deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-14 22:37:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'refs/remotes/origin/rs1' into jdprov

Browse Source
This commit is contained in:
jdeckerMS 2016-07-06 13:25:54 -07:00
commit 6bb615fd68
77 changed files with 872 additions and 540 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@ -2,3 +2,5 @@
This repo hosts the WDG ITPro content that is published to TechNet.
This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). For more information, see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.
English Handoff Folder Structure Demo!

66
devices/surface-hub/create-a-device-account-using-office-365.md
View File

@ -29,7 +29,7 @@ If you prefer to use a graphical user interface, you can create a device account
1. Sign in to Office 365 by visiting http://portal.office.com/admin/
2. Provide the admin credentials for your Office 365 tenant. This will take you to your Office 365 Admin Center.
![office 365 admin center. ](images/setupdeviceaccto365-02.png)
![Office 365 admin center.](images/setupdeviceaccto365-02.png)
3. Once you are at the Office 365 Admin Center, navigate to **Users** in the left panel, and then click **Active Users**.
@ -37,13 +37,13 @@ If you prefer to use a graphical user interface, you can create a device account
4. On the controls above the list of users, click **+** to create a new user. You'll need to enter a **Display name**, **User name**, **Password** and an email address for the recipient of the password. Optionally you can change the password manually, but we recommend that you use the auto-generated option. You also need to assign this account a license that gives the account access to Exchange and Skype for Business services.
![screen to create a new user account. ](images/setupdeviceaccto365-04.png)
![screen to create a new user account.](images/setupdeviceaccto365-04.png)
Click **Create**.
5. Once the account has been successfully created, click **Close** on the resulting dialog box, and you will see the admin center Active Users list again.
![confirmation screen for creating a new account. ](images/setupdeviceaccto365-05.png)
![Confirmation screen for creating a new account.](images/setupdeviceaccto365-05.png)
6. Select the user you just created from the **Active Users** list. You need to disable the Skype for Business license, because you cant create a Skype Meeting Room with this option.
@ -51,7 +51,7 @@ If you prefer to use a graphical user interface, you can create a device account
In the right panel you can see the account properties and several optional actions. The process so far has created a regular Skype account for this user, which you need to disable. Click **Edit** for the **Assigned license** section, then click the dropdown arrow next to the license to expand the details.
![assign license for skype for business online.](images/setupdeviceaccto365-07.png)
![assign license for Skype for Business online.](images/setupdeviceaccto365-07.png)
From the list, uncheck **Skype for Business Online (plan 2)** (this license may vary depending on your organization), and click **SAVE**.
@ -59,39 +59,39 @@ If you prefer to use a graphical user interface, you can create a device account
1. In the Office 365 Admin Centers left panel, click **ADMIN**, and then click **Exchange**.
![office 365 admin center, showing exchange active users. ](images/setupdeviceaccto365-08.png)
![Office 365 admin center, showing exchange active users.](images/setupdeviceaccto365-08.png)
2. This will open another tab on your browser to take you to the Exchange Admin Center, where you can create and set the Mailbox Setting for Surface Hub.
![exchange admin center. ](images/setupdeviceaccto365-09.png)
![Exchange admin center.](images/setupdeviceaccto365-09.png)
3. To create a Mobile Device Mailbox Policy, click **Mobile** from the left panel and then click **Mobile device mailbox policies**. Surface Hubs require an account with a mobile device mailbox policy that does not require a password, so if you already have an existing policy that matches this requirement, you can apply that policy to the account. Otherwise use the following steps to create a new one to be used only for Surface Hub device accounts.
![excahnge admin center - creating a mobile device mailbox policy. ](images/setupdeviceaccto365-10.png)
![Excahnge admin center - creating a mobile device mailbox policy.](images/setupdeviceaccto365-10.png)
4. To create a New Surface Hub mobile device mailbox policy, click the **+** button from the controls above the list of policies to add a new policy. For the name, provide a name that will help you distinguish this policy from other device accounts (for example, *SurfaceHubDeviceMobilePolicy*). Make sure the policy does not require a password for the devices assigned to, so make sure **Require a Password** remains unchecked, then click **Save**.
![image showing new mobile device policy](images/setupdeviceaccto365-11.png)
![Image showing new mobile device policy.](images/setupdeviceaccto365-11.png)
5. After you have created the new mobile device mailbox policy, go back to the **Exchange Admin Center** and you will see the new policy listed.
![image with new mobile device mailbox policy in exchange admin center. ](images/setupdeviceaccto365-12.png)
![Image with new mobile device mailbox policy in Exchange admin center.](images/setupdeviceaccto365-12.png)
6. Now, to apply the ActiveSync policy without using PowerShell, you can do the following: In the EAC, click **Recipients** > **Mailboxes** and then select a mailbox.
![image showing mailbox in exchange admin center. ](images/setupdeviceaccto365-13.png)
![Image showing mailbox in Exchange admin center.](images/setupdeviceaccto365-13.png)
7. In the Details pane, scroll to **Phone and Voice Features** and click **View details** to display the **Mobile Device Details** screen.
![image showing mobile device details for the mailbox. ](images/setupdeviceaccto365-14.png)
![Image showing mobile device details for the mailbox.](images/setupdeviceaccto365-14.png)
8. The mobile device mailbox policy thats currently assigned is displayed. To change the mobile device mailbox policy, click **Browse**.
![image with details for the mobile device policy. ](images/setupdeviceaccto365-15.png)
![Image with details for the mobile device policy.](images/setupdeviceaccto365-15.png)
9. Choose the appropriate mobile device mailbox policy from the list, click **OK** and then click **Save**.
![image showing multiple mobile device mailbox policies. ](images/setupdeviceaccto365-16.png)
![Image showing multiple mobile device mailbox policies.](images/setupdeviceaccto365-16.png)
### <a href="" id="create-device-acct-o365-complete-acct"></a>Use PowerShell to complete device account creation
@ -107,11 +107,11 @@ In order to run cmdlets used by these PowerShell scripts, the following must be
1. Run Windows PowerShell as Administrator.
![image showing how to start windows powershell and run as administrator. ](images/setupdeviceaccto365-17.png)
![Image showing how to start Windows PowerShell and run as administrator.](images/setupdeviceaccto365-17.png)
2. Create a Credentials object, then create a new session that connects to Skype for Business Online, and provide the global tenant administrator account, then click **OK**.
![image for windows powershell credential request. ](images/setupdeviceaccto365-18.png)
![Image for Windows PowerShell credential request. ](images/setupdeviceaccto365-18.png)
3. To connect to Microsoft Online Services, run:
@ -119,7 +119,7 @@ In order to run cmdlets used by these PowerShell scripts, the following must be
Connect-MsolService -Credential $Cred
```
![image showing powershell cmdlet.](images/setupdeviceaccto365-19.png)
![Image showing PowerShell cmdlet.](images/setupdeviceaccto365-19.png)
4. Now to connect to Skype for Business Online Services, run:
@ -127,7 +127,7 @@ In order to run cmdlets used by these PowerShell scripts, the following must be
$sfbsession = New-CsOnlineSession -Credential $cred
```
![image showing powershell cmdlet.](images/setupdeviceaccto365-20.png)
![Image showing PowerShell cmdlet.](images/setupdeviceaccto365-20.png)
5. Finally, to connect to Exchange Online Services, run:
@ -136,7 +136,7 @@ In order to run cmdlets used by these PowerShell scripts, the following must be
"https://outlook.office365.com/powershell-liveid/" -Credential $cred -Authentication "Basic" AllowRedirection
```
![image showing powershell cmdlet.](images/setupdeviceaccto365-21.png)
![Image showing PowerShell cmdlet.](images/setupdeviceaccto365-21.png)
6. Now you have to import the Skype for Business Online Session and the Exchange Online session you have just created, which will import the Exchange and Skype Commands so you can use them locally.
@ -147,7 +147,7 @@ In order to run cmdlets used by these PowerShell scripts, the following must be
Note that this could take a while to complete.
![image showing powershell cmdlet.](images/setupdeviceaccto365-22.png)
![Image showing PowerShell cmdlet.](images/setupdeviceaccto365-22.png)
7. Once youre connected to the online services you need to run a few more cmdlets to configure this account as a Surface Hub device account.
@ -180,11 +180,11 @@ Now that you're connected to the online services, you can finish setting up the
You will see the correct email address.
![image showing powershell cmdlet.](images/setupdeviceaccto365-23.png)
![Image showing PowerShell cmdlet.](images/setupdeviceaccto365-23.png)
2. You need to convert the account into to a room mailbox, so run:
![image showing powershell cmdlet.](images/setupdeviceaccto365-24.png)
![Image showing PowerShell cmdlet.](images/setupdeviceaccto365-24.png)
``` syntax
Set-Mailbox $strEmail -Type Room
@ -196,7 +196,7 @@ Now that you're connected to the online services, you can finish setting up the
Set-Mailbox $strEmail -RoomMailboxPassword (ConvertTo-SecureString -String "<your password>" -AsPlainText -Force) -EnableRoomMailboxAccount $true
```
![image showing powershell cmdlet.](images/setupdeviceaccto365-25.png)
![Image showing PowerShell cmdlet.](images/setupdeviceaccto365-25.png)
4. Various Exchange properties can be set on the device account to improve the meeting experience. You can see which properties need to be set in the [Exchange properties](exchange-properties-for-surface-hub-device-accounts.md) section.
@ -205,7 +205,7 @@ Now that you're connected to the online services, you can finish setting up the
Set-CalendarProcessing -Identity $acctUpn -AddAdditionalResponse $true -AdditionalResponse "This is a <tla rid="surface_hub"/> room!"
```
![image showing powershell cmdlet.](images/setupdeviceaccto365-26.png)
![Image showing PowerShell cmdlet.](images/setupdeviceaccto365-26.png)
5. If you decide to have the password not expire, you can set that with PowerShell cmdlets too. See [Password management](password-management-for-surface-hub-device-accounts.md) for more information.
@ -260,11 +260,11 @@ You can use the Exchange Admin Center to create a device account:
1. Sign in to your Exchange Admin Center using Exchange admin credentials.
2. Once you are at the Exchange Admin Center (EAC), navigate to **Recipients** in the left panel.
![image showing mailboxes in exchange admin center. ](images/setupdeviceacctexch-01.png)
![Image showing mailboxes in Exchange admin center.](images/setupdeviceacctexch-01.png)
3. On the controls above the list of mailboxess, choose **+** to create a new one, and provide a **Display name**, **Name**, and **User logon name**, and then click **Save**.
![image showing creating a new mailbox. ](images/setupdeviceacctexch-02.png)
![Image showing creating a new mailbox.](images/setupdeviceacctexch-02.png)
### <a href="" id="create-device-acct-exch-mbx-policy"></a>Create a mobile device mailbox policy from the Exchange Admin Center
@ -274,37 +274,37 @@ You can use the Exchange Admin Center to create a device account:
1. Go to the Exchange Admin Center.
![image showing exchange admin center. ](images/setupdeviceacctexch-03.png)
![Image showing Exchange admin center.](images/setupdeviceacctexch-03.png)
2. To create a mobile device mailbox policy, click **Mobile** from the left panel, then **Mobile device mailbox policies**. Surface Hubs require an account with a mobile device mailbox policy that does not require a password, so if you already have an existing policy that matches this requirement, you can apply that policy to the account. Otherwise use the following steps to create a new one to be used only for Surface Hub device accounts.
![image showing using exchange admin center to create a mobile device mailbox policy. ](images/setupdeviceacctexch-05.png)
![Image showing using Exchange admin center to create a mobile device mailbox policy.](images/setupdeviceacctexch-05.png)
3. To create a new mobile device account mailbox policy, click the **+** button from the controls above the list of policies to add a new policy. For the name provide a name that will help you distinguish this policy from other device accounts (for example, *SurfaceHubDeviceMobilePolicy*). The policy must not be password-protected, so make sure **Require a Password** remains unchecked, then click **Save**.
![image showing new mobile device mailbox policy. ](images/setupdeviceacctexch-06.png)
![Image showing new mobile device mailbox policy.](images/setupdeviceacctexch-06.png)
4. After you have created the new mobile device mailbox policy, go back to the Exchange Admin Center and you will see the new policy listed.
![image showing new mobile device mailbox policy in exchange admin center. ](images/setupdeviceacctexch-07.png)
![Image showing new mobile device mailbox policy in Exchange admin center.](images/setupdeviceacctexch-07.png)
5. To apply the ActiveSync policy without using PowerShell, you can do the following:
- In the EAC, click **Recipients** &gt; **Mailboxes** and select a mailbox.
![image showing exchange admin center. ](images/setupdeviceacctexch-08.png)
![image showing exchange admin center.](images/setupdeviceacctexch-08.png)
- In the **Details** pane, scroll to **Phone and Voice Features** and click **View details** to display the **Mobile Device Details** screen.
![image showing mailbox details. ](images/setupdeviceacctexch-09.png)
![image showing mailbox details.](images/setupdeviceacctexch-09.png)
- The mobile device mailbox policy thats currently assigned is displayed. To change the mobile device mailbox policy, click **Browse**.
![image showing the currently assigned mobile device mailbox policy. ](images/setupdeviceacctexch-10.png)
![image showing the currently assigned mobile device mailbox policy.](images/setupdeviceacctexch-10.png)
- Choose the appropriate mobile device mailbox policy from the list, click **OK** and then click **Save**.
![image showing list of mobile device mailbox policies. ](images/setupdeviceacctexch-11.png)
![image showing list of mobile device mailbox policies.](images/setupdeviceacctexch-11.png)
### <a href="" id="create-device-acct-exch-powershell-conf"></a>Use PowerShell to configure the account

2
devices/surface-hub/create-and-test-a-device-account-surface-hub.md
View File

@ -116,7 +116,7 @@ You can check online for updated versions at [Surface Hub device account scripts
Your infrastructure will likely fall into one of three configurations. Which configuration you have will affect how you prepare for device setup.
![](images/deploymentoptions-01.png)
![Image showing deployment options: online, on-premises, or hybrid.](images/deploymentoptions-01.png)
- [Online deployment (Office 365)](online-deployment-surface-hub-device-accounts.md): Your organizations environment is deployed entirely on Office 365.
- [On-premises deployment](on-premises-deployment-surface-hub-device-accounts.md): Your organization has servers that it controls, where Active Directory, Exchange, and Skype for Business (or Lync) are hosted.

38
devices/surface-hub/first-run-program-surface-hub.md
View File

@ -46,7 +46,7 @@ This is the first screen you'll see when you power up the Surface Hub for the fi
 
![icd options checklist](images/setuplocale.png)
![Image showing ICD options checklist.](images/setuplocale.png)
### Details
@ -72,7 +72,7 @@ If no wired connection can be found, then the device will attempt to set up a wi
If your device does not detect a wired connection that it can use to connect to a network or the Internet, you will see this page. Here you can either connect to a wireless network, or skip making the network connection.
![](images/setupnetworksetup-1.png)
![Image shoring Network setup page.](images/setupnetworksetup-1.png)
### Details
@ -97,7 +97,7 @@ If you want to connect to a secured wireless network from this page, click on th
This page will be shown when you've selected a secured wireless network.
![](images/setupnetworksetup-3.png)
![Image showing wireless network setup page.](images/setupnetworksetup-3.png)
### Details
@ -121,11 +121,11 @@ This page will be shown when the device detects a wired connection with limited
- You can select **Enter proxy settings** which will allow you to specify how to use the network proxy. You'll be taken to the next screen.
![](images/setupnetworksetup-2.png)
![Image showing network proxy page.](images/setupnetworksetup-2.png)
This is the screen you'll see if you clicked **Enter proxy settings** on the previous screen.
![](images/setupnetworksetup-4.png)
![Image showing proxy server setting details.](images/setupnetworksetup-4.png)
### Details
@ -149,7 +149,7 @@ You can skip connecting to a network by selecting **Skip this step**. You'll be
This screen is purely informational, and shows which recommended settings have been enabled by default.
![](images/setupsetupforyou.png)
![Image showing set up for you page.](images/setupsetupforyou.png)
### Details
@ -170,7 +170,7 @@ On this page, the Surface Hub will ask for credentials for the device account th
 
![icd options checklist](images/setupdeviceacct.png)
![Image showing Enter device account info page.](images/setupdeviceacct.png)
### Details
@ -192,7 +192,7 @@ If you skip setting it up now, you can add a device account later by using the S
If you click **Skip setting up a device account**, the device will display a dialog box showing what will happen if the device doesn't have a device account. If you choose **Yes, skip this**, you will be sent to the [Name this device page](#name-this-device).
![icd options checklist](images/setupskipdeviceacct.png)
![Image showing message the is displaed to confirm you want to skip creating a device account.](images/setupskipdeviceacct.png)
### What happens?
@ -211,7 +211,7 @@ The device will use the UPN or DOMAIN\\User name and password for the device acc
This page will only be shown if there's a problem. Typically, it means that the device account that you provided was found in Active Directory (AD) or Azure Active Directory (Azure AD), but the Exchange server for the account was not discovered.
![icd options checklist](images/setupexchangeserver-01.png)
![Image showing Exchange server page.](images/setupexchangeserver-01.png)
### Details
@ -230,7 +230,7 @@ You can enable Exchange services for a device account later by using the Setting
If you click **Skip setting up Exchange services**, the device will display a dialog showing what will happen. If you choose **Yes, skip this**, then Exchange services will not be set up.
![icd options checklist](images/setupexchangeserver-02.png)
![Image showing confirmation message that is displayed when you skip setting up Exchange services.](images/setupexchangeserver-02.png)
### What happens?
@ -249,7 +249,7 @@ This page will be shown when:
- Exchange supported protocols are not supported by the Surface Hub.
- Exchange returns incorrect XML.
![icd options checklist](images/setupexchangepolicies.png)
![Image showing Exchange policis page.](images/setupexchangepolicies.png)
### Details
@ -273,7 +273,7 @@ If you choose to skip this check, the Surface Hub will stop looking for the Exch
This page asks you to provide two names that will be used for identifying the Surface Hub.
![icd options checklist](images/setupnamedevice.png)
![Image showing Name this device page.](images/setupnamedevice.png)
### Details
@ -307,7 +307,7 @@ Because every Surface Hub can be used by any number of authenticated employees,
 
![icd options checklist](images/setupsetupadmins.png)
![Image showing Set up admins for this device page.](images/setupsetupadmins.png)
### Details
@ -348,7 +348,7 @@ Joining Azure AD has two primary benefits:
1. Some employees from your organization will be able to access the device as admins, and will be able to start the Settings app and configure the device. People that have admin permissions will be defined in your Azure AD subscription.
2. If your Azure AD is connected to a mobile device management (MDM) solution, the device will enroll with that MDM solution so you can apply policies and configuration.
![](images/setupjoiningazuread-1.png)
![Image showing message when you join your Surface Hub to Azure Active Directory.](images/setupjoiningazuread-1.png)
### Details
@ -357,11 +357,11 @@ The following input is required:
- **User's UPN:** The user principal name (UPN) of an account that can join Azure AD.
- **Password:** The password of the account youre using to join Azure AD.
![](images/setupjoiningazuread-2.png)
![Image showing account log in info.](images/setupjoiningazuread-2.png)
If you get to this point and don't have valid credentials for an Azure AD account, the device will allow you to continue by creating a local admin account. Click **Set up Windows with a local account instead**.
![](images/setupjoiningazuread-3.png)
![Image showing Set up an admin account page.](images/setupjoiningazuread-3.png)
### What happens?
@ -373,7 +373,7 @@ This page will ask for credentials to join a domain so that the Surface Hub can
Once the device has been domain joined, you must specify a security group from the domain you joined. This security group will be provisioned as administrators on the Surface Hub, and anyone from the security group can enter their domain credentials to access Settings.
![icd options checklist](images/setupdomainjoin.png)
![Image showing Set up admins using domain join page.](images/setupdomainjoin.png)
### Details
@ -385,7 +385,7 @@ The following input is required:
After the credentials are verified, you will be asked to type a security group name. This input is required.
![icd options checklist](images/setupsecuritygroup-1.png)
![Image showing Enter a security group page.](images/setupsecuritygroup-1.png)
### What happens?
@ -401,7 +401,7 @@ If the join is successful, you'll see the **Enter a security group** page. When
If you decide not to use Azure Active Directory (Azure AD) or Active Directory (AD) to manage the Surface Hub, you'll need to create a local admin account.
![](images/setuplocaladmin.png)
![Image showing Set up an admin account for local admin.](images/setuplocaladmin.png)
### Details

12
devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md
View File

@ -21,17 +21,17 @@ Use this procedure if you use Exchange on-prem.
- In **Active Directory Users and Computers** AD tool, right-click on the folder or Organizational Unit that your Surface Hub accounts will be created in, click **New**, and **User**.
- Type the display name from the previous cmdlet into the **Full name** box, and the alias into the **User logon name** box. Click **Next**.<p>
![new object box for creating a new user in active directory](images/hybriddeployment-01a.png)
![New object box for creating a new user in active directory.](images/hybriddeployment-01a.png)
- Type the password for this account. You'll need to retype it for verification. Make sure the **Password never expires** checkbox is the only option selected.
>**Important** Selecting **Password never expires** is a requirement for Skype for Business on the Surface Hub. Your domain rules may prohibit passwords that don't expire. If so, you'll need to create an exception for each Surface Hub device account.
![image showing password dialog box](images/hybriddeployment-02a.png)
![Image showing password dialog box.](images/hybriddeployment-02a.png)
- Click **Finish** to create the account.
![image with account name, logon name, and password options for new user](images/hybriddeployment-03a.png)
![Image with account name, logon name, and password options for new user.](images/hybriddeployment-03a.png)
2. After you've created the account, run a directory synchronization. When it's complete, go to the users page in your Office 365 admin center and verify that the account created in the previous steps has merged to online.
@ -223,17 +223,17 @@ Use this procedure if you use Exchange online.
- In **Active Directory Users and Computers** AD tool, right-click on the folder or Organizational Unit that your Surface Hub accounts will be created in, click **New**, and **User**.
- Type the display name from the previous cmdlet into the **Full name** box, and the alias into the **User logon name** box. Click **Next**.
![new object box for creating a new user in active directory](images/hybriddeployment-01a.png)
![New object box for creating a new user in Active Directory.](images/hybriddeployment-01a.png)
- Type the password for this account. You'll need to retype it for verification. Make sure the **Password never expires** checkbox is the only option selected.
>**Important** Selecting **Password never expires** is a requirement for Skype for Business on the Surface Hub. Your domain rules may prohibit passwords that don't expire. If so, you'll need to create an exception for each Surface Hub device account.
![image showing password dialog box](images/hybriddeployment-02a.png)
![Image showing password dialog box.](images/hybriddeployment-02a.png)
- Click **Finish** to create the account.
![image with account name, logon name, and password options for new user](images/hybriddeployment-03a.png)
![Image with account name, logon name, and password options for new user.](images/hybriddeployment-03a.png)
6. Directory synchronization.

2
devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md
View File

@ -30,7 +30,7 @@ If you joined your Surface Hub to an Azure Active Directory (Azure AD) subscript
Alternatively, the device can be enrolled like any other Windows device by going to **Settings** &gt; **Accounts** &gt; **Work access**.
![image showing enroll in device maagement page. ](images/managesettingsmdm-enroll.png)
![Image showing enroll in device maagement page.](images/managesettingsmdm-enroll.png)
### Manage a device through MDM

18
devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md
View File

@ -58,9 +58,7 @@ In order to create and deploy provisioning packages, all of the following are re
### <a href="" id="installing-wicd-prov-pkg"></a>Install the Windows Imaging and Configuration Designer
1. The Windows Imaging and Configuration Designer (ICD) is installed as part of the Windows 10 ADK. The installer for the ADK can be downloaded from the [Microsoft Download Center](http://go.microsoft.com/fwlink/?LinkId=718147).
>**Note**  The ADK must be installed on a separate PC, not on the Surface Hub.
 
>**Note**  The ADK must be installed on a separate PC, not on the Surface Hub.  
2. Run the installer, and set your preferences for installation. When asked what features you want to install, you will see a checklist like the one in the following figure. Note that **Windows Performance Toolkit** and **Windows Assessment Toolkit** should be unchecked, as they are not needed to run the ICD.
@ -73,7 +71,7 @@ In order to create and deploy provisioning packages, all of the following are re
All four of these features are required to run the ICD and create a package for the Surfact Hub.
![icd options checklist](images/idcfeatureschecklist.png)
![Image showing Windows ADK install page - select features to install.](images/idcfeatureschecklist.png)
3. Continue with the installer until the ADK is installed. This may take a while, because the installer downloads remote content.
@ -83,29 +81,29 @@ This example will demonstrate how to create a provisioning package to install a
1. On the PC that had the Windows 10 ADK installed, open ICD and choose the **New provisioning package** tile from the main menu.
![icd tiles](images/wicd-screen01a.png)
![Image showing Start page in Windows Imaging and Configuration Designer.](images/wicd-screen01a.png)
2. When the **New project** dialog box opens, type whatever name you like in the **Name** box. The **Location** and **Description** boxes can also be filled at your discretion, though we recommend using the **Description** box to help you distinguish among multiple packages. Click **Next**.
![icd tiles](images/wicd-screen02a.png)
![Image showing New project screen for Windows Imaging and Configuration Designer.](images/wicd-screen02a.png)
Select the settings that are **Common to all Windows editions**, and click **Next**.
![icd tiles](images/wicd-screen02b.png)
![Image showing project settings in Windows Imaging and Configuration Designer.](images/wicd-screen02b.png)
When asked to import a provisioning package, just click **Finish.**
![icd tiles](images/wicd-screen02c.png)
![Image showing option for importing a provisioning package.](images/wicd-screen02c.png)
3. ICD's main screen will be displayed. This is where you create the provisioning package. In the **Available customizations** pane, expand **Runtime settings** and then expand **Certificates**. Click **Root certificates**.
![icd tiles](images/wicd-screen03a.png)
![Image showing Windows Imaging and Configuration Designer's man page.](images/wicd-screen03a.png)
In the center pane, youll be asked to specify a **CertificateName** for the Root certificate. You can set this to whatever you want. For the example, we've used the same name as the project. Click **Add**, and an entry will be added in the left pane.
4. In the **Available customizations** pane on the left, a new category has appeared for **CertificatePath** underneath the **CertificateName** you provided. Theres also a red exclamation icon indicating that there is a required field that needs to be set. Click **CeritficatePath**.
![icd tiles](images/wicd-screen04a.png)
![Image showing available customizations in Windows Imaging and Configuration Designer.](images/wicd-screen04a.png)
5. In the center pane, youll be asked to specify the path for the certificate. Enter the name of the .cer file that you want to deploy, either by typing or clicking **Browse**. It must be a root certificate. The provisioning package created will copy the .cer file into the package it creates.

2
devices/surface-hub/use-room-control-system-with-surface-hub.md
View File

@ -68,7 +68,7 @@ You can use a standard RJ-11 (6P6C) connector to connect the Surface Hub serial
This diagram shows the correct pinout used for an RJ-11 (6P6C) to DB9 cable.
![image showing the wiring diagram.](images/room-control-wiring-diagram.png)
![Image showing the wiring diagram.](images/room-control-wiring-diagram.png)
## Command sets

12
devices/surface-hub/wireless-network-management-for-surface-hub.md
View File

@ -25,33 +25,33 @@ If a wired network connection is not available, the Surface Hub can use a wirele
1. On the Surface Hub, open **Settings** and enter your admin credentials.
2. Click **System**, and then click **Network & Internet**. Under **Wi-Fi**, choose an access point. If you want Surface Hub to automatically connect to this access point, click **Connect automatically**. Click **Connect**.
![](images/networkmgtwireless-01.png)
![Image showing Wi-Fi settings, Network & Internet page.](images/networkmgtwireless-01.png)
3. If the network is secured, you'll be asked to enter the security key. Click **Next** to connect.
![](images/networkmgtwireless-02.png)
![Image showing security key and password prompts for connecting to secured Wi-Fi.](images/networkmgtwireless-02.png)
### Review wireless settings
1. On the Surface Hub, open **Settings** and enter your admin credentials.
2. Click **System**, click **Network & Internet**, then **Wi-Fi**, and then click **Advanced options**.
![](images/networkmgtwireless-03.png)
![Image showing where to find Advanced options for Network & Internect, Wi-Fi settings.](images/networkmgtwireless-03.png)
3. The system will show you the properties for the wireless network connection.
![](images/networkmgtwireless-04.png)
![Image showing properties for connected Wi-Fi.](images/networkmgtwireless-04.png)
### Review wired settings
1. On the Surface Hub, open **Settings** and enter your admin credentials.
2. Click **System**, click **Network & Internet**, then click on the network under Ethernet.
![](images/networkmgtwired-01.png)
![Image showing Network & Internet, Ethernet settings page.](images/networkmgtwired-01.png)
3. The system will show you the properties for the wired network connection.
![](images/networkmgtwired-02.png)
![Image showing properties for ethernet connection.](images/networkmgtwired-02.png)
## Related topics

14
windows/keep-secure/TOC.md
View File

@ -4,15 +4,15 @@
## [Device Guard certification and compliance](device-guard-certification-and-compliance.md)
### [Get apps to run on Device Guard-protected devices](getting-apps-to-run-on-device-guard-protected-devices.md)
### [Create a Device Guard code integrity policy based on a reference device](creating-a-device-guard-policy-for-signed-apps.md)
## [Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md)
### [Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md)
## [Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md)
### [Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md)
### [Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md)
### [Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md)
### [Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md)
### [Microsoft Passport and password changes](microsoft-passport-and-password-changes.md)
### [Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md)
### [Event ID 300 - Passport successfully created](passport-event-300.md)
## [Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md)
### [Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md)
### [Windows Hello and password changes](microsoft-passport-and-password-changes.md)
### [Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md)
### [Event ID 300 - Windows Hello successfully created](passport-event-300.md)
### [Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md)
## [Configure S/MIME for Windows 10 and Windows 10 Mobile](configure-s-mime.md)
## [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md)
## [Protect derived domain credentials with Credential Guard](credential-guard.md)

22
windows/keep-secure/active-directory-accounts.md
View File

@ -68,7 +68,7 @@ In Active Directory, default local accounts are used by administrators to manage
Each default local account is automatically assigned to a security group that is preconfigured with the appropriate rights and permissions to perform specific tasks. Active Directory security groups collect user accounts, computer accounts, and other groups into manageable units. For more information, see [Active Directory Security Groups](active-directory-security-groups.md).
On an Active Directory domain controller, each default local account is referred to as a security principal. A security principal is a directory object that is used to secure and manage Active Directory services that provide access to domain controller resources. A security principal includes objects such as user accounts, computer accounts, security groups, or the threads or processes that run in the security context of a user or computer account. For more information, see [Security Principals Technical Overview](security-principals.md).
On an Active Directory domain controller, each default local account is referred to as a security principal. A security principal is a directory object that is used to secure and manage Active Directory services that provide access to domain controller resources. A security principal includes objects such as user accounts, computer accounts, security groups, or the threads or processes that run in the security context of a user or computer account. For more information, see [Security Principals](security-principals.md).
A security principal is represented by a unique security identifier (SID).The SIDs that are related to each of the default local accounts in Active Directory are described in the sections below.
@ -350,7 +350,7 @@ Because it is impossible to predict the specific errors that will occur for any
**Important**  
Rebooting a computer is the only reliable way to recover functionality as this will cause both the computer account and user accounts to log back in again. Logging in again will request new TGTs that are valid with the new KRBTGT, correcting any KRBTGT related operational issues on that computer.
<!-- For information how to resolve issues and potential issues from a compromised KRBTGT account, see "Reset the KRBTGT account password." -->
For information about how to help mitigate the risks associated with a potentially compromised KRBTGT account, see [KRBTGT Account Password Reset Scripts now available for customers](http://blogs.microsoft.com/cybertrust/2015/02/11/krbtgt-account-password-reset-scripts-now-available-for-customers/).
### Read-only domain controllers and the KRBTGT account
@ -474,7 +474,7 @@ Each default local account in Active Directory has a number of account settings
<td><p>Provides support for the Data Encryption Standard (DES). DES supports multiple levels of encryption, including Microsoft Point-to-Point Encryption (MPPE) Standard (40-bit and 56-bit), MPPE standard (56-bit), MPPE Strong (128-bit), Internet Protocol security (IPSec) DES (40-bit), IPSec 56-bit DES, and IPSec Triple DES (3DES).</p>
<div class="alert">
<strong>Note</strong>  
<p>DES is not enabled by default in Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows 7, Windows 8, and Windows 8.1. For these operating systems, you must configure your computers to use the DES-CBC-MD5 or DES-CBC-CRC cipher suites. If your environment requires DES, then this setting might affect compatibility with client computers or services and applications in your environment. For more information, see [Hunting down DES in order to securely deploy Kerberos](http://blogs.technet.com/b/askds/archive/2010/10/19/hunting-down-des-in-order-to-securely-deploy-kerberos.aspx).</p>
<p>DES is not enabled by default in Windows Server operating systems starting with Windows Server 2008 R2, nor in Windows client operating systems starting with Windows 7. For these operating systems, computers will not use DES-CBC-MD5 or DES-CBC-CRC cipher suites by default. If your environment requires DES, then this setting might affect compatibility with client computers or services and applications in your environment. For more information, see [Hunting down DES in order to securely deploy Kerberos](http://blogs.technet.com/b/askds/archive/2010/10/19/hunting-down-des-in-order-to-securely-deploy-kerberos.aspx).</p>
</div>
<div>
 
@ -571,7 +571,7 @@ If the administrators in your environment can sign in locally to managed servers
- **Better**. Do not grant administrators membership in the local Administrator group on the computer in order to restrict the administrator from bypassing these protections.
- **Ideal**. Restrict workstations from having any network connectivity, except for the domain controllers and servers that the administrator accounts are used to manage. Alternately, use AppLocker application control policies to restrict all applications from running, except for the operating system and approved administrative tools and applications. For more information about AppLocker, see [AppLocker Overview](http://technet.microsoft.com/library/hh831440.aspx).
- **Ideal**. Restrict workstations from having any network connectivity, except for the domain controllers and servers that the administrator accounts are used to manage. Alternately, use AppLocker application control policies to restrict all applications from running, except for the operating system and approved administrative tools and applications. For more information about AppLocker, see [AppLocker](applocker-overview.md).
The following procedure describes how to block Internet access by creating a Group Policy Object (GPO) that configures an invalid proxy address on administrative workstations. These instructions apply only to computers running Internet Explorer and other Windows components that use these proxy settings.
@ -584,7 +584,7 @@ In this procedure, the workstations are dedicated to domain administrators. By s
2. Create computer accounts for the new workstations.
> **Note**&nbsp;&nbsp;You might have to delegate permissions to join the domain by using [KB 932455](http://support.microsoft.com/kb/932455) if the account that joins the workstations to the domain does not already have permissions to join computers to the domain.
> **Note**&nbsp;&nbsp;You might have to delegate permissions to join computers to the domain if the account that joins the workstations to the domain does not already have them. For more information, see [Delegation of Administration in Active Directory](http://social.technet.microsoft.com/wiki/contents/articles/20292.delegation-of-administration-in-active-directory.aspx).
![Active Directory local accounts](images/adlocalaccounts-proc1-sample1.gif)
@ -846,14 +846,6 @@ In addition, installed applications and management agents on domain controllers
## See also
- [Security Principals](security-principals.md)
[Security Principals Technical Overview](security-principals.md)
 
 
- [Access Control Overview](access-control.md)

42
windows/keep-secure/active-directory-security-groups.md
View File

@ -986,7 +986,7 @@ This security group has not changed since Windows Server 2008.
Members of the Cloneable Domain Controllers group that are domain controllers may be cloned. In Windows Server 2012 R2 and Windows Server 2012, you can deploy domain controllers by copying an existing virtual domain controller. In a virtual environment, you no longer have to repeatedly deploy a server image that is prepared by using sysprep.exe, promote the server to a domain controller, and then complete additional configuration requirements for deploying each domain controller (including adding the virtual domain controller to this security group).
For more information, see [Introduction to Active Directory Domain Services (AD DS) Virtualization (Level 100)](https://technet.microsoft.com/en-us/library/hh831734.aspx).
For more information, see [Introduction to Active Directory Domain Services (AD DS) Virtualization (Level 100)](https://technet.microsoft.com/library/hh831734.aspx).
This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions.
@ -1302,7 +1302,7 @@ This security group has not changed since Windows Server 2008.
Members of DNSAdmins group have access to network DNS information. The default permissions are as follows: Allow: Read, Write, Create All Child objects, Delete Child objects, Special Permissions.
For information about other means to secure the DNS server service, see [Securing the DNS Server Service](http://technet.microsoft.com/library/cc731367.aspx).
For more information about security and DNS, see [DNSSEC in Windows Server 2012](https://technet.microsoft.com/library/dn593694(v=ws.11).aspx).
This security group has not changed since Windows Server 2008.
@ -1742,7 +1742,7 @@ Members of this group are Read-Only Domain Controllers in the enterprise. Except
Read-only domain controllers address some of the issues that are commonly found in branch offices. These locations might not have a domain controller. Or, they might have a writable domain controller, but not the physical security, network bandwidth, or local expertise to support it.
For more information, see [AD DS: Read-Only Domain Controllers](http://technet.microsoft.com/library/cc732801.aspx).
For more information, see [What Is an RODC?](https://technet.microsoft.com/library/cc771030.aspx).
The Enterprise Read-Only Domain Controllers group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
@ -1866,7 +1866,7 @@ This security group has not changed since Windows Server 2008.
This group is authorized to create, edit, or delete Group Policy Objects in the domain. By default, the only member of the group is Administrator.
For information about other features you can use with this security group, see [Group Policy Planning and Deployment Guide](http://technet.microsoft.com/library/cc754948.aspx).
For information about other features you can use with this security group, see [Group Policy Overview](https://technet.microsoft.com/library/hh831791.aspx).
The Group Policy Creators Owners group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
@ -2525,7 +2525,7 @@ This group has no default members. Because members of this group can load and un
The Print Operators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
This security group has not changed since Windows Server 2008. However, in Windows Server 2008 R2, functionality was added to manage print administration. For more information, see [Assigning Delegated Print Administrator and Printer Permission Settings in Windows Server 2008 R2](http://technet.microsoft.com/library/ee524015(WS.10).aspx).
This security group has not changed since Windows Server 2008. However, in Windows Server 2008 R2, functionality was added to manage print administration. For more information, see [Assign Delegated Print Administrator and Printer Permission Settings in Windows Server 2012](https://technet.microsoft.com/library/jj190062(v=ws.11).aspx).
<table>
<colgroup>
@ -2602,7 +2602,7 @@ Depending on the accounts domain functional level, members of the Protected U
The Protected Users group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
This group was introduced in Windows Server 2012 R2. For more information about how this group works, see [Protected Users Security Group](https://technet.microsoft.com/en-us/library/dn466518.aspx).
This group was introduced in Windows Server 2012 R2. For more information about how this group works, see [Protected Users Security Group](https://technet.microsoft.com/library/dn466518.aspx).
The following table specifies the properties of the Protected Users group.
@ -2724,7 +2724,7 @@ This security group has not changed since Windows Server 2008.
Servers that are members in the RDS Endpoint Servers group can run virtual machines and host sessions where user RemoteApp programs and personal virtual desktops run. This group needs to be populated on servers running RD Connection Broker. Session Host servers and RD Virtualization Host servers used in the deployment need to be in this group.
For information about Remote Desktop Services, see [Remote Desktop Services Design Guide](http://technet.microsoft.com/library/gg750997.aspx).
For information about Remote Desktop Services, see [Host desktops and apps in Remote Desktop Services](https://technet.microsoft.com/library/mt718499.aspx).
This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions.
@ -2844,7 +2844,7 @@ This security group was introduced in Windows Server 2012, and it has not chang
Servers in the RDS Remote Access Servers group provide users with access to RemoteApp programs and personal virtual desktops. In Internet facing deployments, these servers are typically deployed in an edge network. This group needs to be populated on servers running RD Connection Broker. RD Gateway servers and RD Web Access servers that are used in the deployment need to be in this group.
For information about RemoteApp programs, see [Overview of RemoteApp](http://technet.microsoft.com/library/cc755055.aspx)
For more information, see [Host desktops and apps in Remote Desktop Services](https://technet.microsoft.com/library/mt718499.aspx).
This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions.
@ -2978,7 +2978,7 @@ Because administration of a Read-only domain controller can be delegated to a do
- Read-only Domain Name System (DNS)
For information about deploying a Read-only domain controller, see [Read-Only Domain Controllers Step-by-Step Guide](http://technet.microsoft.com/library/cc772234.aspx).
For information about deploying a Read-only domain controller, see [Understanding Planning and Deployment for Read-Only Domain Controllers](https://technet.microsoft.com/library/cc754719(v=ws.10).aspx).
This security group was introduced in Windows Server 2008, and it has not changed in subsequent versions.
@ -3041,7 +3041,7 @@ Members of the Remote Management Users group can access WMI resources over manag
The Remote Management Users group is generally used to allow users to manage servers through the Server Manager console, whereas the [WinRMRemoteWMIUsers\_](#bkmk-winrmremotewmiusers-) group is allows remotely running Windows PowerShell commands.
For more information, see [WS-Management Protocol (Windows)](http://msdn.microsoft.com/library/aa384470.aspx) and [About WMI (Windows)](http://msdn.microsoft.com/library/aa384642.aspx).
For more information, see [What's New in MI?](https://msdn.microsoft.com/library/jj819828(v=vs.85).aspx) and [About WMI](http://msdn.microsoft.com/library/aa384642.aspx).
This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions.
@ -3105,9 +3105,10 @@ Computers that are members of the Replicator group support file replication in a
**Important**  
In Windows Server 2008 R2, FRS cannot be used for replicating DFS folders or custom (non-SYSVOL) data. A Windows Server 2008 R2 domain controller can still use FRS to replicate the contents of a SYSVOL shared resource in a domain that uses FRS for replicating the SYSVOL shared resource between domain controllers.
However, Windows Server 2008 R2 servers cannot use FRS to replicate the contents of any replica set apart from the SYSVOL shared resource. The DFS Replication service is a replacement for FRS, and it can be used to replicate the contents of a SYSVOL shared resource, DFS folders, and other custom (non-SYSVOL) data. You should migrate all non-SYSVOL FRS replica sets to DFS Replication. For more information, see [File Replication Service (FRS) Is Deprecated in Windows Server 2008 R2 (Windows).](http://msdn.microsoft.com/library/windows/desktop/ff384840.aspx)
However, Windows Server 2008 R2 servers cannot use FRS to replicate the contents of any replica set apart from the SYSVOL shared resource. The DFS Replication service is a replacement for FRS, and it can be used to replicate the contents of a SYSVOL shared resource, DFS folders, and other custom (non-SYSVOL) data. You should migrate all non-SYSVOL FRS replica sets to DFS Replication. For more information, see:
 
- [File Replication Service (FRS) Is Deprecated in Windows Server 2008 R2 (Windows)](http://msdn.microsoft.com/library/windows/desktop/ff384840.aspx)
- [DFS Namespaces and DFS Replication Overview](https://technet.microsoft.com/library/jj127250(v=ws.11).aspx)
This security group has not changed since Windows Server 2008.
@ -3581,21 +3582,10 @@ This security group was introduced in Windows Server 2012, and it has not chang
</tbody>
</table>
 
## See also
- [Security Principals](security-principals.md)
[Security Principals Technical Overview](security-principals.md)
[Special Identities](special-identities.md)
 
 
- [Special Identities](special-identities.md)
- [Access Control Overview](access-control.md)

8
windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md
View File

@ -1,6 +1,6 @@
---
title: Add multiple apps to your enterprise data protection (EDP) Protected Apps list (Windows 10)
description: Add multiple apps to your enterprise data protection (EDP) Protected Apps list at the same time, by using the Microsoft Intune Custom URI functionality and the AppLocker.
title: Add apps to your enterprise data protection (EDP) policy by using the Microsoft Intune custom URI functionality (Windows 10)
description: Add multiple apps to your enterprise data protection (EDP) allowed app list at the same time, by using the Microsoft Intune Custom URI functionality and AppLocker.
ms.assetid: b50db35d-a2a9-4b78-a95d-a1b066e66880
keywords: EDP, Enterprise Data Protection, protected apps, protected app list
ms.prod: w10
@ -10,7 +10,7 @@ ms.sitesec: library
author: eross-msft
---
# Add multiple apps to your enterprise data protection (EDP) Protected Apps list
# Add apps to your enterprise data protection (EDP) policy by using the Microsoft Intune custom URI functionality
**Applies to:**
- Windows 10 Insider Preview
@ -18,7 +18,7 @@ author: eross-msft
<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
Add multiple apps to your enterprise data protection (EDP) **Protected Apps** list at the same time, by using the Microsoft Intune Custom URI functionality and AppLocker. For more info about how to create a custom URI using Intune, see [Windows 10 custom policy settings in Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkID=691330).
Add multiple apps to your enterprise data protection (EDP) allowed app list at the same time, by using the Microsoft Intune Custom URI functionality and AppLocker. For more info about how to create a custom URI using Intune, see [Windows 10 custom policy settings in Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkID=691330).
**Important**  
Results can be unpredictable if you configure your policy using both the UI and the Custom URI method together. We recommend using a single method for each policy.

7
windows/keep-secure/change-history-for-keep-windows-10-secure.md
View File

@ -12,6 +12,13 @@ author: brianlic-msft
# Change history for Keep Windows 10 secure
This topic lists new and updated topics in the [Keep Windows 10 secure](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
## July 2016
|New or changed topic | Description |
|----------------------|-------------|
|[Create an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) |New |
## June 2016
|New or changed topic | Description |

457
windows/keep-secure/create-edp-policy-using-sccm.md
View File

@ -1,6 +1,6 @@
---
title: Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager (Windows 10)
description: Configuration Manager (version 1511 or later) helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network.
description: Configuration Manager (version 1606 or later) helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network.
ms.assetid: 85b99c20-1319-4aa3-8635-c1a87b244529
keywords: EDP, Enterprise Data Protection, SCCM, System Center Configuration Manager, Configuration Manager
ms.prod: w10
@ -15,28 +15,14 @@ author: eross-msft
- Windows 10 Insider Preview
- Windows 10 Mobile Preview
- System Center Configuration Manager (version 1511 or later)
- System Center Configuration Manager (version 1605 Tech Preview or later)
<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
Configuration Manager (version 1511 or later) helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network.
System Center Configuration Manager (version 1605 Tech Preview or later) helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection mode, and how to find enterprise data on the network.
## In this topic:
- [Add an EDP policy](#add-an-edp-policy)
- [Choose which apps can access your enterprise data](#choose-which-apps-can-access-your-enterprise-data)
- [Manage the EDP protection level for your enterprise data](#manage-the-edp-protection-level-for-your-enterprise-data)
- [Define your enterprise-managed identity domains](#define-your-enterprise-managed-identity-domains)
- [Choose where apps can access enterprise data](#choose-where-apps-can-access-enterprise-data)
- [Choose your optional EDP-related settings](#choose-your-optional-EDP-related-settings)
- [Review your configuration choices in the Summary screen](#review-your-configuration-choices-in-the-summary-screen)
- [Deploy the EDP policy](#deploy-the-edp-policy)
>**Important**<br>
If you previously created an EDP policy using System Center Configuration Manager version 1511 or 1602, youll need to recreate it using version 1605 Tech Preview or later. Editing an EDP policy created in version 1511 or 1602 is not supported in version 1605 Tech Preview. There is no migration path between EDP policies across these versions.
## Add an EDP policy
After youve installed and set up System Center Configuration Manager for your organization, you must create a configuration item for EDP, which in turn becomes your EDP policy.
@ -66,32 +52,57 @@ The **Create Configuration Item Wizard** starts.
![Create Configuration Item wizard, choose the supported platforms for the policy](images/edp-sccm-supportedplat.png)
6. On the **Device Settings** screen, click **Enterprise Data Protection**, and then click **Next**.
6. On the **Device Settings** screen, click **Enterprise data protection**, and then click **Next**.
![Create Configuration Item wizard, choose the enterprise data protection settings](images/edp-sccm-devicesettings.png)
The **Configure Enterprise Data Protection settings** page appears, where you'll configure your policy for your organization.
The **Configure enterprise data protection settings** page appears, where you'll configure your policy for your organization.
## Choose which apps can access your enterprise data
During the policy-creation process in Configuration Manager, you can choose the apps you want to give access to your enterprise data through EDP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps or unprotected network locations.
### Add app rules to your policy
During the policy-creation process in System Center Configuration Manager, you can choose the apps you want to give access to your enterprise data through EDP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps.
The steps to add your apps are based on the type of app it is; either a Universal Windows Platform (UWP) app, or a signed Classic Windows application.
The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed desktop app (also known as a Classic Windows app), or an AppLocker policy file.
**Important**<br>EDP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, EDP-unaware apps might not respect the corporate network boundary and will encrypt all files they create or modify, meaning that they could encrypt personal data and cause data leaks during the revocation process. Care must be taken to get a support statement from the software provider that their app is safe with EDP before adding it to your **Protected App** list.
>**Important**<br>
EDP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, EDP-unaware apps might not respect the corporate network boundary, and EDP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.
**To add a UWP app**
Care must be taken to get a support statement from the software provider that their app is safe with EDP before adding it to your **App rules** list. If you dont get this statement, its possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
1. From the **Configure the following apps to be protected by EDP** table in the **Protected Apps** area, click **Add.**
#### Add a store app rule to your policy
For this example, were going to add Microsoft OneNote, a store app, to the **App Rules** list.
2. Click **Universal App**, type the **Publisher Name** and the **Product Name** into the associated boxes, and then click **OK**. If you don't have the publisher or product name, you can find them by following these steps.
**To add a store app**
**To find the Publisher and Product name values for Microsoft Store apps without installing them**
1. From the **App rules** area, click **Add**.
1. Go to the [Windows Store for Business](http://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, Microsoft OneNote.
The **Add app rule** box appears.
2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`.
![Create Configuration Item wizard, add a universal store app](images/edp-sccm-adduniversalapp.png)
3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/*9wzdncrfhvjl*/applockerdata, where *9wzdncrfhvjl* is replaced with your ID value.
2. Add a friendly name for your app into the **Title** box. In this example, its *Microsoft OneNote*.
3. Click **Allow** from the **Enterprise data protection mode** drop-down list.
Allow turns on EDP, helping to protect that apps corporate data through the enforcement of EDP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from EDP restrictions](#exempt-apps-from-edp) section.
4. Pick **Store App** from the **Rule template** drop-down list.
The box changes to show the store app rule options.
5. Type the name of the app and the name of its publisher, and then click **OK**. For this UWP app example, the **Publisher** is `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` and the **Product name** is `Microsoft.Office.OneNote`.
If you don't know the publisher or product name, you can find them for both desktop devices and Windows 10 Mobile phones by following these steps.
**To find the Publisher and Product Name values for Store apps without installing them**
1. Go to the [Windows Store for Business](http://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, Microsoft OneNote.
>**Note**<br>
If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the steps in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section.
2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`.
3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9wzdncrfhvjl/applockerdata, where `9wzdncrfhvjl` is replaced with your ID value.
The API runs and opens a text editor with the app details.
@ -102,24 +113,65 @@ The steps to add your apps are based on the type of app it is; either a Universa
}
```
4. Copy the `publisherCertificateName` value and paste them into the **Publisher Name** box, copy the `packageIdentityName` value into the **Product Name** box of the **Add app** box, and then click **OK**.
<p>**Important**<br>If you dont see the **Product Name** box, it could mean that your tenant is not on the latest build and that you need to wait until it's upgraded. Same applies if you see the **AppId** box. The **AppId** box has been removed in the latest build and should disappear (along with any entries) when your tenant is upgraded.
<p>**Important**<br>The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app thats using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.<p>For example:<br>  
4. Copy the `publisherCertificateName` value and paste them into the **Publisher Name** box, copy the `packageIdentityName` value into the **Product Name** box of Intune.
```
>**Important**<br>
The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app thats using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.<p>For example:
```json
{
"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
}
```
![Create Configuration Item wizard, add a Universal Windows Platform (UWP) app](images/edp-sccm-adduniversalapp.png)
**To find the Publisher and Product Name values for apps installed on Windows 10 mobile phones**
1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature.
**To add a Classic Windows application**
>**Note**<br>
Your PC and phone must be on the same wireless network.
1. From the **Configure the following apps to be protected by EDP** table in the **Protected Apps** area, click **Add.**
<p>A dialog box appears, letting you pick whether the app is a **Universal App** or a **Desktop App**.
2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**.
2. Click **Desktop App**, pick the options you want (see table), and then click **OK**.
3. On the **For developers** screen, turn on **Developer mode**, turn on **Device Discovery**, and then turn on **Device Portal**.
4. Copy the URL in the **Device Portal** area into your device's browser, and then accept the SSL certificate.
5. In the **Device discovery** area, press **Pair**, and then enter the PIN into the website from the previous step.
6. On the **Apps** tab of the website, you can see details for the running apps, including the publisher and product names.
7. Start the app for which you're looking for the publisher and product name values.
8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune.
>**Important**<br>
The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app thats using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.<p>For example:
```json
{
"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
}
```
#### Add a desktop app rule to your policy
For this example, were going to add Internet Explorer, a desktop app, to the **App Rules** list.
**To add a desktop app to your policy**
1. From the **App rules** area, click **Add**.
The **Add app rule** box appears.
![Create Configuration Item wizard, add a classic desktop app](images/edp-sccm-adddesktopapp.png)
2. Add a friendly name for your app into the **Title** box. In this example, its *Internet Explorer*.
3. Click **Allow** from the **Enterprise data protection mode** drop-down list.
Allow turns on EDP, helping to protect that apps corporate data through the enforcement of EDP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from EDP restrictions](#exempt-apps-from-edp) section.
4. Pick **Desktop App** from the **Rule template** drop-down list.
The box changes to show the desktop app rule options.
5. Pick the options you want to include for the app rule (see table), and then click **OK**.
<table>
<tr>
@ -139,21 +191,21 @@ The steps to add your apps are based on the type of app it is; either a Universa
<td>All files for the specified product, signed by the named publisher.</td>
</tr>
<tr>
<td><strong>Publisher</strong>, <strong>Product Name</strong>, and <strong>File Name</strong> selected</td>
<td><strong>Publisher</strong>, <strong>Product Name</strong>, and <strong>Binary name</strong> selected</td>
<td>Any version of the named file or package for the specified product, signed by the named publisher.</td>
</tr>
<tr>
<td><strong>Publisher</strong>, <strong>Product Name</strong>, <strong>File Name</strong>, and <strong>File Version, Exactly</strong>, selected</td>
<td>Specified version of the named file or package for the specified product, signed by the named publisher.</td>
</tr>
<tr>
<td><strong>Publisher</strong>, <strong>Product Name</strong>, <strong>File Name</strong>, and <strong>File Version, And above</strong> selected</td>
<td><strong>Publisher</strong>, <strong>Product Name</strong>, <strong>Binary name</strong>, and <strong>File Version, and above</strong>, selected</td>
<td>Specified version or newer releases of the named file or package for the specified product, signed by the named publisher.<p>This option is recommended for enlightened apps that weren't previously enlightened.</td>
</tr>
<tr>
<td><strong>Publisher</strong>, <strong>Product Name</strong>, <strong>File Name</strong>, and <strong>File Version, And below</strong> selected</td>
<td><strong>Publisher</strong>, <strong>Product Name</strong>, <strong>Binary name</strong>, and <strong>File Version, And below</strong> selected</td>
<td>Specified version or older releases of the named file or package for the specified product, signed by the named publisher.</td>
</tr>
<tr>
<td><strong>Publisher</strong>, <strong>Product Name</strong>, <strong>Binary name</strong>, and <strong>File Version, Exactly</strong> selected</td>
<td>Specified version of the named file or package for the specified product, signed by the named publisher.</td>
</tr>
</table>
If youre unsure about what to include for the publisher, you can run this PowerShell command:
@ -172,43 +224,166 @@ Path Publisher
```
Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter in the **Publisher Name** box.
![Create Configuration Item wizard, add a Classic Windows app](images/edp-sccm-adddesktopapp.png)
#### Add an AppLocker policy file
For this example, were going to add an AppLocker XML file to the **App Rules** list. Youll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/applocker-overview) content.
## Manage the EDP-protection level for your enterprise data
After you've added the apps you want to protect with EDP, you'll need to apply an app management mode.
**To create an app rule and xml file using the AppLocker tool**
1. Open the Local Security Policy snap-in (SecPol.msc).
We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your **Protected Apps** list. After you're done, you can change to your final enforcement policy, either **Override** or **Block**.
2. In the left pane, expand **Application Control Policies**, expand **AppLocker**, and then click **Packaged App Rules**.
![Local security snap-in, showing the Packaged app Rules](images/intune-local-security-snapin.png)
3. Right-click in the right-hand pane, and then click **Create New Rule**.
The **Create Packaged app Rules** wizard appears.
4. On the **Before You Begin** page, click **Next**.
![Create Packaged app Rules wizard, showing the Before You Begin page](images/intune-applocker-before-begin.png)
5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**.
![Create Packaged app Rules wizard, showing the Before You Begin page](images/intune-applocker-permissions.png)
6. On the **Publisher** page, click **Select** from the **Use an installed packaged app as a reference** area.
![Create Packaged app Rules wizard, showing the Publisher](images/intune-applocker-publisher.png)
7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, were using Microsoft Photos.
![Create Packaged app Rules wizard, showing the Select applications page](images/intune-applocker-select-apps.png)
8. On the updated **Publisher** page, click **Create**.
![Create Packaged app Rules wizard, showing the Microsoft Photos on the Publisher page](images/intune-applocker-publisher-with-app.png)
9. Review the Local Security Policy snap-in to make sure your rule is correct.
![Local security snap-in, showing the new rule](images/intune-local-security-snapin-updated.png)
10. In the left pane, right-click on **AppLocker**, and then click **Export policy**.
The **Export policy** box opens, letting you export and save your new policy as XML.
![Local security snap-in, showing the Export Policy option](images/intune-local-security-export.png)
11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**.
The policy is saved and youll see a message that says 1 rule was exported from the policy.
**Example XML file**<br>
This is the XML file that AppLocker creates for Microsoft Photos.
```xml
<AppLockerPolicy Version="1">
<RuleCollection Type="Exe" EnforcementMode="NotConfigured" />
<RuleCollection Type ="Msi" EnforcementMode="NotConfigured" />
<RuleCollection Type ="Script" EnforcementMode="NotConfigured" />
<RuleCollection Type ="Dll" EnforcementMode="NotConfigured" />
<RuleCollection Type ="Appx" EnforcementMode="NotConfigured">
<FilePublisherRule Id="5e0c752b-5921-4f72-8146-80ad5f582110" Name="Microsoft.Windows.Photos, version 16.526.0.0 and above, from Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.Photos" BinaryName="*">
<BinaryVersionRange LowSection="16.526.0.0" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
</RuleCollection>
</AppLockerPolicy>
```
12. After youve created your XML file, you need to import it by using System Center Configuration Manager.
**To import your Applocker policy file app rule using 1System Center Configuration Manager**
1. From the **App rules** area, click **Add**.
The **Add app rule** box appears.
![Create Configuration Item wizard, add an AppLocker policy](images/edp-sccm-addapplockerfile.png)
2. Add a friendly name for your app into the **Title** box. In this example, its *Allowed app list*.
3. Click **Allow** from the **Enterprise data protection mode** drop-down list.
Allow turns on EDP, helping to protect that apps corporate data through the enforcement of EDP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from EDP restrictions](#exempt-apps-from-edp) section.
4. Pick the **AppLocker policy file** from the **Rule template** drop-down list.
The box changes to let you import your AppLocker XML policy file.
5. Click the ellipsis (...) to browse for your AppLocker XML file, click **Open**, and then click **OK** to close the **Add app rule** box.
The file is imported and the apps are added to your **App Rules** list.
#### Exempt apps from EDP restrictions
If you're running into compatibility issues where your app is incompatible with EDP, but still needs to be used with enterprise data, you can exempt the app from the EDP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak.
**To exempt a store app, a desktop app, or an AppLocker policy file app rule**
1. From the **App rules** area, click **Add**.
The **Add app rule** box appears.
2. Add a friendly name for your app into the **Title** box. In this example, its *Exempt apps list*.
3. Click **Exempt** from the **Enterprise data protection mode** drop-down list.
Be aware that when you exempt apps, theyre allowed to bypass the EDP restrictions and access your corporate data. To allow apps, see the [Add app rules to your policy](#add-app-rules-to-your-policy) section of this topic.
4. Fill out the rest of the app rule info, based on the type of rule youre adding:
- **Store app.** Follow the **Publisher** and **Product name** instructions in the [Add a store app rule to your policy](#add-a-store-app-rule-to-your-policy) section of this topic.
- **Desktop app.** Follow the **Publisher**, **Product name**, **Binary name**, and **Version** instructions in the [Add a desktop app rule to your policy](#add-a-desktop-app-rule-to-your-policy) section of this topic.
- **AppLocker policy file.** Follow the **Import** instructions in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section of this topic, using a list of exempted apps.
5. Click **OK**.
### Manage the EDP-protection level for your enterprise data
After you've added the apps you want to protect with EDP, you'll need to apply a management and protection mode.
We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Override** or **Block**.
|Mode |Description |
|-----|------------|
|Block |EDP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise. |
|Block |EDP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
|Override |EDP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](http://go.microsoft.com/fwlink/p/?LinkID=746459). |
|Silent |EDP runs silently, logging inappropriate data sharing, without blocking anything. |
|Off (not recommended) |EDP is turned off and doesn't help to protect or audit your data.
<p>After you turn off EDP, an attempt is made to decrypt any closed EDP-tagged files on the locally attached drives. |
|Silent |EDP runs silently, logging inappropriate data sharing, without blocking anything that wouldve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or EDP-protected data, are still blocked.|
|Off (not recommended) |EDP is turned off and doesn't help to protect or audit your data.<p>After you turn off EDP, an attempt is made to decrypt any closed EDP-tagged files on the locally attached drives.|
![Create Configuration Item wizard, choose your EDP-protection level](images/edp-sccm-appmgmt.png)
## Define your enterprise-managed identity domains
Specify your companys enterprise identity, expressed as your primary internet domain. For example, if your company is Contoso, its enterprise identity might be contoso.com. The first listed domain (in this example, contoso.com) is the primary enterprise identity string used to tag files protected by any app on the **Protected App** list.
### Define your enterprise-managed identity domains
Corporate identity, usually expressed as your primary internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps youve marked as protected by EDP. For example, emails using contoso.com are identified as being corporate and are restricted by your enterprise data protection policies.
You can also specify all the domains owned by your enterprise that are used for user accounts, separating them with the "|" character. For example, if Contoso also has some employees with email addresses or user accounts on the fabrikam.com domain, you would use contoso.com|fabrikam.com.
You can specify multiple domains owned by your enterprise by separating them with the "|" character. For example, (contoso.com|newcontoso.com). With multiple domains, the first one is designated as your corporate identity and all of the additional ones as being owned by the first one. We strongly recommend that you include all of your email address domains in this list.
This list of managed identity domains, along with the primary domain, make up the identity of your managing enterprise. User identities (user@domain) that end in any of the domains on this list, are considered managed.
**To add your corporate identity**
![Create Configuration Item wizard, Add the primary Internet domain for your enterprise identity](images/sccm-primary-domain.png)
- Type the name of your corporate identity into the **Corporate identity** field. For example, `contoso.com` or `contoso.com|newcontoso.com`.
**To add your primary domain**
![Create Configuration Item wizard, Add the primary Internet domain for your enterprise identity](images/edp-sccm-corp-identity.png)
- Type the name of your primary domain into the **Primary domain** field. For example, *contoso.com*.<p>
If you have multiple domains, you must separate them with the "|" character. For example, contoso.com|fabrikam.com.
### Choose where apps can access enterprise data
After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network.
## Choose where apps can access enterprise data
After you've added a management level to your protected apps, you'll need to decide where those apps can access enterprise data on your network. There are 6 options, including your network domain, cloud domain, proxy server, internal proxy server, IPv4 range, and IPv6 range.
There are no default locations included with EDP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprises range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT).
**To specify where your protected apps can find and send enterprise data on the network**
>**Important**<br>
- Every EDP policy should include policy that defines your enterprise network locations.
- Classless Inter-Domain Routing (CIDR) notation isnt supported for EDP configurations.
**To define where your protected apps can find and send enterprise data on you network**
1. Add additional network locations your apps can access by clicking **Add**.
The **Add or edit corporate network definition** box appears.
2. Type a name for your corporate network element into the **Name** box, and then pick what type of network element it is, from the **Network element** drop-down box. This can include any of the options in the following table.
![Add or edit corporate network definition box, Add your enterprise network locations](images/edp-sccm-add-network-domain.png)
1. Add additional network locations your apps can access by clicking **Add**, and then choosing your location type, including:
<table>
<tr>
<th>Network location type</th>
@ -216,65 +391,145 @@ After you've added a management level to your protected apps, you'll need to dec
<th>Description</th>
</tr>
<tr>
<td>Enterprise Cloud Domain</td>
<td>contoso.sharepoint.com,proxy1.contoso.com|<br>office.com|proxy2.contoso.com</td>
<td>Specify the cloud resources traffic to restrict to your protected apps.<p>For each cloud resource, you may also specify an internal proxy server that routes your traffic from your **Enterprise Internal Proxy Server** policy. If you have multiple resources, you must use the &#x7C; delimiter. Include the "|" delimiter just before the "|" if you dont use proxies. For example: [URL,Proxy]|[URL,Proxy].</td>
<td>Enterprise Cloud Resources</td>
<td>**With proxy:** contoso.sharepoint.com,proxy.contoso.com|<br>contoso.visualstudio.com,proxy.contoso.com<p>**Without proxy:** contoso.sharepoint.com|contoso.visualstudio.com</td>
<td>Specify the cloud resources to be treated as corporate and protected by EDP.<p>For each cloud resource, you may also optionally specify an internal proxy server that routes your traffic through your Enterprise Internal Proxy Server.<p>If you have multiple resources, you must separate them using the "|" delimiter. If you dont use proxy servers, you must also include the "," delimiter just before the "|". For example: `URL <,proxy>|URL <,proxy>`.<p>If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the `/*AppCompat*/` string to this setting. For example: `URL <,proxy>|URL <,proxy>|/*AppCompat*/`</td>
</tr>
<tr>
<td>Enterprise Network Domain</td>
<td>domain1.contoso.com,domain2.contoso.com</td>
<td>Specify the DNS suffix used in your environment. All traffic to the fully-qualified domains using this DNS suffix will be protected. If you have multiple resources, you must use the "," delimiter.<p>This setting works with the IP Ranges settings to detect whether a network endpoint is enterprise or personal on private networks.</td>
<td>Enterprise Network Domain Names (Required)</td>
<td>corp.contoso.com,region.contoso.com</td>
<td>Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.<p>This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks.<p>If you have multiple resources, you must separate them using the "," delimiter.</td>
</tr>
<tr>
<td>Enterprise Proxy Server</td>
<td>domain1.contoso.com:80;domain2.contoso.com:137</td>
<td>Specify the proxy server and the port traffic is routed through. If you have multiple resources, you must use the ";" delimiter.<p>This setting is required if you use a proxy in your network. If you don't have a proxy server, you might find that enterprise resources are unavailable when a client is behind a proxy, such as when using certain Wi-Fi hotspots at hotels and restaurants.</td>
<td>Enterprise Proxy Servers</td>
<td>proxy.contoso.com:80;proxy2.contoso.com:137</td>
<td>Specify your externally-facing proxy server addresses, along with the port through which traffic is allowed and protected with EDP.<p>This list shouldnt include any servers listed in the Enterprise Internal Proxy Servers list, which are used for EDP-protected traffic.<p>This setting is also required if you use a proxy in your network. If you don't have a proxy server, you might find that enterprise resources are unavailable when a client is behind a proxy, such as when youre visiting another company and not on that companys guest network.<p>If you have multiple resources, you must separate them using the ";" delimiter.</td>
</tr>
<tr>
<td>Enterprise Internal Proxy Server</td>
<td>proxy1.contoso.com;proxy2.contoso.com</td>
<td>Specify the proxy servers your cloud resources will go through. If you have multiple resources, you must use the ";" delimiter.</td>
<td>Enterprise Internal Proxy Servers</td>
<td>contoso.internalproxy1.com;contoso.internalproxy2.com</td>
<td>Specify the proxy servers your devices will go through to reach your cloud resources.<p>Using this server type indicates that the cloud resources youre connecting to are enterprise resources.<p>This list shouldnt include any servers listed in the Enterprise Proxy Servers list, which are used for non-EDP-protected traffic.<p>If you have multiple resources, you must separate them using the ";" delimiter.</td>
</tr>
<tr>
<td>Enterprise IPv4 Range</td>
<td>**Starting IPv4 Address:** 3.4.0.1<br>**Ending IPv4 Address:** 3.4.255.254<br>**Custom URI:** 3.4.0.1-3.4.255.254,10.0.0.1-10.255.255.254</td>
<td>Specify the addresses for a valid IPv4 value range within your intranet.<p>If you are adding a single range, you can enter the starting and ending addresses into your management systems UI. If you want to add multiple addresses, we suggest creating a Custom URI, using the "-" delimiter between start and end of a range, and the "," delimiter to separate ranges.</td>
<td>Enterprise IPv4 Range (Required)</td>
<td>**Starting IPv4 Address:** 3.4.0.1<br>**Ending IPv4 Address:** 3.4.255.254<br>**Custom URI:** 3.4.0.1-3.4.255.254,<br>10.0.0.1-10.255.255.254</td>
<td>Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.<p>If you have multiple ranges, you must separate them using the "," delimiter.</td>
</tr>
<tr>
<td>Enterprise IPv6 Range</td>
<td>**Starting IPv6 Address:** 2a01:110::<br>**Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff<br>**Custom URI:** 2a01:110::-2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff</td>
<td>Specify the addresses for a valid IPv6 value range within your intranet.<p>If you are adding a single range, you can enter the starting and ending addresses into your management systems UI. If you want to add multiple addresses, we suggest creating a Custom URI, using the "-" delimiter between start and end of a range, and the "," delimiter to separate ranges.</td>
<td>**Starting IPv6 Address:** 2a01:110::<br>**Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff<br>**Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,<br>fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff</td>
<td>Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.<p>If you have multiple ranges, you must separate them using the "," delimiter.</td>
</tr>
<tr>
<td>Neutral Resources</td>
<td>sts.contoso.com,sts.contoso2.com</td>
<td>Specify your authentication redirection endpoints for your company.<p>These locations are considered enterprise or personal, based on the context of the connection before the redirection.<p>If you have multiple resources, you must separate them using the "," delimiter.</td>
</tr>
</table>
![Create Configuration Item wizard, specify the network locations that can be accessed by the protected apps](images/edp-sccm-primarydomain2.png)
3. Add as many locations as you need, and then click **OK**.
2. Add as many locations as you need, and then click **OK**.<p>
The **Add or Edit Enterprise Network Locations box** closes.
The **Add or edit corporate network definition** box closes.
3. In the **Use a data recovery certificate in case of data loss** box, click **Browse** to add a data recovery certificate for your policy.<p>
Adding a data recovery certificate helps you to access locally-protected files on the device. For example, if an employee leaves the company and the IT department has to access EDP-protected data from a Windows 10 company computer. This can also help recover data in case an employee's device is accidentally revoked. For more info about how to find and export your data recovery certificate, see the[Data Recovery and Encrypting File System (EFS)](http://go.microsoft.com/fwlink/p/?LinkId=761462) topic.
4. Decide if you want to Windows to look for additional network settings.
## Choose your optional EDP-related settings
![Create Configuration Item wizard, Add whether to search for additional network settings](images/edp-sccm-optsettings.png)
- **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network.
- **Enterprise IP Ranges list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network.
- **Show the enterprise data protection icon overlay on your allowed apps that are EDP-unaware in the Windows Start menu and on corporate file icons in the File Explorer.** Click this box if you want the enterprise data protection icon overlay to appear on corporate files or in the Start menu, on top the tiles for your unenlightened protected apps.
5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy.
After you create and deploy your EDP policy to your employees, Windows will begin to encrypt your corporate data on the employees local device drive. If somehow the employees local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data.
For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](http://go.microsoft.com/fwlink/p/?LinkId=761462) topic.
![Create Configuration Item wizard, Add a data recovery agent (DRA) certificate](images/edp-sccm-dra.png)
#### Create and verify an Encrypting File System (EFS) DRA certificate for EDP
If you dont already have an EFS DRA certificate, youll need to create and extract one from your system before you can use EDP in your organization. For the purposes of this section, well use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you.
>**Important**<br>If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy.
**To manually create an EFS DRA certificate**
1. On a computer without an EFS DRA certificate installed, open a command prompt with elevated rights, and then navigate to where you want to store the certificate.
2. Run this command:
`cipher /r:<EFSDRA>`<br>Where `<EFSDRA>` is the name of the .cer and .pfx files that you want to create.
3. When prompted, type and confirm a password to help protect your new Personal Information Exchange (.pfx) file.
The EFSDRA.cer and EFSDRA.pfx files are created in the location you specified in Step 1.
**Important**<br>Because these files can be used to decrypt any EDP file, you must protect them accordingly. We highly recommend storing them as a public key (PKI) on a smart card with strong protection, stored in a secured physical location.
4. Add your EFS DRA certificate to your EDP policy by using Step 3 of the [Choose where apps can access enterprise data](#choose-where-apps-can-access-enterprise-data) section of this topic.
**To verify your data recovery certificate is correctly set up on an EDP client computer**
1. Open an app on your protected app list, and then create and save a file so that its encrypted by EDP.
2. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command:
`cipher /c <filename>`<br>Where `<filename>` is the name of the file you created in Step 1.
3. Make sure that your data recovery certificate is listed in the **Recovery Certificates** list.
**To recover your data using the EFS DRA certificate in a test environment**
1. Copy your EDP-encrypted file to a location where you have admin access.
2. Install the EFSDRA.pfx file, using your password.
3. Open a command prompt with elevated rights, navigate to the encrypted file, and then run this command:
`cipher /d <encryptedfile.extension>`<br>Where `<encryptedfile.extension>` is the name of your encrypted file. For example, corporatedata.docx.
### Choose your optional EDP-related settings
After you've decided where your protected apps can access enterprise data on your network, youll be asked to decide if you want to add any optional EDP settings.
**To add your optional settings**
- Choose to set any or all of the optional EDP-related settings:
![Create Configuration Item wizard, Choose any additional, optional settings](images/edp-sccm-additionalsettings.png)
- **Block the user from decrypting data that was created or edited by the apps configured above.** Clicking **No**, or leaving the setting blank, lets your employees right-click to decrypt their protected app data, along with the option to decrypt data in the **Save As** box and the **Save As** file picker . Clicking **Yes** removes the **Decrypt** option and saves all data for protected apps as enterprise-encrypted.
**To set your optional settings**
1. Choose to set any or all of the optional settings:
- **Protect app content when the device is in a locked state for the apps configured above.** Clicking **Yes** lets EDP help to secure protected app content when a mobile device is locked. We recommend turning this option on to help prevent data leaks from things such as email text that appears on the **Lock** screen of a Windows 10 Mobile phone.
- **Show the Personal option in the File ownership menus of File Explorer and the Save As dialog box.** Determines whether users can see the Personal option for files within File Explorer and the **Save As** dialog box. The options are:
![Create Configuration Item wizard, choose additional optional settings for enterprise data protection](images/edp-sccm-optsettings.png)
- **Yes, or not configured (recommended).** Employees can choose whether a file is **Work** or **Personal** in File Explorer and the **Save As** dialog box.
## Review your configuration choices in the Summary screen
- **No.** Hides the **Personal** option from employees. Be aware that if you pick this option, apps that use the **Save As** dialog box might encrypt new files as corporate data unless a different file path is given during the original file creation. After this happens, decryption of work files becomes more difficult.
- **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile**. Determines whether apps can show corporate data on a Windows 10 Mobile device **Lock** screen. The options are:
- **Yes (recommended).** Stop apps from reading corporate data on Windows 10 Mobile device when the screen is locked.
- **No, or not configured.** Allows apps to read corporate data on Windows 10 Mobile device when the screen is locked.
- **Allow Windows Search to search encrypted corporate data and Store apps.** Determines whether Windows Search can search and index encrypted corporate data and Store apps. The options are:
- **Yes.** Allows Windows Search to search and index encrypted corporate data and Store apps.
- **No, or not configured (recommended).** Stops Windows Search from searching and indexing encrypted corporate data and Store apps.
- **Revoke local encryption keys during the unerollment process.** Determines whether to revoke a users local encryption keys from a device when its unenrolled from enterprise data protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are:
- **Yes, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment.
- **No.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if youre migrating between Mobile Device Management (MDM) solutions.
2. After you pick all of the settings you want to include, click **Summary**.
### Review your configuration choices in the Summary screen
After you've finished configuring your policy, you can review all of your info on the **Summary** screen.
**To view the Summary screen**
- Click the **Summary** button to review your policy choices, and then click **Next** to finish and to save your policy.<p>
A progress bar appears, showing you progress for your policy. After it's done, click **Close** to return to the **Configuration Items** page.
- Click the **Summary** button to review your policy choices, and then click **Next** to finish and to save your policy.
![Create Configuration Item wizard, Summary screen for all of your policy choices](images/edp-sccm-summaryscreen.png)
A progress bar appears, showing you progress for your policy. After it's done, click **Close** to return to the **Configuration Items** page.
![Create Configuration Item wizard, review the Summary screen before creating the policy](images/edp-sccm-summaryscreen.png)
## Deploy the EDP policy
After youve created your EDP policy, you'll need to deploy it to your organization's devices. For info about your deployment options, see these topics:
@ -283,7 +538,7 @@ After youve created your EDP policy, you'll need to deploy it to your organiz
- [How to Deploy Configuration Baselines in Configuration Manager]( http://go.microsoft.com/fwlink/p/?LinkId=708226)
## Related topics
- [System Center Configuration Manager and Endpoint Protection (Version 1511)](http://go.microsoft.com/fwlink/p/?LinkId=717372)
- [System Center Configuration Manager and Endpoint Protection (Version 1606)](http://go.microsoft.com/fwlink/p/?LinkId=717372)
- [TechNet documentation for Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=691623)
- [Manage mobile devices with Configuration Manager and Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkId=691624)

14
windows/keep-secure/dynamic-access-control.md
View File

@ -132,16 +132,8 @@ If clients do not recognize Dynamic Access Control, there must be a two-way trus
If claims are transformed when they leave a forest, all domain controllers in the users forest root must be set at the Windows Server 2012 or higher functional level.
A file server running Windows Server 2012 or Windows Server 2012 R2 must have a Group Policy setting that specifies whether it needs to get user claims for user tokens that do not carry claims. This setting is set by default to **Automatic**, which results in this Group Policy setting to be turned **On** if there is a central policy that contains user or device claims for that file server. If the file server contains discretionary ACLs that include user claims, you need to set this Group Policy to **On** so that the server knows to request claims on behalf of users that do not provide claims when they access the server.
## Additional resource
[Access control overview](access-control.md)
 
 
A file server running a server operating system that supports Dyamic Access Control must have a Group Policy setting that specifies whether it needs to get user claims for user tokens that do not carry claims. This setting is set by default to **Automatic**, which results in this Group Policy setting to be turned **On** if there is a central policy that contains user or device claims for that file server. If the file server contains discretionary ACLs that include user claims, you need to set this Group Policy to **On** so that the server knows to request claims on behalf of users that do not provide claims when they access the server.
## See also
- [Access control overview](access-control.md)

29
windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md
View File

@ -16,7 +16,7 @@ author: jdeckerMS
- Windows 10
- Windows 10 Mobile
In Windows 10, Version 1607, your network users can use Windows Phone with Windows Hello to sign in to a PC, connect to VPN, and sign in to Office 365 in a browser. Phone sign-in uses Bluetooth, which means no need to wait for a phone call or to remember a PIN -- just tap the app.
In Windows 10, Version 1607, your network users can use Windows Phone with Windows Hello to sign in to a PC, connect to VPN, and sign in to Office 365 in a browser. Phone sign-in uses Bluetooth, which means no need to wait for a phone call -- just unlock the phone and tap the app.
(add screenshot when I can get the app working)
@ -25,6 +25,7 @@ You can create a Group Policy or mobile device management (MDM) policy that will
## Prerequisites
- Both phone and PC must be running Windows 10, Version 1607.
- The PC must be running Windows 10 Pro, Enterprise, or Education
- Both phone and PC must have Bluetooth.
- The PC must be joined to an Active Directory domain that is connected to an Azure Active Directory (Azure AD) domain, or the PC must be joined to Azure AD.
- The phone must be joined to Azure AD or have a work account added.
@ -34,35 +35,35 @@ You can create a Group Policy or mobile device management (MDM) policy that will
To enable phone sign-in, you must enable the following policies using Group Policy or MDM.
- Group Policy: **Computer Configuration** or **User Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Microsoft Passport for Work**
- Enable **Use Microsoft Passport for Work**
- Enable **Remote Passport**
- Group Policy: **Computer Configuration** or **User Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**
- Enable **Use Windows Hello for Business**
- Enable **Phone Sign-in**
- MDM:
- Set **UsePassportForWork** to **True**
- Set **Remote\UseRemotePassport** to **True**
To distribute the **Phone Sign-in** app, your organization must have set up Windows Store for Business, with Microsoft added as a Line of Business (LOB) publisher.
- The **Phone Sign-in** app must be added to Windows Store for Business for your organization.
- Users must install the **Phone sign-in** app on the phone.
Everyone can get the **Microsoft Authenticator** app from the Windows Store. If you want to distribute the **Microsoft Authenticator** app, your organization must have set up Windows Store for Business, with Microsoft added as a Line of Business (LOB) publisher.
[Tell people how to sign in using their phone.](prepare-people-to-use-microsoft-passport.md#bmk-remote)
## Related topics
[Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md)
[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md)
[Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md)
[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md)
[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md)
[Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md)
[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md)
[Microsoft Passport and password changes](microsoft-passport-and-password-changes.md)
[Windows Hello and password changes](microsoft-passport-and-password-changes.md)
[Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md)
[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md)
[Event ID 300 - Passport successfully created](passport-event-300.md)
[Event ID 300 - Windows Hello successfully created](passport-event-300.md)
[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md)
 

BIN
windows/keep-secure/images/edp-sccm-add-network-domain.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 65 KiB

BIN
windows/keep-secure/images/edp-sccm-addapplockerfile.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 43 KiB

BIN
windows/keep-secure/images/edp-sccm-adddesktopapp.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 36 KiB

After

Width:  |  Height:  |  Size: 50 KiB

BIN
windows/keep-secure/images/edp-sccm-additionalsettings.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 42 KiB

BIN
windows/keep-secure/images/edp-sccm-adduniversalapp.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 33 KiB

After

Width:  |  Height:  |  Size: 46 KiB

BIN
windows/keep-secure/images/edp-sccm-appmgmt.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 27 KiB

After

Width:  |  Height:  |  Size: 42 KiB

BIN
windows/keep-secure/images/edp-sccm-corp-identity.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.4 KiB

BIN
windows/keep-secure/images/edp-sccm-devicesettings.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 23 KiB

After

Width:  |  Height:  |  Size: 35 KiB

BIN
windows/keep-secure/images/edp-sccm-dra.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 2.9 KiB

BIN
windows/keep-secure/images/edp-sccm-generalscreen.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 30 KiB

After

Width:  |  Height:  |  Size: 38 KiB

BIN
windows/keep-secure/images/edp-sccm-network-domain.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 40 KiB

BIN
windows/keep-secure/images/edp-sccm-optsettings.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 17 KiB

After

Width:  |  Height:  |  Size: 39 KiB

BIN
windows/keep-secure/images/edp-sccm-primarydomain2.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 28 KiB

BIN
windows/keep-secure/images/edp-sccm-summaryscreen.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 32 KiB

After

Width:  |  Height:  |  Size: 56 KiB

BIN
windows/keep-secure/images/edp-sccm-supportedplat.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 19 KiB

After

Width:  |  Height:  |  Size: 26 KiB

BIN
windows/keep-secure/images/intune-applocker-before-begin.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 22 KiB

BIN
windows/keep-secure/images/intune-applocker-permissions.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 18 KiB

BIN
windows/keep-secure/images/intune-applocker-publisher-with-app.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 26 KiB

BIN
windows/keep-secure/images/intune-applocker-publisher.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 24 KiB

BIN
windows/keep-secure/images/intune-applocker-select-apps.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 27 KiB

BIN
windows/keep-secure/images/intune-local-security-export.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 59 KiB

BIN
windows/keep-secure/images/intune-local-security-snapin-updated.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 66 KiB

BIN
windows/keep-secure/images/intune-local-security-snapin.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 65 KiB

31
windows/keep-secure/implement-microsoft-passport-in-your-organization.md
View File

@ -1,6 +1,6 @@
---
title: Implement Microsoft Passport in your organization (Windows 10)
description: You can create a Group Policy or mobile device management (MDM) policy that will implement Microsoft Passport on devices running Windows 10.
title: Implement Windows Hello in your organization (Windows 10)
description: You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello for Business on devices running Windows 10.
ms.assetid: 47B55221-24BE-482D-BD31-C78B22AC06D8
keywords: identity, PIN, biometric, Hello
ms.prod: w10
@ -10,24 +10,20 @@ ms.pagetype: security
author: jdeckerMS
---
# Implement Microsoft Passport in your organization
# Implement Windows Hello for Business in your organization
**Applies to**
- Windows 10
- Windows 10 Mobile
You can create a Group Policy or mobile device management (MDM) policy that will implement Microsoft Passport on devices running Windows 10.
> **Important:** The Group Policy setting **Turn on PIN sign-in** does not apply to Windows 10. Use **Microsoft Passport for Work** policy settings to manage PINs.
You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello on devices running Windows 10.
> **Important:** The Group Policy setting **Turn on PIN sign-in** does not apply to Windows 10. Use **Windows Hello for Business** policy settings to manage PINs.
 
## Group Policy settings for Passport
<<<<<<< HEAD
The following table lists the Group Policy settings that you can configure for Hello use in your workplace. These policy settings are available in both **User configuration** and **Computer Configuration** under **Policies** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Windows Hello for Business**.
The following table lists the Group Policy settings that you can configure for Passport use in your workplace. *These policy settings are available in both **User configuration** and **Computer Configuration** under **Policies** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Windows Hello for Business**.*
=======
The following table lists the Group Policy settings that you can configure for Hello use in your workplace. These policy settings are available in **Computer Configuration** &gt; **Policies** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Windows Hello for Business**.
>>>>>>> refs/remotes/origin/rs1
<table>
<tr>
<th colspan="2">Policy</th>
@ -283,7 +279,7 @@ The following table lists the MDM policy settings that you can configure for Win
<td>False</td>
<td>
<p>True: <a href="prepare-people-to-use-microsoft-passport.md#BMK_remote">Phone sign-in</a> is enabled.</p>
<p>False: <a href="prepare-people-to-use-microsoft-passport.md#BMK_remote">Phone sign0in</a> is disabled.</p>
<p>False: <a href="prepare-people-to-use-microsoft-passport.md#BMK_remote">Phone sign-in</a> is disabled.</p>
</td>
</tr>
</table>
@ -366,14 +362,17 @@ The work PIN is managed using the same Windows Hello for Business policies that
[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md)
[Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md)
[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md)
[Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md)
[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md)
[Microsoft Passport and password changes](microsoft-passport-and-password-changes.md)
[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md)
[Windows Hello and password changes](microsoft-passport-and-password-changes.md)
[Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md)
[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md)
[Event ID 300 - Passport successfully created](passport-event-300.md)
[Event ID 300 - Windows Hello successfully created](passport-event-300.md)
[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md)
 

3
windows/keep-secure/index.md
View File

@ -19,8 +19,7 @@ Learn about keeping Windows 10 and Windows 10 Mobile secure.
| [Change history for Keep Windows 10 secure](change-history-for-keep-windows-10-secure.md) | This topic lists new and updated topics in the Keep Windows 10 secure documentation for [Windows 10 and Windows 10 Mobile](../index.md). |
| [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) | To help protect your company from attacks which may originate from untrusted or attacker controlled font files, weve created the Blocking Untrusted Fonts feature. Using this feature, you can turn on a global setting that stops your employees from loading untrusted fonts processed using the Graphics Device Interface (GDI) onto your network. Untrusted fonts are any font installed outside of the %windir%/Fonts directory. Blocking untrusted fonts helps prevent both remote (web-based or email-based) and local EOP attacks that can happen during the font file-parsing process. |
| [Device Guard certification and compliance](device-guard-certification-and-compliance.md) | Device Guard is a combination of hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. If the app isnt trusted it cant run, period. It also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code after the computer restarts because of how decisions are made about what can run and when. |
| [Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md) | In Windows 10, Microsoft Passport replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a Windows Hello (biometric) or PIN. |
| [Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) | Windows Hello is the biometric authentication feature that helps strengthen authentication and helps to guard against potential spoofing through fingerprint matching and facial recognition. |
| [Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) | In Windows 10, Windows Hello replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. |
| [Configure S/MIME for Windows 10 and Windows 10 Mobile](configure-s-mime.md) | In Windows 10, S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with. |
| [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md) | Digital certificates bind the identity of a user or computer to a pair of keys that can be used to encrypt and sign digital information. Certificates are issued by a certification authority (CA) that vouches for the identity of the certificate holder, and they enable secure client communications with websites and services. |
| [Protect derived domain credentials with Credential Guard](credential-guard.md) | Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes and Kerberos Ticket Granting Tickets. |

38
windows/keep-secure/local-accounts.md
View File

@ -48,7 +48,7 @@ This topic describes the following:
- [Create unique passwords for local accounts with administrative rights](#sec-create-unique-passwords)
For information about security principals, see [Security Principals Technical Overview](security-principals.md).
For information about security principals, see [Security Principals](security-principals.md).
## <a href="" id="sec-default-accounts"></a>Default local user accounts
@ -99,7 +99,7 @@ As a security best practice, use your local (non-Administrator) account to sign
In comparison, on the Windows client operating system, a user with a local user account that has Administrator rights is considered the system administrator of the client computer. The first local user account that is created during installation is placed in the local Administrators group. However, when multiple users run as local administrators, the IT staff has no control over these users or their client computers.
In this case, Group Policy can be used to enable secure settings that can control the use of the local Administrators group automatically on every server or client computer. For more information about Group Policy, see [Group Policy Overview](http://technet.microsoft.com/library/hh831791.aspx) and [Group Policy](http://technet.microsoft.com/windowsserver/bb310732.aspx).
In this case, Group Policy can be used to enable secure settings that can control the use of the local Administrators group automatically on every server or client computer. For more information about Group Policy, see [Group Policy Overview](http://technet.microsoft.com/library/hh831791.aspx).
**Note**  
Blank passwords are not allowed in the versions designated in the **Applies To** list at the beginning of this topic.
@ -141,7 +141,7 @@ The security identifiers (SIDs) that pertain to the default HelpAssistant accoun
For the Windows Server operating system, Remote Assistance is an optional component that is not installed by default. You must install Remote Assistance before it can be used.
In comparison, for the Windows client operating system, the HelpAssistant account is enabled on installation by default. For more information about remote desktop connections for those client operating systems designated in the **Applies To** list at the beginning of this topic, see [Enable Remote Desktop](http://technet.microsoft.com/library/dd744299.aspx).
In comparison, for the Windows client operating system, the HelpAssistant account is enabled on installation by default.
## <a href="" id="sec-localsystem"></a>Default local system accounts
@ -200,7 +200,7 @@ In addition, UAC can require administrators to specifically approve applications
For example, a default feature of UAC is shown when a local account signs in from a remote computer by using Network logon (for example, by using NET.EXE USE). In this instance, it is issued a standard user token with no administrative rights, but with the ability to request or receive elevation. Consequently, local accounts that sign in by using Network logon cannot access administrative shares such as C$, or ADMIN$, or perform any remote administration.
For summary information about UAC, see [User Account Control](http://technet.microsoft.com/library/cc731416.aspx). For detailed information about special conditions when you use UAC, see [User Account Control](http://technet.microsoft.com/library/cc772207.aspx).
For more information about UAC, see [User Account Control](user-account-control-overview.md).
The following table shows the Group Policy and registry settings that are used to enforce local account restrictions for remote access.
@ -384,10 +384,7 @@ The following table shows the Group Policy settings that are used to deny networ
<tr class="even">
<td><p></p></td>
<td><p>Policy name</p></td>
<td><p>[Deny log on through Remote Desktop Services](deny-log-on-through-remote-desktop-services.md)</p>
<p>(Windows Server 2008 R2 and later.)</p>
<p>Deny logon through Terminal Services</p>
<p>(Windows Server 2008)</p></td>
<td><p>[Deny log on through Remote Desktop Services](deny-log-on-through-remote-desktop-services.md)</p></td>
</tr>
<tr class="odd">
<td><p></p></td>
@ -437,23 +434,16 @@ The following table shows the Group Policy settings that are used to deny networ
1. Navigate to Computer Configuration\\Policies\\Windows Settings and Local Policies, and then click **User Rights Assignment**.
**Note**  
Depending on the Windows operating system, you can choose the name of the Remote Interactive logon user right.
2. Double-click **Deny log on through Remote Desktop Services**, and then select **Define these settings**.
 
2. On computers that run Windows Server 2008, double-click **Deny logon through Terminal Services**, and then select **Define these policy settings**.
3. On computers running Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2, double-click **Deny logon through Remote Desktop Services**, and then select **Define these settings**.
4. Click **Add User or Group**, type the user name of the default Administrator account, and &gt; **OK**. (The default name is Administrator on US English installations, but it can be renamed either by policy or manually.
3. Click **Add User or Group**, type the user name of the default Administrator account, and &gt; **OK**. (The default name is Administrator on US English installations, but it can be renamed either by policy or manually.
**Important**  
In the **User and group names** box, type the user name of the account that you identified at the start of this process. Do not click **Browse** and do not type the domain name or the local computer name in this dialog box. For example, type only **Administrator**. If the text that you typed resolves to a name that is underlined or includes a domain name, it restricts the wrong account and causes this mitigation to work incorrectly. Also, be careful that you do not enter the group name Administrator because this also blocks domain accounts in that group.
 
5. For any additional local accounts in the Administrators group on all of the workstations that you are setting up, click **Add User or Group**, type the user names of these accounts in the dialog box in the same manner as the previous step, and &gt; **OK**.
4. For any additional local accounts in the Administrators group on all of the workstations that you are setting up, click **Add User or Group**, type the user names of these accounts in the dialog box in the same manner as the previous step, and &gt; **OK**.
8. Link the GPO to the first **Workstations** OU as follows:
@ -498,16 +488,8 @@ Passwords can be randomized by:
The following resources provide additional information about technologies that are related to local accounts.
- [Security Principals Technical Overview](security-principals.md)
- [Security Principals](security-principals.md)
- [Security Identifiers Technical Overview](security-identifiers.md)
- [Security Identifiers](security-identifiers.md)
- [Access Control Overview](access-control.md)
 
 

76
windows/keep-secure/manage-identity-verification-using-microsoft-passport.md
View File

@ -1,6 +1,6 @@
---
title: Manage identity verification using Microsoft Passport (Windows 10)
description: In Windows 10, Microsoft Passport replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a Windows Hello (biometric) or PIN.
title: Manage identity verification using Windows Hello for Business (Windows 10)
description: In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN.
ms.assetid: 5BF09642-8CF5-4FBC-AC9A-5CA51E19387E
keywords: identity, PIN, biometric, Hello
ms.prod: w10
@ -9,83 +9,79 @@ ms.sitesec: library
ms.pagetype: security, mobile
author: jdeckerMS
---
# Manage identity verification using Microsoft Passport
# Manage identity verification using Windows Hello for Business
**Applies to**
- Windows 10
- Windows 10 Mobile
In Windows 10, Microsoft Passport replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a Windows Hello (biometric) or PIN.
In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN.
Passport addresses the following problems with passwords:
> **Note:** When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.
Hello addresses the following problems with passwords:
- Passwords can be difficult to remember, and users often reuse passwords on multiple sites.
- Server breaches can expose symmetric network credentials.
- Passwords can be subject to [replay attacks](http://go.microsoft.com/fwlink/p/?LinkId=615673).
- Users can inadvertently expose their passwords due to [phishing attacks](http://go.microsoft.com/fwlink/p/?LinkId=615674).
Passport lets users authenticate to:
Hello lets users authenticate to:
- a Microsoft account.
- an Active Directory account.
- a Microsoft Azure Active Directory (AD) account.
- Identity Provider Services or Relying Party Services that support [Fast ID Online (FIDO) v2.0](http://go.microsoft.com/fwlink/p/?LinkId=533889) authentication
After an initial two-step verification of the user during Passport enrollment, Passport is set up on the user's device and the user is asked to set a gesture, which can be Windows Hello or a PIN. The user provides the gesture to verify their identity. Windows then uses Passport to authenticate users and help them to access protected resources and services.
After an initial two-step verification of the user during enrollment, Hello is set up on the user's device and the user is asked to set a gesture, which can be a biometric, such as a fingerprint, or a PIN. The user provides the gesture to verify their identity. Windows then uses Hello to authenticate users and help them to access protected resources and services.
As an administrator in an enterprise or educational organization, you can create policies to manage Passport use on Windows 10-based devices that connect to your organization.
As an administrator in an enterprise or educational organization, you can create policies to manage Hello use on Windows 10-based devices that connect to your organization.
## The difference between Passport and Passport for Work
*Individuals can create a PIN or Hello gesture on their personal devices for convenient sign-in. This use of Passport provides a layer of protection by being unique to the device on which it is set up, however it is not backed by key-based or certificate-based authentication.**
*Passport for Work, which is configured by Group Policy or MDM policy, used key-based or certificate-based authentication. *
## The difference between Windows Hello and Windows Hello for Business
- Individuals can create a PIN or biometric gesture on their personal devices for convenient sign-in. This use of Hello provides a layer of protection by being unique to the device on which it is set up, however it is not backed by key-based or certificate-based authentication.
- Windows Hello for Business, which is configured by Group Policy or MDM policy, uses key-based or certificate-based authentication.
## Benefits of Microsoft Passport
Reports of identity theft and large-scale hacking are frequent headlines. Nobody wants to be notified that their user name and password have been exposed.
You may wonder [how a PIN can help protect a device better than a password](why-a-pin-is-better-than-a-password.md). Passwords are shared secrets; they are entered on a device and transmitted over the network to the server. An intercepted account name and password can be used by anyone. Because they're stored on the server, a server breach can reveal those stored credentials.
In Windows 10, Passport replaces passwords. The Passport provisioning process creates two cryptographic keys bound to the Trusted Platform Module (TPM), if a device has a TPM, or in software. Access to these keys and obtaining a signature to validate user possession of the private key is enabled only by the PIN or biometric gesture. The two-step verification that takes place during Passport enrollment creates a trusted relationship between the identity provider and the user when the public portion of the public/private key pair is sent to an identity provider and associated with a user account. When a user enters the gesture on the device, the identify provider knows from the combination of Passport keys and gesture that this is a verified identity and provides an authentication token that allows Windows 10 to access resources and services. In addition, during the registration process, the attestation claim is produced for every identity provider to cryptographically prove that the Passport keys are tied to TPM. During registration, when the attestation claim is not presented to the identity provider, the identity provider must assume that the Passport key is created in software.
In Windows 10, Hello replaces passwords. The Hello provisioning process creates two cryptographic keys bound to the Trusted Platform Module (TPM), if a device has a TPM, or in software. Access to these keys and obtaining a signature to validate user possession of the private key is enabled only by the PIN or biometric gesture. The two-step verification that takes place during Hello enrollment creates a trusted relationship between the identity provider and the user when the public portion of the public/private key pair is sent to an identity provider and associated with a user account. When a user enters the gesture on the device, the identify provider knows from the combination of Hello keys and gesture that this is a verified identity and provides an authentication token that allows Windows 10 to access resources and services. In addition, during the registration process, the attestation claim is produced for every identity provider to cryptographically prove that the Hello keys are tied to TPM. During registration, when the attestation claim is not presented to the identity provider, the identity provider must assume that the Hello key is created in software.
![how authentication works in microsoft passport](images/authflow.png)
Imagine that someone is looking over your shoulder as you get money from an ATM and sees the PIN that you enter. Having that PIN won't help them access your account because they don't have your ATM card. In the same way, learning your PIN for your device doesn't allow that attacker to access your account because the PIN is local to your specific device and doesn't enable any type of authentication from any other device.
Passport helps protect user identities and user credentials. Because no passwords are used, it helps circumvent phishing and brute force attacks. It also helps prevent server breaches because Passport credentials are an asymmetric key pair, which helps prevent replay attacks when these keys are generated within isolated environments of TPMs.
Hello helps protect user identities and user credentials. Because no passwords are used, it helps circumvent phishing and brute force attacks. It also helps prevent server breaches because Hello credentials are an asymmetric key pair, which helps prevent replay attacks when these keys are generated within isolated environments of TPMs.
Microsoft Passport also enables Windows 10 Mobile devices to be used as [a remote credential](prepare-people-to-use-microsoft-passport.md#bmk-remote) when signing into Windows 10 PCs. During the sign-in process, the Windows 10 PC can connect using Bluetooth to access Microsoft Passport on the users Windows 10 Mobile device. Because users carry their phone with them, Microsoft Passport makes implementing two-factor authentication across the enterprise less costly and complex than other solutions.
<<<<<<< HEAD
Hello also enables Windows 10 Mobile devices to be used as [a remote credential](prepare-people-to-use-microsoft-passport.md#bmk-remote) when signing into Windows 10 PCs. During the sign-in process, the Windows 10 PC can connect using Bluetooth to access Hello on the users Windows 10 Mobile device. Because users carry their phone with them, Hello makes implementing two-factor authentication across the enterprise less costly and complex than other solutions.
> **Note**  Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
=======
> **Note:**  Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
>>>>>>> refs/remotes/origin/rs1
 
## How Microsoft Passport works: key points
## How Windows Hello for Business works: key points
- Passport credentials are based on certificate or asymmetrical key pair. Passport credentials are bound to the device, and the token that is obtained using the credential is also bound to the device.
- Identify provider (such as Active Directory, Azure AD, or a Microsoft account) validates user identity and maps Microsoft Passport's public key to a user account during the registration step.
- Hello credentials are based on certificate or asymmetrical key pair. Hello credentials are bound to the device, and the token that is obtained using the credential is also bound to the device.
- Identify provider (such as Active Directory, Azure AD, or a Microsoft account) validates user identity and maps Hello's public key to a user account during the registration step.
- Keys can be generated in hardware (TPM 1.2 or 2.0 for enterprises, and TPM 2.0 for consumers) or software, based on the policy.
- Authentication is the two-factor authentication with the combination of a key or certificate tied to a device and something that the person knows (a PIN) or something that the person is (Windows Hello). The Passport gesture does not roam between devices and is not shared with the server; it is stored locally on a device.
- Authentication is the two-factor authentication with the combination of a key or certificate tied to a device and something that the person knows (a PIN) or something that the person is (Windows Hello). The Hello gesture does not roam between devices and is not shared with the server; it is stored locally on a device.
- Private key never leaves a device. The authenticating server has a public key that is mapped to the user account during the registration process.
- PIN entry and Hello both trigger Windows 10 to verify the user's identity and authenticate using Passport keys or certificates.
<<<<<<< HEAD
- PIN entry and biometric gesture both trigger Windows 10 to verify the user's identity and authenticate using Hello keys or certificates.
- *Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. All keys are separated by identity providers' domains to help ensure user privacy.*
=======
- Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use separate containers for keys. Non-Microsoft identity providers can generate keys for their users in the same container as the Microsoft account; however, all keys are separated by identity providers' domains to help ensure user privacy.
>>>>>>> refs/remotes/origin/rs1
- Certificates are added to the Passport container and are protected by the Passport gesture.
- Certificates are added to the Hello container and are protected by the Hello gesture.
- Windows Update behavior: After a reboot is required by Windows Update, the last interactive user is automatically signed on without any user gesture and the session is locked so the user's lock screen apps can run.
## Comparing key-based and certificate-based authentication
Passport can use either keys (hardware or software) or certificates with keys in hardware or software to confirm identity. Enterprises that have a public key infrastructure (PKI) for issuing and managing certificates can continue to use PKI in combination with Passport. Enterprises that do not use PKI or want to reduce the effort associated with managing certificates can rely on key-based credentials for Passport.
Windows Hello for Business can use either keys (hardware or software) or certificates with keys in hardware or software to confirm identity. Enterprises that have a public key infrastructure (PKI) for issuing and managing certificates can continue to use PKI in combination with Hello. Enterprises that do not use PKI or want to reduce the effort associated with managing certificates can rely on key-based credentials for Hello.
Hardware-based keys, which are generated by TPM, provide the highest level of assurance. When the TPM is manufactured, an Endorsement Key (EK) certificate is resident in the TPM. This EK certificate creates a root trust for all other keys that are generated on this TPM.
EK certification is used to generate an attestation identity key (AIK) certificate issued by a Microsoft certificate authority. This AIK certificate can be used as an attestation claim to prove to identity providers that the Passport keys are generated on the same TPM. The Microsoft certificate authority (CA) generates the AIK certificate per device, per user, and per IDP to help ensure that user privacy is protected.
EK certification is used to generate an attestation identity key (AIK) certificate issued by a Microsoft certificate authority. This AIK certificate can be used as an attestation claim to prove to identity providers that the Hello keys are generated on the same TPM. The Microsoft certificate authority (CA) generates the AIK certificate per device, per user, and per IDP to help ensure that user privacy is protected.
When identity providers such as Active Directory or Azure AD enroll a certificate in Passport, Windows 10 will support the same set of scenarios as a smart card. When the credential type is a key, only key-based trust and operations will be supported.
When identity providers such as Active Directory or Azure AD enroll a certificate in Hello, Windows 10 will support the same set of scenarios as a smart card. When the credential type is a key, only key-based trust and operations will be supported.
## Learn more
@ -107,17 +103,19 @@ When identity providers such as Active Directory or Azure AD enroll a certificat
## Related topics
[Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md)
[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md)
[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md)
[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md)
[Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md)
[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md)
[Microsoft Passport and password changes](microsoft-passport-and-password-changes.md)
[Windows Hello and password changes](microsoft-passport-and-password-changes.md)
[Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md)
[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md)
[Event ID 300 - Passport successfully created](passport-event-300.md)
[Event ID 300 - Windows Hello successfully created](passport-event-300.md)
[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md)
 

12
windows/keep-secure/microsoft-accounts.md
View File

@ -155,14 +155,6 @@ Within your organization, you can set application control policies to regulate a
## See also
- [Managing Privacy: Using a Microsoft Account to Logon and Resulting Internet Communication](https://technet.microsoft.com/library/jj884082(v=ws.11).aspx)
[Managing Privacy: Using a Microsoft Account to Logon and Resulting Internet Communication](https://technet.microsoft.com/library/jj884082(v=ws.11).aspx)
 
 
- [Access Control Overview](access-control.md)

25
windows/keep-secure/microsoft-passport-and-password-changes.md
View File

@ -1,6 +1,6 @@
---
title: Microsoft Passport and password changes (Windows 10)
description: When you set up Microsoft Passport, the PIN or biometric (Windows Hello) gesture that you use is specific to that device.
title: Windows Hello and password changes (Windows 10)
description: When you change your password on a device, you may need to sign in with a password on other devices to reset Hello.
ms.assetid: 83005FE4-8899-47A6-BEA9-C17CCA0B6B55
ms.prod: w10
ms.mktglfcycl: deploy
@ -14,17 +14,17 @@ author: jdeckerMS
- Windows 10
- Windows 10 Mobile
When you set up Microsoft Passport, the PIN or biometric (Windows Hello) gesture that you use is specific to that device. You can set up Passport for the same account on multiple devices. If the PIN or biometric is configured as part of a Microsoft Passport for Work, changing the account password will not impact sign-in or unlock with these gestures since it uses a key or certificate. However, if Microsoft Passport for Work is not deployed and the password for that account changes, you must provide the new password on each device to continue to use Passport.
When you set up Windows Hello, the PIN or biometric gesture that you use is specific to that device. You can set up Hello for the same account on multiple devices. If the PIN or biometric is configured as part of Windows Hello for Business, changing the account password will not impact sign-in or unlock with these gestures since it uses a key or certificate. However, if Windows Hello for Business is not deployed and the password for that account changes, you must provide the new password on each device to continue to use Hello.
## Example
Let's suppose that you have set up a PIN for your Microsoft account on **Device A**. You use your PIN to sign in on **Device A** and then change the password for your Microsoft account.
Because you were using **Device A** when you changed your password, the PIN on **Device A** will continue to work with no other action on your part.
Suppose instead that you sign in on **Device B** and change your password for your Microsoft account. The next time that you try to sign in on **Device A** using your PIN, sign-in will fail because the account credentials that Passport on **Device A** knows will be outdated.
> **Note:**  This example also applies to an Active Directory account when [Passport for Work is not implemented](implement-microsoft-passport-in-your-organization.md).
Suppose instead that you sign in on **Device B** and change your password for your Microsoft account. The next time that you try to sign in on **Device A** using your PIN, sign-in will fail because the account credentials that Hello on **Device A** knows will be outdated.
> **Note:**  This example also applies to an Active Directory account when [Windows Hello for Business is not implemented](implement-microsoft-passport-in-your-organization.md).
 
## How to update Passport after you change your password on another device
## How to update Hello after you change your password on another device
1. When you try to sign in using your PIN or biometric, you will see the following message: **Your password was changed on a different device. You must sign in to this device once with your new password, and then you can sign in with your PIN.**
2. Click **OK.**
@ -35,16 +35,19 @@ Suppose instead that you sign in on **Device B** and change your password for yo
## Related topics
[Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md)
[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md)
[Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md)
[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md)
[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md)
[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md)
[Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md)
[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md)
[Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md)
[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md)
[Event ID 300 - Windows Hello successfully created](passport-event-300.md)
[Event ID 300 - Passport successfully created](passport-event-300.md)
[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md)
 

22
windows/keep-secure/microsoft-passport-errors-during-pin-creation.md
View File

@ -1,6 +1,6 @@
---
title: Microsoft Passport errors during PIN creation (Windows 10)
description: When you set up Microsoft Passport in Windows 10, you may get an error during the Create a work PIN step.
title: Windows Hello errors during PIN creation (Windows 10)
description: When you set up Windows Hello in Windows 10, you may get an error during the Create a work PIN step.
ms.assetid: DFEFE22C-4FEF-4FD9-BFC4-9B419C339502
keywords: PIN, error, create a work PIN
ms.prod: w10
@ -10,13 +10,13 @@ ms.pagetype: security
author: jdeckerMS
---
# Microsoft Passport errors during PIN creation
# Windows Hello errors during PIN creation
**Applies to**
- Windows 10
- Windows 10 Mobile
When you set up Microsoft Passport in Windows 10, you may get an error during the **Create a work PIN** step. This topic lists some of the error codes with recommendations for mitigating the problem. If you get an error code that is not listed here, contact Microsoft Support.
When you set up Windows Hello in Windows 10, you may get an error during the **Create a work PIN** step. This topic lists some of the error codes with recommendations for mitigating the problem. If you get an error code that is not listed here, contact Microsoft Support.
## Where is the error code?
@ -221,14 +221,18 @@ For errors listed in this table, contact Microsoft Support for assistance.
## Related topics
[Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md)
[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md)
[Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md)
[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md)
[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md)
[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md)
[Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md)
[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md)
[Microsoft Passport and password changes](microsoft-passport-and-password-changes.md)
[Windows Hello and password changes](microsoft-passport-and-password-changes.md)
[Event ID 300 - Passport successfully created](passport-event-300.md)
[Event ID 300 - Windows Hello successfully created](passport-event-300.md)
[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md)

6
windows/keep-secure/overview-create-edp-policy.md
View File

@ -1,6 +1,6 @@
---
title: Create an enterprise data protection (EDP) policy (Windows 10)
description: Microsoft Intune and System Center Configuration Manager (version 1511 or later) helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network.
description: Microsoft Intune and System Center Configuration Manager (version 1606 or later) helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network.
ms.assetid: d2059e74-94bd-4e54-ab59-1a7b9b52bdc6
ms.prod: w10
ms.mktglfcycl: explore
@ -17,13 +17,13 @@ author: eross-msft
<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
Microsoft Intune and System Center Configuration Manager (version 1511 or later) helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network.
Microsoft Intune and System Center Configuration Manager (version 1606 or later) helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network.
## In this section
|Topic |Description |
|------|------------|
|[Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) |Intune helps you create and deploy your EDP policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. |
|[Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) |Configuration Manager (version 1511 or later) helps you create and deploy your EDP policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. |
|[Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) |Configuration Manager (version 1606 or later) helps you create and deploy your EDP policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. |
 
 

31
windows/keep-secure/passport-event-300.md
View File

@ -1,6 +1,6 @@
---
title: Event ID 300 - Passport successfully created (Windows 10)
description: This event is created when a Microsoft Passport for Enterprise is successfully created and registered with Azure Active Directory (Azure AD).
title: Event ID 300 - Windows Hello successfully created (Windows 10)
description: This event is created when a Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD).
ms.assetid: 0DD59E75-1C5F-4CC6-BB0E-71C83884FF04
keywords: ngc
ms.prod: w10
@ -10,13 +10,13 @@ ms.pagetype: security
author: jdeckerMS
---
# Event ID 300 - Passport successfully created
# Event ID 300 - Windows Hello successfully created
**Applies to**
- Windows 10
- Windows 10 Mobile
This event is created when a Microsoft Passport for Enterprise is successfully created and registered with Azure Active Directory (Azure AD). Applications or services can trigger actions on this event. For example, a certificate provisioning service can listen to this event and trigger a certificate request.
This event is created when Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD). Applications or services can trigger actions on this event. For example, a certificate provisioning service can listen to this event and trigger a certificate request.
## Event details
| | |
@ -34,9 +34,20 @@ This is a normal condition. No further action is required.
## Related topics
- [Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md)
- [Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md)
- [Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md)
- [Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md)
- [Microsoft Passport and password changes](microsoft-passport-and-password-changes.md)
- [Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md)
[Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md)
[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md)
[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md)
[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md)
[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md)
[Windows Hello and password changes](microsoft-passport-and-password-changes.md)
[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md)
[Event ID 300 - Windows Hello successfully created](passport-event-300.md)
[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md)

40
windows/keep-secure/prepare-people-to-use-microsoft-passport.md
View File

@ -1,6 +1,6 @@
---
title: Prepare people to use Microsoft Passport (Windows 10)
description: When you set a policy to require Microsoft Passport in the workplace, you will want to prepare people in your organization.
title: Prepare people to use Windows Hello (Windows 10)
description: When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization.
ms.assetid: 5270B416-CE31-4DD9-862D-6C22A2AE508B
keywords: identity, PIN, biometric, Hello
ms.prod: w10
@ -16,13 +16,13 @@ author: jdeckerMS
- Windows 10
- Windows 10 Mobile
When you set a policy to require Microsoft Passport in the workplace, you will want to prepare people in your organization by explaining how to use Passport.
When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization by explaining how to use Hello.
After enrollment in Passport, users should use their gesture (such as a PIN or fingerprint) for access to corporate resources. Their gesture is only valid on the enrolled device.
After enrollment in Hello, users should use their gesture (such as a PIN or fingerprint) for access to corporate resources. Their gesture is only valid on the enrolled device.
Although the organization may require users to change their Active Directory or Azure Active Directory (AD) account password at regular intervals, changes to their passwords have no effect on Passport.
Although the organization may require users to change their Active Directory or Azure Active Directory (AD) account password at regular intervals, changes to their passwords have no effect on Hello.
People who are currently using virtual smart cards for authentication can use their virtual smart card to verify their identity when they set up Passport.
People who are currently using virtual smart cards for authentication can use their virtual smart card to verify their identity when they set up Hello.
## On devices owned by the organization
@ -36,32 +36,30 @@ Next, they select a way to connect. Tell the people in your enterprise which opt
They sign in, and are then asked to verify their identity. People have options to choose from, such as a text message, phone call, or authentication app. After verification, they create their PIN. The **Create a work PIN** screen displays any complexity requirements that you have set, such as minimum length.
After Passport is set up, people use their PIN to unlock the device, and that will automatically log them on.
After Hello is set up, people use their PIN to unlock the device, and that will automatically log them on.
## On personal devices
People who want to access work resources on their personal devices can add a work or school account in **Settings** &gt; **Accounts** &gt; **Work or school**, and then sign in with work credentials. The person selects the method for receiving the verification code, such as text message or email. The verification code is sent and the person then enters the verification code. After verification, the person enters and confirms new PIN. The person can access any token-based resource using this device without being asked for credentials. (This work account gesture doesn't affect the device unlock PIN.)
Assure people that their work credentials and personal credentials are stored in separate containers; the enterprise has no access to their personal credentials.
People can go to **Settings** &gt; **Accounts** &gt; **Work or school**, select the work account, and then select **Unjoin** to remove the account from their device.
## Using Windows Hello and biometrics
If your policy allows it, people can add Windows Hello to their Passport. Windows Hello can be fingerprint, iris, and facial recognition, and is available to users only if the hardware supports it.
If your policy allows it, people can use biometrics (fingerprint, iris, and facial recognition) with Windows Hello for Business, if the hardware supports it.
![sign in to windows, apps, and services using fingerprint or face](images/hellosettings.png)
## <a href="" id="bmk-remote"></a>Use a phone to sign in to a PC
If your enterprise enables phone sign-in, users can pair a phone running Windows 10 Mobile to a PC running Windows 10 and then use an app on the phone to sign in to the PC using their Microsoft Passport credentials.
If your enterprise enables phone sign-in, users can pair a phone running Windows 10 Mobile to a PC running Windows 10 and then use an app on the phone to sign in to the PC using their Windows Hello credentials.
 
**Prerequisites:**
- The PC must be joined to the Active Directory domain or Azure AD cloud domain.
- The PC must have Bluetooth connectivity.
- The phone must be joined to the Azure AD cloud domain, or the user must have added a work account to their personal phone.
- The **Phone Sign-in** app must be installed on the phone.
- The **Microsoft Authenticator** app must be installed on the phone.
**Pair the PC and phone**
@ -77,21 +75,25 @@ If your enterprise enables phone sign-in, users can pair a phone running Windows
**Sign in to PC using the phone**
1. Open the **Phone Sign-in** app and tap the name of the PC to sign in to.
> **Note: **  The first time that you run the **Phone Sign-in** app, you must add an account.
1. Open the **Microsoft Authenticator** app and tap the name of the PC to sign in to.
> **Note: **  The first time that you run the **Microsoft Authenticator** app, you must add an account.
 
2. Enter the work PIN that you set up when you joined the phone to the cloud domain or added a work account.
## Related topics
[Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md)
[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md)
[Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md)
[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md)
[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md)
[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md)
[Microsoft Passport and password changes](microsoft-passport-and-password-changes.md)
[Windows Hello and password changes](microsoft-passport-and-password-changes.md)
[Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md)
[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md)
[Event ID 300 - Passport successfully created](passport-event-300.md)
[Event ID 300 - Windows Hello successfully created](passport-event-300.md)
[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md)

34
windows/keep-secure/protect-enterprise-data-using-edp.md
View File

@ -2,7 +2,7 @@
title: Protect your enterprise data using enterprise data protection (EDP) (Windows 10)
description: With the increase of employee-owned devices in the enterprise, theres also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprises control.
ms.assetid: 6cca0119-5954-4757-b2bc-e0ea4d2c7032
keywords: EDP, enterprise data protection
keywords: EDP, Enterprise Data Protection
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
@ -18,16 +18,16 @@ author: eross-msft
<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
With the increase of employee-owned devices in the enterprise, theres also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprises control. For example, when an employee sends the latest engineering pictures to their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage.
With the increase of employee-owned devices in the enterprise, theres also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprises control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage.
Enterprise data protection (EDP) helps to protect against this potential data leakage without otherwise interfering with the employee experience. EDP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps. Finally, another data protection technology, Azure Rights Management also works alongside EDP to extend data protection for data that leaves the device, such as when email attachments are sent from an enterprise-aware version of a rights management mail client.
Enterprise data protection (EDP) helps to protect against this potential data leakage without otherwise interfering with the employee experience. EDP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps.
## Prerequisites
Youll need this software to run EDP in your enterprise:
|Operating system | Management solution |
|-----------------|---------------------|
|Windows 10 Insider Preview | Microsoft Intune<br>-OR-<br>System Center Configuration Manager (version 1511 or later)<br>-OR-<br>Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt697634.aspx) documentation.|
|Windows 10 Insider Preview | Microsoft Intune<br>-OR-<br>System Center Configuration Manager (version 1605 Tech Preview or later)<br>-OR-<br>Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt697634.aspx) documentation.|
## How EDP works
EDP helps address your everyday challenges in the enterprise. Including:
@ -38,14 +38,14 @@ EDP helps address your everyday challenges in the enterprise. Including:
- Helping to maintain the ownership and control of your enterprise data.
- Helping control the network and data access and data sharing for apps that arent enterprise-aware.
- Helping control the network and data access and data sharing for apps that arent enterprise aware.
### EDP-protection modes
You can set EDP to 1 of 4 protection and management modes:
|Mode|Description|
|----|-----------|
|Block |EDP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organizations network.|
|Block |EDP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organizations network.|
|Override |EDP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](http://go.microsoft.com/fwlink/p/?LinkID=746459). |
|Silent |EDP runs silently, logging inappropriate data sharing, without blocking anything that wouldve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or EDP-protected data, are still blocked.|
|Off |EDP is turned off and doesn't help to protect or audit your data.<p>After you turn off EDP, an attempt is made to decrypt any closed EDP-tagged files on the locally attached drives. |
@ -60,20 +60,32 @@ EDP gives you a new way to manage data policy enforcement for apps and documents
- **Copying or downloading enterprise data.** When an employee or an app downloads content from a location like SharePoint, a network share, or an enterprise web location, while using an EDP-protected device, EDP encrypts the data on the device.
- **Using allowed apps.** Managed apps (apps that you've included on the protected apps list in your EDP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if EDP management is set to Block, your employees can copy and paste from one protected app to another protected app, but not to personal apps. Imagine an HR person wants to copy a job description from a protected app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldnt paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem.
- **Using allowed apps.** Managed apps (apps that you've included on the protected apps list in your EDP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if EDP management is set to **Block**, your employees can copy and paste from one protected app to another protected app, but not to personal apps. Imagine an HR person wants to copy a job description from a protected app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldnt paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem.
- **Managed apps and restrictions.** With EDP you can control which apps can access and use your enterprise data. After adding an app to your protected apps list, the app is trusted with enterprise data. All apps not on this list are blocked from accessing your enterprise data, depending on your EDP management-mode.<p>You dont have to modify line-of-business apps that never touch personal data to list them as protected apps; just include them in your protected apps list.
- **Managed apps and restrictions.** With EDP you can control which apps can access and use your enterprise data. After adding an app to your **Protected App** list, the app is trusted with enterprise data. All apps that arent on this list are blocked from accessing your enterprise network resources and your EDP-protected data.<p>
You dont have to modify line-of-business apps that never touch personal data to list them as protected apps; just include them in the **Protected App** list.
- **Deciding your level of data access.** EDP lets you block, allow overrides, or audit employees' data sharing actions. Blocking the action stops it immediately. Allowing overrides let the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without blocking anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your protected apps list.
- **Deciding your level of data access.** EDP lets you block, allow overrides, or audit employees' data sharing actions. Blocking the action stops it immediately. Allowing overrides let the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without blocking anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your **Protected App** list.
- **Data encryption at rest.** EDP helps protect enterprise data on local files and on removable media.<p>Apps such as Microsoft Word work with EDP to help continue your data protection across local files and removable media. These apps are being referred to as, enterprise aware. For example, if an employee opens EDP-encrypted content from Word, edits the content, and then tries to save the edited version with a different name, Word automatically applies EDP to the new document.
- **Continuous data encryption.** EDP helps protect enterprise data on local files and on removable media.<p>
Apps such as Microsoft Word work with EDP to help continue your data protection across local files and removable media. These apps are being referred to as, enterprise aware. For example, if an employee opens EDP-encrypted content from Word, edits the content, and then tries to save the edited version with a different name, Word automatically applies EDP to the new document.
- **Helping prevent accidental data disclosure to public spaces.** EDP helps protect your enterprise data from being accidentally shared to public spaces, such as public cloud storage. For example, if Dropbox™ isnt on your protected apps list, employees wont be able to sync encrypted files to their personal cloud storage. Instead, if the employee stores the content to an app on your protected apps list, like Microsoft OneDrive for Business, the encrypted files can sync freely to the business cloud, while maintaining the encryption locally.
- **Helping prevent accidental data disclosure to public spaces.** EDP helps protect your enterprise data from being accidentally shared to public spaces, such as public cloud storage. For example, if Dropbox™ isnt on your **Protected App** list, employees wont be able to sync encrypted files to their personal cloud storage. Instead, if the employee stores the content to an app on your **Protected Apps** list, like Microsoft OneDrive for Business, the encrypted files can sync freely to the cloud, while maintaining the encryption.
- **Helping prevent accidental data disclosure to removable media.** EDP helps prevent enterprise data from leaking when it's copied or transferred to removable media. For example, if an employee puts enterprise data on a Universal Serial Bus (USB) drive that also has personal data, the enterprise data remains encrypted while the personal data doesnt.
- **Remove access to enterprise data from enterprise-protected devices.** EDP gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. After determining that the data access needs to be removed, you can unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable.<p>**Note**<br>System Center Configuration Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device.
## Current limitations with EDP
EDP is still in development and is not yet integrated with Azure Rights Management. This means that while you can deploy an EDP-configured policy to a protected device, that protection is restricted to a single user on the device. Additionally, the EDP-protected data must be stored on NTFS, FAT, or ExFAT file systems.
Use the following table to identify the scenarios that require Azure Rights Management, the behavior when Azure Rights Management is not used with EDP, and the recommended workarounds.
|EDP scenario |Without Azure Rights Management |Workaround |
|-------------|--------------------------------|-----------|
|Saving enterprise data to USB drives |Data in the new location remains encrypted, but becomes inaccessible on other devices or for other users. For example, the file won't open or the file opens, but doesn't contain readable text. |Share files with fellow employees through enterprise file servers or enterprise cloud locations. If data must be shared via USB, employees can decrypt protected files, but it will be audited.<p>We strongly recommend educating employees about how to limit or eliminate the need for this decryption. |
|Synchronizing data to other services or public cloud storage |Synchronized files aren't protected on additional services or as part of public cloud storage. |Stop the app from synchronizing or don't add the app to your **Protected App** list.<p>For more info about adding apps to the **Protected App** list, see either the [Create an enterprise data protection (EDP) policy using Intune](create-edp-policy-using-intune.md) or the [Create and deploy an enterprise data protection (EDP) policy using Configuration Manager](create-edp-policy-using-sccm.md) topic, depending on your management solution.
## Next steps
After deciding to use EDP in your enterprise, you need to:

2
windows/keep-secure/security-identifiers.md
View File

@ -41,7 +41,7 @@ SIDs always remain unique. Security authorities never issue the same SID twice,
## Security identifier architecture
A security identifier is a data structure in binary format that contains a variable number of values. The first values in the structure contain information about the SID structure. The remaining values are arranged in a hierarchy (similar to a telephone number), and they identify the SID-issuing authority (for example, the Windows Server 2012 operating system), the SID-issuing domain, and a particular security principal or group. The following image illustrates the structure of a SID.
A security identifier is a data structure in binary format that contains a variable number of values. The first values in the structure contain information about the SID structure. The remaining values are arranged in a hierarchy (similar to a telephone number), and they identify the SID-issuing authority (for example, “NT Authority”), the SID-issuing domain, and a particular security principal or group. The following image illustrates the structure of a SID.
![](images/security-identifider-architecture.jpg)

8
windows/keep-secure/security-principals.md
View File

@ -138,10 +138,6 @@ For descriptions and settings information about the domain security groups that
For descriptions and settings information about the Special Identities group, see [Special Identities](special-identities.md).
 
 
## See also
- [Access Control Overview](access-control.md)

2
windows/keep-secure/service-accounts.md
View File

@ -106,4 +106,4 @@ The following table provides links to additional resources that are related to s
|---------------|-------------|
| **Product evaluation** | [What's New for Managed Service Accounts](https://technet.microsoft.com/library/hh831451(v=ws.11).aspx)<br>[Getting Started with Group Managed Service Accounts](https://technet.microsoft.com/library/jj128431(v=ws.11).aspx) |
| **Deployment** | [Windows Server 2012: Group Managed Service Accounts - Ask Premier Field Engineering (PFE) Platforms - Site Home - TechNet Blogs](http://blogs.technet.com/b/askpfeplat/archive/2012/12/17/windows-server-2012-group-managed-service-accounts.aspx) |
| **Related technologies** | [Security Principals Technical Overview](security-principals.md)<br>[What's new in Active Directory Domain Services](https://technet.microsoft.com/library/mt163897.aspx) |
| **Related technologies** | [Security Principals](security-principals.md)<br>[What's new in Active Directory Domain Services](https://technet.microsoft.com/library/mt163897.aspx) |

17
windows/keep-secure/special-identities.md
View File

@ -1002,21 +1002,10 @@ Any user accessing the system through Terminal Services has the Terminal Server
</tbody>
</table>
 
## See also
- [Active Directory Security Groups](active-directory-security-groups.md)
[Active Directory Security Groups](active-directory-security-groups.md)
[Security Principals Technical Overview](security-principals.md)
 
 
- [Security Principals](security-principals.md)
- [Access Control Overview](access-control.md)

28
windows/keep-secure/why-a-pin-is-better-than-a-password.md
View File

@ -1,8 +1,8 @@
---
title: Why a PIN is better than a password (Windows 10)
description: Microsoft Passport in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a password .
description: Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a password .
ms.assetid: A6FC0520-01E6-4E90-B53D-6C4C4E780212
keywords: pin, security, password
keywords: pin, security, password, hello
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
@ -16,36 +16,36 @@ author: jdeckerMS
- Windows 10
- Windows 10 Mobile
Microsoft Passport in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a password?
On the surface, a PIN looks much like a password. A PIN can be a set of numbers, but enterprise policy might allow complex PINs that include special characters and letters, both upper-case and lower-case. Something like **t758A!** could be an account password or a complex Passport PIN. It isn't the structure of a PIN (length, complexity) that makes it better than a password, it's how it works.
Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a password?
On the surface, a PIN looks much like a password. A PIN can be a set of numbers, but enterprise policy might allow complex PINs that include special characters and letters, both upper-case and lower-case. Something like **t758A!** could be an account password or a complex Hello PIN. It isn't the structure of a PIN (length, complexity) that makes it better than a password, it's how it works.
## PIN is tied to the device
One important difference between a password and a Passport PIN is that the PIN is tied to the specific device on which it was set up. That PIN is useless to anyone without that specific hardware. Someone who steals your password can sign in to your account from anywhere, but if they steal your PIN, they'd have to steal your physical device too!
One important difference between a password and a Hello PIN is that the PIN is tied to the specific device on which it was set up. That PIN is useless to anyone without that specific hardware. Someone who steals your password can sign in to your account from anywhere, but if they steal your PIN, they'd have to steal your physical device too!
Even you can't use that PIN anywhere except on that specific device. If you want to sign in on multiple devices, you have to set up Passport on each device.
Even you can't use that PIN anywhere except on that specific device. If you want to sign in on multiple devices, you have to set up Hello on each device.
## PIN is local to the device
A password is transmitted to the server -- it can be intercepted in transmission or stolen from a server. A PIN is local to the device -- it isn't transmitted anywhere and it isn't stored on the server.
When the PIN is created, it establishes a trusted relationship with the identity provider and creates an asymmetric key pair that is used for authentication. When you enter your PIN, it unlocks the authentication key and uses the key to sign the request that is sent to the authenticating server.
> **Note:**  For details on how Passport uses asymetric key pairs for authentication, see [Microsoft Passport guide](http://go.microsoft.com/fwlink/p/?LinkId=691928).
> **Note:**  For details on how Hello uses asymetric key pairs for authentication, see [Microsoft Passport guide](http://go.microsoft.com/fwlink/p/?LinkId=691928).
 
## PIN is backed by hardware
The Passport PIN is backed by a Trusted Platform Module (TPM) chip, which is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. All Windows 10 Mobile phones and many modern laptops have TPM.
The Hello PIN is backed by a Trusted Platform Module (TPM) chip, which is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. All Windows 10 Mobile phones and many modern laptops have TPM.
User key material is generated and available within the Trusted Platform Module (TPM) of the user device, which protects it from attackers who want to capture the key material and reuse it. Because Microsoft Passport uses asymmetrical key pairs, users credentials cant be stolen in cases where the identity provider or websites the user accesses have been compromised.
User key material is generated and available within the Trusted Platform Module (TPM) of the user device, which protects it from attackers who want to capture the key material and reuse it. Because Hello uses asymmetrical key pairs, users credentials cant be stolen in cases where the identity provider or websites the user accesses have been compromised.
The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. After too many incorrect guesses, the device is locked.
## PIN can be complex
The Passport PIN is subject to the same set of IT management policies as a password, such as complexity, length, expiration, and history. Although we generally think of a PIN as a simple four-digit code, administrators can set [policies](implement-microsoft-passport-in-your-organization.md) for managed devices to require a PIN complexity similar to a password. You can require or block: special characters, uppercase characters, lowercase characters, and digits.
The Windows Hello for Business PIN is subject to the same set of IT management policies as a password, such as complexity, length, expiration, and history. Although we generally think of a PIN as a simple four-digit code, administrators can set [policies](implement-microsoft-passport-in-your-organization.md) for managed devices to require a PIN complexity similar to a password. You can require or block: special characters, uppercase characters, lowercase characters, and digits.
## What if someone steals the laptop or phone?
To compromise a Microsoft Passport credential that TPM protects, an attacker must have access to the physical device, and then must find a way to spoof the users biometrics or guess his or her PIN—and all of this must be done before TPM anti-hammer capabilities lock the device.
To compromise a Windows Hello credential that TPM protects, an attacker must have access to the physical device, and then must find a way to spoof the users biometrics or guess his or her PIN—and all of this must be done before TPM anti-hammer capabilities lock the device.
You can provide additional protection for laptops that don't have TPM by enablng BitLocker and setting a policy to limit failed sign-ins.
**Configure BitLocker without TPM**
@ -63,13 +63,13 @@ You can provide additional protection for laptops that don't have TPM by enablng
2. Set the number of invalid logon attempts to allow, and then click OK.
## Why do you need a PIN to use Windows Hello?
Windows Hello is the biometric sign-in for Microsoft Passport in Windows 10: fingerprint, iris, or facial recognition. When you set up Windows Hello, you're asked to create a PIN first. This PIN enables you to sign in using Passport when you cant use your preferred biometric because of an injury or because the sensor is unavailable or not working properly.
Windows Hello enables biometric sign-in for Windows 10: fingerprint, iris, or facial recognition. When you set up Windows Hello, you're asked to create a PIN first. This PIN enables you to sign in using the PIN when you cant use your preferred biometric because of an injury or because the sensor is unavailable or not working properly.
If you only had a biometric sign-in configured and, for any reason, were unable to use that method to sign in, you would have to sign in using your account name and password, which doesn't provide you the same level of protection as Passport.
If you only had a biometric sign-in configured and, for any reason, were unable to use that method to sign in, you would have to sign in using your account name and password, which doesn't provide you the same level of protection as Hello.
## Related topics
[Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md)
[Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md)
[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md)
 

16
windows/keep-secure/windows-hello-in-enterprise.md
View File

@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
author: jdeckerMS
---
# Windows Hello biometrics in the enterprise
@ -17,21 +17,23 @@ author: eross-msft
Windows Hello is the biometric authentication feature that helps strengthen authentication and helps to guard against potential spoofing through fingerprint matching and facial recognition.
> **Note:** When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.
Because we realize your employees are going to want to use this new technology in your enterprise, weve been actively working with the device manufacturers to create strict design and performance recommendations that help to ensure that you can more confidently introduce Windows Hello biometrics into your organization.
##How does Windows Hello work?
Windows Hello lets your employees use fingerprint or facial recognition as an alternative method to unlocking a device. With Windows Hello, authentication happens when the employee provides his or her unique biometric identifier while accessing the device-specific Microsoft Passport credentials.
Windows Hello lets your employees use fingerprint or facial recognition as an alternative method to unlocking a device. With Windows Hello, authentication happens when the employee provides his or her unique biometric identifier while accessing the device-specific Windows Hello credentials.
The Windows Hello authenticator works with Microsoft Passport to authenticate and allow employees onto your enterprise network. Authentication doesnt roam among devices, isnt shared with a server, and cant easily be extracted from a device. If multiple employees share a device, each employee will use his or her own biometric data on the device.
The Windows Hello authenticator works to authenticate and allow employees onto your enterprise network. Authentication doesnt roam among devices, isnt shared with a server, and cant easily be extracted from a device. If multiple employees share a device, each employee will use his or her own biometric data on the device.
## Why should I let my employees use Windows Hello?
Windows Hello provides many benefits, including:
- Combined with Microsoft Passport, it helps to strengthen your protections against credential theft. Because an attacker must have both the device and the biometric info or PIN, its much more difficult to gain access without the employees knowledge.
- It helps to strengthen your protections against credential theft. Because an attacker must have both the device and the biometric info or PIN, its much more difficult to gain access without the employees knowledge.
- Employees get a simple authentication method (backed up with a PIN) thats always with them, so theres nothing to lose. No more forgetting passwords!
- Support for Windows Hello is built into the operating system so you can add additional biometric devices and polices as part of a coordinated rollout or to individual employees or groups using Group Policy or Mobile Device Management (MDM) configurations service provider (CSP) policies.<br>For more info about the available Group Policies and MDM CSPs, see the [Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md) topic.
- Support for Windows Hello is built into the operating system so you can add additional biometric devices and polices as part of a coordinated rollout or to individual employees or groups using Group Policy or Mobile Device Management (MDM) configurations service provider (CSP) policies.<br>For more info about the available Group Policies and MDM CSPs, see the [Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) topic.
## Where is Microsoft Hello data stored?
The biometric data used to support Windows Hello is stored on the local device only. It doesnt roam and is never sent to external devices or servers. This separation helps to stop potential attackers by providing no single collection point that an attacker could potentially compromise to steal biometric data. Additionally, even if an attacker was actually able to get the biometric data, it still cant be easily converted to a form that could be recognized by the biometric sensor.
@ -72,8 +74,8 @@ To allow facial recognition, you must have devices with integrated special infra
- Effective, real world FRR with Anti-spoofing or liveness detection: &lt;10%
## Related topics
- [Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md)
- [Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md)
- [Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md)
- [Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md)
- [Microsoft Passport guide](microsoft-passport-guide.md)
- [Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md)
- [PassportforWork CSP](http://go.microsoft.com/fwlink/p/?LinkId=708219)

1
windows/manage/TOC.md
View File

@ -3,6 +3,7 @@
## [Administrative Tools in Windows 10](administrative-tools-in-windows-10.md)
## [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md)
## [Manage corporate devices](manage-corporate-devices.md)
### [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md)
### [New policies for Windows 10](new-policies-for-windows-10.md)
### [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md)
### [Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md)

14
windows/manage/app-inventory-managemement-windows-store-for-business.md
View File

@ -23,7 +23,7 @@ The **Inventory** page in Windows Store for Business shows all apps in your inve
All of these apps are treated the same once they are in your inventory and you can perform app lifecycle tasks for them: distribute apps, add apps to private store, review license details, and reclaim app licenses.
![](images/wsfb-inventoryaddprivatestore.png)
![Image shows Inventory page in Windows Store for Business with status status options for an app.](images/wsfb-inventoryaddprivatestore.png)
Store for Business shows this info for each app in your inventory:
@ -168,13 +168,13 @@ For each app in your inventory, you can view and manage license details. This gi
2. Click **Manage**, and then choose **Inventory**.
3. Click the ellipses for and app, and then choose **View license details**.
3. Click the ellipses for an app, and then choose **View license details**.
![](images/wsfb-inventory-viewlicense.png)
![Image showing Inventory page in Windows Store for Business.](images/wsfb-inventory-viewlicense.png)
You'll see the names of people in your organization who have installed the app and are using one of the licenses.
![](images/wsfb-licensedetails.png)
![Image showing assigned licenses for an app.](images/wsfb-licensedetails.png)
On **Assigned licenses**, you can do several things:
@ -190,9 +190,9 @@ For each app in your inventory, you can view and manage license details. This gi
**To assign an app to more people**
- Click Assign to people, type the email address for the employee that you're assigning the app to, and click **Assign**.
- Click **Assign to people**, type the email address for the employee that you're assigning the app to, and click **Assign**.
![](images/wsfb-licenseassign.png)
![Image showing Assign to people dialog for assigning app licenses to people in your organization.](images/wsfb-licenseassign.png)
Store for Business updates the list of assigned licenses.
@ -200,7 +200,7 @@ For each app in your inventory, you can view and manage license details. This gi
- Choose the person you want to reclaim the license from, click **Reclaim licenses**, and then click **Reclaim licenses**.
![](images/wsfb-licensereclaim.png)
![Image showing Assign to people dialog for reclaiming app licenses from people in your organization.](images/wsfb-licensereclaim.png)
Store for Business updates the list of assigned licenses.

80
windows/manage/connect-to-remote-aadj-pc.md Normal file
View File

@ -0,0 +1,80 @@
---
title: Connect to remote Azure Active Directory-joined PC (Windows 10)
description: You can use Remote Desktop Connection to connect to an Azure AD-joined PC.
ms.assetid: 62D6710C-E59C-4077-9C7E-CE0A92DFC05D
keywords: ["MDM", "device management", "RDP", "AADJ"]
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: devices
author: jdeckerMS
---
# Connect to remote Azure Active Directory-joined PC
**Applies to**
- Windows 10
From its release, Windows 10 has supported remote connections to PCs that are joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is joined to Azure Active Directory (Azure AD).
![Remote Desktop Connection client](images/rdp.png)
## Set up
- Both PCs (local and remote) must be running Windows 10, version 1607. Remote connection to an Azure AD-joined PC that is running earlier versions of Windows 10 is not supported.
- [Remote Credential Guard](https://tnstage.redmond.corp.microsoft.com/en-us/itpro/windows/keep-secure/remote-credential-guard?branch=bl-7475998), a new feature in Windows 10, version 1607, must be disabled on the remote PC.
- On the PC that you want to connect to:
1. Open system properties for the remote PC.
2. Enable **Allow remote connections to this computer** and select **Allow connections only from computers running Remote Desktop with Network Level Authentication**.
![Allow remote connections to this computer](images/allow-rdp.png)
3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no additional configuration is needed. To allow additional users, click **Select Users**.
4. Enter **Authenticated Users**, then click **Check Names**. If the **Name Not Found** window opens, click **Locations** and select this PC.
## Supported configurations
In organizations that have integrated Active Directory and Azure AD, you can connect from a domain-joined PC to an Azure AD-joined PC using:
- Password
- Smartcards
- Windows Hello for Business, if the domain is managed by System Center Configuration Manager
In organizations that have integrated Active Directory and Azure AD, you can connect from an Azure AD-joined PC to an AD-joined PC when the Azure AD-joined PC is on the corporate network using:
- Password
- Smartcards
- Windows Hello for Business, if the organization has a mobile device management (MDM) subscription.
In organizations that have integrated Active Directory and Azure AD, you can connect from an Azure AD-joined PC to another Azure AD-joined PC using:
- Password
- Smartcards
- Windows Hello for Business, with or without an MDM subscription.
In organizations using only Azure AD, you can connect from an Azure AD-joined PC to another Azure AD-joined PC using:
- Password
- Windows Hello for Business, with or without an MDM subscription.
## Related topics
[How to use Remote Desktop](http://windows.microsoft.com/en-us/windows-10/how-to-use-remote-desktop)
[Remote Desktop Connection: frequently asked questions](http://windows.microsoft.com/en-us/windows/remote-desktop-connection-faq#1TC=windows-8) (Windows 8.1 documentation, still applicable to Windows 10)
 
 

10
windows/manage/distribute-apps-from-your-private-store.md
View File

@ -23,29 +23,29 @@ You can make an app available in your private store when you acquire the app, or
**To acquire an app and make it available in your private store**
1. Sign in to the Store for Business.
1. Sign in to the [Store for Business](https://businessstore.microsoft.com).
2. Click an app and then click **Get the app** to acquire the app for your organization.
3. You'll have a few options for distributing the app -- choose **Add to your private store where all people in your organization can find and install it.**
![](images/wsfb-distribute.png)
![Image showing Distribute options for app in the Windows Store for Business.](images/wsfb-distribute.png)
It will take approximately twelve hours before the app is available in the private store.
**To make an app in inventory available in your private store**
1. Sign in to the Store for Business.
1. Sign in to the [Store for Business](https://businessstore.microsoft.com).
2. Click **Manage**, and then choose **Inventory**.
![](images/wsfb-manageinventory.png)
![Image showing Manage menu in Windows Store for Business.](images/wsfb-manageinventory.png)
3. Click **Refine**, and then choose **Online**. Store for Business will update the list of apps on the **Inventory** page.
4. From an app in **Inventory**, click the ellipses under **Action**, and then choose **Add to private store**.
![](images/wsfb-inventoryaddprivatestore.png)
![Image showing options from Action for each app in Inventory.](images/wsfb-inventoryaddprivatestore.png)
The value under **Private store** for the app will change to pending. It will take approximately twelve hours before the app is available in the private store.

4
windows/manage/distribute-apps-with-management-tool.md
View File

@ -48,14 +48,14 @@ If your vendor doesnt support the ability to synchronize applications from th
This diagram shows how you can use a management tool to distribute offline-licensed app to employees in your organization. Once synchronized from Store for Business, management tools can use the Windows Management framework to distribute applications to devices.
![](images/wsfb-offline-distribute-mdm.png)
![Image showing flow for distributing offline-licensed app from Windows Store for Business to employees in your organization.](images/wsfb-offline-distribute-mdm.png)
## Distribute online-licensed apps
This diagram shows how you can use a management tool to distribute an online-licensed app to employees in your organization. Once synchronized from Store for Business, management tools use the Windows Management framework to distribute applications to devices. For Online licensed applications, the management tool calls back in to Store for Business management services to assign an application prior to issuing the policy to install the application.
![](images/wsfb-online-distribute-mdm.png)
![Image showing flow for distributing online-licensed app from Wndows Store for Business.](images/wsfb-online-distribute-mdm.png)
## Related topics

8
windows/manage/group-policies-for-enterprise-and-education-editions.md
View File

@ -17,14 +17,16 @@ In Windows 10, version 1607, the following Group Policies apply only to Windows
| Policy name | Policy path | Comments |
| --- | --- | --- |
| **Configure Spotlight on lock screen** | User Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](https://technet.microsoft.com/en-us/itpro/windows/whats-new/windows-spotlight) |
| **Configure Spotlight on lock screen** | User Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](https://technet.microsoft.com/en-us/itpro/windows/whats-new/windows-spotlight). Note that an additional **Cloud Content** policy, **Do not suggest third-party content in Windows spotlight**, does apply to Windows 10 Pro. |
| **Turn off all Windows Spotlight features** | User Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](https://technet.microsoft.com/en-us/itpro/windows/whats-new/windows-spotlight) |
| **Turn off Microsoft consumer features** | Computer Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](https://technet.microsoft.com/en-us/itpro/windows/whats-new/windows-spotlight) |
| **Do not display the lock screen** | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](https://technet.microsoft.com/en-us/itpro/windows/whats-new/windows-spotlight) |
| **Do not require CTRL+ALT+DEL** </br>combined with</br>**Turn off app notifications on the lock screen** | Computer Configuration > Administrative Templates > System > Logon </br>and</br>Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Interactive logon | When both of these policy settings are enabled, the combination will also disable lock screen apps ([assigned access](set-up-a-device-for-anyone-to-use.md)) on Windows 10 Enterprise and Windows 10 Education only. These policy settings can be applied to Windows 10 Pro, but lock screen apps will not be disabled on Windows 10 Pro. |
| **Do not show Windows Tips** | Computer Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](https://technet.microsoft.com/en-us/itpro/windows/whats-new/windows-spotlight) |
| **Force a specific default lock screen image** | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](https://technet.microsoft.com/en-us/itpro/windows/whats-new/windows-spotlight) |
| **Start layout** | User Configuration\Administrative Templates\Start Menu and Taskbar | For more info, see [Manage Windows 10 Start layout options and policies](windows-10-start-layout-options-and-policies.md) |
| **Turn off all Windows Spotlight features** | User Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](https://technet.microsoft.com/en-us/itpro/windows/whats-new/windows-spotlight) |
| **Turn off Microsoft consumer features** | Computer Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](https://technet.microsoft.com/en-us/itpro/windows/whats-new/windows-spotlight) |
| **Turn off the Store application** | Computer Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application<br><br>User Configuration > Administrative Templates > Windows Components > Store > Turn off the Store | For more info, see [Knowledge Base article# 3135657](https://support.microsoft.com/en-us/kb/3135657). |

BIN
windows/manage/images/allow-rdp.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 15 KiB

BIN
windows/manage/images/rdp.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 15 KiB

25
windows/manage/lockdown-xml.md
View File

@ -31,12 +31,13 @@ The configuration items must be in the following order when you lock down settin
- Default profile
- ActionCenter
- Apps
- Application product ID, as described in [Product IDs in Windows 10 Mobile](http://go.microsoft.com/fwlink/p/?LinkId=698449)
- Apps (contains lists of applications and folders)
- Application product ID, as described in [Product IDs in Windows 10 Mobile](http://go.microsoft.com/fwlink/p/?LinkId=698449), or folder ID and folder name, as described in [EnterpriseAssignedAccess CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt157024%28v=vs.85%29.aspx)
- App User Model ID, as described in [Configuring Multiple App Packages](#bmk-map)
- PinToStart
- Size
- Location
- Parent folder ID
- Buttons
- ButtonLockdownList
- Button name
@ -56,12 +57,13 @@ The configuration items must be in the following order when you lock down settin
- RoleList
- Role (repeat for each role)
- ActionCenter
- Apps
- Application product ID, as described in [Product IDs in Windows 10 Mobile](http://go.microsoft.com/fwlink/p/?LinkId=698449)
- App User Model ID (AUMID), as described in [Configuring Multiple App Packages](#bmk-map)
- Apps (contains lists of applications and folders)
- Application product ID, as described in [Product IDs in Windows 10 Mobile](http://go.microsoft.com/fwlink/p/?LinkId=698449), or folder ID and folder name, as described in [EnterpriseAssignedAccess CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt157024%28v=vs.85%29.aspx)
- App User Model ID, as described in [Configuring Multiple App Packages](#bmk-map)
- PinToStart
- Size
- Location
- Parent folder ID
- Buttons
- ButtonLockdownList
- Button name
@ -124,6 +126,16 @@ The XML example can be used as a lockdown file that is contained in a provisioni
<Default>
<ActionCenter enabled="true" />
<Apps>
<!-- Create folder -->
<Application folderId="1" folderName="foldername">
<PinToStart>
<Size>Large</Size>
<Location>
<LocationX>0</LocationX>
<LocationY>2</LocationY>
</Location>
</PinToStart>
</Application>
<!-- Settings -->
<Application productId="{2A4E62D8-8809-4787-89F8-69D0F01654FB}">
<PinToStart>
@ -134,7 +146,7 @@ The XML example can be used as a lockdown file that is contained in a provisioni
</Location>
</PinToStart>
</Application>
<!-- Outlook Calendar -->
<!-- Outlook Calendar in folder -->
<Application productId="{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}" aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.calendar">
<PinToStart>
<Size>Small</Size>
@ -142,6 +154,7 @@ The XML example can be used as a lockdown file that is contained in a provisioni
<LocationX>0</LocationX>
<LocationY>2</LocationY>
</Location>
<ParentFolderId>1</ParentFolderId>
</PinToStart>
</Application>
<!-- Photos -->

2
windows/manage/manage-access-to-private-store.md
View File

@ -23,7 +23,7 @@ Organizations might want control the set of apps that are available to their emp
The private store is a feature in Store for Business that organizations receive during the sign up process. When admins add apps to the private store, all employees in the organization can view and download the apps. Your private store is available as a tab in the Windows Store, and is usually named for your company or organization. Only apps with online licenses can be added to the private store. Your private store looks something like this:
![](images/wsfb-wsappprivatestore.png)
![Image showing the Windows Store app, with a private store tab highlighted.](images/wsfb-wsappprivatestore.png)
Organizations using an MDM to manage apps can use a policy to show only the private store. When your MDM supports the Store for Business, the MDM can use the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#group-policy-table). More specifically, the **ApplicationManagement/RequirePrivateStoreOnly** policy.

2
windows/manage/manage-corporate-devices.md
View File

@ -124,7 +124,7 @@ Microsoft Virtual Academy course: [System Center 2012 R2 Configuration Manager &
[Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md)
 
[Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md) 
 

8
windows/manage/manage-private-store-settings.md
View File

@ -19,9 +19,9 @@ author: TrudyHa
The private store is a feature in the Windows Store for Business that organizations receive during the sign up process. When admins add apps to the private store, all employees in the organization can view and download the apps. Only online-licensed apps can be distributed from your private store.
The name of your private store is shown on a tab in the Windows Store.
The name of your private store is shown on a tab in the Windows Store app.
![](images/wsfb-wsappprivatestore.png)
![Image showing Windows Store app with private store tab highlighted.](images/wsfb-wsappprivatestore.png)
You can change the name of your private store in Store for Business.
@ -33,13 +33,13 @@ You can change the name of your private store in Store for Business.
You'll see your private store name.
![](images/wsfb-privatestore.png)
![Image showing Private store page in Windows Store for Business.](images/wsfb-privatestore.png)
3. Click **Change**.
4. Type a new display name for your private store, and click **Save**.
![](images/wsfb-renameprivatestore.png)
![Image showing Private store dialog used to change private store display name.](images/wsfb-renameprivatestore.png)
 

4
windows/manage/roles-and-permissions-windows-store-for-business.md
View File

@ -204,11 +204,11 @@ These permissions allow people to:
2. Click **Settings**, and then choose **Permissions**.
![](images/wsfb-settings-permissions.png)
![Image showing Permissions page in Windows Store for Business.](images/wsfb-settings-permissions.png)
3. Click **Add people**, type a name, choose the role you want to assign, and click **Save** .
![](images/wsfb-permissions-assignrole.png)
![Image showing Assign roles to people box in Windows Store for Business.](images/wsfb-permissions-assignrole.png)
4.

26
windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md
View File

@ -68,13 +68,14 @@ For a more secure kiosk experience, we recommend that you make the following con
Using assigned access, Windows 10 runs the designated Universal Windows app above the lockscreen, so that the assigned access account has no access to any other functionality on the device. You have these choices for setting up assigned access:
- [Use Settings on the PC](#set-up-assigned-access-in-pc-settings) - Windows 10 Pro, Enterprise, and Education
| Method | Account type | Windows 10 edition |
| --- | --- | --- |
| [Use Settings on the PC](#set-up-assigned-access-in-pc-settings) | Local standard | Pro, Enterprise, Education |
| [Apply a mobile device management (MDM) policy](#set-up-assigned-access-in-mdm) | All (domain, local standard, local administrator, etc) | Enterprise, Education |
| [Create a provisioning package using Windows Imaging and Configuration Designer (ICD)](#icd) | All (domain, local standard, local administrator, etc) | Enterprise, Education |
| [Run a PowerShell script](#set-up-assigned-access-using-windows-powershell) | Local standard | Pro, Enterprise, Education |
- [Apply a mobile device management (MDM) policy](#set-up-assigned-access-in-mdm) - Windows 10 Enterprise and Education
- [Create a provisioning package using Windows Imaging and Configuration Designer (ICD)](#icd) - Windows 10 Enterprise and Education
- [Run a PowerShell script](#set-up-assigned-access-using-windows-powershell) - Windows 10 Pro, Enterprise, and Education
### Requirements
@ -181,7 +182,7 @@ When you build a provisioning package, you may include sensitive information in
You can use any of the following PowerShell cmdlets to set up assigned access on multiple devices.
To open PowerShell on Windows 10, search for PowerShell and find **Windows PowerShell Desktop app** in the results.
To open PowerShell on Windows 10, search for PowerShell and find **Windows PowerShell Desktop app** in the results. Run PowerShell as administrator.
```
Set-AssignedAccess -AppUserModelId <AUMID> -UserName <username>
@ -194,14 +195,16 @@ Set-AssignedAccess -AppUserModelId <AUMID> -UserSID <usersid>
```
Set-AssignedAccess -AppName <CustomApp> -UserName <username>
```
> **Note:** To set up assigned access using `-AppName`, the user account that you specify for assigned access must have logged on at least once.
```
Set-AssignedAccess -AppName <CustomApp> -UserSID <usersid>
```
> **Note:** To set up assigned access using `-AppName`, the user account that you specify for assigned access must have logged on at least once.
[Learn how to get the AUMID](http://go.microsoft.com/fwlink/p/?LinkId=614867).
[Learn how to get the AppName](https://msdn.microsoft.com/en-us/library/windows/hardware/mt620046%28v=vs.85%29.aspx) (see **Parameters**).
[Learn how to get the SID](http://go.microsoft.com/fwlink/p/?LinkId=615517).
To remove assigned access, using PowerShell, run the following cmdlet.
@ -225,7 +228,7 @@ Edit the registry to have an account automatically logged on.
2. Go to
****HKEY\_LOCAL\_MACHINE**\\**SOFTWARE**\\**Microsoft**\\**WindowsNT**\\**CurrentVersion**\\**Winlogon****
**HKEY\_LOCAL\_MACHINE\SOFTWARE\\Microsoft\WindowsNT\CurrentVersion\Winlogon**
3. Set the values for the following keys.
@ -235,10 +238,7 @@ Edit the registry to have an account automatically logged on.
- *DefaultPassword*: set value as the password for the account.
**Note**  
If *DefaultUserName* and *DefaultPassword* aren't there, add them as **New** &gt; **String Value**.
 
> **Note**  If *DefaultUserName* and *DefaultPassword* aren't there, add them as **New** &gt; **String Value**.
- *DefaultDomainName*: set value for domain, only for domain accounts. For local accounts, do not add this key.
@ -250,7 +250,7 @@ To sign out of an assigned access account, press **Ctrl + Alt + Del**, and then
If you press **Ctrl + Alt + Del** and do not sign in to another account, after a set time, assigned access will resume. The default time is 30 seconds, but you can change that in the following registry key:
****HKEY\_LOCAL\_MACHINE**\\**SOFTWARE**\\**Microsoft**\\**Windows**\\**CurrentVersion**\\**Authentication**\\**LogonUI****
**HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI**
To change the default time for assigned access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal.

16
windows/manage/sign-up-windows-store-for-business.md
View File

@ -34,7 +34,7 @@ Before signing up for the Store for Business, make sure you're the global admini
- If you already have an Azure AD directory, you'll [sign in to Store for Business](#sign-in), and then accept Store for Business terms.
![](images/wsfb-landing.png)
![Image showing Windows Store for Business page with invitation to sign up, or sign in.](images/wsfb-landing.png)
**To sign up for Azure AD accounts through Office 365 for Business**
@ -44,43 +44,43 @@ Before signing up for the Store for Business, make sure you're the global admini
Type the required info and click **Next.**
![](images/wsfb-onboard-1.png)
![Image showing Welcome page for sign up process.](images/wsfb-onboard-1.png)
- Step 2: Create an ID.
We'll use info you provided on the previous page to build your user ID. Check the info and click **Next**.
![](images/wsfb-onboard-2.png)
![Image showing Create your user ID page for sign up process.](images/wsfb-onboard-2.png)
- Step 3: You're in.
Let us know how you'd like to receive a verification code, and click either **Text me**, or **Call me**. We'll send you a verification code
![](images/wsfb-onboard-3.png)
![Image showing confirmation page as part of sign up process.](images/wsfb-onboard-3.png)
- Verification.
Type your verification code and click **Create my account**.
![](images/wsfb-onboard-4.png)
![Image showing verification code step.](images/wsfb-onboard-4.png)
- Save this info.
Be sure to save the portal sign-in page and your user ID info. Click **You're ready to go**.
![](images/wsfb-onboard-5.png)
![Image showing sign-in page and user ID for Windows Store for Business. ](images/wsfb-onboard-5.png)
- At this point, you'll have an Azure AD directory created with one user account. That user account is the global administrator. You can use that account to sign in to Store for Business.
2. <a href="" id="sign-in"></a>Sign in with your Azure AD account.
![](images/wsfb-onboard-7.png)
![Image showing sign-in page for Windows Store for Business.](images/wsfb-onboard-7.png)
3. <a href="" id="accept-terms"></a>Read through and accept Store for Business terms.
4. Welcome to the Store for Business. Click **Next** to continue.
![](images/wsfb-firstrun.png)
![Image showing welcome message for Windows Store for Business.](images/wsfb-firstrun.png)
### Next steps

2
windows/whats-new/TOC.md
View File

@ -8,7 +8,7 @@
## [Enterprise data protection (EDP)](edp-whats-new-overview.md)
## [Enterprise management for Windows 10 devices](device-management.md)
## [Lockdown features from Windows Embedded Industry 8.1](lockdown-features-windows-10.md)
## [Microsoft Passport](microsoft-passport.md)
## [Windows Hello](microsoft-passport.md)
## [Provisioning packages](new-provisioning-packages.md)
## [Security](security.md)
## [Security auditing](security-auditing.md)

2
windows/whats-new/edp-whats-new-overview.md
View File

@ -18,7 +18,7 @@ author: eross-msft
<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
With the increase of employee-owned devices in the enterprise, theres also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprises control. For example, when an employee sends the latest engineering pictures to their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage.
With the increase of employee-owned devices in the enterprise, theres also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprises control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage.
Enterprise data protection (EDP) helps to protect against this potential data leakage without otherwise interfering with the employee experience. EDP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps.

4
windows/whats-new/index.md
View File

@ -64,8 +64,8 @@ Learn about new features in Windows 10 for IT professionals, such as Enterprise
<td align="left"><p>Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10. This table maps Windows Embedded Industry 8.1 features to Windows 10 Enterprise features, along with links to documentation.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Microsoft Passport](microsoft-passport.md)</p></td>
<td align="left"><p>In Windows 10, Microsoft Passport replaces passwords with strong two-factor authentication that consists of an enrolled device and a Windows Hello (biometric) or PIN.</p></td>
<td align="left"><p>[Windows Hello](microsoft-passport.md)</p></td>
<td align="left"><p>In Windows 10, Windows Hello replaces passwords with strong two-factor authentication that consists of an enrolled device and a PIN or biometric gesture such as a fingerprint.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Provisioning packages](new-provisioning-packages.md)</p></td>

24
windows/whats-new/microsoft-passport.md
View File

@ -1,8 +1,8 @@
---
title: Microsoft Passport overview (Windows 10)
description: In Windows 10, Microsoft Passport replaces passwords with strong two-factor authentication.
title: Windows Hello overview (Windows 10)
description: In Windows 10, Windows Hello replaces passwords with strong two-factor authentication.
ms.assetid: 292F3BE9-3651-4B20-B83F-85560631EF5B
keywords: password, hello, fingerprint, iris, biometric
keywords: password, hello, fingerprint, iris, biometric, passport
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
@ -10,23 +10,25 @@ ms.pagetype: mobile, security
author: jdeckerMS
---
# Microsoft Passport overview
# Windows Hello overview
**Applies to**
- Windows 10
- Windows 10 Mobile
In Windows 10, Microsoft Passport replaces passwords with strong two-factor authentication that consists of an enrolled device and a Windows Hello (biometric) or PIN.
> **Note:** When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name in Windows 10, version 1607. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.
Microsoft Passport lets users authenticate to a Microsoft account, an Active Directory account, a Microsoft Azure Active Directory (AD) account, or non-Microsoft service that supports [Fast ID Online (FIDO)](http://go.microsoft.com/fwlink/p/?LinkId=533889) authentication. After an initial two-step verification during Microsoft Passport enrollment, a Microsoft Passport is set up on the user's device and the user sets a gesture, which can be Windows Hello or a PIN. The user provides the gesture to verify identity; Windows then uses Microsoft Passport to authenticate users and help them to access protected resources and services.
Microsoft Passport also enables Windows 10 Mobile devices to be used as a remote credential when signing into Windows 10 PCs. During the sign-in process, the Windows 10 PC can connect using Bluetooth to access Microsoft Passport on the users Windows 10 Mobile device. Because users carry their phone with them, Microsoft Passport makes implementing two-factor authentication across the enterprise less costly and complex than other solutions
In Windows 10, Windows Hello replaces passwords with strong two-factor authentication that consists of an enrolled device and a Windows Hello (biometric) or PIN.
## Benefits of Microsoft Passport
Windows Hello lets users authenticate to a Microsoft account, an Active Directory account, a Microsoft Azure Active Directory (AD) account, or non-Microsoft service that supports [Fast ID Online (FIDO)](http://go.microsoft.com/fwlink/p/?LinkId=533889) authentication. After an initial two-step verification during Hello enrollment, Hello is set up on the user's device and the user sets a gesture, which can be biometric such as a fingerprint or a PIN. The user provides the gesture to verify identity; Windows then uses Hello to authenticate users and help them to access protected resources and services.
Hello also enables Windows 10 Mobile devices to be used as a remote credential when signing into Windows 10 PCs. During the sign-in process, the Windows 10 PC can connect using Bluetooth to access Hello on the users Windows 10 Mobile device. Because users carry their phone with them, Hello makes implementing two-factor authentication across the enterprise less costly and complex than other solutions
- **User convenience**. The employee provides credentials (such as account and password, or other credentials), and is then guided to set up Microsoft Passport and Hello. From that point on, the employee can access enterprise resources by providing a gesture.
- **Security**. Microsoft Passport helps protect user identities and user credentials. Because no passwords are used, it helps circumvent phishing and brute force attacks. It also helps prevent server breaches because Microsoft
## Benefits of Windows Hello
- **User convenience**. The employee provides credentials (such as account and password, or other credentials), and is then guided to set up Windows Hello. From that point on, the employee can access enterprise resources by providing a gesture.
- **Security**. Hello helps protect user identities and user credentials. Because no passwords are used, it helps circumvent phishing and brute force attacks. It also helps prevent server breaches because Microsoft
Passport credentials are an asymmetric key pair, which helps prevent replay attacks when these keys are generated within isolated environments of Trusted Platform Modules (TPMs).
[Learn how to implement and manage Microsoft Passport in your organization.](../keep-secure/implement-microsoft-passport-in-your-organization.md)
[Learn how to implement and manage Windows Hello for Business in your organization.](../keep-secure/implement-microsoft-passport-in-your-organization.md)
## Learn more

14
windows/whats-new/windows-spotlight.md
View File

@ -16,7 +16,9 @@ author: jdeckerMS
- Windows 10
Windows Spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen. Windows Spotlight is available in all desktop editions of Windows 10. For managed devices running Windows 10 Enterprise and Windows 10 Education, enterprise administrators can configure a mobile device management (MDM) or Group Policy setting to prevent users from using the Windows Spotlight background.
Windows Spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen. Windows Spotlight is available in all desktop editions of Windows 10.
For managed devices running Windows 10 Enterprise and Windows 10 Education, enterprise administrators can configure a mobile device management (MDM) or Group Policy setting to prevent users from using the Windows Spotlight background. For managed devices running Windows 10 Pro, version 1607, administrators can disable suggestions for third party apps.
## What does Windows Spotlight include?
@ -41,10 +43,16 @@ To turn off Windows Spotlight locally, go to **Settings** &gt; **Personalization
## How do you disable Windows Spotlight for managed devices?
Windows 10, Version 1607, provides two new Group Policy settings to help you manage Spotlight on employees' computers.
Windows 10, version 1607, provides three new Group Policy settings to help you manage Spotlight on employees' computers.
**Windows 10 Pro, Enterprise, and Education**
- **User Configuration\Administrative Templates\Windows Components\Cloud Content\Do not suggest third-party content in Windows spotlight** enables enterprises to restrict suggestions to Microsoft apps and services.
**Windows 10 Enterprise and Education**
* **User Configuration\Administrative Templates\Windows Components\Cloud Content\Turn off all Windows Spotlight features** enables enterprises to completely disable all Spotlight features in a single setting.
* **User Configuration\Administrative Templates\Windows Components\Cloud Content\Configure Spotlight on lock screen** specifically controls the use of the dynamic Spotlight image on the lock screen, and can be enabled or disabled. (A third setting, **Enterprise Spotlight**, does not work in Windows 10, Version 1607.)
* **User Configuration\Administrative Templates\Windows Components\Cloud Content\Configure Spotlight on lock screen** specifically controls the use of the dynamic Spotlight image on the lock screen, and can be enabled or disabled. (The Group Policy setting **Enterprise Spotlight** does not work in Windows 10, version 1607.)
Windows Spotlight is enabled by default. Administrators can replace Windows Spotlight with a selected image using the Group Policy setting **Computer Configuration** &gt; **Administrative Templates** &gt; **Control Panel** &gt; **Personalization** &gt; **Force a specific default lock screen image**.