mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-15 18:33:43 +00:00
resolved warnings
@ -592,7 +592,7 @@ In this procedure, the workstations are dedicated to domain administrators. By s
> **Note** You might have to delegate permissions to join computers to the domain if the account that joins the workstations to the domain does not already have them. For more information, see [Delegation of Administration in Active Directory](https://social.technet.microsoft.com/wiki/contents/articles/20292.delegation-of-administration-in-active-directory.aspx).


3. Close Active Directory Users and Computers.
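Review bot: the note at the top of this hunk uses the inline `> **Note** ...` form, while the MFA topic touched by this same commit uses the `> [!IMPORTANT]` alert syntax; since the commit is resolving build warnings, switching this to `> [!NOTE]` on its own line with the text on a `>` continuation line keeps the two files consistent and lets the docs build render it as an alert. The delegation link points at a social.technet.microsoft.com wiki page; confirm it still resolves before leaving it as the only reference for join permissions.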
@ -600,13 +600,13 @@ In this procedure, the workstations are dedicated to domain administrators. By s
5. Right-click the new OU, and > **Create a GPO in this domain, and Link it here**.


6. Name the GPO, and > **OK**.
7. Expand the GPO, right-click the new GPO, and > **Edit**.


8. Configure which members of accounts can log on locally to these administrative workstations as follows:
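Review bot: the "and > **OK**" construction in steps 5, 6 and 7 reads as a stray chevron rather than a click instruction, and it is inconsistent with "Click **OK**" used later in this same file (step 3 of the firewall procedure at line 696); either write "and then select **OK**" or reserve ">" for separating menu items, as "**Add User or Group** > **Browse**" does in the hunks at lines 778 and 791. Step 8's "which members of accounts can log on locally" is also garbled; "which accounts can log on locally" says the same thing.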
@ -625,7 +625,7 @@ In this procedure, the workstations are dedicated to domain administrators. By s
5. Click **Add User or Group**, type **Administrators**, and > **OK**.


9. Configure the proxy configuration:
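Review bot: step 9 "Configure the proxy configuration:" is redundant; "Configure the proxy settings:" matches the **Proxy Settings** item it introduces. In step 5, it is worth saying whether **Administrators** is meant to replace the default entries in the logon-locally right or to be added alongside them, since the purpose of the procedure (step 8) is to restrict who can log on to these workstations, and a reader who only appends the group gets no restriction.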
@ -633,7 +633,7 @@ In this procedure, the workstations are dedicated to domain administrators. By s
2. Double-click **Proxy Settings**, select the **Enable proxy settings** check box, type **127.0.0.1** (the network Loopback IP address) as the proxy address, and > **OK**.


10. Configure the loopback processing mode to enable the user Group Policy proxy setting to apply to all users on the computer as follows:
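Review bot: step 10 should name which loopback processing mode is intended, because the two behave differently for the proxy setting from step 2: Replace applies only the user settings from GPOs linked to the workstation's OU, while Merge also applies the user's own GPOs and lets the workstation-linked settings win on conflict. Step 2's "(the network Loopback IP address)" would read better as "(the loopback address)", and "and > **OK**" has the same chevron problem as the earlier hunks.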
@ -696,11 +696,11 @@ In this procedure, the workstations are dedicated to domain administrators. By s
1. Right-click **Windows Firewall with Advanced Security LDAP://path**, and > **Properties**.


2. On each profile, ensure that the firewall is enabled and that inbound connections are set to **Block all connections**.


3. Click **OK** to complete the configuration.
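Review bot: step 1 shows **LDAP://path** in bold as if it were a literal node name; mark it as a placeholder (for example `LDAP://<path>` or italics) so the reader knows their own GPO path appears there. Step 2 is the right setting for a dedicated admin workstation, but a short clause noting that **Block all connections** also overrides any inbound allow rules would warn readers who expect to manage these workstations remotely.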
@ -738,11 +738,11 @@ For this procedure, do not link accounts to the OU that contain workstations for
3. Right-click **Group Policy Objects**, and > **New**.


4. In the **New GPO** dialog box, name the GPO that restricts administrators from signing in to workstations, and > **OK**.


5. Right-click **New GPO**, and > **Edit**.
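Review bot: step 5 "Right-click **New GPO**" reads as if the object is literally named "New GPO", but step 4 just told the reader to choose their own name; "Right-click the GPO you just created" removes the ambiguity. The context line's "do not link accounts to the OU that contain workstations" should be "that contains workstations" (the OU contains them).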
@ -756,7 +756,7 @@ For this procedure, do not link accounts to the OU that contain workstations for
3. Click **Add User or Group**, click **Browse**, type **Domain Admins**, and > **OK**.


**Note**
You can optionally add any groups that contain server administrators who you want to restrict from signing in to workstations.
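Review bot: the note after step 3 is a bare bold **Note** line followed by a paragraph, which the docs build does not render as an alert; use `> [!NOTE]` with the text on a `>` continuation line, as the `> [!IMPORTANT]` block in the MFA topic in this commit does. The same note text appears again in the hunks at lines 778 and 791, so the three copies need the same fix, and "who you want to restrict" should be "whom you want to restrict" in all three.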
@ -778,7 +778,7 @@ For this procedure, do not link accounts to the OU that contain workstations for
3. Click **Add User or Group** > **Browse**, type **Domain Admins**, and > **OK**.


**Note**
You can optionally add any groups that contain server administrators who you want to restrict from signing in to workstations.
@ -791,7 +791,7 @@ For this procedure, do not link accounts to the OU that contain workstations for
6. Click **Add User or Group** > **Browse**, type **Domain Admins**, and > **OK**.


**Note**
You can optionally add any groups that contain server administrators who you want to restrict from signing in to workstations.
@ -804,11 +804,11 @@ For this procedure, do not link accounts to the OU that contain workstations for
1. Right-click the workstation OU, and then > **Link an Existing GPO**.


2. Select the GPO that you just created, and > **OK**.


10. Test the functionality of enterprise applications on workstations in the first OU and resolve any issues caused by the new policy.
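Review bot: step 10 tells the reader to test on "workstations in the first OU" and fix issues, but nothing in the visible steps says that linking to the remaining workstation OUs should wait until that test passes; a sentence making the staged rollout explicit would close the loop, since a logon-restriction GPO that misfires locks administrators out of the very workstations it is linked to. Step 1 mixes "and then >" with the plain "and >" used elsewhere; pick one.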
@ -831,7 +831,7 @@ It is a best practice to configure the user objects for all sensitive accounts i
As with any configuration change, test this enabled setting fully to ensure that it performs correctly before you implement it.


## <a href="" id="sec-secure-manage-dcs"></a>Secure and manage domain controllers
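Review bot: the heading carries an inline `<a href="" id="sec-secure-manage-dcs"></a>` anchor with an empty `href`; if the warning being resolved concerns this markup, the `href` attribute can simply be dropped (the `id` alone is the link target), or the heading's own generated slug can replace the anchor entirely. "test this enabled setting fully" does not say which setting; naming it (the sensitive-account setting from the preceding context) would help a reader who lands on this paragraph from a search.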
@ -10,7 +10,7 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
ms.prod: m365-security
ms.technology: windows
ms.technology: windows-sec
ms.pagetype: security
ms.localizationpriority: medium
ms.date: 07/27/2017
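Review bot: this frontmatter hunk replaces `ms.technology: windows` with `ms.technology: windows-sec` but leaves `ms.date: 07/27/2017` untouched; if the publishing system uses ms.date for freshness, confirm whether a metadata-only edit is expected to bump it, and apply the same decision to the BitLocker troubleshooting files later in this commit, which get the identical change.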
@ -16,7 +16,7 @@ localizationpriority: medium
ms.date: 08/19/2018
ms.reviewer:
---
# Validate and Deploy Multifactor Authentication (MFA)
# Validate and Deploy Multifactor Authentication

**Applies to**
@ -16,7 +16,7 @@ localizationpriority: medium
ms.date: 08/19/2018
ms.reviewer:
---
# Validate and Deploy Multifactor Authentication (MFA)
# Validate and Deploy Multifactor Authentication

> [!IMPORTANT]
> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multifactor authentication from their users should use cloud-based Azure AD Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual.
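Review bot: dropping "(MFA)" from the H1 leaves the abbreviation in "MFA Server" in the IMPORTANT block below it without ever being introduced; either keep the parenthetical in the title or spell out "Multifactor Authentication (MFA) Server" on first use in the alert. `ms.reviewer:` is left with an empty value, which is the sort of thing a frontmatter linter flags; either fill it or remove the key.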
@ -23,7 +23,7 @@ To secure the connections, update the configuration of VPN servers and clients b
## VPN server

For VPN servers that run Windows Server 2012 R2 or later, you need to run [Set-VpnServerConfiguration](/powershell/module/remoteaccess/set-vpnserverconfiguration?view=win10-ps) to configure the tunnel type. This makes all IKE exchanges on IKEv2 tunnel use the secure configuration.
For VPN servers that run Windows Server 2012 R2 or later, you need to run [Set-VpnServerConfiguration](/powershell/module/remoteaccess/set-vpnserverconfiguration?view=win10-ps&preserve-view=true) to configure the tunnel type. This makes all IKE exchanges on IKEv2 tunnel use the secure configuration.

```powershell
Set-VpnServerConfiguration -TunnelType IKEv2 -CustomPolicy
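Review bot: "This makes all IKE exchanges on IKEv2 tunnel use the secure configuration" should read "on the IKEv2 tunnel", and it is worth stating that `-CustomPolicy` here only selects custom policy; the actual IPsec parameters come from the `Set-VpnServerIPsecConfiguration -CustomPolicy` call that the next hunk's context line shows, so the two commands form one step. Adding `&preserve-view=true` to the link is the right fix for the versioned-URL warning.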
@ -38,7 +38,7 @@ Set-VpnServerIPsecConfiguration -CustomPolicy
## VPN client

For VPN client, you need to configure each VPN connection.
For example, run [Set-VpnConnectionIPsecConfiguration (version 4.0)](/powershell/module/vpnclient/set-vpnconnectionipsecconfiguration?view=win10-ps) and specify the name of the connection:
For example, run [Set-VpnConnectionIPsecConfiguration (version 4.0)](/powershell/module/vpnclient/set-vpnconnectionipsecconfiguration?view=win10-ps&preserve-view=true) and specify the name of the connection:


```powershell
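Review bot: "For VPN client, you need to configure each VPN connection" should be "For VPN clients, you need to configure each VPN connection". The "(version 4.0)" in the link text is easily read as a Windows or PowerShell version; say what it refers to (the module or cmdlet version) or drop it, since the `view=win10-ps` query already pins the reference page.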
@ -34,7 +34,7 @@ Open Event Viewer and review the following logs under Applications and Services

Additionally, review the Windows logs\\System log for events that were produced by the TPM and TPM-WMI event sources.

To filter and display or export logs, you can use the [wevtutil.exe](/windows-server/administration/windows-commands/wevtutil) command-line tool or the [Get-WinEvent](/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-6) cmdlet.
To filter and display or export logs, you can use the [wevtutil.exe](/windows-server/administration/windows-commands/wevtutil) command-line tool or the [Get-WinEvent](/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-6&preserve-view=true) cmdlet.


For example, to use wevtutil to export the contents of the operational log from the BitLocker-API folder to a text file that is named BitLockerAPIOpsLog.txt, open a Command Prompt window, and run the following command:
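Review bot: "the Windows logs\\System log" should use Event Viewer's own folder name, "the Windows Logs\\System log", so it matches the "Applications and Services" wording in the context line. The paragraph names both wevtutil.exe and Get-WinEvent but the example that follows covers only wevtutil; a parallel Get-WinEvent example for the same BitLocker-API operational log would make the cmdlet link worth following.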
@ -88,11 +88,11 @@ Open an elevated Windows PowerShell window, and run each of the following comman

|Command |Notes |
| --- | --- |
|[**get-tpm \> C:\\TPM.txt**](/powershell/module/trustedplatformmodule/get-tpm?view=win10-ps) |Exports information about the local computer's Trusted Platform Module (TPM). This cmdlet shows different values depending on whether the TPM chip is version 1.2 or 2.0. This cmdlet is not supported in Windows 7. |
|[**get-tpm \> C:\\TPM.txt**](/powershell/module/trustedplatformmodule/get-tpm?view=win10-ps&preserve-view=true) |Exports information about the local computer's Trusted Platform Module (TPM). This cmdlet shows different values depending on whether the TPM chip is version 1.2 or 2.0. This cmdlet is not supported in Windows 7. |
|[**manage-bde –status \> C:\\BDEStatus.txt**](/windows-server/administration/windows-commands/manage-bde-status) |Exports information about the general encryption status of all drives on the computer. |
|[**manage-bde c: <br />-protectors -get \> C:\\Protectors**](/windows-server/administration/windows-commands/manage-bde-protectors) |Exports information about the protection methods that are used for the BitLocker encryption key. |
|[**reagentc /info \> C:\\reagent.txt**](/windows-hardware/manufacture/desktop/reagentc-command-line-options) |Exports information about an online or offline image about the current status of the Windows Recovery Environment (WindowsRE) and any available recovery image. |
|[**get-BitLockerVolume \| fl**](/powershell/module/bitlocker/get-bitlockervolume?view=win10-ps) |Gets information about volumes that BitLocker Drive Encryption can protect. |
|[**get-BitLockerVolume \| fl**](/powershell/module/bitlocker/get-bitlockervolume?view=win10-ps&preserve-view=true) |Gets information about volumes that BitLocker Drive Encryption can protect. |

## Review the configuration information
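Review bot: the `manage-bde –status` row writes the option with an en dash ("–status") rather than a hyphen; pasted into a console it does not parse as the `-status` switch, so replace it with a plain hyphen as the `-protectors -get` row already does. Two smaller points in the same table: the `C:\\Protectors` redirect has no file extension while every other row writes a `.txt` file, and the reagentc row's "information about an online or offline image about the current status" stacks two "about" phrases; "information about the current status of the Windows Recovery Environment for an online or offline image" reads cleanly.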
@ -2,7 +2,7 @@
title: BitLocker cannot encrypt a drive known issues
description: Provides guidance for troubleshooting known issues that may prevent BitLocker Drive Encryption from encrypting a drive
ms.reviewer: kaushika
ms.technology: windows
ms.technology: windows-sec
ms.prod: m365-security
ms.sitesec: library
ms.localizationpriority: medium
@ -2,7 +2,7 @@
title: BitLocker cannot encrypt a drive known TPM issues
description: Provides guidance for troubleshooting known issues that may prevent BitLocker Drive Encryption from encrypting a drive, and that you can attribute to the TPM
ms.reviewer: kaushika
ms.technology: windows
ms.technology: windows-sec
ms.prod: m365-security
ms.sitesec: library
ms.localizationpriority: medium
@ -2,7 +2,7 @@
title: BitLocker configuration known issues
description: Describes common issues that involve your BitLocker configuration and BitLocker's general functionality, and provides guidance for addressing those issues.
ms.reviewer: kaushika
ms.technology: windows
ms.technology: windows-sec
ms.prod: m365-security
ms.sitesec: library
ms.localizationpriority: medium
@ -2,7 +2,7 @@
title: Decode Measured Boot logs to track PCR changes
description: Provides instructions for installing and using a tool for analyzing log information to identify changes to PCRs
ms.reviewer: kaushika
ms.technology: windows
ms.technology: windows-sec
ms.prod: m365-security
ms.sitesec: library
ms.localizationpriority: medium
@ -2,7 +2,7 @@
title: Enforcing BitLocker policies by using Intune known issues
description: provides assistance for issues that you may see if you use Microsoft Intune policy to manage silent BitLocker encryption on devices.
ms.reviewer: kaushika
ms.technology: windows
ms.technology: windows-sec
ms.prod: m365-security
ms.sitesec: library
ms.localizationpriority: medium
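Review bot: the `description` value in this file starts with lowercase "provides assistance" while every sibling file in this commit capitalizes the first word ("Provides guidance", "Describes common issues"); since the hunk already touches the frontmatter, capitalizing it here keeps the search-result snippets consistent.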
@ -2,7 +2,7 @@
title: BitLocker Network Unlock known issues
description: Describes several known issues that you may encounter while using Network Unlock, and provided guidance for addressing those issues.
ms.reviewer: kaushika
ms.technology: windows
ms.technology: windows-sec
ms.prod: m365-security
ms.sitesec: library
ms.localizationpriority: medium
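Review bot: the `description` here has a tense slip, "and provided guidance for addressing those issues"; it should be "and provides guidance", matching the parallel "Describes ... and provides" wording used in the other BitLocker known-issues files in this commit.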
@ -2,7 +2,7 @@
title: BitLocker recovery known issues
description: Describes common issues that can occur that prevent BitLocker from behaving as expected when recovering a drive, or may cause BitLocker to start recovery unexpectedly. The article provides guidance for addressing those issues.
ms.reviewer: kaushika
ms.technology: windows
ms.technology: windows-sec
ms.prod: m365-security
ms.sitesec: library
ms.localizationpriority: medium
@ -2,7 +2,7 @@
title: BitLocker and TPM other known issues
description: Describes common issues that relate directly to the TPM, and provides guidance for resolving those issues.
ms.reviewer: kaushika
ms.technology: windows
ms.technology: windows-sec
ms.prod: m365-security
ms.sitesec: library
ms.localizationpriority: medium
@ -53,7 +53,7 @@ By default, peripherals with DMA Remapping incompatible drivers will be blocked
## User experience


By default, peripherals with DMA remapping compatible device drivers will be automatically enumerated and started. Peripherals with DMA Remapping incompatible drivers will be blocked from starting if the peripheral was plugged in before an authorized user logs in, or while the screen is locked. Once the system is unlocked, the peripheral driver will be started by the OS, and the peripheral will continue to function normally until the system is rebooted, or the peripheral is unplugged.
The peripheral will continue to function normally if the user locks the screen or logs out of the system.
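Review bot: the paragraph alternates between "DMA remapping compatible" and "DMA Remapping incompatible"; pick one capitalization (and hyphenate the compound adjectives, "DMA-remapping-compatible drivers", so the sentence parses on first read). The two sentences describe two different gates, "before an authorized user logs in" and "Once the system is unlocked"; stating once that the blocked driver is started when a user signs in or unlocks the screen, and then stays started, would remove the ambiguity the following sentence tries to patch.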
@ -113,11 +113,11 @@ No, Kernel DMA Protection only protects against drive-by DMA attacks after the O
DMA-remapping is supported for specific device drivers, and is not universally supported by all devices and drivers on a platform. To check if a specific driver is opted into DMA-remapping, check the values corresponding to the DMA Remapping Policy property in the Details tab of a device in Device Manager*. A value of 0 or 1 means that the device driver does not support DMA-remapping. A value of two means that the device driver supports DMA-remapping. If the property is not available, then the policy is not set by the device driver (that is, the device driver does not support DMA-remapping).
Check the driver instance for the device you are testing. Some drivers may have varying values depending on the location of the device (internal vs. external).


*For Windows 10 versions 1803 and 1809, the property field in Device Manager uses a GUID, as highlighted in the following image.


### When the drivers for PCI or Thunderbolt™ 3 peripherals do not support DMA-remapping?
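Review bot: the DMA Remapping Policy values are written as "0 or 1" and then "two"; use numerals throughout ("A value of 2 means ..."). The closing heading "When the drivers for PCI or Thunderbolt™ 3 peripherals do not support DMA-remapping?" is a fragment with a question mark; "What happens when the drivers for PCI or Thunderbolt 3 peripherals do not support DMA-remapping?" makes it a question like the "No, Kernel DMA Protection only protects ..." answer in the context line implies. The footnote asterisk is attached to "Device Manager*" with no space but opens the footnote line as "*For Windows 10 ..."; Markdown can treat a leading "*" as emphasis, so a superscript or a "Note:" lead-in is safer.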