mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-18 20:03:40 +00:00
task# 6907269
@ -1,8 +1,5 @@
|
|||||||
# [Keep Windows 10 secure](index.md)
|
# [Keep Windows 10 secure](index.md)
|
||||||
## [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md)
|
## [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md)
|
||||||
## [Device Guard certification and compliance](device-guard-certification-and-compliance.md)
|
|
||||||
### [Get apps to run on Device Guard-protected devices](getting-apps-to-run-on-device-guard-protected-devices.md)
|
|
||||||
### [Create a Device Guard code integrity policy based on a reference device](creating-a-device-guard-policy-for-signed-apps.md)
|
|
||||||
## [Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md)
|
## [Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md)
|
||||||
### [Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md)
|
### [Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md)
|
||||||
### [Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md)
|
### [Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md)
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
---
|
---
|
||||||
title: Create a Device Guard code integrity policy based on a reference device (Windows 10)
|
title: Create a Device Guard code integrity policy based on a reference device (Windows 10)
|
||||||
redirect_url: device-guard-deployment-guide.md
|
redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/device-guard-deployment-guide
|
||||||
---
|
---
|
||||||
|
|
||||||
|
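Review bot: The new `redirect_url` value in this front matter hard-codes an absolute technet.microsoft.com address that includes the `en-us` locale segment, so a reader arriving from a localized copy of the stub is sent to the English guide. The previous value, `device-guard-deployment-guide.md`, was relative to the repository. If the publishing system needs an absolute target, say so in the commit message, which currently carries only a task number, and consider a locale-neutral path. The same value is repeated in the two other redirect stubs in this commit, so whatever is decided should be applied to all three.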
@ -144,9 +144,8 @@ First, you must add the virtualization-based security features. You can do this
|
|||||||
**Add the virtualization-based security features by using Programs and Features**
|
**Add the virtualization-based security features by using Programs and Features**
|
||||||
1. Open the Programs and Features control panel.
|
1. Open the Programs and Features control panel.
|
||||||
2. Click **Turn Windows feature on or off**.
|
2. Click **Turn Windows feature on or off**.
|
||||||
3. Select the **Isolated User Mode** check box.
|
3. Go to **Hyper-V** -> **Hyper-V Platform**, and then select the **Hyper-V Hypervisor** check box.
|
||||||
4. Go to **Hyper-V** -> **Hyper-V Platform**, and then select the **Hyper-V Hypervisor** check box.
|
4. Click **OK**.
|
||||||
5. Click **OK**.
|
|
||||||
|
|
||||||
**Add the virtualization-based security features to an offline image by using DISM**
|
**Add the virtualization-based security features to an offline image by using DISM**
|
||||||
1. Open an elevated command prompt.
|
1. Open an elevated command prompt.
|
||||||
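Review bot: Step 3, "Select the **Isolated User Mode** check box", is deleted from the Programs and Features procedure with no version qualifier, but the paragraph this commit adds further down says releases earlier than Windows 10, version 1607 still need Isolated User Mode installed. As written, an admin on an earlier release who follows the GUI steps enables only the Hyper-V Hypervisor. Suggest keeping the step with a qualifier such as "(versions earlier than 1607 only)", or adding a sentence after the list that points those readers to the feature. Separately, the unchanged step 2 reads "Turn Windows feature on or off"; the control panel link is "Turn Windows features on or off".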
@ -154,12 +153,14 @@ First, you must add the virtualization-based security features. You can do this
|
|||||||
``` syntax
|
``` syntax
|
||||||
dism /image:<WIM file name> /Enable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /all
|
dism /image:<WIM file name> /Enable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /all
|
||||||
```
|
```
|
||||||
3. Add Isolated User Mode by running the following command:
|
|
||||||
``` syntax
|
|
||||||
dism /image:<WIM file name> /Enable-Feature /FeatureName:IsolatedUserMode
|
|
||||||
```
|
|
||||||
> **Note:** You can also add these features to an online image by using either DISM or Configuration Manager.
|
> **Note:** You can also add these features to an online image by using either DISM or Configuration Manager.
|
||||||
|
|
||||||
|
|
||||||
|
In Windows 10, version 1607, Isolated User Mode is included with Hyper-V and does not need to be installed separately. If you're running a version of Windows 10 that's earlier than Windows 10, version 1607, you can run the following command to install Isolated User Mode:
|
||||||
|
|
||||||
|
``` syntax
|
||||||
|
dism /image:<WIM file name> /Enable-Feature /FeatureName:IsolatedUserMode
|
||||||
|
```
|
||||||
### Turn on Credential Guard
|
### Turn on Credential Guard
|
||||||
|
|
||||||
If you don't use Group Policy, you can enable Credential Guard by using the registry.
|
If you don't use Group Policy, you can enable Credential Guard by using the registry.
|
||||||
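Review bot: The added paragraph after the Note says that on releases earlier than version 1607 "you can run the following command to install Isolated User Mode", which makes optional what the removed step 3 ("Add Isolated User Mode by running the following command") presented as part of the procedure. Suggest "you must also run" so readers on earlier releases do not skip it. The paragraph also sits after the Note about online images and outside the numbered list, while its command uses `/image:<WIM file name>`; moving it directly under step 2, before the Note, keeps the offline-image steps together.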
@ -203,7 +204,7 @@ If you have to remove Credential Guard on a PC, you need to do the following:
|
|||||||
3. Accept the prompt to disable Credential Guard.
|
3. Accept the prompt to disable Credential Guard.
|
||||||
4. Alternatively, you can disable the virtualization-based security features to turn off Credential Guard.
|
4. Alternatively, you can disable the virtualization-based security features to turn off Credential Guard.
|
||||||
|
|
||||||
> **Note: ** The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. If you want to turn off both Credential Guard and virtualization-based security, run the following bcdedit command after turning off all virtualization-based security Group Policy and registry settings: bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
|
> **Note:** The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. If you want to turn off both Credential Guard and virtualization-based security, run the following bcdedit command after turning off all virtualization-based security Group Policy and registry settings: bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
|
||||||
|
|
||||||
For more info on virtualization-based security and Device Guard, see [Device Guard deployment guide](device-guard-deployment-guide.md).
|
For more info on virtualization-based security and Device Guard, see [Device Guard deployment guide](device-guard-deployment-guide.md).
|
||||||
|
|
||||||
|
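Review bot: The changed Note line fixes the `**Note: **` marker but leaves the bcdedit command embedded in the running sentence, where the braced GUID and the `DISABLE-LSA-ISO,DISABLE-VBS` load options are easy to truncate when copied. The DISM commands earlier in this topic each sit in their own `syntax` fence; suggest doing the same here. The Note also joins two unrelated statements, the one-time domain controller access needed for EFS content and the instruction for turning off virtualization-based security, which would read more clearly as two separate notes.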
@ -1,4 +1,4 @@
|
|||||||
---
|
---
|
||||||
title: Device Guard certification and compliance (Windows 10)
|
title: Device Guard certification and compliance (Windows 10)
|
||||||
redirect_url: device-guard-deployment-guide.md
|
redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/device-guard-deployment-guide
|
||||||
---
|
---
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
---
|
---
|
||||||
title: Get apps to run on Device Guard-protected devices (Windows 10)
|
title: Get apps to run on Device Guard-protected devices (Windows 10)
|
||||||
redirect_url: device-guard-deployment-guide.md
|
redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/device-guard-deployment-guide
|
||||||
---
|
---
|
||||||
|
@ -31,6 +31,10 @@ Windows ICD now includes simplified workflows for creating provisioning packages
|
|||||||
|
|
||||||
## Security
|
## Security
|
||||||
|
|
||||||
|
### Credential Guard and Device Guard
|
||||||
|
|
||||||
|
Isolated User Mode is now included with Hyper-V so you don't have to install it separately.
|
||||||
|
|
||||||
### Windows Hello for Business
|
### Windows Hello for Business
|
||||||
|
|
||||||
When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name in Windows 10, version 1607. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.
|
When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name in Windows 10, version 1607. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.
|
||||||
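Review bot: The new "Credential Guard and Device Guard" subsection is a single sentence that names neither feature and links to nothing, so a reader cannot tell which procedure changes for them. Suggest stating the consequence (no separate Isolated User Mode install step when adding the virtualization-based security features) and linking to the Credential Guard topic and the Device Guard deployment guide, where the updated steps live.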
@ -50,7 +54,6 @@ Additional changes for Windows Hello in Windows 10, version 1607:
|
|||||||
- New VPNv2 configuration service provider (CSP) adds configuration settings. For details, see [What's new in MDM enrollment and management](https://msdn.microsoft.com/en-us/library/windows/hardware/mt299056%28v=vs.85%29.aspx#whatsnew_1607)
|
- New VPNv2 configuration service provider (CSP) adds configuration settings. For details, see [What's new in MDM enrollment and management](https://msdn.microsoft.com/en-us/library/windows/hardware/mt299056%28v=vs.85%29.aspx#whatsnew_1607)
|
||||||
- Microsoft Intune: *VPN Profile (Windows 10 Desktop and Mobile and later)* policy template includes support for native VPN plug-ins.
|
- Microsoft Intune: *VPN Profile (Windows 10 Desktop and Mobile and later)* policy template includes support for native VPN plug-ins.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
## Management
|
## Management
|
||||||
|
|
||||||
|