Mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git (synced 2025-05-12 13:27:23 +00:00)

Commit 89fbbdd86b: Merge branch 'master' into policy-csp-updates
@ -136,45 +136,45 @@ The SasUrl value is the target URI to which the CSP uploads the zip file contain
|
||||
- Expected input value: The full command line including path and any arguments, such as `%windir%\\system32\\ipconfig.exe /all`.
|
||||
- Output format: Console text output from the command is captured in a text file and included in the overall output archive. For commands which may generate file output rather than console output, a subsequent FolderFiles directive would be used to capture that output. The example XML above demonstrates this pattern with mdmdiagnosticstool.exe's -out parameter.
|
||||
- Privacy guardrails: To enable diagnostic data capture while reducing the risk of an IT admin inadvertently capturing user-generated documents, only the following commands are allowed:
|
||||
- %windir%\\system32\\certutil.exe
|
||||
- %windir%\\system32\\dxdiag.exe
|
||||
- %windir%\\system32\\gpresult.exe
|
||||
- %windir%\\system32\\msinfo32.exe
|
||||
- %windir%\\system32\\netsh.exe
|
||||
- %windir%\\system32\\nltest.exe
|
||||
- %windir%\\system32\\ping.exe
|
||||
- %windir%\\system32\\powercfg.exe
|
||||
- %windir%\\system32\\w32tm.exe
|
||||
- %windir%\\system32\\wpr.exe
|
||||
- %windir%\\system32\\dsregcmd.exe
|
||||
- %windir%\\system32\\dispdiag.exe
|
||||
- %windir%\\system32\\ipconfig.exe
|
||||
- %windir%\\system32\\logman.exe
|
||||
- %windir%\\system32\\tracelog.exe
|
||||
- %programfiles%\\windows defender\\mpcmdrun.exe
|
||||
- %windir%\\system32\\MdmDiagnosticsTool.exe
|
||||
- %windir%\\system32\\pnputil.exe
|
||||
- %windir%\\system32\\certutil.exe
|
||||
- %windir%\\system32\\dxdiag.exe
|
||||
- %windir%\\system32\\gpresult.exe
|
||||
- %windir%\\system32\\msinfo32.exe
|
||||
- %windir%\\system32\\netsh.exe
|
||||
- %windir%\\system32\\nltest.exe
|
||||
- %windir%\\system32\\ping.exe
|
||||
- %windir%\\system32\\powercfg.exe
|
||||
- %windir%\\system32\\w32tm.exe
|
||||
- %windir%\\system32\\wpr.exe
|
||||
- %windir%\\system32\\dsregcmd.exe
|
||||
- %windir%\\system32\\dispdiag.exe
|
||||
- %windir%\\system32\\ipconfig.exe
|
||||
- %windir%\\system32\\logman.exe
|
||||
- %windir%\\system32\\tracelog.exe
|
||||
- %programfiles%\\windows defender\\mpcmdrun.exe
|
||||
- %windir%\\system32\\MdmDiagnosticsTool.exe
|
||||
- %windir%\\system32\\pnputil.exe
|
||||
|
||||
- **FoldersFiles**
|
||||
- Captures log files from a given path (without recursion).
|
||||
- Expected input value: File path with or without wildcards, such as "%windir%\\System32", or "%programfiles%\\*.log".
|
||||
- Privacy guardrails: To enable diagnostic log capture while reducing the risk of an IT admin inadvertently capturing user-generated documents, only paths under the following roots are allowed:
|
||||
- %PROGRAMFILES%
|
||||
- %PROGRAMDATA%
|
||||
- %PUBLIC%
|
||||
- %WINDIR%
|
||||
- %TEMP%
|
||||
- %TMP%
|
||||
- %PROGRAMFILES%
|
||||
- %PROGRAMDATA%
|
||||
- %PUBLIC%
|
||||
- %WINDIR%
|
||||
- %TEMP%
|
||||
- %TMP%
|
||||
- Additionally, only files with the following extensions are captured:
|
||||
- .log
|
||||
- .txt
|
||||
- .dmp
|
||||
- .cab
|
||||
- .zip
|
||||
- .xml
|
||||
- .html
|
||||
- .evtx
|
||||
- .etl
|
||||
- .log
|
||||
- .txt
|
||||
- .dmp
|
||||
- .cab
|
||||
- .zip
|
||||
- .xml
|
||||
- .html
|
||||
- .evtx
|
||||
- .etl
|
||||
|
||||
<a href="" id="diagnosticarchive-archiveresults"></a>**DiagnosticArchive/ArchiveResults**
|
||||
Added in version 1.4 of the CSP in Windows 10, version 1903. This policy setting displays the results of the last archive run.
|
||||
|
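Review bot: the guardrail sentence `Privacy guardrails: To enable diagnostic data capture while reducing the risk of an IT admin inadvertently capturing user-generated documents, only the following commands are allowed:` reads as a data-minimisation guarantee, but the expected input two lines above is `The full command line including path and any arguments`, and the allowed list includes certutil.exe, netsh.exe, logman.exe, tracelog.exe and wpr.exe, all of which take an output path argument and can write under %TEMP% or %WINDIR%, which a following FoldersFiles directive then collects. Add one sentence stating that the allowlist constrains the executable only, not its arguments, and that the operator remains responsible for what the command line writes. Also, the Commands, roots and extension lists are identical on both sides of this hunk, so the change looks like indentation only; check that the nested bullets still render under their parent items (`Expected input value`, `Privacy guardrails`, `Additionally, only files with the following extensions are captured:`) after the re-indent.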
@ -50,7 +50,7 @@ On **DC01**:
|
||||
2. Create the **MDT_JD** service account by running the following command from an elevated **Windows PowerShell prompt**:
|
||||
|
||||
```powershell
|
||||
New-ADUser -Name MDT_JD -UserPrincipalName MDT_JD -path "OU=Service Accounts,OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM" -Description "MDT join domain account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -PasswordNeverExpires $true -Enabled $true
|
||||
New-ADUser -Name MDT_JD -UserPrincipalName MDT_JD@contoso.com -path "OU=Service Accounts,OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM" -Description "MDT join domain account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -PasswordNeverExpires $true -Enabled $true
|
||||
```
|
||||
|
||||
3. Next, run the Set-OuPermissions script to apply permissions to the **MDT\_JD** service account, enabling it to manage computer accounts in the Contoso / Computers OU. Run the following commands from an elevated Windows PowerShell prompt:
|
||||
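Review bot: the change from `-UserPrincipalName MDT_JD` to `-UserPrincipalName MDT_JD@contoso.com` is correct, since a UPN needs the suffix to be a valid logon name and to match the `DC=CONTOSO,DC=COM` path on the same line. While this line is being touched, it still embeds the password `pass@word1` through `ConvertTo-SecureString "pass@word1" -AsPlainText -Force` and sets `-PasswordNeverExpires $true` on a domain-join service account; prefer `-AccountPassword (Read-Host -AsSecureString "MDT_JD password")` or at least add a sentence that the literal is a placeholder to be replaced with a unique, long password, and point forward to step 3 so readers know the account's rights are meant to be limited by Set-OuPermissions to the Contoso / Computers OU rather than granted more broadly.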
@ -369,9 +369,9 @@ On **MDT01**:
|
||||
2. On the **Task Sequence** tab, configure the **Windows 10 Enterprise x64 RTM Custom Image** task sequence with the following settings:
|
||||
|
||||
1. Preinstall: After the **Enable BitLocker (Offline)** action, add a **Set Task Sequence Variable** action with the following settings:
|
||||
- Name: Set DriverGroup001
|
||||
- Task Sequence Variable: DriverGroup001
|
||||
- Value: Windows 10 x64\\%Make%\\%Model%
|
||||
1. Name: Set DriverGroup001
|
||||
2. Task Sequence Variable: DriverGroup001
|
||||
3. Value: Windows 10 x64\\%Manufacturer%\\%Model%
|
||||
|
||||
2. Configure the **Inject Drivers** action with the following settings:
|
||||
- Choose a selection profile: Nothing
|
||||
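Review bot: the value changes from `Windows 10 x64\\%Make%\\%Model%` to `Windows 10 x64\\%Manufacturer%\\%Model%`, but the task sequence variables that MDT's gather step populates for the computer vendor and model are `Make` and `Model`; `Manufacturer` is not a property MDT defines by default, so the DriverGroup001 path would not resolve and the Inject Drivers action configured in the next step would find nothing to inject. Keep `%Make%` unless the rest of the guide (the Out-of-Box Drivers folder naming and the selection profile) has been changed to match. Separately, turning the Name / Task Sequence Variable / Value bullets into `1.` / `2.` / `3.` presents three fields of one action as three sequential steps; the bulleted form was clearer.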
@ -842,4 +842,4 @@ The partitions when deploying an UEFI-based machine.
|
||||
[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)<br>
|
||||
[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)<br>
|
||||
[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)<br>
|
||||
[Configure MDT settings](configure-mdt-settings.md)<br>
|
||||
[Configure MDT settings](configure-mdt-settings.md)<br>
|
||||
|
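Review bot: both sides of this hunk carry the same `[Configure MDT settings](configure-mdt-settings.md)<br>` line, so the change is whitespace or end-of-file newline only; that is fine, but as this is the last entry in the related-links list the trailing `<br>` only adds an empty line after it, so drop it on that line while here.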
@ -36,7 +36,7 @@ The features described below are no longer being actively developed, and might b
|
||||
| Language Community tab in Feedback Hub | The Language Community tab will be removed from the Feedback Hub. The standard feedback process: [Feedback Hub - Feedback](feedback-hub://?newFeedback=true&feedbackType=2) is the recommended way to provide translation feedback. | 1909 |
|
||||
| My People / People in the Shell | My People is no longer being developed. It may be removed in a future update. | 1909 |
|
||||
| Package State Roaming (PSR) | PSR will be removed in a future update. PSR allows non-Microsoft developers to access roaming data on devices, enabling developers of UWP applications to write data to Windows and synchronize it to other instantiations of Windows for that user. <br> <br>The recommended replacement for PSR is [Azure App Service](/azure/app-service/). Azure App Service is widely supported, well documented, reliable, and supports cross-platform/cross-ecosystem scenarios such as iOS, Android and web. | 1909 |
|
||||
| XDDM-based remote display driver | Starting with this release, the Remote Desktop Services uses a Windows Display Driver Model (WDDM) based Indirect Display Driver (IDD) for a single session remote desktop. The support for Windows 2000 Display Driver Model (XDDM) based remote display drivers will be removed in a future release. Independent Software Vendors that use an XDDM-based remote display driver should plan a migration to the WDDM driver model. For more information about implementing a remote indirect display driver, ISVs can reach out to [rdsdev@microsoft.com](mailto:rdsdev@microsoft.com). | 1903 |
|
||||
| XDDM-based remote display driver | Starting with this release, the Remote Desktop Services uses a Windows Display Driver Model (WDDM) based Indirect Display Driver (IDD) for a single session remote desktop. The support for Windows 2000 Display Driver Model (XDDM) based remote display drivers will be removed in a future release. Independent Software Vendors that use an XDDM-based remote display driver should plan a migration to the WDDM driver model. For more information on implementing remote display indirect display driver, check out [Updates for IddCx versions 1.4 and later](/windows-hardware/drivers/display/iddcx1.4-updates). | 1903 |
|
||||
| Taskbar settings roaming | Roaming of taskbar settings is no longer being developed and we plan to remove this capability in a future release. | 1903 |
|
||||
| Wi-Fi WEP and TKIP | Since the 1903 release, a warning message has appeared when connecting to Wi-Fi networks secured with WEP or TKIP (which are not as secure as those using WPA2 or WPA3). In a future release, any connection to a Wi-Fi network using these old ciphers will be disallowed. Wi-Fi routers should be updated to use AES ciphers, available with WPA2 or WPA3. | 1903 |
|
||||
| Windows To Go | Windows To Go is no longer being developed. <br><br>The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.| 1903 |
|
||||
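Review bot: replacing the `rdsdev@microsoft.com` mailbox with the IddCx 1.4 documentation link is the right call for a public deprecation table, but the new sentence `For more information on implementing remote display indirect display driver, check out` is missing an article and uses an informal verb; use `For more information about implementing a remote indirect display driver, see`. The version column (1903) and the `Windows 2000 Display Driver Model (XDDM)` wording are unchanged and consistent with the surrounding rows, so nothing else to change in this hunk.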
@ -70,4 +70,4 @@ The features described below are no longer being actively developed, and might b
|
||||
|TLS DHE_DSS ciphers DisabledByDefault| [TLS RC4 Ciphers](/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server) will be disabled by default in this release. | 1703 |
|
||||
|TCPChimney | TCP Chimney Offload is no longer being developed. See [Performance Tuning Network Adapters](/windows-server/networking/technologies/network-subsystem/net-sub-performance-tuning-nics). | 1703 |
|
||||
|IPsec Task Offload| [IPsec Task Offload](/windows-hardware/drivers/network/task-offload) versions 1 and 2 are no longer being developed and should not be used. | 1703 |
|
||||
|wusa.exe /uninstall /kb:####### /quiet|The wusa usage to quietly uninstall an update has been deprecated. The uninstall command with /quiet switch fails with event ID 8 in the Setup event log. Uninstalling updates quietly could be a security risk because malicious software could quietly uninstall an update in the background without user intervention.|1507 <br /> Applies to Windows Server 2016 and Windows Server 2019 as well.|
|
||||
|wusa.exe /uninstall /kb:####### /quiet|The wusa usage to quietly uninstall an update has been deprecated. The uninstall command with /quiet switch fails with event ID 8 in the Setup event log. Uninstalling updates quietly could be a security risk because malicious software could quietly uninstall an update in the background without user intervention.|1507 <br /> Applies to Windows Server 2016 and Windows Server 2019 as well.|
|
||||
|
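Review bot: the wusa.exe row is identical on both sides, so this hunk is a whitespace-only touch; while the table is open, the context row `|TLS DHE_DSS ciphers DisabledByDefault| [TLS RC4 Ciphers](...) will be disabled by default in this release. | 1703 |` labels the feature as DHE_DSS but links and describes RC4, so one of the two names is wrong and the cipher-suite name should match the linked Schannel change. In the wusa row itself, the security rationale would be clearer if it said that it is the `/uninstall /quiet` combination that fails with event ID 8 and that an interactive uninstall still works, so readers do not conclude that update removal is blocked entirely.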
@ -9,12 +9,12 @@ ms.mktglfcycl: manage
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: high
|
||||
audience: ITPro
|
||||
author: linque1
|
||||
ms.author: robsize
|
||||
manager: robsize
|
||||
author: tomlayson
|
||||
ms.author: tomlayson
|
||||
manager: riche
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.date: 12/1/2020
|
||||
ms.date: 5/21/2021
|
||||
---
|
||||
|
||||
# Manage connections from Windows 10 operating system components to Microsoft services
|
||||
@ -592,6 +592,48 @@ Alternatively, you can configure the following Registry keys as described:
|
||||
|
||||
For a complete list of the Microsoft Edge policies, see [Available policies for Microsoft Edge](/microsoft-edge/deploy/available-policies).
|
||||
|
||||
### <a href="" id="bkmk-edgegp"></a>13.2 Microsoft Edge Enterprise
|
||||
|
||||
For a complete list of the Microsoft Edge policies, see [Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](/microsoft-edge/deploy/available-policies).
|
||||
|
||||
> [!Important]
|
||||
> - The following settings are applicable to Microsoft Edge version 77 or later.
|
||||
> - For details on supported Operating Systems, see [Microsoft Edge supported Operating Systems](/deployedge/microsoft-edge-supported-operating-systems).
|
||||
> - These policies require the Microsoft Edge administrative templates to be applied. For more information on administrative templates for Microsoft Edge, see [Configure Microsoft Edge policy settings on Windows](/deployedge/configure-microsoft-edge).
|
||||
> - Devices must be domain joined for some of the policies to take effect.
|
||||
|
||||
| Policy | Group Policy Path | Registry Path |
|
||||
|----------------------------------|--------------------|---------------------------------------------|
|
||||
| **SearchSuggestEnabled** | Computer Configuration/Administrative Templates/Windows Component/Microsoft Edge - Enable search suggestions | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge |
|
||||
| | **Set to Disabled**| **REG_DWORD name: SearchSuggestEnabled Set to 0** |
|
||||
| **AutofillAddressEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge - Enable AutoFill for addresses | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge |
|
||||
| | **Set to Disabled**| **REG_DWORD name: AutofillAddressEnabled Set to 0** |
|
||||
| **AutofillCreditCardEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge - Enable AutoFill for credit cards | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge |
|
||||
| | **Set to Disabled**| **REG_DWORD name: AutofillCreditCardEnabled Set to 0** |
|
||||
| **ConfigureDoNotTrack** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge - Configure Do Not Track | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge |
|
||||
| | **Set to Enabled**| **REG_DWORD name: ConfigureDoNotTrack Set to 1** |
|
||||
| **PasswordManagerEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Password manager and protection-Enable saving passwords to the password manager | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge |
|
||||
| | **Set to Disabled**| **REG_DWORD name: PasswordManagerEnabled Set to 0** |
|
||||
| **DefaultSearchProviderEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Default search provider-Enable the default search provider | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge |
|
||||
| | **Set to Disabled**| **REG_DWORD name: DefaultSearchProviderEnabled Set to 0** |
|
||||
| **HideFirstRunExperience** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Hide the First-run experience and splash screen | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge |
|
||||
| | **Set to Enabled**| **REG_DWORD name: HideFirstRunExperience Set to 1** |
|
||||
| **SmartScreenEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/SmartScreen settings-Configure Microsoft Defender SmartScreen | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge |
|
||||
| | **Set to Disabled**| **REG_DWORD name: SmartScreenEnabled Set to 0** |
|
||||
| **NewTabPageLocation** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Startup, home page and new tab page- Configure the new tab page URL | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge |
|
||||
| | **Set to Enabled-Value “about:blank”**| **REG_SZ name: NewTabPageLocation Set to about:blank** |
|
||||
| **RestoreOnStartup** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Startup, home page and new tab page- Action to take on startup | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge |
|
||||
| | **Set to Disabled**| **REG_DWORD name: RestoreOnStartup Set to 5** |
|
||||
| **RestoreOnStartupURLs** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Startup, home page and new tab page- Sites to open when the browser starts | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge\RestoreOnStartupURLs |
|
||||
| | **Set to Disabled**| **REG_SZ name: 1 Set to about:blank** |
|
||||
| **UpdateDefault** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge Update/Applications-Update policy override default | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge\EdgeUpdate |
|
||||
| | **Set to Enabled - 'Updates disabled'**| **REG_DWORD name: UpdateDefault Set to 0** |
|
||||
| **AutoUpdateCheckPeriodMinutes** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge Update/Preferences- Auto-update check period override | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge\EdgeUpdate |
|
||||
| | **Set to Enabled - Set Value for Minutes between update checks to 0**| **REG_DWORD name: AutoUpdateCheckPeriodMinutes Set to 0** |
|
||||
| **Experimentation and Configuration Service** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge Update/Preferences- Auto-update check period override | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge\EdgeUpdate |
|
||||
| | **Set to RestrictedMode**| **REG_DWORD name: ExperimentationAndConfigurationServiceControl Set to 0** |
|
||||
|||
|
||||
|
||||
### <a href="" id="bkmk-ncsi"></a>14. Network Connection Status Indicator
|
||||
|
||||
Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to http://www.msftconnecttest.com/connecttest.txt to determine if the device can communicate with the Internet. See the [Microsoft Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/bg-p/NetworkingBlog) to learn more.
|
||||
|
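Review bot: several rows of the new 13.2 table disagree between the Group Policy column and the registry column, and two recommended values disable protections without a warning. The RestoreOnStartup row says `Set to Disabled` but its registry cell says `REG_DWORD name: RestoreOnStartup Set to 5`; a disabled policy writes no value, and 5 is the enabled option for opening the New Tab page, so the Group Policy cell should read Enabled with that option selected. The RestoreOnStartupURLs row has the same problem, since Disabled cannot produce `REG_SZ name: 1 Set to about:blank`. The `**Experimentation and Configuration Service**` row copies the Edge Update/Preferences path and the `\EdgeUpdate` key from the AutoUpdateCheckPeriodMinutes row above it; ExperimentationAndConfigurationServiceControl is a Microsoft Edge browser policy, so its Group Policy path and registry key belong under Microsoft Edge rather than Microsoft Edge Update, and the row should be named by the policy like the others. On the security side, SmartScreenEnabled set to 0 turns off phishing and malware checking in the browser, and UpdateDefault set to 0 together with AutoUpdateCheckPeriodMinutes set to 0 stops Edge from receiving security updates; the rest of this article flags such trade-offs, so add a note to those rows that they are only appropriate where another update channel and web protection are in place. Smaller points: the 13.2 intro links to `/microsoft-edge/deploy/available-policies`, the same legacy Edge page used in 13.1, although the note says these settings apply to Edge 77 or later whose policy reference lives under /deployedge/microsoft-edge-policies; the path column alternates between `Computer Configuration` and `Computer Configurations`; the registry cells have a stray space in `HKEY_LOCAL_MACHINE \SOFTWARE`; and the orphan `|||` line after the table should be removed so the table closes cleanly.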
@ -94,6 +94,9 @@ To find the PCR information, go to the end of the file.
|
||||
|
||||
## Use PCPTool to decode Measured Boot logs
|
||||
|
||||
> [!NOTE]
|
||||
> PCPTool is a Visual Studio solution, but you need to build the executable before you can start using this tool.
|
||||
|
||||
PCPTool is part of the [TPM Platform Crypto-Provider Toolkit](https://www.microsoft.com/download/details.aspx?id=52487). The tool decodes a Measured Boot log file and converts it into an XML file.
|
||||
|
||||
To download and install PCPTool, go to the Toolkit page, select **Download**, and follow the instructions.
|
||||
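Review bot: the new note says PCPTool must be built from the Visual Studio solution before use, but the paragraph two lines below still says `To download and install PCPTool, go to the Toolkit page, select **Download**, and follow the instructions.` and there is no install step for a source-only tool; reword it to say that the toolkit is downloaded, the PCPTool solution opened in Visual Studio and built, and, if the solution has more than one configuration, which one produces the executable that the next section invokes. Since the output of this tool feeds Measured Boot and attestation analysis, it is also worth stating that the toolkit download is the official Microsoft package so readers do not substitute an unverified build from elsewhere.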
@ -111,4 +114,4 @@ where the variables represent the following values:
|
||||
|
||||
The content of the XML file resembles the following.
|
||||
|
||||

|
||||

|
||||
|
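Review bot: the alt text change from `Export from TPM` to `Sample xml export` is more accurate, because the file is PCPTool output rather than something read from the TPM, but it still does not describe the image for screen-reader users; use something like `XML file produced by PCPTool from a decoded Measured Boot log` and write XML in capitals. The image path is unchanged, so the reference keeps resolving.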