deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-21 13:23:36 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'master' of https://github.com/MicrosoftDocs/windows-docs-pr into design

Browse Source
This commit is contained in:
greg-lindsay
2021-04-30 13:49:37 -07:00
parent dc81dc4246 4958b5e91e
commit 97d0720723
2 changed files with 25 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
View File

@ -37,7 +37,7 @@ This guide assumes that baseline infrastructure exists which meets the requireme
- A well-connected, working network - A well-connected, working network
- Internet access - Internet access
- Multi-factor Authentication Server to support MFA during Windows Hello for Business provisioning - Multi-factor Authentication is required during Windows Hello for Business provisioning
- Proper name resolution, both internal and external names - Proper name resolution, both internal and external names
- Active Directory and an adequate number of domain controllers per site to support authentication - Active Directory and an adequate number of domain controllers per site to support authentication
- Active Directory Certificate Services 2012 or later - Active Directory Certificate Services 2012 or later
@ -78,4 +78,4 @@ Following are the various deployment guides and models included in this topic:
Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**. Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**.
> [!NOTE] > [!NOTE]
> You need to allow access to the URL account.microsoft.com to initiate Windows Hello for Business provisioning. This URL launches the subsequent steps in the provisioning process and is required to successfully complete Windows Hello for Business provisioning. This URL does not require any authentication and as such, does not collect any user data. > You need to allow access to the URL account.microsoft.com to initiate Windows Hello for Business provisioning. This URL launches the subsequent steps in the provisioning process and is required to successfully complete Windows Hello for Business provisioning. This URL does not require any authentication and as such, does not collect any user data.

27
windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md
View File

@ -28,13 +28,12 @@ This topic describes how to deploy Windows Defender Application Control (WDAC) p
> [!NOTE] > [!NOTE]
> To use this procedure, download and distribute the [WDAC policy refresh tool](https://aka.ms/refreshpolicy) to all managed endpoints. Ensure your WDAC policies allow the WDAC policy refresh tool or use a managed installer to distribute the tool. > To use this procedure, download and distribute the [WDAC policy refresh tool](https://aka.ms/refreshpolicy) to all managed endpoints. Ensure your WDAC policies allow the WDAC policy refresh tool or use a managed installer to distribute the tool.
## Script-based deployment process for WDAC policy ## Script-based deployment process for Windows 10 version 1903 and above
1. Initialize the variables to be used by the script. 1. Initialize the variables to be used by the script.
```powershell ```powershell
# Policy binary files should be named as {GUID}.cip for multiple policy format files (where {GUID} = <PolicyId> from the Policy XML) # Policy binary files should be named as {GUID}.cip for multiple policy format files (where {GUID} = <PolicyId> from the Policy XML)
# Single policy format binaries should be named as SiPolicy.p7b.
$PolicyBinary = "<Path to policy binary file to deploy>" $PolicyBinary = "<Path to policy binary file to deploy>"
$DestinationFolder = $env:windir+"\System32\CodeIntegrity\CIPolicies\Active\" $DestinationFolder = $env:windir+"\System32\CodeIntegrity\CIPolicies\Active\"
$RefreshPolicyTool = "<Path where RefreshPolicy.exe can be found from managed endpoints>" $RefreshPolicyTool = "<Path where RefreshPolicy.exe can be found from managed endpoints>"
@ -43,7 +42,7 @@ This topic describes how to deploy Windows Defender Application Control (WDAC) p
2. Copy WDAC policy binary to the destination folder. 2. Copy WDAC policy binary to the destination folder.
```powershell ```powershell
cp $PolicyBinary $DestinationFolder Copy-Item -Path $PolicyBinary -Destination $DestinationFolder -Force
``` ```
3. Repeat steps 1-2 as appropriate to deploy additional WDAC policies. 3. Repeat steps 1-2 as appropriate to deploy additional WDAC policies.
@ -53,4 +52,24 @@ This topic describes how to deploy Windows Defender Application Control (WDAC) p
& $RefreshPolicyTool & $RefreshPolicyTool
``` ```
5. If successful, you should see the message **Rebootless ConfigCI Policy Refreshing Succeeded!** ## Script-based deployment process for Windows 10 versions earlier than 1903
1. Initialize the variables to be used by the script.
```powershell
# Policy binary files should be named as SiPolicy.p7b for Windows 10 versions earlier than 1903
$PolicyBinary = "<Path to policy binary file to deploy>"
$DestinationBinary = $env:windir+"\System32\CodeIntegrity\SiPolicy.p7b"
```
2. Copy WDAC policy binary to the destination.
```powershell
Copy-Item -Path $PolicyBinary -Destination $DestinationBinary -Force
```
3. Refresh and activate WDAC policy using WMI
```powershell
Invoke-CimMethod -Namespace root\Microsoft\Windows\CI -ClassName PS_UpdateAndCompareCIPolicy -MethodName Update -Arguments @{FilePath = $DestinationBinary}
```