mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-07-03 11:13:50 +00:00
Merge remote-tracking branch 'refs/remotes/origin/jdrs' into rs1
1
.gitignore
vendored
@ -9,3 +9,4 @@ Tools/NuGet/
|
|||||||
.openpublishing.build.mdproj
|
.openpublishing.build.mdproj
|
||||||
.openpublishing.buildcore.ps1
|
.openpublishing.buildcore.ps1
|
||||||
packages.config
|
packages.config
|
||||||
|
*.zip
|
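Review bot: the new `*.zip` pattern ignores every archive anywhere in the repository, including ones that may be meant to be committed (sample packages or downloadable assets); if the intent is only to keep build output out of commits, scope the pattern to the directory those archives land in, next to the other tool-specific entries under `Tools/NuGet/`.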
@ -16,7 +16,7 @@ author: jdeckerMS
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
The **Set up School PCs** app helps you set up new Windows 10 PCs that work great in your school by configuring shared PC mode, available in Windows 10, version 1607. **Set up School PCs** also configures school-specific settings and policies, described in this topic.
|
The **Set up School PCs** app helps you set up new Windows 10 PCs that work great in your school by configuring shared PC mode, available in Windows 10, version 1607. **Set up School PCs** also configures school-specific settings and policies, described in this topic.
|
||||||
|
|
||||||
If your school uses Azure Active Directory (Azure AD) or Office 365, the **Set up School PCs** app will create a setup file that connects the computer to your subscription. You can also use the app to set up school PCs that anyone can use, with or without Internet connectivity.
|
If your school uses Azure Active Directory (Azure AD) or Office 365, the **Set up School PCs** app will create a setup file that connects the computer to your subscription. You can also use the app to set up school PCs that anyone can use, with or without Internet connectivity.
|
||||||
|
|
||||||
|
BIN
windows/deploy/images/package.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 4.4 KiB |
@ -52,7 +52,7 @@ Use the Windows Imaging and Configuration Designer (ICD) tool included in the Wi
|
|||||||
|
|
||||||
2. Add all the files required for the app install, including the data files and the installer.
|
2. Add all the files required for the app install, including the data files and the installer.
|
||||||
|
|
||||||
3. Go to **Runtime settings** > **ProvisioningCommands** > **DeviceContext** > **CommandLine** and specify the command line that needs to be executed to install the app. This is a single command line (such as a script, executable, or msi) that triggers a silent install of your CommandFiles. Note that the install must execute silently (without displaying any UI). For MSI installers use, the msiexec /quiet option.
|
3. Go to **Runtime settings** > **ProvisioningCommands** > **DeviceContext** > **CommandLine** and specify the command line that needs to be executed to install the app. This is a single command line (such as a script, executable, or msi) that triggers a silent install of your CommandFiles. Note that the install must execute silently (without displaying any UI). For MSI installers use, the `msiexec /quiet` option.
|
||||||
|
|
||||||
> **Note**: If you are installing more than one app, then use CommandLine to invoke the script or batch file that orchestrates installation of the files. For more information, see [Install a Win32 app using a provisioning package](https://msdn.microsoft.com/en-us/library/windows/hardware/mt703295%28v=vs.85%29.aspx).
|
> **Note**: If you are installing more than one app, then use CommandLine to invoke the script or batch file that orchestrates installation of the files. For more information, see [Install a Win32 app using a provisioning package](https://msdn.microsoft.com/en-us/library/windows/hardware/mt703295%28v=vs.85%29.aspx).
|
||||||
|
|
||||||
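Review bot: the sentence on the changed line has a misplaced comma: "For MSI installers use, the `msiexec /quiet` option" should read "For MSI installers, use the `msiexec /quiet` option." The code formatting added here is fine. Since this setting lives under **ProvisioningCommands** > **DeviceContext**, the step would also benefit from one sentence stating in what security context the command runs, so readers understand that the installer and every file it references must come from a trusted source before they put them in a package.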
@ -61,13 +61,13 @@ Use the Windows Imaging and Configuration Designer (ICD) tool included in the Wi
|
|||||||
|
|
||||||
1. In the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall**.
|
1. In the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall**.
|
||||||
|
|
||||||
2. For **UserContextApp**, specify the **PackageFamilyName** for the app. (how to find package family name)
|
2. For **UserContextApp**, specify the **PackageFamilyName** for the app. `(how to find package family name)`
|
||||||
|
|
||||||
3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle).
|
3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle).
|
||||||
|
|
||||||
4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. (how will they know?)
|
4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. `(how will they know?)`
|
||||||
|
|
||||||
5. For **UserContextAppLicense**, enter the **LicenseProductID**. (where to get)
|
5. For **UserContextAppLicense**, enter the **LicenseProductID**. `(where to get)`
|
||||||
|
|
||||||
|
|
||||||
### Add a certificate to your package
|
### Add a certificate to your package
|
||||||
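Review bot: wrapping "(how to find package family name)", "(how will they know?)" and "(where to get)" in backticks does not resolve them; they are unfinished author notes, and formatted as code they now read like literal values the reader should type into ICD. Either replace them with the actual guidance (where to look up the **PackageFamilyName**, how to identify the dependencies to add under **DependencyAppxFiles**, and where the **LicenseProductID** comes from) or remove them before this topic is published.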
@ -147,6 +147,8 @@ If your build is successful, the name of the provisioning package, output direct
|
|||||||
|
|
||||||
## Apply package
|
## Apply package
|
||||||
|
|
||||||
|
**During initial setup, from a USB drive**
|
||||||
|
|
||||||
1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
|
1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
|
||||||
|
|
||||||

|

|
||||||
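Review bot: the added subheading is a bold paragraph rather than a Markdown heading; the rest of this file uses `##` and `###` headings (`## Apply package` directly above), so `### During initial setup, from a USB drive` would appear in the page outline and keep the structure consistent. Step 1 also directs readers to **Reset this PC** to "start over"; for a PC that is already in use that is a destructive step, so a one-line warning ahead of the step would help.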
@ -187,6 +189,13 @@ If your build is successful, the name of the provisioning package, output direct
|
|||||||
|
|
||||||

|

|
||||||
|
|
||||||
|
|
||||||
|
**After setup, from a USB drive, network folder, or SharePoint site**
|
||||||
|
|
||||||
|
On a desktop computer, navigate to **Settings** > **Accounts** > **Work access** > **Add or remove a management package** > **Add a package**, and select the package to install.
|
||||||
|
|
||||||
|

|
||||||
|
|
||||||
## Learn more
|
## Learn more
|
||||||
- [Build and apply a provisioning package]( http://go.microsoft.com/fwlink/p/?LinkId=629651)
|
- [Build and apply a provisioning package]( http://go.microsoft.com/fwlink/p/?LinkId=629651)
|
||||||
|
|
||||||
|
BIN
windows/manage/images/oma-uri-shared-pc.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 211 KiB |
@ -15,18 +15,58 @@ author: jdeckerMS
|
|||||||
|
|
||||||
- Windows 10
|
- Windows 10
|
||||||
|
|
||||||
Windows 10, Version 1607, introduces *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. You can apply shared PC mode to Windows 10 Pro, Education, and Enterprise.
|
Windows 10, version 1607, introduces *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. You can apply shared PC mode to Windows 10 Pro, Education, and Enterprise.
|
||||||
|
|
||||||
> **Note:** If you're interested in using Windows 10 for shared PCs in a school, see [Use Set up School PCs app](https://technet.microsoft.com/en-us/edu/windows/use-set-up-school-pcs-app).
|
> **Note:** If you're interested in using Windows 10 for shared PCs in a school, see [Use Set up School PCs app](https://technet.microsoft.com/en-us/edu/windows/use-set-up-school-pcs-app) which provides a simple way to configure PCs with shared PC mode plus additional settings specific for education.
|
||||||
|
|
||||||
A Windows 10 PC in shared PC mode is designed to be management- and maintenance-free with high reliability. After setup, the device is ready for multiple users. Users only have non-administrator rights, and they can’t block other users from accessing the device. With a standard Windows PC, accounts would have to be manually cleaned by an administrator (both signed out and deleted). In shared PC mode, accounts that sign in to the PC are either deleted when the user signs out or are deleted when available disk space reaches a set threshold, depending on how you configure the settings for shared PC mode.
|
##Shared PC mode concepts
|
||||||
|
A Windows 10 PC in shared PC mode is designed to be management- and maintenance-free with high reliability. In shared PC mode, only one user can be signed in at a time. When the PC is locked, the currently signed in user can always be signed out at the lock screen. Users who sign-in are signed in as standard users, not admin users.
|
||||||
|
|
||||||
You can put a PC in shared PC mode by applying a provisioning package when you initially set up the PC (also known as the out-of-box-experience or OOBE), or you can apply the provisioning package to a Windows 10 PC that is already in use. The provisioning package is created in Windows Imaging and Configuration Designer (ICD). Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723294.aspx).
|
###Account models
|
||||||
|
It is intended that shared PCs are joined to an Active Directory or Azure Active Directory domain by a user with the necessary rights to perform a domain join as part of a setup process. This enables any user that is part of the directory to sign-in to the PC as a standard user. The user who originally joined the PC to the domain will have administrative rights when they sign in. If using Azure Active Directory Premium, any domain user can also be configured to sign in with administrative rights. Additionally, shared PC mode can be configured to enable a **Start without an account** option on the sign-in screen, which doesn't require any user credentials or authentication and creates a new local account.
|
||||||
|
|
||||||
|
###Account management
|
||||||
|
When the account management service is turned on in shared PC mode, accounts are automatically deleted. Account deletion applies to Active Directory, Azure Active Directory, and local accounts that are created by the **Start without an account** option. Account management is performed both at sign-off time (to make sure there is enough disk space for the next user) as well as during system maintenance time periods. Shared PC mode can be configured to delete accounts immediately at sign-out or when disk space is low.
|
||||||
|
|
||||||
|
###Maintenance and sleep
|
||||||
|
Shared PC mode is configured to take advantage of maintenance time periods which run while the PC is not in use. Therefore, sleep is strongly recommended so that the PC can wake up when it is not is use to perform maintenance, clean up accounts, and run Windows Update. The recommended settings can be set by choosing **SetPowerPolicies** in the list of shared PC options. Additionally, on devices without Advanced Configuration and Power Interface (ACPI) wake alarms, shared PC mode will always override real-time clock (RTC) wake alarms to be allowed to wake the PC from sleep (by default, RTC wake alarms are off). This ensures that the widest variety of hardware will take advantage of maintenance periods.
|
||||||
|
|
||||||
|
While shared PC mode does not configure Windows Update itself, it is strongly recommended to configure Windows Update to automatically install updates and reboot (if necessary) during maintenance hours. This will help ensure the PC is always up to date and not interrupting users with updates. Use one of the following methods to configure Windows Update:
|
||||||
|
|
||||||
|
- Group Policy: Set **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Automatic Updates** to `4` and check **Install during automatic maintenance**.
|
||||||
|
- MDM: Set **Update/AllowAutoUpdate** to `4`.
|
||||||
|
- Provisioning: In Windows Imaging and Configuration Designer (ICD), set **Policies/Update/AllowAutoUpdate** to `4`.
|
||||||
|
|
||||||
|
[Learn more about the AllowAutoUpdate settings](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962(v=vs.85).aspx#Update_AllowAutoUpdate)
|
||||||
|
|
||||||
|
###Customization
|
||||||
|
Shared PC mode exposes a set of customizations to tailor the behavior to your requirements. These customizations are the options that you'll set either using MDM or a provisioning package as explained in [Configuring shared PC mode on Windows](#configuring-shared-pc-mode-on-windows). The options are listed in the following table.
|
||||||
|
|
||||||
|
| Setting | Value |
|
||||||
|
|:---|:---|
|
||||||
|
| EnableSharedPCMode | Set as **True**. If this is not set to **True**, shared PC mode is not turned on and none of the other settings apply. Some of the remaining settings in **SharedPC** are optional, but we strongly recommend that you also set `EnableAccountManager` to **True**. |
|
||||||
|
| AccountManagement: AccountModel | This option controls how users can sign-in on the PC. Choosing domain-joined will enable any user in the domain to sign-in. Specifying the guest option will add the **Start without an account** option to the sign-in screen and enable anonymous guest access to the PC. <br/> - **Only guest** allows anyone to use the PC as a local standard (non-admin) account.<br/> - **Domain-joined only** allows users to sign in with an Active Directory or Azure AD account.<br/>- **Domain-joined and guest** allows users to sign in with an Active Directory, Azure AD, or local standard account. |
|
||||||
|
| AccountManagement: DeletionPolicy | - **Delete immediately** will delete the account on sign-out. <br/>- **Delete at disk space threshold** will start deleting accounts when available disk space falls below the threshold you set for **DiskLevelDeletion**, and it will stop deleting accounts when the available disk space reaches the threshold you set for **DiskLevelCaching**. Accounts are deleted in order of oldest accessed to most recently accessed. <br/><br/>Example: The caching number is 50 and the deletion number is 25. Accounts will be cached while the free disk space is above 25%. When the free disk space is less than 25% (the deletion number) at a maintenance period, accounts will be deleted (oldest last used first) until the free disk space is above 50% (the caching number). Accounts will be deleted immediately at sign off of an account if free space is under the deletion threshold and disk space is very low, regardless if the PC is actively in use or not. |
|
||||||
|
| AccountManagement: DiskLevelCaching | If you set **DeletionPolicy** to **Delete at disk space threshold**, set the percent of total disk space to be used as the disk space threshold for account caching. |
|
||||||
|
| AccountManagement: DiskLevelDeletion | If you set **DeletionPolicy** to **Delete at disk space threshold**, set the percent of total disk space to be used as the disk space threshold for account deletion. |
|
||||||
|
| AccountManagement: EnableAccountManager | Set as **True** to enable automatic account management. If this is not set to true, no automatic account management will be done. |
|
||||||
|
| Customization: MaintenanceStartTime | By default, the maintenance start time (which is when automatic maintenance tasks run, such as Windows Update) is midnight. You can adjust the start time in this setting by entering a new start time in minutes from midnight. For example, if you want maintenance to begin at 2 AM, enter `120` as the value. |
|
||||||
|
| Customization: SetEduPolicies | Set to **True** for PCs that will be used in a school. When **SetEduPolicies** is **True**, the following additional settings are applied:<br/>- Local storage locations are restricted. Users can only save files to the cloud. <br/>- Custom Start and taskbar layouts are set.\* <br/>- A custom sign-in screen background image is set.\* <br/>- Additional educational policies are applied (see full list below).<br/><br/>\*Only applies to Windows 10 Pro Education, Enterprise, and Education |
|
||||||
|
| Customization: SetPowerPolicies | When set as **True**:<br/>- Prevents users from changing power settings<br/>- Turns off hibernate<br/>- Overrides all power state transitions to sleep (e.g. lid close) |
|
||||||
|
| Customization: SignInOnResume | This setting specifies if the user is required to sign in with a password when the PC wakes from sleep. |
|
||||||
|
| Customization: SleepTimeout | Specifies all timeouts for when the PC should sleep. Enter the amount of idle time in seconds. If you don't set sleep timeout, the default of 1 hour applies. |
|
||||||
|
|
||||||
|
|
||||||
|
##Configuring shared PC mode on Windows
|
||||||
|
You can configure Windows to be in shared PC mode in a couple different ways:
|
||||||
|
- Mobile device management (MDM): Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723294.aspx). Your MDM policy can contain any of the options listed in the [Customization](#customization) section. The following image shows a Microsoft Intune policy with the shared PC options added as OMA-URI settings. [Learn more about Windows 10 policy settings in Microsoft Intune.](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune)
|
||||||
|

|
||||||
|
- A provisioning package created with the Windows Imaging and Configuration Designer (ICD): You can apply a provisioning package when you initially set up the PC (also known as the out-of-box-experience or OOBE), or you can apply the provisioning package to a Windows 10 PC that is already in use. The provisioning package is created in Windows Imaging and Configuration Designer (ICD). Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723294.aspx), exposed in ICD as SharedPC.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
|
|
||||||
## Create a provisioning package for shared use
|
### Create a provisioning package for shared use
|
||||||
|
|
||||||
Use the Windows ICD tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package that configures a device for shared PC mode. [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740)
|
Use the Windows ICD tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package that configures a device for shared PC mode. [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740)
|
||||||
|
|
||||||
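Review bot: the new headings `##Shared PC mode concepts`, `###Account models`, `###Account management`, `###Maintenance and sleep`, `###Customization` and `##Configuring shared PC mode on Windows` have no space after the `#` characters; CommonMark-style renderers treat such lines as plain paragraphs, so they will not appear as headings and the in-page anchor `#customization`, which this hunk links to from the MDM bullet and which step 6 in the next hunk links to, will not resolve. Add the space (`## Shared PC mode concepts`, `### Account models`, and so on). Smaller fixes in the same hunk: "wake up when it is not is use" should be "not in use"; "Users who sign-in are signed in" and "sign-in to the PC" need the verb form "sign in"; and the provisioning-package bullet says twice that the package is created in Windows ICD. On content, the **Account models** paragraph says the **Start without an account** option "doesn't require any user credentials or authentication and creates a new local account"; since the AccountModel row then offers this as **Only guest** and **Domain-joined and guest**, it would help readers choosing a model to state plainly that anyone with physical access to the PC can create a local account this way, and that the account management service (EnableAccountManager) is what removes those accounts afterwards, which is why the table recommends setting it.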
@ -40,24 +80,40 @@ Use the Windows ICD tool included in the Windows Assessment and Deployment Kit (
|
|||||||
|
|
||||||
5. Click **Finish**. Your project opens in Windows ICD.
|
5. Click **Finish**. Your project opens in Windows ICD.
|
||||||
|
|
||||||
6. Go to **Runtime settings** > **SharedPC**. The following table describes the settings you can configure for **SharedPC**.
|
6. Go to **Runtime settings** > **SharedPC**. [Select the desired settings for shared PC mode.](#customization)
|
||||||
|
|
||||||
Setting | Value |
|
7. On the **File** menu, select **Save.**
|
||||||
:---|:---|
|
8. On the **Export** menu, select **Provisioning package**.
|
||||||
EnableSharedPCMode | Set as **True**. The remaining settings in **SharedPC** are optional, but we strongly recommend that you also set `EnableAccountManager` to **True**.</br></br>If you do not set **EnableSharedPCMode** as **True**, you can create a provisioning package using the remaining settings in **SharedPC** but none of the other settings will be applied. |
|
9. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.**
|
||||||
AccountManagement: AccountModel | For a shared or guest PC, choose between **Only guest** and **Domain-joined and guest**.<br/> - **Only guest** allows anyone to use the PC as a local standard (non-admin) account. When the account is signed out, it is deleted immediately. <br/> - **Domain-joined only** allows users to sign in with an Active Directory or Azure AD account.<br/>- **Domain-joined and guest** allows users to sign in with an Active Directory, Azure AD, or local standard account. |
|
10. Set a value for **Package Version**.
|
||||||
AccountManagement: DeletionPolicy | - **Delete immediately** will delete all accounts on sign-out. <br/>- **Delete at disk space threshold** will start deleting Active Directory and Azure AD accounts when available disk space falls below the threshold you set for **DiskLevelDeletion**, and it will stop deleting accounts when the available disk space reaches the threshold you set for **DiskLevelCaching**. Accounts are deleted in order of oldest accessed to most recently accessed. |
|
> **Tip**
|
||||||
AccountManagement: DiskLevelCaching | If you set **DeletionPolicy** to **Delete at disk space threshold**, set the percent of total disk space to be used as the disk space threshold for account caching. |
|
You can make changes to existing packages and change the version number to update previously applied packages.
|
||||||
AccountManagement: DiskLevelDeletion | If you set **DeletionPolicy** to **Delete at disk space threshold**, set the percent of total disk space to be used as the disk space threshold for account deletion. |
|
|
||||||
AccountManagement: EnableAccountManager | Set as **True** if you want to set any other account management policies. |
|
11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing.
|
||||||
Customization: MaintenanceStartTime | By default, the maintenance start time (which is when automatic maintenance tasks run, such as Windows Update) is midnight. You can adjust the start time in this setting by entering a new start time in minutes from midnight. For example, if you want maintenance to begin at 2 AM, enter `120` as the value. |
|
- **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
|
||||||
Customization: SetEduPolicies | Set to **True** for PCs that will be used in a school. When **SetEduPolicies** is **True**, the following additional policies are applied:<br/>- Local storage locations are restricted. Users can only save files to the cloud. <br/>- Custom Start and taskbar layouts are set.\* <br/>- A custom sign-in screen background image is set.\*<br/><br/>\*Only applies to Windows 10 Pro for Education, Enterprise, and Education |
|
- **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package.
|
||||||
Customization: SetPowerPolicies | When set as **True**:<br/>- Prevents users from changing power settings<br/>- Turns off hibernate<br/>- Enables wake timers for Windows Update<br/>- Turns off all state transitions to sleep |
|
> **Important**
|
||||||
Customization: SignInOnResume | This setting specifies if the user is required to sign in with a password when the PC wakes from sleep. |
|
We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently.
|
||||||
Customization: SleepTimeout | Specifies all timeouts for when the PC should sleep. Enter the amount of idle time in seconds. If you don't set sleep timeout, the default of 1 hour applies. |
|
|
||||||
<br/>
|
12. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.
|
||||||
|
Optionally, you can click **Browse** to change the default output location.
|
||||||
|
13. Click **Next**.
|
||||||
|
14. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.
|
||||||
|
If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
|
||||||
|
15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
|
||||||
|
If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
|
||||||
|
- If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
|
||||||
|
- If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**.
|
||||||
|
16. Select the **output location** link to go to the location of the package. You can provide that .ppkg to others through any of the following methods:
|
||||||
|
|
||||||
## Apply the provisioning package
|
- Shared network folder
|
||||||
|
|
||||||
|
- SharePoint site
|
||||||
|
|
||||||
|
- Removable media (USB/SD) (select this option to apply to a PC during initial setup)
|
||||||
|
|
||||||
|
|
||||||
|
### Apply the provisioning package
|
||||||
|
|
||||||
You can apply the provisioning package to a PC during initial setup or to a PC that has already been set up.
|
You can apply the provisioning package to a PC during initial setup or to a PC that has already been set up.
|
||||||
|
|
||||||
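Review bot: the **Important** callout about including a trusted provisioning certificate states that, once the certificate is in the system store, "any package signed with that certificate thereafter can be applied silently"; that is a security-relevant consequence, and the text should add that the signing certificate's private key therefore needs the same protection as any other trust anchor, because whoever can sign with it can push configuration to every PC that trusted it without any prompt. Two formatting problems in the same hunk: the bodies of the `> **Tip**` and `> **Important**` callouts ("You can make changes to existing packages..." and "We recommend that you include...") are not prefixed with `>`, so they render as ordinary paragraphs detached from their labels. The **Enable package encryption** bullet says an auto-generated password is shown on screen but never says what the reader should do with it, and nothing in the remaining steps mentions the password again; add that sentence. Minor: "Removable media (USB/SD) (select this option to apply to a PC during initial setup)" has back-to-back parentheses.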
@ -66,7 +122,7 @@ You can apply the provisioning package to a PC during initial setup or to a PC t
|
|||||||
|
|
||||||

|

|
||||||
|
|
||||||
2. Insert the USB drive and press the Windows key five times. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**.
|
2. Insert the USB drive and press the Windows key five times. Windows Setup will recognize the drive and ask if you want to set up the device. If there is only one provisioning package on the USB drive, you don't need to press the Windows key five times, Windows will automatically ask you if you want to set up the device. Select **Set up**.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
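Review bot: the rewritten step 2 contradicts itself within one sentence: it first tells readers to press the Windows key five times, then says that with a single package on the drive they don't need to, joined by a comma splice ("...five times, Windows will automatically ask you..."). Restructure it as: insert the USB drive; if it holds one provisioning package, Windows Setup asks automatically whether to set up the device; if it holds more than one, press the Windows key five times to get the prompt; then select **Set up**.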
@ -118,14 +174,14 @@ On a desktop computer, navigate to **Settings** > **Accounts** > **Work ac
|
|||||||
* On a Windows PC joined to Azure Active Directory:
|
* On a Windows PC joined to Azure Active Directory:
|
||||||
* By default, the account that joined the PC to Azure AD will have an admin account on that PC. Global administrators for the Azure AD domain will also have admin accounts on the PC.
|
* By default, the account that joined the PC to Azure AD will have an admin account on that PC. Global administrators for the Azure AD domain will also have admin accounts on the PC.
|
||||||
* With Azure AD Premium, you can specify which accounts have admin accounts on a PC using the **Additional administrators on Azure AD Joined devices** setting on the Azure portal.
|
* With Azure AD Premium, you can specify which accounts have admin accounts on a PC using the **Additional administrators on Azure AD Joined devices** setting on the Azure portal.
|
||||||
* Local accounts that already exist on a PC won’t be deleted when turning on shared PC mode. However, any new local accounts created by the **Start without an account** selection on the sign-in screen (if enabled) will automatically be deleted at sign-out.
|
* Local accounts that already exist on a PC won’t be deleted when turning on shared PC mode. New local accounts that are created using **Settings > Accounts > Other people > Add someone else to this PC** after shared PC mode is turned on won't be deleted. However, any new local accounts created by the **Start without an account** selection on the sign-in screen (if enabled) will automatically be deleted at sign-out.
|
||||||
* If admin accounts are necessary on the PC
|
* If admin accounts are necessary on the PC
|
||||||
* Ensure the PC is joined to a domain that enables accounts to be signed on as admin, or
|
* Ensure the PC is joined to a domain that enables accounts to be signed on as admin, or
|
||||||
* Create admin accounts before setting up shared PC mode, or
|
* Create admin accounts before setting up shared PC mode, or
|
||||||
* Create exempt accounts before signing out.
|
* Create exempt accounts before signing out when turning shared pc mode on.
|
||||||
* The account management service supports accounts that are exempt from deletion.
|
* The account management service supports accounts that are exempt from deletion.
|
||||||
* An account can be marked exempt from deletion by adding the account SID to the `HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\` registry key.
|
* An account can be marked exempt from deletion by adding the account SID to the `HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\` registry key.
|
||||||
* To add the account SID to the registry key using PowerShell:
|
* To add the account SID to the registry key using PowerShell:<br/>
|
||||||
```
|
```
|
||||||
$adminName = "LocalAdmin"
|
$adminName = "LocalAdmin"
|
||||||
$adminPass = 'Pa$$word123'
|
$adminPass = 'Pa$$word123'
|
||||||
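Review bot: the PowerShell sample that begins in this hunk hard-codes a plaintext administrator password (`$adminPass = 'Pa$$word123'`) in published documentation; sample credentials get copied verbatim, so replace it with an obvious placeholder or read it at run time with `Read-Host -AsSecureString`, with a comment that the value must be chosen by the administrator. The registry path in the bullet above the sample, `HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\`, is misspelled (`SOFTARE`) and disagrees with the `HKLM:\Software\...` path the script itself uses in the next hunk; that context line is unchanged here, but since this hunk edits the surrounding bullets it is the place to fix it. Also: the `<br/>` appended to "To add the account SID to the registry key using PowerShell:" is unnecessary before a fenced block, the fence has no language tag (`powershell` would enable highlighting), and "shared pc mode" in the exempt-accounts bullet should match the "shared PC mode" capitalization used elsewhere in the topic.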
@ -136,142 +192,85 @@ On a desktop computer, navigate to **Settings** > **Accounts** > **Work ac
|
|||||||
New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\$sid" -Force
|
New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\$sid" -Force
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
## Policies set by shared PC mode
|
## Policies set by shared PC mode
|
||||||
|
Shared PC mode sets local group policies to configure the device. Some of these are configurable using the shared pc mode options.
|
||||||
|
|
||||||
> **Important**: It is not recommended to set additional policies on PCs configured for **Shared PC Mode**. The shared PC mode has been optimized to be fast and reliable over time with minimal to no manual maintenance required.
|
> **Important**: It is not recommended to set additional policies on PCs configured for **Shared PC Mode**. The shared PC mode has been optimized to be fast and reliable over time with minimal to no manual maintenance required.
|
||||||
|
|
||||||
<table border="1">
|
<table border="1">
|
||||||
<thead><tr><th colspan="2"><p>Policy path</p></th></tr>
|
|
||||||
<tr><th><p>Policy name</p></th><th><p>Value</p></th>
|
<tr><th><p>Policy name</p></th><th><p>Value</p></th><th><p>When set?</p></th></tr> </thead>
|
||||||
</tr> </thead>
|
|
||||||
<tbody>
|
<tbody>
|
||||||
<tr><td colspan="2"><p><strong>Admin Templates</strong> > <strong>Control Panel</strong> > <strong>Personalization</strong></p></td>
|
<tr><td colspan="3"><p><strong>Admin Templates</strong> > <strong>Control Panel</strong> > <strong>Personalization</strong></p></td></tr>
|
||||||
|
<tr><td><p>Prevent enabling lock screen slide show</p></td><td><p>Enabled</p></td><td><p>Always</p></td></tr>
|
||||||
|
<tr><td><p>Prevent changing lock screen and logon image</p></td><td><p>Enabled</p></td><td><p>Always</p></td></tr>
|
||||||
|
<tr><td colspan="3"><p><strong>Admin Templates</strong> > <strong>System</strong> > <strong>Power Management</strong> > <strong>Button Settings</strong></p></td></tr>
|
||||||
|
<tr><td><p>Select the Power button action (plugged in)</p></td><td><p>Sleep</p></td><td><p>SetPowerPolicies=True</p></td></tr>
|
||||||
|
<tr><td><p>Select the Power button action (on battery)</p></td><td><p>Sleep</p></td><td><p>SetPowerPolicies=True</p></td></tr>
|
||||||
|
<tr><td><p>Select the Sleep button action (plugged in)</p></td><td><p>Sleep</p></td><td><p>SetPowerPolicies=True</p></td></tr>
|
||||||
|
<tr><td><p>Select the lid switch action (plugged in)</p></td><td><p>Sleep</p></td><td><p>SetPowerPolicies=True</p></td></tr>
|
||||||
|
<tr><td><p>Select the lid switch action (on battery)</p></td><td><p>Sleep</p></td><td><p>SetPowerPolicies=True</p></td></tr>
|
||||||
|
<tr><td colspan="3"><p><strong>Admin Templates</strong> > <strong>System</strong> > <strong>Power Management</strong> > <strong>Sleep Settings</strong></p></td></tr>
|
||||||
|
<tr><td><p>Require a password when a computer wakes (plugged in)</p></td><td><p>Enabled</p></td><td><p>SignInOnResume=True</p></td></tr>
|
||||||
|
<tr><td><p>Require a password when a computer wakes (on battery)</p></td><td><p>Enabled</p></td><td><p>SignInOnResume=True</p></td></tr>
|
||||||
|
<tr><td><p>Specify the system sleep timeout (plugged in)</p></td><td><p>*SleepTimeout*</p></td><td><p>SetPowerPolicies=True</p></td></tr>
|
||||||
|
<tr><td><p>Specify the system sleep timeout (on battery)</p></td><td><p>*SleepTimeout*</p></td><td><p>SetPowerPolicies=True</p></td></tr>
|
||||||
|
<tr> <td> <p>Turn off hybrid sleep (plugged in)</p></td> <td> <p>Enabled</p></td><td><p>SetPowerPolicies=True</p></td></tr>
|
||||||
|
<tr> <td> <p>Turn off hybrid sleep (on battery)</p></td> <td> <p>Enabled</p></td><td><p>SetPowerPolicies=True</p></td></tr>
|
||||||
|
<tr> <td> <p>Specify the unattended sleep timeout (plugged in)</p></td> <td> <p>*SleepTimeout*</p> </td><td><p>SetPowerPolicies=True</p></td></tr>
|
||||||
|
<tr> <td> <p>Specify the unattended sleep timeout (on battery)</p></td> <td> <p>*SleepTimeout*</p> </td><td><p>SetPowerPolicies=True</p></td></tr>
|
||||||
|
<tr> <td> <p>Allow standby states (S1-S3) when sleeping (plugged in)</p></td> <td> <p>Enabled</p></td><td><p>SetPowerPolicies=True</p></td></tr>
|
||||||
|
<tr> <td> <p>Allow standby states (S1-S3) when sleeping (on battery)</p></td> <td> <p>Enabled</p></td> <td><p>SetPowerPolicies=True</p></td></tr>
|
||||||
|
<tr> <td> <p>Specify the system hibernate timeout (plugged in)</p></td> <td> <p>Enabled, 0</p></td><td><p>SetPowerPolicies=True</p></td></tr>
|
||||||
|
<tr> <td> <p>Specify the system hibernate timeout (on battery)</p></td> <td> <p>Enabled, 0</p></td><td><p>SetPowerPolicies=True</p></td></tr>
|
||||||
|
<tr> <td colspan="3"> <p><strong>Admin Templates</strong>><strong>System</strong>><strong>Power Management</strong>><strong>Video and Display Settings</strong></p></td></tr>
|
||||||
|
<tr> <td> <p>Turn off the display (plugged in)</p></td> <td> <p>*SleepTimeout*</p> </td></td><td><p>SetPowerPolicies=True</p></td></tr>
|
||||||
|
<tr> <td> <p>Turn off the display (on battery</p></td> <td> <p>*SleepTimeout*</p> </td></td><td><p>SetPowerPolicies=True</p></td></tr>
|
||||||
|
<tr> <td colspan="3"> <p><strong>Admin Templates</strong>><strong>System</strong>><strong>Logon</strong></p></td></tr>
|
||||||
|
<tr> <td> <p>Show first sign-in animation</p></td> <td> <p>Disabled</p></td><td><p>Always</p></td></tr>
|
||||||
|
<tr> <td> <p>Hide entry points for Fast User Switching</p></td> <td> <p>Enabled</p></td><td><p>Always</p></td></tr>
|
||||||
|
<tr> <td> <p>Turn on convenience PIN sign-in</p></td> <td> <p>Disabled</p></td><td><p>Always</p></td></tr>
|
||||||
|
<tr> <td> <p>Turn off picture password sign-in</p></td> <td> <p>Enabled</p></td><td><p>Always</p></td></tr>
|
||||||
|
<tr> <td> <p>Turn off app notification on the lock screen</p></td> <td> <p>Enabled</p></td><td><p>Always</p></td></tr>
|
||||||
|
<tr> <td> <p>Allow users to select when a password is required when resuming from connected standby</p></td> <td> <p>Disabled</p></td><td><p>SignInOnResume=True</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr><td><p>Prevent enabling lock screen slide show</p></td><td><p>Enabled</p></td>
|
<tr> <td> <p>Block user from showing account details on sign-in</p></td> <td> <p>Enabled</p></td><td><p>Always</p></td></tr>
|
||||||
|
<tr> <td colspan="3"> <p><strong>Admin Templates</strong>><strong>System</strong>><strong>User Profiles</strong></p></td></tr>
|
||||||
|
<tr> <td> <p>Turn off the advertising ID</p></td> <td> <p>Enabled</p></td><td><p>SetEduPolicies=True</p></td></tr>
|
||||||
|
<tr> <td colspan="3"> <p><strong>Admin Templates</strong>><strong>Windows Components </strong></p></td></tr>
|
||||||
|
<tr> <td> <p>Do not show Windows Tips </p>*Only on Pro, Enterprise, and Education* </td> <td> <p>Enabled</p></td><td><p>SetEduPolicies=True</p></td></tr>
|
||||||
|
<tr> <td> <p>Turn off Microsoft consumer experiences </p>*Only on Pro, Enterprise, and Education* </td> <td> <p>Enabled</p></td><td><p>SetEduPolicies=True</p></td></tr>
|
||||||
|
<tr> <td> <p>Microsoft Passport for Work</p></td> <td> <p>Disabled</p></td><td><p>Always</p></td></tr>
|
||||||
|
<tr> <td> <p>Prevent the usage of OneDrive for file storage</p></td> <td> <p>Enabled</p></td><td><p>Always</p></td></tr>
|
||||||
|
<tr> <td colspan="3"> <p><strong>Admin Templates</strong>><strong>Windows Components</strong>><strong>Biometrics</strong></p></td></tr>
|
||||||
|
<tr> <td> <p>Allow the use of biometrics</p></td> <td> <p>Disabled</p></td><td><p>Always</p></td></tr>
|
||||||
|
<tr> <td> <p>Allow users to log on using biometrics</p></td> <td> <p>Disabled</p></td><td><p>Always</p></td></tr>
|
||||||
|
<tr> <td> <p>Allow domain users to log on using biometrics</p></td> <td> <p>Disabled</p></td><td><p>Always</p></td></tr>
|
||||||
|
<tr> <td colspan="3"> <p><strong>Admin Templates</strong>><strong>Windows Components</strong>><strong>Data Collection and Preview Builds</strong></p></td></tr>
|
||||||
|
<tr> <td> <p>Toggle user control over Insider builds</p></td> <td> <p>Disabled</p></td><td><p>Always</p></td></tr>
|
||||||
|
<tr> <td> <p>Disable pre-release features or settings</p></td> <td> <p>Disabled</p></td><td><p>Always</p></td></tr>
|
||||||
|
<tr> <td> <p>Do not show feedback notifications</p></td> <td> <p>Enabled</p></td><td><p>Always</p></td></tr>
|
||||||
|
<tr> <td colspan="3"> <p><strong>Admin Templates</strong>><strong>Windows Components</strong>><strong>File Explorer</strong></p></td></tr>
|
||||||
|
<tr> <td> <p>Show lock in the user tile menu</p></td> <td> <p>Disabled</p></td><td><p>Always</p></td></tr>
|
||||||
|
<tr> <td colspan="3"> <p><strong>Admin Templates</strong>><strong>Windows Components</strong>><strong>Maintenance Scheduler</strong></p></td></tr>
|
||||||
|
<tr> <td> <p>Automatic Maintenance Activation Boundary</p></td> <td> <p>*MaintenanceStartTime*</p></td><td><p>Always</p></td></tr>
|
||||||
|
<tr> <td> <p>Automatic Maintenance Random Delay</p></td> <td> <p>Enabled, 2 hours</p></td><td><p>Always</p></td></tr>
|
||||||
|
<tr> <td> <p>Automatic Maintenance WakeUp Policy</p></td> <td> <p>Enabled</p></td><td><p>Always</p></td></tr>
|
||||||
|
<tr> <td colspan="3"> <p><strong>Admin Templates</strong>><strong>Windows Components</strong>><strong>Microsoft Edge</strong></p></td></tr>
|
||||||
|
<tr> <td> <p>Open a new tab with an empty tab</p></td> <td> <p>Disabled</p></td><td><p>SetEduPolicies=True</p></td></tr>
|
||||||
|
<tr> <td> <p>Configure corporate home pages</p></td> <td> <p>Enabled, about:blank</p></td><td><p>SetEduPolicies=True</p></td></tr>
|
||||||
|
<tr> <td colspan="3"> <p><strong>Admin Templates</strong>><strong>Windows Components</strong>><strong>Search</strong></p></td></tr>
|
||||||
|
<tr> <td> <p>Allow Cortana</p> </td> <td> <p>Disabled</p> </td><td><p>SetEduPolicies=True</p></td></tr>
|
||||||
|
<tr> <td colspan="3"> <p><strong>Windows Settings</strong>><strong>Security Settings</strong>><strong>Local Policies</strong>><strong>Security Options</strong></p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr><td><p>Prevent changing lock screen and logon image</p></td><td><p>Enabled</p></td>
|
<tr> <td> <p>Interactive logon: Do not display last user name</p> </td> <td> <p>Enabled, Disabled when account model is only guest</p> </td><td><p>Always</p></td></tr>
|
||||||
</tr>
|
<tr> <td> <p>Interactive logon: Sign-in last interactive user automatically after a system-initiated restart</p> </td> <td> <p>Disabled</p> </td> <td><p>Always</p></td>
|
||||||
<tr><td colspan="2"><p><strong>Admin Templates</strong> > <strong>System</strong> > <strong>Power Management</strong> > <strong>Button Settings</strong></p></td>
|
|
||||||
</tr>
|
|
||||||
<tr><td><p>Select the Power button action (plugged in)</p></td><td><p>Sleep</p></td>
|
|
||||||
</tr>
|
|
||||||
<tr><td><p>Select the Power button action (on battery)</p></td><td><p>Sleep</p></td>
|
|
||||||
</tr>
|
|
||||||
<tr><td><p>Select the Sleep button action (plugged in)</p></td><td><p>Sleep</p></td>
|
|
||||||
</tr>
|
|
||||||
<tr><td><p>Select the lid switch action (plugged in)</p></td><td><p>Sleep</p></td>
|
|
||||||
</tr>
|
|
||||||
<tr><td><p>Select the lid switch action (on battery)</p></td><td><p>Sleep</p></td>
|
|
||||||
</tr>
|
|
||||||
<tr><td colspan="2"><p><strong>Admin Templates</strong> > <strong>System</strong> > <strong>Power Management</strong> > <strong>Sleep Settings</strong></p></td>
|
|
||||||
</tr>
|
|
||||||
<tr><td><p>Require a password when a computer wakes (plugged in)</p></td><td><p>Enabled</p></td>
|
|
||||||
</tr>
|
|
||||||
<tr><td><p>Require a password when a computer wakes (on battery)</p></td><td><p>Enabled</p></td>
|
|
||||||
</tr>
|
|
||||||
<tr><td><p>Specify the system sleep timeout (plugged in)</p></td><td><p>1 hour</p></td>
|
|
||||||
</tr>
|
|
||||||
<tr><td><p>Specify the system sleep timeout (on battery)</p></td><td><p>1 hour</p></td>
|
|
||||||
</tr>
|
|
||||||
<tr> <td> <p> Turn off hybrid sleep (plugged in) </p> </td> <td> <p> Enabled </p> </td>
|
|
||||||
</tr>
|
|
||||||
<tr> <td> <p> Turn off hybrid sleep (on battery) </p> </td> <td> <p> Enabled </p> </td>
|
|
||||||
</tr>
|
|
||||||
<tr> <td> <p> Specify the unattended sleep timeout (plugged in) </p> </td> <td> <p> 1 hour </p> </td>
|
|
||||||
</tr>
|
|
||||||
<tr> <td> <p> Specify the unattended sleep timeout (on battery) </p> </td> <td> <p> 1 hour </p> </td>
|
|
||||||
</tr>
|
|
||||||
<tr> <td> <p> Allow standby states (S1-S3) when sleeping (plugged in) </p> </td> <td> <p> Enabled </p> </td>
|
|
||||||
</tr>
|
|
||||||
<tr> <td> <p> Allow standby states (S1-S3) when sleeping (on battery) </p> </td> <td> <p> Enabled </p> </td>
|
|
||||||
</tr>
|
|
||||||
<tr> <td> <p> Specify the system hibernate timeout (plugged in) </p> </td> <td> <p> Enabled, 0 </p> </td>
|
|
||||||
</tr>
|
|
||||||
<tr> <td> <p> Specify the system hibernate timeout (on battery) </p> </td> <td> <p> Enabled, 0 </p> </td>
|
|
||||||
</tr>
|
|
||||||
<tr> <td colspan="2"> <p> <strong>Admin Templates</strong>><strong>System</strong>><strong>Power Management</strong>><strong>Video and Display Settings</strong> </p> </td> </tr>
|
|
||||||
<tr> <td> <p> Turn off the display (plugged in) </p> </td> <td> <p> 1 hour </p> </td>
|
|
||||||
</tr>
|
|
||||||
<tr> <td> <p> Turn off the display (on battery </p> </td> <td> <p> 1 hour </p> </td>
|
|
||||||
</tr>
|
|
||||||
<tr> <td colspan="2"> <p> <strong>Admin Templates</strong>><strong>System</strong>><strong>Logon</strong> </p> </td>
|
|
||||||
</tr>
|
|
||||||
<tr> <td> <p> Show first sign-in animation </p> </td> <td> <p> Disabled </p> </td>
|
|
||||||
</tr>
|
|
||||||
<tr> <td> <p> Hide entry points for Fast User Switching </p> </td> <td> <p> Enabled </p> </td>
|
|
||||||
</tr>
|
|
||||||
<tr> <td> <p> Turn on convenience PIN sign-in </p> </td> <td> <p> Disabled </p> </td>
|
|
||||||
</tr>
|
|
||||||
<tr> <td> <p> Turn off picture password sign-in </p> </td> <td> <p> Enabled </p> </td>
|
|
||||||
</tr>
|
|
||||||
<tr> <td> <p> Turn off app notification on the lock screen </p> </td> <td> <p> Enabled </p> </td>
|
|
||||||
</tr>
|
|
||||||
<tr> <td> <p> Allow users to select when a password is required when resuming from connected standby </p> </td> <td> <p> Disabled </p> </td>
|
|
||||||
</tr>
|
|
||||||
<tr> <td> <p> Block user from showing account details on sign-in </p> </td> <td> <p> Enabled </p> </td>
|
|
||||||
</tr>
|
|
||||||
<tr> <td colspan="2"> <p> <strong>Admin Templates</strong>><strong>System</strong>><strong>User Profiles</strong> </p> </td>
|
|
||||||
</tr>
|
|
||||||
<tr> <td> <p> Turn off the advertising ID </p> </td> <td> <p> Enabled </p> </td>
|
|
||||||
</tr>
|
|
||||||
<tr> <td colspan="2"> <p> <strong>Admin Templates</strong>><strong>Windows Components </strong> </p> </td>
|
|
||||||
</tr>
|
|
||||||
<tr> <td> <p> Do not show Windows Tips </p> </td> <td> <p> Enabled </p> </td>
|
|
||||||
</tr>
|
|
||||||
<tr> <td> <p> Turn off Microsoft consumer experiences </p> </td> <td> <p> Enabled </p> </td>
|
|
||||||
</tr>
|
|
||||||
<tr> <td> <p> Microsoft Passport for Work </p> </td> <td> <p> Disabled </p> </td>
|
|
||||||
</tr>
|
|
||||||
<tr> <td> <p> Prevent the usage of OneDrive for file storage </p> </td> <td> <p> Enabled </p> </td>
|
|
||||||
</tr>
|
|
||||||
<tr> <td colspan="2"> <p> <strong>Admin Templates</strong>><strong>Windows Components</strong>><strong>Biometrics</strong> </p> </td>
|
|
||||||
</tr>
|
|
||||||
<tr> <td> <p> Allow the use of biometrics </p> </td> <td> <p> Disabled </p> </td>
|
|
||||||
</tr>
|
|
||||||
<tr> <td> <p> Allow users to log on using biometrics </p> </td> <td> <p> Disabled </p> </td>
|
|
||||||
</tr>
|
|
||||||
<tr> <td> <p> Allow domain users to log on using biometrics </p> </td> <td> <p> Disabled </p> </td>
|
|
||||||
</tr>
|
|
||||||
<tr> <td colspan="2"> <p> <strong>Admin Templates</strong>><strong>Windows Components</strong>><strong>Data Collection and Preview Builds</strong> </p> </td>
|
|
||||||
</tr>
|
|
||||||
<tr> <td> <p> Toggle user control over Insider builds </p> </td> <td> <p> Disabled </p> </td>
|
|
||||||
</tr>
|
|
||||||
<tr> <td> <p> Disable pre-release features or settings </p> </td> <td> <p> Disabled </p> </td>
|
|
||||||
</tr>
|
|
||||||
<tr> <td> <p> Do not show feedback notifications </p> </td> <td> <p> Enabled </p> </td>
|
|
||||||
</tr>
|
|
||||||
<tr> <td colspan="2"> <p> <strong>Admin Templates</strong>><strong>Windows Components</strong>><strong>File Explorer</strong> </p> </td>
|
|
||||||
</tr>
|
|
||||||
<tr> <td> <p> Show lock in the user tile menu </p> </td> <td> <p> Disabled </p> </td>
|
|
||||||
</tr>
|
|
||||||
<tr> <td colspan="2"> <p> <strong>Admin Templates</strong>><strong>Windows Components</strong>><strong>Maintenance Scheduler</strong> </p> </td>
|
|
||||||
</tr>
|
|
||||||
<tr> <td> <p> Automatic Maintenance Activation Boundary </p> </td> <td> <p> 12am </p> </td>
|
|
||||||
</tr>
|
|
||||||
<tr> <td> <p> Automatic Maintenance Random Delay </p> </td> <td> <p> Enabled, 2 hours </p> </td>
|
|
||||||
</tr>
|
|
||||||
<tr> <td> <p> Automatic Maintenance WakeUp Policy </p> </td> <td> <p> Enabled </p> </td>
|
|
||||||
</tr>
|
|
||||||
<tr> <td colspan="2"> <p> <strong>Admin Templates</strong>><strong>Windows Components</strong>><strong>Microsoft Edge</strong> </p> </td>
|
|
||||||
</tr>
|
|
||||||
<tr> <td> <p> Open a new tab with an empty tab </p> </td> <td> <p> Disabled </p> </td>
|
|
||||||
</tr>
|
|
||||||
<tr> <td> <p> Configure corporate home pages </p> </td> <td> <p> Enabled, about:blank </p> </td>
|
|
||||||
</tr>
|
|
||||||
<tr> <td colspan="2"> <p> <strong>Admin Templates</strong>><strong>Windows Components</strong>><strong>Search</strong> </p> </td>
|
|
||||||
</tr>
|
|
||||||
<tr> <td> <p> Allow Cortana </p> </td> <td> <p> Disabled </p> </td>
|
|
||||||
</tr>
|
|
||||||
<tr> <td colspan="2"> <p> <strong>Windows Settings</strong>><strong>Security Settings</strong>><strong>Local Policies</strong>><strong>Security Options</strong> </p> </td>
|
|
||||||
</tr>
|
|
||||||
<tr> <td> <p> Interactive logon: Do not display last user name </p> </td> <td> <p> Enabled </p> </td>
|
|
||||||
</tr>
|
|
||||||
<tr> <td> <p> Interactive logon: Sign-in last interactive user automatically after a system-initiated restart </p> </td> <td> <p> Disabled </p> </td>
|
|
||||||
</tr>
|
|
||||||
<tr> <td> <p> Shutdown: Allow system to be shut down without having to log on </p> </td> <td> <p> Disabled </p> </td>
|
|
||||||
</tr>
|
|
||||||
<tr> <td> <p> User Account Control: Behavior of the elevation prompt for standard users </p> </td> <td> <p> Auto deny </p> </td>
|
|
||||||
</tr>
|
</tr>
|
||||||
|
<tr> <td> <p>Shutdown: Allow system to be shut down without having to log on</p> </td> <td> <p>Disabled</p> </td><td><p>Always</p></td></tr>
|
||||||
|
<tr> <td> <p>User Account Control: Behavior of the elevation prompt for standard users</p> </td> <td> <p>Auto deny</p> </td><td><p>Always</p></td></tr>
|
||||||
</tbody>
|
</tbody>
|
||||||
</table> </br></br>
|
</table> </br></br>
|
||||||
|
|
||||||
|
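Review bot: the two new "Turn off the display" rows under Video and Display Settings each carry a stray extra closing tag, `</td></td><td><p>SetPowerPolicies=True</p></td>`, which leaves the table HTML malformed; drop the duplicate `</td>`, and while there, add the missing closing parenthesis in `Turn off the display (on battery`. The new "When set?" column is a useful addition for an administrator, because it separates the lock-screen, sign-in and power policies that are applied unconditionally from those that depend on a flag such as `SignInOnResume=True`; but the value `Enabled, Disabled when account model is only guest` for "Interactive logon: Do not display last user name" puts a condition in the Value column while its "When set?" cell says `Always`, so the guest-only condition belongs in the "When set?" cell. Two smaller points: the Markdown emphasis used for placeholders like `*SleepTimeout*` and for `*Only on Pro, Enterprise, and Education*` sits inside raw HTML table cells, where Markdown may not be processed, so `<em>` is safer there; and the carried-over `</table> </br></br>` uses `</br>`, which is not a valid tag (`<br/>` is).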
@ -83,13 +83,13 @@ Microsoft Passport lets users authenticate to a Microsoft account, an Active Dir
|
|||||||
|
|
||||||
- The [WindowsSecurityAuditing](http://go.microsoft.com/fwlink/p/?LinkId=690517) and [Reporting](http://go.microsoft.com/fwlink/p/?LinkId=690525) configuration service providers allow you to add security audit policies to mobile devices.
|
- The [WindowsSecurityAuditing](http://go.microsoft.com/fwlink/p/?LinkId=690517) and [Reporting](http://go.microsoft.com/fwlink/p/?LinkId=690525) configuration service providers allow you to add security audit policies to mobile devices.
|
||||||
|
|
||||||
## New features in Windows 10, version 1507
|
#### New features in Windows 10, version 1507
|
||||||
|
|
||||||
In Windows 10, security auditing has added some improvements:
|
In Windows 10, security auditing has added some improvements:
|
||||||
- [New audit subcategories](#bkmk-auditsubcat)
|
- [New audit subcategories](#bkmk-auditsubcat)
|
||||||
- [More info added to existing audit events](#bkmk-moreinfo)
|
- [More info added to existing audit events](#bkmk-moreinfo)
|
||||||
|
|
||||||
### <a href="" id="bkmk-auditsubcat"></a>New audit subcategories
|
##### <a href="" id="bkmk-auditsubcat"></a>New audit subcategories
|
||||||
|
|
||||||
In Windows 10, two new audit subcategories were added to the Advanced Audit Policy Configuration to provide greater granularity in audit events:
|
In Windows 10, two new audit subcategories were added to the Advanced Audit Policy Configuration to provide greater granularity in audit events:
|
||||||
- [Audit Group Membership](../keep-secure/audit-group-membership.md) Found in the Logon/Logoff audit category, the Audit Group Membership subcategory allows you to audit the group membership information in a user's logon token. Events in this subcategory are generated when group memberships are enumerated or queried on the PC where the logon session was created. For an interactive logon, the security audit event is generated on the PC that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the PC hosting the resource.
|
- [Audit Group Membership](../keep-secure/audit-group-membership.md) Found in the Logon/Logoff audit category, the Audit Group Membership subcategory allows you to audit the group membership information in a user's logon token. Events in this subcategory are generated when group memberships are enumerated or queried on the PC where the logon session was created. For an interactive logon, the security audit event is generated on the PC that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the PC hosting the resource.
|
||||||
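Review bot: this hunk demotes `## New features in Windows 10, version 1507` to `####` and its `### New audit subcategories` subsection to `#####`; please confirm that the enclosing section heading in this file sits at `###` level, otherwise the jump from `##` to `####` skips a level and breaks the generated TOC and heading outline. The same two-level demotion pattern applies to the remaining headings in this file, so one check of the parent heading covers them all.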
@ -98,7 +98,7 @@ In Windows 10, two new audit subcategories were added to the Advanced Audit Pol
|
|||||||
Only Success audits are recorded for this category. If you do not configure this policy setting, no audit event is generated when an external device is detected by plug and play.
|
Only Success audits are recorded for this category. If you do not configure this policy setting, no audit event is generated when an external device is detected by plug and play.
|
||||||
A PnP audit event can be used to track down changes in system hardware and will be logged on the PC where the change took place. A list of hardware vendor IDs are included in the event.
|
A PnP audit event can be used to track down changes in system hardware and will be logged on the PC where the change took place. A list of hardware vendor IDs are included in the event.
|
||||||
|
|
||||||
### <a href="" id="bkmk-moreinfo"></a>More info added to existing audit events
|
##### <a href="" id="bkmk-moreinfo"></a>More info added to existing audit events
|
||||||
|
|
||||||
With Windows 10, version 1507, we've added more info to existing audit events to make it easier for you to put together a full audit trail and come away with the information you need to protect your enterprise. Improvements were made to the following audit events:
|
With Windows 10, version 1507, we've added more info to existing audit events to make it easier for you to put together a full audit trail and come away with the information you need to protect your enterprise. Improvements were made to the following audit events:
|
||||||
- [Changed the kernel default audit policy](#bkmk-kdal)
|
- [Changed the kernel default audit policy](#bkmk-kdal)
|
||||||
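Review bot: grammar in the unchanged context line `A list of hardware vendor IDs are included in the event`: the subject is "a list", so it should read `is included`. The `###` to `#####` change for "More info added to existing audit events" also needs the enclosing heading to be at `###` level to avoid skipping a level in the outline.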
@ -109,16 +109,16 @@ With Windows 10, version 1507, we've added more info to existing audit events t
|
|||||||
- [Added new BCD events](#bkmk-bcd)
|
- [Added new BCD events](#bkmk-bcd)
|
||||||
- [Added new PNP events](#bkmk-pnp)
|
- [Added new PNP events](#bkmk-pnp)
|
||||||
|
|
||||||
### <a href="" id="bkmk-kdal"></a>Changed the kernel default audit policy
|
##### <a href="" id="bkmk-kdal"></a>Changed the kernel default audit policy
|
||||||
|
|
||||||
In previous releases, the kernel depended on the Local Security Authority (LSA) to retrieve info in some of its events. In Windows 10, the process creation events audit policy is automatically enabled until an actual audit policy is received from LSA. This results in better auditing of services that may start before LSA starts.
|
In previous releases, the kernel depended on the Local Security Authority (LSA) to retrieve info in some of its events. In Windows 10, the process creation events audit policy is automatically enabled until an actual audit policy is received from LSA. This results in better auditing of services that may start before LSA starts.
|
||||||
|
|
||||||
### <a href="" id="bkmk-lsass"></a>Added a default process SACL to LSASS.exe
|
##### <a href="" id="bkmk-lsass"></a>Added a default process SACL to LSASS.exe
|
||||||
|
|
||||||
In Windows 10, a default process SACL was added to LSASS.exe to log processes attempting to access LSASS.exe. The SACL is L"S:(AU;SAFA;0x0010;;;WD)". You can enable this under **Advanced Audit Policy Configuration\\Object Access\\Audit Kernel Object**.
|
In Windows 10, a default process SACL was added to LSASS.exe to log processes attempting to access LSASS.exe. The SACL is L"S:(AU;SAFA;0x0010;;;WD)". You can enable this under **Advanced Audit Policy Configuration\\Object Access\\Audit Kernel Object**.
|
||||||
This can help identify attacks that steal credentials from the memory of a process.
|
This can help identify attacks that steal credentials from the memory of a process.
|
||||||
|
|
||||||
### <a href="" id="bkmk-logon"></a>New fields in the logon event
|
##### <a href="" id="bkmk-logon"></a>New fields in the logon event
|
||||||
|
|
||||||
The logon event ID 4624 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4624:
|
The logon event ID 4624 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4624:
|
||||||
1. **MachineLogon** String: yes or no
|
1. **MachineLogon** String: yes or no
|
||||||
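Review bot: the SACL in the LSASS paragraph is shown as `L"S:(AU;SAFA;0x0010;;;WD)"`, where the `L"..."` is a C/C++ wide-string literal prefix that leaked in from source code and is not part of the SDDL; readers should see `S:(AU;SAFA;0x0010;;;WD)` on its own. Since the paragraph's purpose is to help identify credential theft from LSASS memory, it would also help defenders to name the audit event the rule produces once Audit Kernel Object is enabled, as the text currently says where to turn the auditing on but not what to look for in the log. In the 4624 paragraph, `to make them easier to analyze` should read `to make it easier to analyze`.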
@ -136,7 +136,7 @@ The logon event ID 4624 has been updated to include more verbose information to
|
|||||||
If the user logs into the PC in restricted admin mode with Remote Desktop, this field will be yes.
|
If the user logs into the PC in restricted admin mode with Remote Desktop, this field will be yes.
|
||||||
For more info on restricted admin mode, see [Restricted Admin mode for RDP](http://blogs.technet.com/b/kfalde/archive/2013/08/14/restricted-admin-mode-for-rdp-in-windows-8-1-2012-r2.aspx).
|
For more info on restricted admin mode, see [Restricted Admin mode for RDP](http://blogs.technet.com/b/kfalde/archive/2013/08/14/restricted-admin-mode-for-rdp-in-windows-8-1-2012-r2.aspx).
|
||||||
|
|
||||||
### <a href="" id="bkmk-process"></a>New fields in the process creation event
|
##### <a href="" id="bkmk-process"></a>New fields in the process creation event
|
||||||
|
|
||||||
The logon event ID 4688 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4688:
|
The logon event ID 4688 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4688:
|
||||||
1. **TargetUserSid** String
|
1. **TargetUserSid** String
|
||||||
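Review bot: the paragraph under `New fields in the process creation event` opens with `The logon event ID 4688 has been updated`, but 4688 is the process creation event this heading describes, not a logon event (the logon event is 4624, covered in the section just above); the sentence was evidently copied from that section and should read `The process creation event ID 4688 has been updated`. As in the 4624 paragraph, `to make them easier to analyze` should be `to make it easier to analyze`.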
@ -152,7 +152,7 @@ The logon event ID 4688 has been updated to include more verbose information to
|
|||||||
6. **ParentProcessId** String
|
6. **ParentProcessId** String
|
||||||
A pointer to the actual parent process if it's different from the creator process.
|
A pointer to the actual parent process if it's different from the creator process.
|
||||||
|
|
||||||
### <a href="" id="bkmk-sam"></a>New Security Account Manager events
|
##### <a href="" id="bkmk-sam"></a>New Security Account Manager events
|
||||||
|
|
||||||
In Windows 10, new SAM events were added to cover SAM APIs that perform read/query operations. In previous versions of Windows, only write operations were audited. The new events are event ID 4798 and event ID 4799. The following APIs are now audited:
|
In Windows 10, new SAM events were added to cover SAM APIs that perform read/query operations. In previous versions of Windows, only write operations were audited. The new events are event ID 4798 and event ID 4799. The following APIs are now audited:
|
||||||
- SamrEnumerateGroupsInDomain
|
- SamrEnumerateGroupsInDomain
|
||||||
@ -168,7 +168,7 @@ In Windows 10, new SAM events were added to cover SAM APIs that perform read/qu
|
|||||||
- SamrGetMembersInAlias
|
- SamrGetMembersInAlias
|
||||||
- SamrGetUserDomainPasswordInformation
|
- SamrGetUserDomainPasswordInformation
|
||||||
|
|
||||||
### <a href="" id="bkmk-bcd"></a>New BCD events
|
##### <a href="" id="bkmk-bcd"></a>New BCD events
|
||||||
|
|
||||||
Event ID 4826 has been added to track the following changes to the Boot Configuration Database (BCD):
|
Event ID 4826 has been added to track the following changes to the Boot Configuration Database (BCD):
|
||||||
- DEP/NEX settings
|
- DEP/NEX settings
|
||||||
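Review bot: the first list item under `New BCD events` reads `DEP/NEX settings`; if this refers to Data Execution Prevention's no-execute setting, the usual abbreviation is `DEP/NX`, so please confirm the term while this heading is being touched. The heading change from `###` to `#####` again depends on the enclosing heading being at `###` level.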
@ -179,7 +179,7 @@ Event ID 4826 has been added to track the following changes to the Boot Configur
|
|||||||
- Integrity Services
|
- Integrity Services
|
||||||
- Disable Winload debugging menu
|
- Disable Winload debugging menu
|
||||||
|
|
||||||
### <a href="" id="bkmk-pnp"></a>New PNP events
|
##### <a href="" id="bkmk-pnp"></a>New PNP events
|
||||||
|
|
||||||
Event ID 6416 has been added to track when an external device is detected through Plug and Play. One important scenario is if an external device that contains malware is inserted into a high-value machine that doesn’t expect this type of action, such as a domain controller.
|
Event ID 6416 has been added to track when an external device is detected through Plug and Play. One important scenario is if an external device that contains malware is inserted into a high-value machine that doesn’t expect this type of action, such as a domain controller.
|
||||||
|
|
||||||
@ -199,7 +199,7 @@ The following sections describe the new and changed functionality in the TPM for
|
|||||||
- [Device Guard](device-guard-overview.md) support
|
- [Device Guard](device-guard-overview.md) support
|
||||||
- [Credential Guard](../keep-secure/credential-guard.md) support
|
- [Credential Guard](../keep-secure/credential-guard.md) support
|
||||||
|
|
||||||
## <a href="" id="bkmk-dha"></a>Device health attestation
|
### <a href="" id="bkmk-dha"></a>Device health attestation
|
||||||
|
|
||||||
Device health attestation enables enterprises to establish trust based on hardware and software components of a managed device. With device heath attestation, you can configure an MDM server to query a health attestation service that will allow or deny a managed device access to a secure resource.
|
Device health attestation enables enterprises to establish trust based on hardware and software components of a managed device. With device heath attestation, you can configure an MDM server to query a health attestation service that will allow or deny a managed device access to a secure resource.
|
||||||
Some things that you can check on the device are:
|
Some things that you can check on the device are:
|
||||||
|
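Review bot: typo in the unchanged context line `With device heath attestation`, which should read `With device health attestation`. The hunk changes `## Device health attestation` to `###`, so check that the enclosing TPM section heading is at `##` level for a consistent outline.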
@ -43,10 +43,27 @@ Additional changes for Windows Hello in Windows 10, version 1607:
|
|||||||
|
|
||||||
[Learn more about Windows Hello for Business.](../keep-secure/manage-identity-verification-using-microsoft-passport.md)
|
[Learn more about Windows Hello for Business.](../keep-secure/manage-identity-verification-using-microsoft-passport.md)
|
||||||
|
|
||||||
|
### VPN profile options
|
||||||
|
|
||||||
|
User Convenience Features
|
||||||
|
- Name-based Connection Triggering
|
||||||
|
- DA-comparable AutoVPN Configuration
|
||||||
|
Authentication Options
|
||||||
|
- VPN with Phone Sign0in
|
||||||
|
- One Time Password (OTP) Settings Exposed Through the UI
|
||||||
|
Remote Access Integration
|
||||||
|
- Device Compliance Options
|
||||||
|
- Enterprise Data Protection (EDP) Integration
|
||||||
|
Updated Client and Configuration Options
|
||||||
|
- Universal Windows Platform (UWP) VPN Plugins
|
||||||
|
- New VPNv2 CSP Configuration Settings
|
||||||
|
- Microsoft Intune VPN Policy Updates
|
||||||
|
- VPNv2 CSP Configuration using the SCCM/WMI Bridge
|
||||||
|
|
||||||
|
|
||||||
## Management
|
## Management
|
||||||
|
|
||||||
## Use Remote Desktop Connection for PCs joined to Azure Active Directory
|
### Use Remote Desktop Connection for PCs joined to Azure Active Directory
|
||||||
|
|
||||||
From its release, Windows 10 has supported remote connections to PCs that are joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is joined to Azure Active Directory (Azure AD). [Learn about the requirements and supported configurations.](../manage/connect-to-remote-aadj-pc.md)
|
From its release, Windows 10 has supported remote connections to PCs that are joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is joined to Azure Active Directory (Azure AD). [Learn about the requirements and supported configurations.](../manage/connect-to-remote-aadj-pc.md)
|
||||||
|
|
||||||
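Review bot: `VPN with Phone Sign0in` is a typo for `VPN with Phone Sign-in`. The four group labels in the new `### VPN profile options` section (`User Convenience Features`, `Authentication Options`, `Remote Access Integration`, `Updated Client and Configuration Options`) are plain paragraphs followed by bullet lists, so they will render as body text rather than as group headings; make them `####` headings or bold them, consistent with the rest of the file. The section also opens without an introductory sentence or a link to a page describing these options, unlike the Windows Hello entry just above it, which ends with a "Learn more" link; and `DA-comparable AutoVPN` should spell out DirectAccess on first use, as `Enterprise Data Protection (EDP)` does.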
|