From 97c40f1136179bdbeab5460fcfa4517cfad045f3 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 20 Jul 2016 11:45:31 -0700 Subject: [PATCH] task# 6907269 --- windows/keep-secure/TOC.md | 3 --- ...g-a-device-guard-policy-for-signed-apps.md | 2 +- windows/keep-secure/credential-guard.md | 19 ++++++++++--------- ...vice-guard-certification-and-compliance.md | 2 +- ...o-run-on-device-guard-protected-devices.md | 2 +- .../whats-new-windows-10-version-1607.md | 5 ++++- 6 files changed, 17 insertions(+), 16 deletions(-) diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index a0f4c9ecd3..eabba964c1 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -1,8 +1,5 @@ # [Keep Windows 10 secure](index.md) ## [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) -## [Device Guard certification and compliance](device-guard-certification-and-compliance.md) -### [Get apps to run on Device Guard-protected devices](getting-apps-to-run-on-device-guard-protected-devices.md) -### [Create a Device Guard code integrity policy based on a reference device](creating-a-device-guard-policy-for-signed-apps.md) ## [Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) ### [Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) ### [Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md) diff --git a/windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md b/windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md index fdf497e545..6d70cbad2b 100644 --- a/windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md +++ b/windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md @@ -1,5 +1,5 @@ --- title: Create a Device Guard code integrity policy based on a reference device (Windows 10) -redirect_url: device-guard-deployment-guide.md +redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/device-guard-deployment-guide --- diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 3974a748e2..ec7cb18cf2 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -144,9 +144,8 @@ First, you must add the virtualization-based security features. You can do this **Add the virtualization-based security features by using Programs and Features** 1. Open the Programs and Features control panel. 2. Click **Turn Windows feature on or off**. -3. Select the **Isolated User Mode** check box. -4. Go to **Hyper-V** -> **Hyper-V Platform**, and then select the **Hyper-V Hypervisor** check box. -5. Click **OK**. +3. Go to **Hyper-V** -> **Hyper-V Platform**, and then select the **Hyper-V Hypervisor** check box. +4. Click **OK**. **Add the virtualization-based security features to an offline image by using DISM** 1. Open an elevated command prompt. @@ -154,12 +153,14 @@ First, you must add the virtualization-based security features. You can do this ``` syntax dism /image: /Enable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /all ``` -3. Add Isolated User Mode by running the following command: - ``` syntax - dism /image: /Enable-Feature /FeatureName:IsolatedUserMode - ``` > **Note:**  You can also add these features to an online image by using either DISM or Configuration Manager. -  + + +In Windows 10, version 1607, Isolated User Mode is included with Hyper-V and does not need to be installed separately. If you're running a version of Windows 10 that's earlier than Windows 10, version 1607, you can run the following command to install Isolated User Mode: + +``` syntax +dism /image: /Enable-Feature /FeatureName:IsolatedUserMode +``` ### Turn on Credential Guard If you don't use Group Policy, you can enable Credential Guard by using the registry. @@ -203,7 +204,7 @@ If you have to remove Credential Guard on a PC, you need to do the following: 3. Accept the prompt to disable Credential Guard. 4. Alternatively, you can disable the virtualization-based security features to turn off Credential Guard. -> **Note: ** The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. If you want to turn off both Credential Guard and virtualization-based security, run the following bcdedit command after turning off all virtualization-based security Group Policy and registry settings: bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS +> **Note:** The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. If you want to turn off both Credential Guard and virtualization-based security, run the following bcdedit command after turning off all virtualization-based security Group Policy and registry settings: bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS For more info on virtualization-based security and Device Guard, see [Device Guard deployment guide](device-guard-deployment-guide.md).   diff --git a/windows/keep-secure/device-guard-certification-and-compliance.md b/windows/keep-secure/device-guard-certification-and-compliance.md index 5e60c5e980..566a6df4da 100644 --- a/windows/keep-secure/device-guard-certification-and-compliance.md +++ b/windows/keep-secure/device-guard-certification-and-compliance.md @@ -1,4 +1,4 @@ --- title: Device Guard certification and compliance (Windows 10) -redirect_url: device-guard-deployment-guide.md +redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/device-guard-deployment-guide --- diff --git a/windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md b/windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md index 542e85c56f..88a3f076b6 100644 --- a/windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md +++ b/windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md @@ -1,4 +1,4 @@ --- title: Get apps to run on Device Guard-protected devices (Windows 10) -redirect_url: device-guard-deployment-guide.md +redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/device-guard-deployment-guide --- diff --git a/windows/whats-new/whats-new-windows-10-version-1607.md b/windows/whats-new/whats-new-windows-10-version-1607.md index a92065f467..e93467c542 100644 --- a/windows/whats-new/whats-new-windows-10-version-1607.md +++ b/windows/whats-new/whats-new-windows-10-version-1607.md @@ -31,6 +31,10 @@ Windows ICD now includes simplified workflows for creating provisioning packages ## Security +### Credential Guard and Device Guard + +Isolated User Mode is now included with Hyper-V so you don't have to install it separately. + ### Windows Hello for Business When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name in Windows 10, version 1607. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. @@ -50,7 +54,6 @@ Additional changes for Windows Hello in Windows 10, version 1607: - New VPNv2 configuration service provider (CSP) adds configuration settings. For details, see [What's new in MDM enrollment and management](https://msdn.microsoft.com/en-us/library/windows/hardware/mt299056%28v=vs.85%29.aspx#whatsnew_1607) - Microsoft Intune: *VPN Profile (Windows 10 Desktop and Mobile and later)* policy template includes support for native VPN plug-ins. -   ## Management