two schema extensions that you can copy down and add to your AD DS schema:
- **TpmSchemaExtension.ldf**
This schema extension brings parity with the Windows Server 2012 schema. With this change, the TPM owner authorization information is stored in a separate TPM object linked to the corresponding computer object. Only the Computer object that has created the TPM object can update it. This means that any subsequent updates to the TPM objects will not succeed in dual boot scenarios or scenarios where the computer is reimaged resulting in a new AD computer object being created. To support such scenarios, an update to the schema was created.
- **TpmSchemaExtensionACLChanges.ldf**
This schema update modifies the ACLs on the TPM object to be less restrictive so that any subsequent operating system which takes ownership of the computer object can update the owner authorization value in AD DS. However, this is less secure as any computer in the domain can now update the OwnerAuth of the TPM object (although it cannot read the OwnerAuth) and DOS attacks can be made from within the enterprise. The recommended mitigation in such a scenario is to do regular backup of TPM objects and enable auditing to track changes for these objects.
To download the schema extensions, see [AD DS schema extensions to support TPM backup](https://technet.microsoft.com/library/jj635854.aspx).
If you have a Windows Server 2012 domain controller in your environment, the schema extensions are already in place and do not need to be updated.
>**Caution:**  To configure Group Policy objects to backup TPM and BitLocker information in AD DS at least one of the domain controllers in your forest must be running at least Windows Server 2008 R2.
If Active Directory backup of the TPM owner authorization value is enabled in an environment without the required schema extensions, the TPM provisioning will fail and the TPM will remain in a Not Ready state for computers running Windows 8 and later.
 
**Setting the correct permissions in AD DS**
To initialize the TPM successfully so that you can turn on BitLocker requires that the correct permissions for the SELF account in be set in AD DS for the **ms-TPMOwnerInformation** attribute. The following steps detail setting these permissions as required by BitLocker:
1. Open **Active Directory Users and Computers**.
2. Select the organizational unit (OU) which contains the computer accounts that will have BitLocker turned on.
3. Right-click the OU and click **Delegate Control** to open the **Delegation of Control** wizard.
4. Click **Next** to go to the **Users or Groups** page and then click **Add**.
5. In the **Select Users, Computers, or Groups** dialog box, type **SELF** as the object name and then click **OK** Once the object has been validated you will be returned to the **Users or Groups** wizard page and the SELF account will be listed. Click **Next**.
6. On the **Tasks to Delegate** page, choose **Create a custom task to delegate** and then click **Next**.
7. On the **Active Directory Object Type** page, choose **Only the following objects in the folder** and then check **Computer Objects** and then click **Next**.
8. On the **Permissions** page, for **Show these permissions**, check **General**, **Property-specific**, and **Creation/deletion of specific child objects**. Scroll down the **Permissions** list and check both **Write msTPM-OwnerInformation** and **Write msTPM-TpmInformationForComputer** then click **Next**.
9. Click **Finish** to apply the permissions settings.
## <a href="" id="bkmk-fipssupport"></a>FIPS support for recovery password protector
Functionality introduced in Windows Server 2012 R2 and Windows 8.1, allows BitLocker to be fully functional in FIPS mode.
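Review bot: this removes everything about backing up TPM owner authorization to AD DS (the schema extensions, the less-restrictive-ACL trade-off described for `TpmSchemaExtensionACLChanges.ldf`, and the SELF permissions on `ms-TPMOwnerInformation`), but the recovery-data list just above still ends with the `**TPM owner authorization password hash**` bullet and its "can then be used to reset ownership of the TPM" sentence, which now describes data the article no longer tells you how to back up. Either remove that bullet in the same change or add one sentence saying why TPM owner information is no longer covered (if this reflects Windows 10 no longer retaining the TPM owner password, say so), so readers on older domain schemas know whether the removed guidance still applies to them.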

View File

@ -76,6 +76,16 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
The **Create global objects** user right is required for a user account to create global objects in Remote Desktop sessions. Users can still create session-specfic objects without being assigned this user right. Assigning this right can be a security risk.
By default, members of the **Administrators** group, the System account, and services that are started by the Service Control Manager are assigned the **Create global objects** user right. Users who are added to the **Remote Desktop Users** group also have this user right.
### Countermeasure
When non-administrators need to access a server using Remote Desktop, add the users to the **Remote Desktop Users** group rather than assining them this user right.
### Vulnerability
>**Caution:**  A user account that is given this user right has complete control over the system, and it can lead to the system being compromised. We highly recommend that you do not assign this right to any user accounts.
 
Windows examines a user's access token to determine the level of the user's privileges. Access tokens are built when users log on to the local device or connect to a remote device over a network. When you revoke a privilege, the change is immediately recorded, but the change is not reflected in the user's access token until the next time the user logs on or connects. Users with the ability to create or modify tokens can change the level of access for any currently logged on account. They could escalate their privileges or create a denial-of-service (DoS) condition.
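Review bot: the added block does not belong in this article. It introduces a second `### Vulnerability` heading after `### Countermeasure`, and its content (a caution that the right gives "complete control over the system" and a paragraph about access tokens and users who can "create or modify tokens") describes a token-related user right, not **Create global objects**, whose existing Vulnerability section above says the risk is creating global objects in Remote Desktop sessions. A reader would conclude that Create global objects is a full-compromise right, which the existing text and countermeasure contradict; drop the block or move it to the topic it was written for. While here, fix `session-specfic` and `assining` in the context lines.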

View File

@ -630,7 +630,7 @@ Here are the minimum steps for WEF to operate:
</Query>
<Query Id="12" Path="Microsoft-Windows-PowerShell/Operational">
<!-- PowerShell execute block activity (4103), Remote Command(4104), Start Command(4105), Stop Command(4106) -->
<Select Path="Microsoft-Windows-PowerShell/Operational">*[System[(EventID=4103 or EventId=4104 or EventId=4105 or EventId=4106)]]</Select>
<Select Path="Microsoft-Windows-PowerShell/Operational">*[System[(EventID=4103 or EventID=4104 or EventID=4105 or EventID=4106)]]</Select>
</Query>
<Query Id="13" Path="Microsoft-Windows-DriverFrameworks-UserMode/Operational">
<!-- Detect User-Mode drivers loaded - for potential BadUSB detection. -->
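Review bot: good catch with real detection impact: XPath element names are case-sensitive, so `EventId=4104 or EventId=4105 or EventId=4106` matched nothing and only 4103 (module logging) was being forwarded, meaning the 4104 script block text that remote command analysis depends on never reached the collector. Worth scanning the rest of the subscription XML in this file for the same `EventId` casing, and the commit message should record this as closing a silent forwarding gap rather than as a cosmetic edit.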

View File

@ -78,7 +78,7 @@ For October 2017, we are announcing an update to system.management.automation.dl
Microsoft recommends that you block the following Microsoft-signed applications and PowerShell files by merging the following policy into your existing policy to add these deny rules using the Merge-CIPolicy cmdlet:
```
<?xml version="1.0" encoding="utf-8" ?>
<?xml version="1.0" encoding="utf-8" ?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
<VersionEx>10.0.0.0</VersionEx>
<PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID>
@ -132,6 +132,7 @@ Microsoft recommends that you block the following Microsoft-signed applications
<Deny ID="ID_DENY_INFINSTALL" FriendlyName="infdefaultinstall.exe" FileName="infdefaultinstall.exe" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_LXRUN" FriendlyName="lxrun.exe" FileName="lxrun.exe" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_PWRSHLCUSTOMHOST" FriendlyName="powershellcustomhost.exe" FileName="powershellcustomhost.exe" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_TEXTTRANSFORM" FriendlyName="texttransform.exe" FileName="texttransform.exe" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_WMIC" FriendlyName="wmic.exe" FileName="wmic.exe" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_D_1" FriendlyName="Powershell 1" Hash="02BE82F63EE962BCD4B8303E60F806F6613759C6"/>
<Deny ID="ID_DENY_D_2" FriendlyName="Powershell 2" Hash="13765D9A16CC46B2113766822627F026A68431DF"/>
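Review bot: the new `ID_DENY_TEXTTRANSFORM` rule follows the same pattern as its neighbours (a `FileName` match with `MinimumFileVersion="65535.65535.65535.65535"` so every version is denied), and the matching `<FileRuleRef RuleID="ID_DENY_TEXTTRANSFORM"/>` is added to the rule reference list further down, so the policy stays internally consistent. If the article's prose above this XML enumerates the blocked binaries, texttransform.exe should be added there too, and the change history should record that the recommended block list grew, since customers merge this policy into their own and will want to know a new executable is now denied.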
@ -508,6 +509,7 @@ Microsoft recommends that you block the following Microsoft-signed applications
<FileRuleRef RuleID="ID_DENY_INFINSTALL"/>
<FileRuleRef RuleID="ID_DENY_LXRUN"/>
<FileRuleRef RuleID="ID_DENY_PWRSHLCUSTOMHOST"/>
<FileRuleRef RuleID="ID_DENY_TEXTTRANSFORM"/>
<FileRuleRef RuleID="ID_DENY_WMIC"/>
<FileRuleRef RuleID="ID_DENY_D_1"/>
<FileRuleRef RuleID="ID_DENY_D_2"/>