Merge remote-tracking branch 'refs/remotes/origin/master' into atp-whatsnew

This commit is contained in:
Joey Caparas
2017-05-15 13:20:26 -07:00
14 changed files with 73 additions and 34 deletions

View File

@ -47,7 +47,6 @@
#### [User Account Control security policy settings](user-account-control\user-account-control-security-policy-settings.md)
#### [User Account Control Group Policy and registry key settings](user-account-control\user-account-control-group-policy-and-registry-key-settings.md)
### [Virtual Smart Cards](virtual-smart-cards\virtual-smart-card-overview.md)
### [Virtual Smart Cards](virtual-smart-cards\virtual-smart-card-overview.md)
#### [Understanding and Evaluating Virtual Smart Cards](virtual-smart-cards\virtual-smart-card-understanding-and-evaluating.md)
##### [Get Started with Virtual Smart Cards: Walkthrough Guide](virtual-smart-cards\virtual-smart-card-get-started.md)
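Review bot: the removed line is a verbatim duplicate of the `### [Virtual Smart Cards](virtual-smart-cards\virtual-smart-card-overview.md)` entry directly above it, so the TOC keeps a single link to the overview and the `####`/`#####` children still hang off it; a straightforward dedup with no other change.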

View File

@ -26,26 +26,29 @@ See also Knowledge Base articles [KB4015219](https://support.microsoft.com/en-us
[KB4015221](https://support.microsoft.com/en-us/help/4015221/windows-10-update-kb4015221)
The following issue is under investigation. For available workarounds, see the following Knowledge Base article:
- [Installing AppSense Environment Manager on Windows 10 machines causes LsaIso.exe to exhibit high CPU usage when Credential Guard is enabled](http://www.appsense.com/kb/160525073917945) *
- [Installing AppSense Environment Manager on Windows 10 machines causes LSAiso.exe to exhibit high CPU usage when Credential Guard is enabled](http://www.appsense.com/kb/160525073917945) * <sup>[1]</sup>
*Registration required to access this article.
*Registration required to access this article.
<sup>[1]</sup> For further technical information on LSAiso.exe, see this MSDN article: [Isolated User Mode (IUM) Processes](https://msdn.microsoft.com/library/windows/desktop/mt809132(v=vs.85).aspx)
The following issue affects Cisco AnyConnect Secure Mobility Client:
- [Blue screen on Windows 10 computers running Device Guard and Credential Guard with Cisco Anyconnect 4.3.04027](https://quickview.cloudapps.cisco.com/quickview/bug/CSCvc66692)**
**Registration required to access this article.
**Registration required to access this article.
Products that connect to Virtualization Based Security (VBS) protected processes can cause Credential Guard-enabled Windows 10 clients to exhibit high CPU usage. For further information, see the following Knowledge Base articles:
Products that connect to Virtualization Based Security (VBS) protected processes can cause Credential Guard-enabled Windows 10 clients to exhibit high CPU usage. For further information, see the following Knowledge Base article:
- KB88869: [Windows 10 machines exhibit high CPU usage with McAfee Application and Change Control (MACC) installed when Credential Guard is enabled](https://kc.mcafee.com/corporate/index?page=content&id=KB88869)
The following issue is under investigation:
- Windows 10 machines exhibit high CPU usage with Citrix applications installed when Credential Guard is enabled.
Microsoft is currently working with Citrix to investigate this issue.
## Vendor support
See the following article on Citrix support for Secure Boot:
- [Citrix Support for Secure Boot](https://www.citrix.com/blogs/2016/12/08/windows-server-2016-hyper-v-secure-boot-support-now-available-in-xenapp-7-12/)
Credential Guard is not supported by either these products, products versions, computer systems, or Windows 10 versions:
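Review bot: the AppSense bullet changes the process name from `LsaIso.exe` to `LSAiso.exe`, which is the wrong casing; the Credential Guard isolated LSA process is `LsaIso.exe`, as the old line already had it, and mixing the two spellings in one known-issues list hurts searchability. Keep `LsaIso.exe` in the bullet and in the new footnote, and attach the `<sup>[1]</sup>` marker to the name itself rather than after the registration asterisk. The footnote to the Isolated User Mode (IUM) article is a good addition, because the paragraph further down ("Products that connect to Virtualization Based Security (VBS) protected processes can cause ... high CPU usage") describes the same root cause for the McAfee and Citrix items, so consider pointing those at footnote [1] too. The "Knowledge Base articles" to "article" fix is correct now that only KB88869 follows.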

View File

@ -287,15 +287,19 @@ You can prevent Windows from setting the time automatically.
-or-
- Create a REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters\\Type** with a value of **NoSync**.
After that, configure the following:
- Disable the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **System** &gt; **Enable Windows NTP Server** &gt; **Windows Time Service** &gt; **Configure Windows NTP Client**
> [!NOTE]
> This is only available on Windows 10, version 1703 and later.
-or -
- Create a new REG\_DWORD registry setting **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\W32time\\TimeProviders\\NtpClient!Enabled** to 0 (zero).
- Create a new REG\_DWORD registry setting **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\W32time\\TimeProviders\\NtpClient!Enabled** and set it to 0 (zero).
-or-
- Create a REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters\\Type** with a value of **NoSync**.
### <a href="" id="bkmk-devinst"></a>4. Device metadata retrieval
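Review bot: the Group Policy path in the "Disable the Group Policy" bullet is wrong: "Enable Windows NTP Server" is a policy setting, not a folder, and the setting lives under **Computer Configuration** &gt; **Administrative Templates** &gt; **System** &gt; **Windows Time Service** &gt; **Time Providers** &gt; **Configure Windows NTP Client**. The hunk also leaves the "-or-" plus "Create a REG\_SZ registry setting in ...\\W32Time\\Parameters\\Type with a value of NoSync" pair appearing twice (once before "After that, configure the following:" and again after the NtpClient!Enabled bullet), so one copy should be dropped. "and set it to 0 (zero)" is the better wording. One caveat belongs in the surrounding text: with the NTP client disabled and Type set to NoSync, a domain-joined machine no longer corrects clock drift, and Kerberos rejects tickets outside the default five-minute skew, so this should only be applied where another time source is configured.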
@ -392,7 +396,6 @@ Use Group Policy to manage settings for Internet Explorer. You can find the Int
| Turn on Suggested Sites| Choose whether an employee can configure Suggested Sites. <br /> Default: Enabled <br /> You can also turn this off in the UI by clearing the **Internet Options** &gt; **Advanced** &gt; **Enable Suggested Sites** check box.|
| Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | Choose whether an employee can configure enhanced suggestions, which are presented to the employee as they type in the address bar. <br /> Default: Enabled|
| Turn off the auto-complete feature for web addresses | Choose whether auto-complete suggests possible matches when employees are typing web address in the address bar. <br /> Default: Disabled </br> You can also turn this off in the UI by clearing the <strong>Internet Options</strong> &gt; **Advanced** &gt; **Use inline AutoComplete in the Internet Explorer Address Bar and Open Dialog** check box.|
| Disable Periodic Check for Internet Explorer software updates| Choose whether Internet Explorer periodically checks for a new version. <br /> Default: Enabled |
| Turn off browser geolocation | Choose whether websites can request location data from Internet Explorer. <br /> Default: Disabled|
| Prevent managing SmartScreen filter | Choose whether employees can manage the SmartScreen Filter in Internet Explorer. <br /> Default: Disabled |
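Review bot: dropping the "Disable Periodic Check for Internet Explorer software updates" row removes a real policy from the table without any replacement text; if the intent is that the setting no longer controls a network connection on Windows 10 (IE updates arriving only through Windows Update), say so in the intro above the table, otherwise the reader loses the only reference to it. The matching registry row (`Infodelivery\Restrictions!NoUpdateCheck`) is removed in the next hunk, so the two tables at least stay consistent.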
@ -403,7 +406,6 @@ Alternatively, you could use the registry to set the Group Policies.
| Turn on Suggested Sites| HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Suggested Sites!Enabled <br /> REG_DWORD: 0|
| Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\AllowServicePoweredQSA <br /> REG_DWORD: 0|
| Turn off the auto-complete feature for web addresses | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Explorer\\AutoComplete!AutoSuggest<br /> REG_SZ: **No** |
| Disable Periodic Check for Internet Explorer software updates| HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Infodelivery\\Restrictions!NoUpdateCheck<br /> REG_DWORD: 1 |
| Turn off browser geolocation | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Geolocation!PolicyDisableGeolocation <br /> REG_DWORD: 1 |
| Prevent managing SmartScreen filter | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\ Internet Explorer\\PhishingFilter!EnabledV9 <br /> REG_DWORD: 0 |
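Review bot: the "Prevent managing SmartScreen filter" context line carries a malformed key, `...\Microsoft\ Internet Explorer\PhishingFilter!EnabledV9` (single backslash followed by a space), where every other row in this table uses `\\Internet Explorer`; since this hunk already edits the table, fix it here so the path can be pasted into `reg add`. Removing the `Infodelivery\Restrictions!NoUpdateCheck` row matches the policy-table row removed above.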
@ -510,8 +512,8 @@ Find the Microsoft Edge Group Policy objects under **Computer Configuration** &g
| Configure search suggestions in Address bar | Choose whether the address bar shows search suggestions. <br /> Default: Enabled |
| Configure Windows Defender SmartScreen Filter (Windows 10, version 1703) <br/> Configure SmartScreen Filter (Windows Server 2016) | Choose whether Windows Defender SmartScreen is turned on or off. <br /> Default: Enabled |
| Allow web content on New Tab page | Choose whether a new tab page appears. <br /> Default: Enabled |
| Configure Start pages | Choose the Start page for domain-joined devices. <br /> Set this to **about:blank** |
| Prevent the First Run webpage from opening pages | Choose whether employees see the First Run webpage. <br /> Default: Enabled |
| Configure Start pages | Choose the Start page for domain-joined devices. <br /> Set this to **\<about:blank\>** |
| Prevent the First Run webpage from opening on Microsoft Edge | Choose whether employees see the First Run webpage. <br /> Default: Disabled |
The Windows 10, version 1511 Microsoft Edge Group Policy names are:
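Review bot: the Start-page value change to `\<about:blank\>` is correct for this policy; the Microsoft Edge "Configure Start pages" policy takes a list of URLs each wrapped in angle brackets, so a bare `about:blank` is not parsed, and the backslash escaping is needed so markdown renders the brackets instead of swallowing `<about:blank>` as an HTML tag. The First Run row is a substantive change, not just a rename: the default flips from Enabled to Disabled, which is right (unless the policy is set, the First Run webpage opens), but a default flipped inside a merge commit is easy to miss, so call it out in the change description.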

View File

@ -19,7 +19,7 @@ localizationpriority: high
In your organization, you might have different configuration requirements for devices that you manage. You can create separate provisioning packages for each group of devices in your organization that have different requirements. Or, you can create a multivariant provisioning package, a single provisioning package that can work for multiple conditions. For example, in a single provisioning package, you can define one set of customization settings that will apply to devices set up for French and a different set of customization settings for devices set up for Japanese.
To provision multivariant settings, you use Windows Imaging and Configuration Designer (ICD) to create a provisioning package that contains all of the customization settings that you want to apply to any of your devices. Next, you manually edit the .XML file for that project to define each set of devices (a **Target**). For each **Target**, you specify at least one **Condition** with a value, which identifies the devices to receive the configuration. Finally, for each **Target**, you provide the customization settings to be applied to those devices.
To provision multivariant settings, you use Windows Configuration Designer to create a provisioning package that contains all of the customization settings that you want to apply to any of your devices. Next, you manually edit the .XML file for that project to define each set of devices (a **Target**). For each **Target**, you specify at least one **Condition** with a value, which identifies the devices to receive the configuration. Finally, for each **Target**, you provide the customization settings to be applied to those devices.
Let's begin by learning how to define a **Target**.
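Review bot: the rename from "Windows Imaging and Configuration Designer (ICD)" to "Windows Configuration Designer" is right for the version 1703 tooling, but the new sentence drops the "(ICD)" abbreviation that the rest of this topic may still rely on; grep the topic and the linked `provisioning-command-line.md` for remaining "ICD" references so the name is consistent throughout. The procedure itself (edit the project's customizations XML, define a **Target** with at least one **Condition**) is unchanged.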
@ -258,7 +258,7 @@ Follow these steps to create a provisioning package with multivariant capabiliti
6. Save the updated customizations.xml file and note the path to this updated file. You will need the path as one of the values for the next step.
7. Use the [Windows ICD command-line interface](provisioning-command-line.md) to create a provisioning package using the updated customizations.xml.
7. Use the [Windows Configuration Designer command-line interface](provisioning-command-line.md) to create a provisioning package using the updated customizations.xml.
For example:

View File

@ -12,7 +12,6 @@
#### [Monitor app usage with AppLocker](applocker\monitor-application-usage-with-applocker.md)
#### [Manage packaged apps with AppLocker](applocker\manage-packaged-apps-with-applocker.md)
#### [Working with AppLocker rules](applocker\working-with-applocker-rules.md)
#### [Working with AppLocker rules](applocker\working-with-applocker-rules.md)
##### [Create a rule that uses a file hash condition](applocker\create-a-rule-that-uses-a-file-hash-condition.md)
##### [Create a rule that uses a path condition](applocker\create-a-rule-that-uses-a-path-condition.md)
##### [Create a rule that uses a publisher condition](applocker\create-a-rule-that-uses-a-publisher-condition.md)
@ -561,6 +560,7 @@
##### [Network access: Remotely accessible registry paths](security-policy-settings/network-access-remotely-accessible-registry-paths.md)
##### [Network access: Remotely accessible registry paths and subpaths](security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md)
##### [Network access: Restrict anonymous access to Named Pipes and Shares](security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md)
##### [Network access: Restrict clients allowed to make remote calls to SAM](security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md)
##### [Network access: Shares that can be accessed anonymously](security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md)
##### [Network access: Sharing and security model for local accounts](security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md)
##### [Network security: Allow Local System to use computer identity for NTLM](security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md)
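Review bot: the new "Network access: Restrict clients allowed to make remote calls to SAM" entry sits in the correct alphabetical slot between "Restrict anonymous access to Named Pipes and Shares" and "Shares that can be accessed anonymously", and the file name follows the existing `network-access-*` pattern; verify that `security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md` exists on this branch, since only its trailing link list is touched elsewhere in this merge.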

View File

@ -151,3 +151,4 @@ If the policy is defined, admin tools, scripts and software that formerly enumer
[SAMRi10 - Hardening SAM Remote Access in Windows 10/Server 2016](https://gallery.technet.microsoft.com/SAMRi10-Hardening-Remote-48d94b5b)
<br>
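Review bot: the SAMRi10 link is a useful pointer (it is the script for hardening remote SAM access on Windows 10 and Server 2016, which is exactly what the policy in this topic controls), but the trailing `<br>` line is stray markup that only adds an empty line in rendered output; drop it and present the link with the same list style the topic uses for its other related links.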

View File

@ -28,7 +28,7 @@ You can use a dedicated command-line tool to perform various functions in Window
This utility can be useful when you want to automate the use of Windows Defender Antivirus.
The utility is available in _%Program Files%\Windows Defender\MpCmdRun.exe_ and must be run from a command prompt.
The utility is available in _%ProgramFiles%\Windows Defender\MpCmdRun.exe_ and must be run from a command prompt.
> [!NOTE]
> You may need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
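Review bot: `%ProgramFiles%` is the correct environment variable (`%Program Files%` is not defined, so the old path would never expand); good fix. Because the expanded path contains a space, the note below could show the invocation quoted, `"%ProgramFiles%\Windows Defender\MpCmdRun.exe"`, which is how it has to be typed from the command prompt.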
@ -51,6 +51,7 @@ Command | Description
\-ListAllDynamicSignature [-Path] | Lists the loaded dynamic signatures
\-RemoveDynamicSignature [-SignatureSetID] | Removes a dynamic signature
\-ValidateMapsConnection | Used to validate connection to the [cloud-delivered protection service](configure-network-connections-windows-defender-antivirus.md)
\-SignatureUpdate [-UNC [-Path <path>]] | Checks for new definition updates
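Review bot: the literal `<path>` in the new `-SignatureUpdate` row will be treated as an HTML tag by the markdown renderer and vanish from the table; write it as `\<path\>` (the escaping this commit already uses for `\<about:blank\>`) or in backticks. The description could also say what the optional switches do: `-UNC` pulls definitions from a UNC file share instead of the online source, and `-Path` names that share for this run, so a reader knows when to reach for them.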

View File

@ -146,6 +146,8 @@ Use the following argument with the Windows Defender AV command line utility (*m
```DOS
MpCmdRun - ValidateMapsConnection
```
> [!NOTE]
> You may need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
See [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender Antivirus](command-line-arguments-windows-defender-antivirus.md) for more information on how to use the *mpcmdrun.exe* utility.
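Review bot: the command in the fenced block above the new note, `MpCmdRun - ValidateMapsConnection`, has a space between the dash and the switch, so it is not a valid argument; it should be `MpCmdRun -ValidateMapsConnection`, matching the `-ValidateMapsConnection` row in the command-line table, and since this hunk edits directly below it the fix belongs here. The added admin-prompt note duplicates the one in the command-line topic, which is fine, but `MpCmdRun.exe` is not on PATH, so the example should either use the full `%ProgramFiles%\Windows Defender\MpCmdRun.exe` path or tell the reader to change to that directory first.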