deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-28 13:17:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

from master

Browse Source
This commit is contained in:
Joey Caparas 2016-07-29 15:25:57 +10:00
parent eab21fc40c
commit 9891b674be
142 changed files with 368 additions and 480 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

58
windows/keep-secure/TOC.md
View File

@ -1,34 +1,39 @@
# [Keep Windows 10 secure](index.md)
## [Change history for Keep Windows 10 secure](change-history-for-keep-windows-10-secure.md)
## [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md)
## [Device Guard certification and compliance](device-guard-certification-and-compliance.md)
### [Get apps to run on Device Guard-protected devices](getting-apps-to-run-on-device-guard-protected-devices.md)
### [Create a Device Guard code integrity policy based on a reference device](creating-a-device-guard-policy-for-signed-apps.md)
## [Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md)
### [Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md)
### [Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md)
## [Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md)
### [Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md)
### [Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md)
### [Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md)
### [Windows Hello and password changes](microsoft-passport-and-password-changes.md)
### [Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md)
### [Event ID 300 - Windows Hello successfully created](passport-event-300.md)
### [Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md)
### [Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md)
### [Microsoft Passport and password changes](microsoft-passport-and-password-changes.md)
### [Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md)
### [Event ID 300 - Passport successfully created](passport-event-300.md)
## [Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md)
## [Configure S/MIME for Windows 10 and Windows 10 Mobile](configure-s-mime.md)
## [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md)
## [Device Guard deployment guide](device-guard-deployment-guide.md)
### [Introduction to Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md)
### [Requirements and deployment planning guidelines for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md)
### [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md)
### [Deploy Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md)
#### [Optional: Create a code signing certificate for code integrity policies](optional-create-a-code-signing-certificate-for-code-integrity-policies.md)
#### [Deploy code integrity policies: policy rules and file rules](deploy-code-integrity-policies-policy-rules-and-file-rules.md)
#### [Deploy code integrity policies: steps](deploy-code-integrity-policies-steps.md)
#### [Deploy catalog files to support code integrity policies](deploy-catalog-files-to-support-code-integrity-policies.md)
### [Deploy Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md)
## [Protect derived domain credentials with Credential Guard](credential-guard.md)
## [Protect Remote Desktop credentials with Remote Credential Guard](remote-credential-guard.md)
## [Protect your enterprise data using enterprise data protection (EDP)](protect-enterprise-data-using-edp.md)
### [Create an enterprise data protection (EDP) policy](overview-create-edp-policy.md)
#### [Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md)
##### [Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md)
##### [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md)
##### [Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune](create-vpn-and-edp-policy-using-intune.md)
#### [Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md)
## [Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md)
### [Create a Windows Information Protection (WIP) policy](overview-create-wip-policy.md)
#### [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md)
##### [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md)
##### [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md)
##### [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md)
#### [Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md)
#### [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md)
### [General guidance and best practices for enterprise data protection (EDP)](guidance-and-best-practices-edp.md)
#### [Windows Information Protection (WIP) overview](wip-enterprise-overview.md)
### [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md)
#### [Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](mandatory-settings-for-wip.md)
#### [Enlightened apps for use with enterprise data protection (EDP)](enlightened-microsoft-apps-and-edp.md)
#### [Testing scenarios for enterprise data protection (EDP)](testing-scenarios-for-edp.md)
#### [Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md)
#### [Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md)
## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md)
## [VPN profile options](vpn-profile-options.md)
## [Windows security baselines](windows-security-baselines.md)
@ -704,13 +709,8 @@
##### [Investigate a domain](investigate-domain-windows-defender-advanced-threat-protection.md)
##### [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
#### [Windows Defender ATP settings](settings-windows-defender-advanced-threat-protection.md)
#### [Configure SIEM tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md)
##### [Configure an Azure Active Directory application for SIEM integration](configure-aad-windows-defender-advanced-threat-protection.md)
##### [Configure Splunk to consume Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
##### [Configure HP ArcSight to consume Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
#### [Troubleshoot Windows Defender ATP](troubleshoot-windows-defender-advanced-threat-protection.md)
#### [Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md)
#### [Windows Defender compatibility](defender-compatibility-windows-defender-advanced-threat-protection.md)
### [Windows Defender in Windows 10](windows-defender-in-windows-10.md)
#### [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)
#### [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md)
@ -827,8 +827,6 @@
###### [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)
## [Enterprise security guides](windows-10-enterprise-security-guides.md)
### [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md)
### [Device Guard deployment guide](device-guard-deployment-guide.md)
### [Microsoft Passport guide](microsoft-passport-guide.md)
### [Windows 10 Mobile security guide](windows-10-mobile-security-guide.md)
### [Windows 10 security overview](windows-10-security-guide.md)
## [Change history for Keep Windows 10 secure](change-history-for-keep-windows-10-secure.md)

2
windows/keep-secure/add-production-devices-to-the-membership-group-for-a-zone.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
After you test the GPOs for your design on a small set of devices, you can deploy them to the production devices.

2
windows/keep-secure/add-test-devices-to-the-membership-group-for-a-zone.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
Before you deploy your rules to large numbers of devices, you must thoroughly test the rules to make sure that communications are working as expected. A misplaced WMI filter or an incorrectly typed IP address in a filter list can easily block communications between devices. Although we recommend that you set your rules to request mode until testing and deployment is complete, we also recommend that you initially deploy the rules to a small number of devices only to be sure that the correct GPOs are being processed by each device.

2
windows/keep-secure/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
You can import an XML file containing customized registry preferences into a Group Policy Object (GPO) by using the Preferences feature of the Group Policy Management Console (GPMC).

2
windows/keep-secure/assign-security-group-filters-to-the-gpo.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
To make sure that your GPO is applied to the correct computers, use the Group Policy Management MMC snap-in to assign security group filters to the GPO.

2
windows/keep-secure/basic-firewall-policy-design.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
Many organizations have a network perimeter firewall that is designed to prevent the entry of malicious traffic in to the organization's network, but do not have a host-based firewall enabled on each device in the organization.

2
windows/keep-secure/boundary-zone-gpos.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
All the devices in the boundary zone are added to the group CG\_DOMISO\_Boundary. You must create multiple GPOs to align with this group, one for each operating system that you have in your boundary zone. This group is granted Read and Apply permissions in Group Policy on the GPOs described in this section.

4
windows/keep-secure/boundary-zone.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
In most organizations, some devices must be able to receive network traffic from devices that are not part of the isolated domain, and therefore cannot authenticate. To accept communications from untrusted devices, create a boundary zone within your isolated domain.
@ -60,4 +60,4 @@ The boundary zone GPO for devices running at least Windows Server 2008 should i
>**Note:**  For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md)
**Next:**[Encryption Zone](encryption-zone.md)
**Next: **[Encryption Zone](encryption-zone.md)

2
windows/keep-secure/certificate-based-isolation-policy-design-example.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
This design example continues to use the fictitious company Woodgrove Bank, as described in the sections [Firewall Policy Design Example](firewall-policy-design-example.md), [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md), and [Server Isolation Policy Design Example](server-isolation-policy-design-example.md).

2
windows/keep-secure/certificate-based-isolation-policy-design.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
In the certificate-based isolation policy design, you provide the same types of protections to your network traffic as described in the [Domain Isolation Policy Design](domain-isolation-policy-design.md) and [Server Isolation Policy Design](server-isolation-policy-design.md) sections. The only difference is the method used to share identification credentials during the authentication of your network traffic.

20
windows/keep-secure/change-history-for-keep-windows-10-secure.md
View File

@ -12,21 +12,15 @@ author: brianlic-msft
# Change history for Keep Windows 10 secure
This topic lists new and updated topics in the [Keep Windows 10 secure](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
## RELEASE: Windows 10, version 1607
The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). The following new topics have been added:
- [Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md)
- [Remote Credential Guard](remote-credential-guard.md)
## July 2016
|New or changed topic | Description |
|----------------------|-------------|
|[Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) |Updated various topics throughout this section for new name and new UI in Microsoft Intune and System Center Configuration Manager. |
|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) |New |
|[Mandatory settings for Windows Information Protection (WIP)](mandatory-settings-for-wip.md) |New |
|[Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) |New |
|[Create an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) |New |
|[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |New |
|[Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) |New |
|[Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) (multiple topics) | Updated |
|[Device Guard deployment guide](device-guard-deployment-guide.md) (multiple topics) | Updated |
@ -35,7 +29,7 @@ The topics in this library have been updated for Windows 10, version 1607 (also
|New or changed topic | Description |
|----------------------|-------------|
|[Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) |Added an update about needing to reconfigure your enterprise data protection app rules after delivery of the June service update. |
|[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Added an update about needing to reconfigure your Windows Information Protection app rules after delivery of the June service update. |
| [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md) (multiple topics) | New |
| [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) (mutiple topics) | New security monitoring reference topics |
| [Windows security baselines](windows-security-baselines.md) | New |
@ -47,8 +41,8 @@ The topics in this library have been updated for Windows 10, version 1607 (also
| [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md) | Changed Internet Explorer to Microsoft Edge |
| [Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) | Added errors 0x80090029 and 0x80070057, and merged entries for error 0x801c03ed. |
| [Microsoft Passport guide](microsoft-passport-guide.md) | Updated Roadmap section content |
|[Protect your enterprise data using enterprise data protection (EDP)](protect-enterprise-data-using-edp.md) |Updated info based on changes to the features and functionality.|
| [User Account Control Group Policy and registry key settings](user-account-control-group-policy-and-registry-key-settings.md) | Updated for Windows 10 and Windows Server 2016 |
|[Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) |Updated info based on changes to the features and functionality.|
| [User Account Control Group Policy and registry key settings](user-account-control-group-policy-and-registry-key-settings.md) | Updated for Windows 10 and Windows Server 2016 Technical Preview |
|[Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) (mutiple topics) | New |
## April 2016
@ -63,7 +57,7 @@ The topics in this library have been updated for Windows 10, version 1607 (also
|New or changed topic | Description |
|----------------------|-------------|
|[Requirements to use AppLocker](requirements-to-use-applocker.md) |Added that MDM can be used to manage any edition of Windows 10. Windows 10 Enterprise or Windows Server 2016 Technical Preview is required to manage AppLocker by using Group Policy.|
|[Protect your enterprise data using enterprise data protection (EDP)](protect-enterprise-data-using-edp.md) |Added pre-release content about how to set up and deploy enterprise data protection (EDP) in an enterprise environment.|
|[Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) |Added pre-release content about how to set up and deploy Windows Information Protection (WIP) in an enterprise environment.|
## February 2016

2
windows/keep-secure/change-rules-from-request-to-require-mode.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
After you confirm that network traffic is being correctly protected by using IPsec, you can change the rules for the domain isolation and encryption zones to require, instead of request, authentication. Do not change the rules for the boundary zone; they must stay in request mode so that devices in the boundary zone can continue to accept connections from devices that are not part of the isolated domain.

2
windows/keep-secure/checklist-configuring-basic-firewall-settings.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
This checklist includes tasks for configuring a GPO with firewall defaults and settings that are separate from the rules.

2
windows/keep-secure/checklist-configuring-rules-for-an-isolated-server-zone.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs for servers in an isolated server zone that are part of an isolated domain. For information about creating a standalone isolated server zone that is not part of an isolated domain, see [Checklist: Implementing a Standalone Server Isolation Policy Design](checklist-implementing-a-standalone-server-isolation-policy-design.md).

2
windows/keep-secure/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs for servers in a standalone isolated server zone that is not part of an isolated domain. In addition to requiring authentication and optionally encryption, servers in a server isolation zone are accessible only by users or devices that are authenticated as members of a network access group (NAG). The GPOs described here apply only to the isolated servers, not to the client devices that connect to them. For the GPOs for the client devices, see [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md).

2
windows/keep-secure/checklist-configuring-rules-for-the-boundary-zone.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs to implement the boundary zone in an isolated domain.

2
windows/keep-secure/checklist-configuring-rules-for-the-encryption-zone.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs to implement the encryption zone in an isolated domain.

2
windows/keep-secure/checklist-configuring-rules-for-the-isolated-domain.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs to implement the main zone in the isolated domain.

2
windows/keep-secure/checklist-creating-group-policy-objects.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
To deploy firewall or IPsec settings or firewall or connection security rules, we recommend that you use Group Policy in AD DS. This section describes a tested, efficient method that requires some up-front work, but serves an administrator well in the long run by making GPO assignments as easy as dropping a device into a membership group.

2
windows/keep-secure/checklist-creating-inbound-firewall-rules.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
This checklist includes tasks for creating firewall rules in your GPOs.

2
windows/keep-secure/checklist-creating-outbound-firewall-rules.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
This checklist includes tasks for creating outbound firewall rules in your GPOs.

2
windows/keep-secure/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
This checklist includes tasks for configuring connection security rules and IPsec settings in the GPOs for client devices that must connect to servers in an isolated server zone.

4
windows/keep-secure/checklist-implementing-a-basic-firewall-policy-design.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
This parent checklist includes cross-reference links to important concepts about the basic firewall policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design.
@ -26,7 +26,7 @@ The procedures in this section use the Group Policy MMC snap-in interfaces to co
| Task | Reference |
| - | - |
| Review important concepts and examples for the basic firewall policy design to determine if this design meets the needs of your organization. | [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)<br/>[Basic Firewall Policy Design](basic-firewall-policy-design.md)<br/>[Firewall Policy Design Example](firewall-policy-design-example.md)<br/>[Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md)|
| Create the membership group and a GPO for each set of devices that require different firewall rules. Where GPOs will be similar, such as for Windows 10 and Windows Server 2016, create one GPO, configure it by using the tasks in this checklist, and then make a copy of the GPO for the other version of Windows. For example, create and configure the GPO for Windows 10, make a copy of it for Windows Server 2016, and then follow the steps in this checklist to make the few required changes to the copy. | [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)<br/>[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)|
| Create the membership group and a GPO for each set of devices that require different firewall rules. Where GPOs will be similar, such as for Windows 10 and Windows Server 2016 Technical Preview, create one GPO, configure it by using the tasks in this checklist, and then make a copy of the GPO for the other version of Windows. For example, create and configure the GPO for Windows 10, make a copy of it for Windows Server 2016 Technical Preview, and then follow the steps in this checklist to make the few required changes to the copy. | [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)<br/>[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)|
| If you are working on a GPO that was copied from another, modify the group membership and WMI filters so that they are correct for the devices for which this GPO is intended.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)|
| Configure the GPO with firewall default settings appropriate for your design.| [Checklist: Configuring Basic Firewall Settings](checklist-configuring-basic-firewall-settings.md)|
| Create one or more inbound firewall rules to allow unsolicited inbound network traffic.| [Checklist: Creating Inbound Firewall Rules](checklist-creating-inbound-firewall-rules.md)|

2
windows/keep-secure/checklist-implementing-a-certificate-based-isolation-policy-design.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
This parent checklist includes cross-reference links to important concepts about using certificates as an authentication option in either a domain isolation or server isolation design.

2
windows/keep-secure/checklist-implementing-a-domain-isolation-policy-design.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
This parent checklist includes cross-reference links to important concepts about the domain isolation policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design.

2
windows/keep-secure/checklist-implementing-a-standalone-server-isolation-policy-design.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
This checklist contains procedures for creating a server isolation policy design that is not part of an isolated domain. For the steps required to create an isolated server zone within an isolated domain, see [Checklist: Configuring Rules for an Isolated Server Zone](checklist-configuring-rules-for-an-isolated-server-zone.md).

2
windows/keep-secure/configure-authentication-methods.md
View File

@ -14,7 +14,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
This procedure shows you how to configure the authentication methods that can be used by computers in an isolated domain or standalone isolated server zone.

2
windows/keep-secure/configure-data-protection-quick-mode-settings.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
This procedure shows you how to configure the data protection (quick mode) settings for connection security rules in an isolated domain or a standalone isolated server zone.

2
windows/keep-secure/configure-group-policy-to-autoenroll-and-deploy-certificates.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
You can use this procedure to configure Group Policy to automatically enroll client computer certificates and deploy them to the workstations on your network. Follow this procedure for each GPO that contains IPsec connection security rules that require this certificate.

2
windows/keep-secure/configure-key-exchange-main-mode-settings.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
This procedure shows you how to configure the main mode key exchange settings used to secure the IPsec authentication traffic.

2
windows/keep-secure/configure-the-windows-firewall-log.md
View File

@ -14,7 +14,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
To configure Windows Firewall to log dropped packets or successful connections, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in.

2
windows/keep-secure/configure-the-workstation-authentication-certificate-template.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
This procedure describes how to configure a certificate template that Active Directory Certification Services (AD CS) uses as the starting point for device certificates that are automatically enrolled and deployed to workstations in the domain. It shows how to create a copy of a template, and then configure the template according to your design requirements.

2
windows/keep-secure/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
To configure Windows Firewall to suppress the display of a notification when it blocks a program that tries to listen for network traffic and to prohibit locally defined rules, use the Windows Firewall with Advanced Security node in the Group Policy Management console.

2
windows/keep-secure/confirm-that-certificates-are-deployed-correctly.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
After configuring your certificates and autoenrollment in Group Policy, you can confirm that the policy is being applied as expected, and that the certificates are being properly installed on the workstation devices.

4
windows/keep-secure/copy-a-gpo-to-create-a-new-gpo.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
To create the GPO for the boundary zone devices, make a copy of the main domain isolation GPO, and then change the settings to request, instead of require, authentication. To make a copy of a GPO, use the Active Directory Users and devices MMC snap-in.
@ -47,4 +47,4 @@ To complete this procedure, you must be a member of the Domain Administrators gr
12. Type the name of the group that contains members of the boundary zone, for example **CG\_DOMISO\_Boundary**, and then click **OK**.
13. If required, change the WMI filter to one appropriate for the new GPO. For example, if the original GPO is for client devices running Windows 10, and the new boundary zone GPO is for devices running Windows Server 2016, then select a WMI filter that allows only those devices to read and apply the GPO.
13. If required, change the WMI filter to one appropriate for the new GPO. For example, if the original GPO is for client devices running Windows 10, and the new boundary zone GPO is for devices running Windows Server 2016 Technical Preview, then select a WMI filter that allows only those devices to read and apply the GPO.

2
windows/keep-secure/create-a-group-account-in-active-directory.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
To create a security group to contain the computer accounts for the computers that are to receive a set of Group Policy settings, use the Active Directory Users and Computers console.

2
windows/keep-secure/create-a-group-policy-object.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
To create a new GPO, use the Active Directory Users and Computers MMC snap-in.

2
windows/keep-secure/create-an-authentication-exemption-list-rule.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
In almost any isolated server or isolated domain scenario, there are some devices or devices that cannot communicate by using IPsec. This procedure shows you how to create rules that exempt those devices from the authentication requirements of your isolation policies.

2
windows/keep-secure/create-an-authentication-request-rule.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
After you have configured IPsec algorithms and authentication methods, you can create the rule that requires the devices on the network to use those protocols and methods before they can communicate.

2
windows/keep-secure/create-an-inbound-icmp-rule.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
To allow inbound Internet Control Message Protocol (ICMP) network traffic, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows ICMP requests and responses to be sent and received by computers on the network.

2
windows/keep-secure/create-an-inbound-port-rule.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
To allow inbound network traffic on only a specified TCP or UDP port number, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows any program that listens on a specified TCP or UDP port to receive network traffic sent to that port.

2
windows/keep-secure/create-an-inbound-program-or-service-rule.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
To allow inbound network traffic to a specified program or service, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows the program to listen and receive inbound network traffic on any port.

2
windows/keep-secure/create-an-outbound-port-rule.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
By default, Windows Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. To block outbound network traffic on a specified TCP or UDP port number, use the Windows Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. This type of rule blocks any outbound network traffic that matches the specified TCP or UDP port numbers.

2
windows/keep-secure/create-an-outbound-program-or-service-rule.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
By default, Windows Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. To block outbound network traffic for a specified program or service, use the Windows Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. This type of rule prevents the program from sending any outbound network traffic on any port.

2
windows/keep-secure/create-inbound-rules-to-support-rpc.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
To allow inbound remote procedure call (RPC) network traffic, use the Windows Firewall with Advanced Security node in the Group Policy Management console to create two firewall rules. The first rule allows incoming network packets on TCP port 135 to the RPC Endpoint Mapper service. The incoming traffic consists of requests to communicate with a specified network service. The RPC Endpoint Mapper replies with a dynamically-assigned port number that the client must use to communicate with the service. The second rule allows the network traffic that is sent to the dynamically-assigned port number. Using the two rules configured as described in this topic helps to protect your device by allowing network traffic only from devices that have received RPC dynamic port redirection and to only those TCP port numbers assigned by the RPC Endpoint Mapper.

2
windows/keep-secure/create-wmi-filters-for-the-gpo.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
To make sure that each GPO associated with a group can only be applied to devices running the correct version of Windows, use the Group Policy Management MMC snap-in to create and assign WMI filters to the GPO. Although you can create a separate membership group for each GPO, you would then have to manage the memberships of the different groups. Instead, use only a single membership group, and let WMI filters automatically ensure the correct GPO is applied to each device.

2
windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md
View File

@ -1,5 +1,5 @@
---
title: Create a Device Guard code integrity policy based on a reference device (Windows 10)
redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/device-guard-deployment-guide
redirect_url: device-guard-deployment-guide.md
---

27
windows/keep-secure/credential-guard.md
View File

@ -90,7 +90,7 @@ The PC must meet the following hardware and software requirements to use Credent
<td>TPM 2.0</td>
</tr>
<tr>
<td>Windows 10 version 1511 or later</td>
<td>Windows 10 version 1511</td>
<td>TPM 2.0 or TPM 1.2</td>
</tr>
</table>
@ -109,11 +109,7 @@ The PC must meet the following hardware and software requirements to use Credent
</tr>
<tr class="odd">
<td align="left"><p>Physical PC</p></td>
<td align="left"><p>For PCs running Windows 10, version 1511 and Windows 10, version 1507, you cannot run Credential Guard on a virtual machine.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Virtual machine</p></td>
<td align="left"><p>For PCs running Windows 10, version 1607, you can run Credential Guard on a Generation 2 virtual machine.</p></td>
<td align="left"><p>For PCs running Windows 10, you cannot run Credential Guard on a virtual machine.</p></td>
</tr>
</tbody>
</table>
@ -148,8 +144,9 @@ First, you must add the virtualization-based security features. You can do this
**Add the virtualization-based security features by using Programs and Features**
1. Open the Programs and Features control panel.
2. Click **Turn Windows feature on or off**.
3. Go to **Hyper-V** -&gt; **Hyper-V Platform**, and then select the **Hyper-V Hypervisor** check box.
4. Click **OK**.
3. Select the **Isolated User Mode** check box.
4. Go to **Hyper-V** -&gt; **Hyper-V Platform**, and then select the **Hyper-V Hypervisor** check box.
5. Click **OK**.
**Add the virtualization-based security features to an offline image by using DISM**
1. Open an elevated command prompt.
@ -157,14 +154,12 @@ First, you must add the virtualization-based security features. You can do this
``` syntax
dism /image:<WIM file name> /Enable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /all
```
3. Add Isolated User Mode by running the following command:
``` syntax
dism /image:<WIM file name> /Enable-Feature /FeatureName:IsolatedUserMode
```
> **Note:**  You can also add these features to an online image by using either DISM or Configuration Manager.
In Windows 10, version 1607, Isolated User Mode is included with Hyper-V and does not need to be installed separately. If you're running a version of Windows 10 that's earlier than Windows 10, version 1607, you can run the following command to install Isolated User Mode:
``` syntax
dism /image:<WIM file name> /Enable-Feature /FeatureName:IsolatedUserMode
```
 
### Turn on Credential Guard
If you don't use Group Policy, you can enable Credential Guard by using the registry.
@ -208,7 +203,7 @@ If you have to remove Credential Guard on a PC, you need to do the following:
3. Accept the prompt to disable Credential Guard.
4. Alternatively, you can disable the virtualization-based security features to turn off Credential Guard.
> **Note:** The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. If you want to turn off both Credential Guard and virtualization-based security, run the following bcdedit command after turning off all virtualization-based security Group Policy and registry settings: bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
> **Note: ** The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. If you want to turn off both Credential Guard and virtualization-based security, run the following bcdedit command after turning off all virtualization-based security Group Policy and registry settings: bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
For more info on virtualization-based security and Device Guard, see [Device Guard deployment guide](device-guard-deployment-guide.md).
 

58
windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md
View File

@ -28,21 +28,15 @@ For information about enabling Credential Guard, see [Protect derived domain cre
## Windows feature requirements for virtualization-based security
In addition to the hardware requirements found in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard), you must enable certain operating system features before you can enable VBS:
- With Windows 10, version 1607 or Windows Server 2016:<br>
Hyper-V Hypervisor (shown in Figure 1).
- With an earlier version of Windows 10, or Windows Server 2016 Technical Preview 5 or earlier:<br>
Hyper-V Hypervisor and Isolated User Mode (not shown).
In addition to the hardware requirements found in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard), you must enable certain operating system features before you can enable VBS: Microsoft Hyper-V and isolated user mode (shown in Figure 1).
> **Note**&nbsp;&nbsp;You can configure these features manually by using Windows PowerShell or Deployment Image Servicing and Management. For specific information about these methods, see [Protect derived domain credentials with Credential Guard](credential-guard.md).
 
![Turn Windows features on or off](images/dg-fig1-enableos.png)
Figure 1. Enable operating system feature for VBS
Figure 1. Enable operating system features for VBS
After you enable the feature or features, you can configure any additional hardware-based security features you want. The following sections provide more information:
After you enable these features, you can configure any additional hardware-based security features you want. The following sections provide more information:
- [Enable Unified Extensible Firmware Interface Secure Boot](#enable-unified-extensible-firmware-interface-secure-boot)
- [Enable virtualization-based security for kernel-mode code integrity](#enable-virtualization-based-security-for-kernel-mode-code-integrity)
@ -50,7 +44,7 @@ After you enable the feature or features, you can configure any additional hardw
Before you begin this process, verify that the target device meets the hardware requirements for UEFI Secure Boot that are laid out in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). There are two options to configure UEFI Secure Boot: manual configuration of the appropriate registry keys and Group Policy deployment. Complete the following steps to manually configure UEFI Secure Boot on a computer running Windows 10.
> **Note**&nbsp;&nbsp;There are two platform security levels for Secure Boot: stand-alone Secure Boot and Secure Boot with DMA protection. DMA protection provides additional memory protection but will be enabled only on systems whose processors include input/output memory management units (IOMMUs). Protection against driver-based attacks is provided only on systems that have IOMMUs and that have DMA protection enabled. For more information about how IOMMUs help protect against DMA attacks, see [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats).
> **Note**&nbsp;&nbsp;There are two platform security levels for Secure Boot: stand-alone Secure Boot and Secure Boot with DMA protection. DMA protection provides additional memory protection but will be enabled only on systems whose processors include input/output memory management units (IOMMUs). Protection against driver-based attacks is provided only on systems that have IOMMUs and that have DMA protection enabled.
1. Navigate to the **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard** registry subkey.
@ -58,9 +52,9 @@ Before you begin this process, verify that the target device meets the hardware
3. Set the **RequirePlatformSecurityFeatures DWORD** value as appropriate:
| **With Windows 10, version 1607, <br>or Windows Server 2016** | **With an earlier version of Windows 10, <br>or Windows Server 2016 Technical Preview 5 or earlier** |
| ---------------- | ---------------- |
| **1** enables the **Secure Boot** option<br>**3** enables the **Secure Boot and DMA protection** option | **1** enables the **Secure Boot** option<br>**2** enables the **Secure Boot and DMA protection** option |
- Set this value to **1** to enable the **Secure Boot** option.
- Set this value to **2** to enable the **Secure Boot with DMA Protection** option.
4. Restart the client computer.
@ -86,11 +80,11 @@ Unfortunately, it would be time consuming to perform these steps manually on eve
Figure 6. Enable VBS
5. Select the **Enabled** button, and then select **Secure Boot and DMA Protection** from the **Select Platform Security Level** list.
5. Select the **Enabled** option, and then select **Secure Boot and DMA Protection** from the **Select Platform Security Level** list.
![Group Policy, Turn On Virtualization Based Security](images/device-guard-gp.png)
Figure 7. Enable Secure Boot (in Windows 10, version 1607)
Figure 7. Enable Secure Boot
> **Note**&nbsp;&nbsp;Device Guard Secure Boot is maximized when combined with DMA protection. If your hardware contains the IOMMUs required for DMA protection, be sure to select the **Secure Boot and DMA Protection** platform security level. If your hardware does not contain IOMMUs, there are several mitigations provided by leveraging Secure Boot without DMA Protection.
@ -108,11 +102,7 @@ Before you begin this process, verify that the desired computer meets the hardwa
**To configure virtualization-based protection of KMCI manually:**
1. Navigate to the appropriate registry subkey:
- With Windows 10, version 1607, or Windows Server 2016:<br>**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard\\Scenarios**
- With an earlier version of Windows 10, or Windows Server 2016 Technical Preview 5 or earlier:<br>**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard**
1. Navigate to the **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard** registry subkey.
2. Set the **HypervisorEnforcedCodeIntegrity DWORD** value to **1**.
@ -140,15 +130,11 @@ It would be time consuming to perform these steps manually on every protected co
Figure 3. Enable VBS
5. Select the **Enabled** button, and then for **Virtualization Based Protection of Code Integrity**, select the appropriate option:
- With Windows 10, version 1607 or Windows Server 2016, choose an enabled option:<br>For an initial deployment or test deployment, we recommend **Enabled without UEFI lock**.<br>When your deployment is stable in your environment, we recommend changing to **Enabled with UEFI lock**. This option helps protect the registry from tampering, either through malware or by an unauthorized person.
- With earlier versions of Windows 10, or Windows Server 2016 Technical Preview 5 or earlier:<br>Select the **Enable Virtualization Based Protection of Code Integrity** check box.
5. Select the **Enabled** option, and then select the **Enable Virtualization Based Protection of Code Integrity** check box.
![Group Policy, Turn On Virtualization Based Security](images/dg-fig7-enablevbsofkmci.png)
Figure 4. Enable VBS of KMCI (in Windows 10, version 1607)
Figure 4. Enable VBS of KMCI
6. Close the Group Policy Management Editor, and then restart the Windows 10 test computer. With this setting configured, the VBS of the KMCI will take effect upon restart.
@ -190,12 +176,7 @@ Table 1. Win32\_DeviceGuard properties
<li><p><strong>1.</strong> If present, hypervisor support is available.</p></li>
<li><p><strong>2.</strong> If present, Secure Boot is available.</p></li>
<li><p><strong>3.</strong> If present, DMA protection is available.</p></li>
<li><p><strong>4.</strong> If present, Secure Memory Overwrite is available.</p></li>
<li><p><strong>5.</strong> If present, NX protections are available.</p></li>
<li><p><strong>6.</strong> If present, SMM mitigations are available.</p></li>
</ul>
<p><strong>Note</strong>: 4, 5, and 6 were added as of Windows 10, version 1607.</p>
</td>
</ul></td>
</tr>
<tr class="even">
<td align="left"><strong>InstanceIdentifier</strong></td>
@ -207,15 +188,10 @@ Table 1. Win32\_DeviceGuard properties
<td align="left">This field describes the required security properties to enable virtualization-based security.</td>
<td align="left"><ul>
<li><p><strong>0.</strong> Nothing is required.</p></li>
<li><p><strong>1.</strong> If present, hypervisor support is needed.</p></li>
<li><p><strong>2.</strong> If present, Secure Boot is needed.</p></li>
<li><p><strong>3.</strong> If present, DMA protection is needed.</p></li>
<li><p><strong>4.</strong> If present, Secure Memory Overwrite is needed.</p></li>
<li><p><strong>5.</strong> If present, NX protections are needed.</p></li>
<li><p><strong>6.</strong> If present, SMM mitigations are needed.</p></li>
</ul>
<p><strong>Note</strong>: 4, 5, and 6 were added as of Windows 10, version 1607.</p>
</td>
<li><p><strong>1.</strong> If present, Secure Boot is needed.</p></li>
<li><p><strong>2.</strong> If present, DMA protection is needed.</p></li>
<li><p><strong>3.</strong> If present, both Secure Boot and DMA protection are needed.</p></li>
</ul></td>
</tr>
<tr class="even">
<td align="left"><strong>SecurityServicesConfigured</strong></td>

2
windows/keep-secure/designing-a-windows-firewall-with-advanced-security-strategy.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
To select the most effective design for helping to protect the network, you must spend time collecting key information about your current computer environment. You must have a good understanding of what tasks the devices on the network perform, and how they use the network to accomplish those tasks. You must understand the network traffic generated by the programs running on the devices.

2
windows/keep-secure/determining-the-trusted-state-of-your-devices.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
After obtaining information about the devices that are currently part of the IT infrastructure, you must determine at what point a device is considered trusted. The term *trusted* can mean different things to different people. Therefore, you must communicate a firm definition for it to all stakeholders in the project. Failure to do this can lead to problems with the security of the trusted environment, because the overall security cannot exceed the level of security set by the least secure client that achieves trusted status.

2
windows/keep-secure/device-guard-certification-and-compliance.md
View File

@ -1,4 +1,4 @@
---
title: Device Guard certification and compliance (Windows 10)
redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/device-guard-deployment-guide
redirect_url: device-guard-deployment-guide.md
---

2
windows/keep-secure/documenting-the-zones.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
Generally, the task of determining zone membership is not complex, but it can be time-consuming. Use the information generated during the [Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) section of this guide to determine the zone in which to put each host. You can document this zone placement by adding a Group column to the inventory table shown in the Designing a Windows Firewall with Advanced Security Strategy section. A sample is shown here:

2
windows/keep-secure/domain-isolation-policy-design-example.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
This design example continues to use the fictitious company Woodgrove Bank, and builds on the example described in the [Firewall Policy Design Example](firewall-policy-design-example.md) section. See that example for an explanation of the basic corporate network infrastructure at Woodgrove Bank with diagrams.

2
windows/keep-secure/domain-isolation-policy-design.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
In the domain isolation policy design, you configure the devices on your network to accept only connections coming from devices that are authenticated as members of the same isolated domain.

2
windows/keep-secure/enable-predefined-inbound-rules.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
Windows Firewall with Advanced Security includes many predefined rules for common networking roles and functions. When you install a new server role on a device or enable a network feature on a client device, the installer typically enables the rules required for that role instead of creating new ones. When deploying firewall rules to the devices on the network, you can take advantage of these predefined rules instead of creating new ones. Doing this helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use.

2
windows/keep-secure/enable-predefined-outbound-rules.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
By default, Windows Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. Windows Firewall with Advanced Security includes many predefined outbound rules that can be used to block network traffic for common networking roles and functions. When you install a new server role on a computer or enable a network feature on a client computer, the installer can install, but typically does not enable, outbound block rules for that role. When deploying firewall rules to the computers on the network, you can take advantage of these predefined rules instead of creating new ones. Doing this helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use.

2
windows/keep-secure/encryption-zone-gpos.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
Handle encryption zones in a similar manner to the boundary zones. A device is added to an encryption zone by adding the device account to the encryption zone group. Woodgrove Bank has a single service that must be protected, and the devices that are running that service are added to the group CG\_DOMISO\_Encryption. This group is granted Read and Apply Group Policy permissions in on the GPO described in this section.

2
windows/keep-secure/encryption-zone.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
Some servers in the organization host data that is very sensitive, including medical, financial, or other personally identifying data. Government or industry regulations might require that this sensitive information must be encrypted when it is transferred between devices.

2
windows/keep-secure/evaluating-windows-firewall-with-advanced-security-design-examples.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
The following Windows Firewall with Advanced Security design examples illustrate how you can use Windows Firewall with Advanced Security to improve the security of the devices connected to the network. You can use these topics to evaluate how the firewall and connection security rules work across all Windows Firewall with Advanced Security designs and to determine which design or combination of designs best suits the goals of your organization.

12
windows/keep-secure/event-4706.md
View File

@ -127,13 +127,13 @@ This event is generated only on domain controllers.
| 0x1 | TRUST\_ATTRIBUTE\_NON\_TRANSITIVE | If this bit is set, then the trust cannot be used transitively. For example, if domain A trusts domain B, which in turn trusts domain C, and the A&lt;--&gt;B trust has this attribute set, then a client in domain A cannot authenticate to a server in domain C over the A&lt;--&gt;B&lt;--&gt;C trust linkage. |
| 0x2 | TRUST\_ATTRIBUTE\_UPLEVEL\_ONLY | If this bit is set in the attribute, then only Windows 2000 operating system and newer clients may use the trust link. [Netlogon](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_70771a5a-04a3-447d-981b-e03098808c32) does not consume [trust objects](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_e81f6436-01d2-4311-93a4-4316bb67eabd) that have this flag set. |
| 0x4 | TRUST\_ATTRIBUTE\_QUARANTINED\_DOMAIN | If this bit is set, the trusted domain is quarantined and is subject to the rules of [SID](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_83f2020d-0804-4840-a5ac-e06439d50f8d) Filtering as described in [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section [4.1.2.2](https://msdn.microsoft.com/en-us/library/cc237940.aspx). |
| 0x8 | TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE | If this bit is set, the trust link is a [cross-forest trust](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_86f3dbf2-338f-462e-8c5b-3c8e05798dbc) [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) between the root domains of two [forests](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_fd104241-4fb3-457c-b2c4-e0c18bb20b62), both of which are running in a [forest functional level](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_b3240417-ca43-4901-90ec-fde55b32b3b8) of DS\_BEHAVIOR\_WIN2003 or greater.<br>Only evaluated on Windows Server 2003 operating system, Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, Windows Server 2012 R2 operating system, and Windows Server 2016 operating system.<br>Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
| 0x10 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION | If this bit is set, then the trust is to a domain or forest that is not part of the [organization](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_6fae7775-5232-4206-b452-f298546ab54f). The behavior controlled by this bit is explained in [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) section [3.3.5.7.5](https://msdn.microsoft.com/en-us/library/cc233949.aspx) and [\[MS-APDS\]](https://msdn.microsoft.com/en-us/library/cc223948.aspx) section [3.1.5](https://msdn.microsoft.com/en-us/library/cc223991.aspx).<br>Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.<br>Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
| 0x20 | TRUST\_ATTRIBUTE\_WITHIN\_FOREST | If this bit is set, then the trusted domain is within the same forest.<br>Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. |
| 0x40 | TRUST\_ATTRIBUTE\_TREAT\_AS\_EXTERNAL | If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are more stringently [filtered](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_ffbe7b55-8e84-4f41-a18d-fc29191a4cda) than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section 4.1.2.2.<br>Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.<br>Only evaluated if SID Filtering is used.<br>Only evaluated on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.<br>Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
| 0x8 | TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE | If this bit is set, the trust link is a [cross-forest trust](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_86f3dbf2-338f-462e-8c5b-3c8e05798dbc) [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) between the root domains of two [forests](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_fd104241-4fb3-457c-b2c4-e0c18bb20b62), both of which are running in a [forest functional level](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_b3240417-ca43-4901-90ec-fde55b32b3b8) of DS\_BEHAVIOR\_WIN2003 or greater.<br>Only evaluated on Windows Server 2003 operating system, Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, Windows Server 2012 R2 operating system, and Windows Server 2016 Technical Preview operating system.<br>Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
| 0x10 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION | If this bit is set, then the trust is to a domain or forest that is not part of the [organization](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_6fae7775-5232-4206-b452-f298546ab54f). The behavior controlled by this bit is explained in [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) section [3.3.5.7.5](https://msdn.microsoft.com/en-us/library/cc233949.aspx) and [\[MS-APDS\]](https://msdn.microsoft.com/en-us/library/cc223948.aspx) section [3.1.5](https://msdn.microsoft.com/en-us/library/cc223991.aspx).<br>Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview.<br>Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
| 0x20 | TRUST\_ATTRIBUTE\_WITHIN\_FOREST | If this bit is set, then the trusted domain is within the same forest.<br>Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview. |
| 0x40 | TRUST\_ATTRIBUTE\_TREAT\_AS\_EXTERNAL | If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are more stringently [filtered](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_ffbe7b55-8e84-4f41-a18d-fc29191a4cda) than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section 4.1.2.2.<br>Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview.<br>Only evaluated if SID Filtering is used.<br>Only evaluated on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.<br>Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
| 0x80 | TRUST\_ATTRIBUTE\_USES\_RC4\_ENCRYPTION | This bit is set on trusts with the [trustType](https://msdn.microsoft.com/en-us/library/cc220955.aspx) set to TRUST\_TYPE\_MIT, which are capable of using RC4 keys. Historically, MIT Kerberos distributions supported only DES and 3DES keys ([\[RFC4120\]](http://go.microsoft.com/fwlink/?LinkId=90458), [\[RFC3961\]](http://go.microsoft.com/fwlink/?LinkId=90450)). MIT 1.4.1 adopted the RC4HMAC encryption type common to Windows 2000 [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx), so trusted domains deploying later versions of the MIT distribution required this bit. For more information, see "Keys and Trusts", section [6.1.6.9.1](https://msdn.microsoft.com/en-us/library/cc223782.aspx).<br>Only evaluated on TRUST\_TYPE\_MIT |
| 0x200 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION\_NO\_TGT\_DELEGATION | If this bit is set, tickets granted under this trust MUST NOT be trusted for delegation. The behavior controlled by this bit is as specified in [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) section 3.3.5.7.5.<br>Only supported on Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. |
| 0x400 | TRUST\_ATTRIBUTE\_PIM\_TRUST | If this bit and the TATE bit are set, then a cross-forest trust to a domain is to be treated as Privileged Identity Management trust for the purposes of SID Filtering. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section 4.1.2.2.<br>Evaluated only on Windows Server 2016<br>Evaluated only if SID Filtering is used.<br>Evaluated only on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.<br>Can be set only if the forest and the trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WINTHRESHOLD or greater. |
| 0x200 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION\_NO\_TGT\_DELEGATION | If this bit is set, tickets granted under this trust MUST NOT be trusted for delegation. The behavior controlled by this bit is as specified in [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) section 3.3.5.7.5.<br>Only supported on Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview. |
| 0x400 | TRUST\_ATTRIBUTE\_PIM\_TRUST | If this bit and the TATE bit are set, then a cross-forest trust to a domain is to be treated as Privileged Identity Management trust for the purposes of SID Filtering. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section 4.1.2.2.<br>Evaluated only on Windows Server 2016 Technical Preview<br>Evaluated only if SID Filtering is used.<br>Evaluated only on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.<br>Can be set only if the forest and the trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WINTHRESHOLD or greater. |
- **SID Filtering** \[Type = UnicodeString\]: [SID Filtering](https://technet.microsoft.com/en-us/library/cc772633(v=ws.10).aspx) state for the new trust:

12
windows/keep-secure/event-4716.md
View File

@ -127,13 +127,13 @@ This event is generated only on domain controllers.
| 0x1 | TRUST\_ATTRIBUTE\_NON\_TRANSITIVE | If this bit is set, then the trust cannot be used transitively. For example, if domain A trusts domain B, which in turn trusts domain C, and the A&lt;--&gt;B trust has this attribute set, then a client in domain A cannot authenticate to a server in domain C over the A&lt;--&gt;B&lt;--&gt;C trust linkage. |
| 0x2 | TRUST\_ATTRIBUTE\_UPLEVEL\_ONLY | If this bit is set in the attribute, then only Windows 2000 operating system and newer clients may use the trust link. [Netlogon](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_70771a5a-04a3-447d-981b-e03098808c32) does not consume [trust objects](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_e81f6436-01d2-4311-93a4-4316bb67eabd) that have this flag set. |
| 0x4 | TRUST\_ATTRIBUTE\_QUARANTINED\_DOMAIN | If this bit is set, the trusted domain is quarantined and is subject to the rules of [SID](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_83f2020d-0804-4840-a5ac-e06439d50f8d) Filtering as described in [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section [4.1.2.2](https://msdn.microsoft.com/en-us/library/cc237940.aspx). |
| 0x8 | TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE | If this bit is set, the trust link is a [cross-forest trust](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_86f3dbf2-338f-462e-8c5b-3c8e05798dbc) [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) between the root domains of two [forests](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_fd104241-4fb3-457c-b2c4-e0c18bb20b62), both of which are running in a [forest functional level](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_b3240417-ca43-4901-90ec-fde55b32b3b8) of DS\_BEHAVIOR\_WIN2003 or greater.<br>Only evaluated on Windows Server 2003 operating system, Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, Windows Server 2012 R2 operating system, and Windows Server 2016 operating system.<br>Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
| 0x10 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION | If this bit is set, then the trust is to a domain or forest that is not part of the [organization](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_6fae7775-5232-4206-b452-f298546ab54f). The behavior controlled by this bit is explained in [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) section [3.3.5.7.5](https://msdn.microsoft.com/en-us/library/cc233949.aspx) and [\[MS-APDS\]](https://msdn.microsoft.com/en-us/library/cc223948.aspx) section [3.1.5](https://msdn.microsoft.com/en-us/library/cc223991.aspx).<br>Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.<br>Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
| 0x20 | TRUST\_ATTRIBUTE\_WITHIN\_FOREST | If this bit is set, then the trusted domain is within the same forest.<br>Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. |
| 0x40 | TRUST\_ATTRIBUTE\_TREAT\_AS\_EXTERNAL | If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are more stringently [filtered](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_ffbe7b55-8e84-4f41-a18d-fc29191a4cda) than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section 4.1.2.2.<br>Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.<br>Only evaluated if SID Filtering is used.<br>Only evaluated on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.<br>Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
| 0x8 | TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE | If this bit is set, the trust link is a [cross-forest trust](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_86f3dbf2-338f-462e-8c5b-3c8e05798dbc) [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) between the root domains of two [forests](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_fd104241-4fb3-457c-b2c4-e0c18bb20b62), both of which are running in a [forest functional level](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_b3240417-ca43-4901-90ec-fde55b32b3b8) of DS\_BEHAVIOR\_WIN2003 or greater.<br>Only evaluated on Windows Server 2003 operating system, Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, Windows Server 2012 R2 operating system, and Windows Server 2016 Technical Preview operating system.<br>Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
| 0x10 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION | If this bit is set, then the trust is to a domain or forest that is not part of the [organization](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_6fae7775-5232-4206-b452-f298546ab54f). The behavior controlled by this bit is explained in [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) section [3.3.5.7.5](https://msdn.microsoft.com/en-us/library/cc233949.aspx) and [\[MS-APDS\]](https://msdn.microsoft.com/en-us/library/cc223948.aspx) section [3.1.5](https://msdn.microsoft.com/en-us/library/cc223991.aspx).<br>Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview.<br>Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
| 0x20 | TRUST\_ATTRIBUTE\_WITHIN\_FOREST | If this bit is set, then the trusted domain is within the same forest.<br>Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview. |
| 0x40 | TRUST\_ATTRIBUTE\_TREAT\_AS\_EXTERNAL | If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are more stringently [filtered](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_ffbe7b55-8e84-4f41-a18d-fc29191a4cda) than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section 4.1.2.2.<br>Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview.<br>Only evaluated if SID Filtering is used.<br>Only evaluated on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.<br>Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
| 0x80 | TRUST\_ATTRIBUTE\_USES\_RC4\_ENCRYPTION | This bit is set on trusts with the [trustType](https://msdn.microsoft.com/en-us/library/cc220955.aspx) set to TRUST\_TYPE\_MIT, which are capable of using RC4 keys. Historically, MIT Kerberos distributions supported only DES and 3DES keys ([\[RFC4120\]](http://go.microsoft.com/fwlink/?LinkId=90458), [\[RFC3961\]](http://go.microsoft.com/fwlink/?LinkId=90450)). MIT 1.4.1 adopted the RC4HMAC encryption type common to Windows 2000 [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx), so trusted domains deploying later versions of the MIT distribution required this bit. For more information, see "Keys and Trusts", section [6.1.6.9.1](https://msdn.microsoft.com/en-us/library/cc223782.aspx).<br>Only evaluated on TRUST\_TYPE\_MIT |
| 0x200 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION\_NO\_TGT\_DELEGATION | If this bit is set, tickets granted under this trust MUST NOT be trusted for delegation. The behavior controlled by this bit is as specified in [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) section 3.3.5.7.5.<br>Only supported on Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. |
| 0x400 | TRUST\_ATTRIBUTE\_PIM\_TRUST | If this bit and the TATE bit are set, then a cross-forest trust to a domain is to be treated as Privileged Identity Management trust for the purposes of SID Filtering. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section 4.1.2.2.<br>Evaluated only on Windows Server 2016<br>Evaluated only if SID Filtering is used.<br>Evaluated only on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.<br>Can be set only if the forest and the trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WINTHRESHOLD or greater. |
| 0x200 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION\_NO\_TGT\_DELEGATION | If this bit is set, tickets granted under this trust MUST NOT be trusted for delegation. The behavior controlled by this bit is as specified in [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) section 3.3.5.7.5.<br>Only supported on Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview. |
| 0x400 | TRUST\_ATTRIBUTE\_PIM\_TRUST | If this bit and the TATE bit are set, then a cross-forest trust to a domain is to be treated as Privileged Identity Management trust for the purposes of SID Filtering. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section 4.1.2.2.<br>Evaluated only on Windows Server 2016 Technical Preview<br>Evaluated only if SID Filtering is used.<br>Evaluated only on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.<br>Can be set only if the forest and the trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WINTHRESHOLD or greater. |
- **SID Filtering** \[Type = UnicodeString\]: [SID Filtering](https://technet.microsoft.com/en-us/library/cc772633(v=ws.10).aspx) state for the new trust:

16
windows/keep-secure/event-4739.md
View File

@ -165,14 +165,14 @@ This event generates when one of the following changes was made to local compute
| Value | Identifier | Domain controller operating systems that are allowed in the domain |
|-------|---------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 0 | DS\_BEHAVIOR\_WIN2000 | Windows 2000 Server operating system<br>Windows Server 2003 operating system<br>Windows Server 2008 operating system<br>Windows Server 2008 R2 operating system<br>Windows Server 2012 operating system<br>Windows Server 2012 R2 operating system<br>Windows Server 2016 operating system |
| 1 | DS\_BEHAVIOR\_WIN2003\_WITH\_MIXED\_DOMAINS | Windows Server 2003<br>Windows Server 2008<br>Windows Server 2008 R2<br>Windows Server 2012<br>Windows Server 2012 R2<br>Windows Server 2016 |
| 2 | DS\_BEHAVIOR\_WIN2003 | Windows Server 2003<br>Windows Server 2008<br>Windows Server 2008 R2<br>Windows Server 2012<br>Windows Server 2012 R2<br>Windows Server 2016 |
| 3 | DS\_BEHAVIOR\_WIN2008 | Windows Server 2008<br>Windows Server 2008 R2<br>Windows Server 2012<br>Windows Server 2012 R2<br>Windows Server 2016 |
| 4 | DS\_BEHAVIOR\_WIN2008R2 | Windows Server 2008 R2<br>Windows Server 2012<br>Windows Server 2012 R2<br>Windows Server 2016 |
| 5 | DS\_BEHAVIOR\_WIN2012 | Windows Server 2012<br>Windows Server 2012 R2<br>Windows Server 2016 |
| 6 | DS\_BEHAVIOR\_WIN2012R2 | Windows Server 2012 R2<br>Windows Server 2016 |
| 7 | DS\_BEHAVIOR\_WINTHRESHOLD | Windows Server 2016 |
| 0 | DS\_BEHAVIOR\_WIN2000 | Windows 2000 Server operating system<br>Windows Server 2003 operating system<br>Windows Server 2008 operating system<br>Windows Server 2008 R2 operating system<br>Windows Server 2012 operating system<br>Windows Server 2012 R2 operating system<br>Windows Server 2016 Technical Preview operating system |
| 1 | DS\_BEHAVIOR\_WIN2003\_WITH\_MIXED\_DOMAINS | Windows Server 2003<br>Windows Server 2008<br>Windows Server 2008 R2<br>Windows Server 2012<br>Windows Server 2012 R2<br>Windows Server 2016 Technical Preview |
| 2 | DS\_BEHAVIOR\_WIN2003 | Windows Server 2003<br>Windows Server 2008<br>Windows Server 2008 R2<br>Windows Server 2012<br>Windows Server 2012 R2<br>Windows Server 2016 Technical Preview |
| 3 | DS\_BEHAVIOR\_WIN2008 | Windows Server 2008<br>Windows Server 2008 R2<br>Windows Server 2012<br>Windows Server 2012 R2<br>Windows Server 2016 Technical Preview |
| 4 | DS\_BEHAVIOR\_WIN2008R2 | Windows Server 2008 R2<br>Windows Server 2012<br>Windows Server 2012 R2<br>Windows Server 2016 Technical Preview |
| 5 | DS\_BEHAVIOR\_WIN2012 | Windows Server 2012<br>Windows Server 2012 R2<br>Windows Server 2016 Technical Preview |
| 6 | DS\_BEHAVIOR\_WIN2012R2 | Windows Server 2012 R2<br>Windows Server 2016 Technical Preview |
| 7 | DS\_BEHAVIOR\_WINTHRESHOLD | Windows Server 2016 Technical Preview |
- **OEM Information** \[Type = UnicodeString\]: there is no information about this field in this document.

2
windows/keep-secure/exempt-icmp-from-authentication.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
This procedure shows you how to add exemptions for any network traffic that uses the ICMP protocol.

2
windows/keep-secure/exemption-list.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
When you implement a server and domain isolation security model in your organization, you are likely to find some additional challenges. Key infrastructure servers such as DNS servers and DHCP servers typically must be available to all devicess on the internal network, yet secured from network attacks. However, if they must remain available to all devicess on the network, not just to isolated domain members, then these servers cannot require IPsec for inbound access, nor can they use IPsec transport mode for outbound traffic.

2
windows/keep-secure/firewall-gpos.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
All the devices on Woodgrove Bank's network that run Windows are part of the isolated domain, except domain controllers. To configure firewall rules, the GPO described in this section is linked to the domain container in the Active Directory OU hierarchy, and then filtered by using security group filters and WMI filters.

6
windows/keep-secure/firewall-policy-design-example.md
View File

@ -13,13 +13,13 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
In this example, the fictitious company Woodgrove Bank is a financial services institution.
Woodgrove Bank has an Active Directory domain that provides Group Policy-based management for all their Windows devices. The Active Directory domain controllers also host Domain Name System (DNS) for host name resolution. Separate devices host Windows Internet Name Service (WINS) for network basic input/output system (NetBIOS) name resolution. A set of devices that are running UNIX provide the Dynamic Host Configuration Protocol (DHCP) services for automatic IP addressing.
Woodgrove Bank is in the process of migrating their devices from Windows Vista and Windows Server 2008 to Windows 10 and Windows Server 2016. A significant number of the devices at Woodgrove Bank continue to run Windows Vista and Windows Server 2008. Interoperability between the previous and newer operating systems must be maintained. Wherever possible, security features applied to the newer operating systems must also be applied to the previous operating systems.
Woodgrove Bank is in the process of migrating their devices from Windows Vista and Windows Server 2008 to Windows 10 and Windows Server 2016 Technical Preview. A significant number of the devices at Woodgrove Bank continue to run Windows Vista and Windows Server 2008. Interoperability between the previous and newer operating systems must be maintained. Wherever possible, security features applied to the newer operating systems must also be applied to the previous operating systems.
A key line-of-business program called WGBank consists of a client program running on most of the desktop devices in the organization. This program accesses several front-end server devices that run the server-side part of WGBank. These front-end servers only do the processing — they do not store the data. The data is stored in several back-end database devices that are running Microsoft SQL Server.
@ -60,7 +60,7 @@ Woodgrove Bank uses Active Directory groups and Group Policy Objects to deploy t
- Client devices that run Windows 10, Windows 8, or Windows 7
- WGBank front-end servers that run Windows Server 2016, Windows Server 2012 R2, Windows Server 2012 or Windows Server 2008 R2 (there are none in place yet, but their solution must support adding them)
- WGBank front-end servers that run Windows Server 2016 Technical Preview, Windows Server 2012 R2, Windows Server 2012 or Windows Server 2008 R2 (there are none in place yet, but their solution must support adding them)
- WGBank partner servers that run Windows Server 2008

2
windows/keep-secure/gathering-information-about-your-active-directory-deployment.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
Active Directory is another important item about which you must gather information. You must understand the forest structure. This includes domain layout, organizational unit (OU) architecture, and site topology. This information makes it possible to know where devices are currently placed, their configuration, and the impact of changes to Active Directory that result from implementing Windows Firewall with Advanced Security. Review the following list for information needed:

2
windows/keep-secure/gathering-information-about-your-current-network-infrastructure.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
Perhaps the most important aspect of planning for Windows Firewall with Advanced Security deployment is the network architecture, because IPsec is layered on the Internet Protocol itself. An incomplete or inaccurate understanding of the network can prevent any Windows Firewall with Advanced Security solution from being successful. Understanding subnet layout, IP addressing schemes, and traffic patterns are part of this effort, but accurately documenting the following components are important to completing the planning phase of this project:

2
windows/keep-secure/gathering-information-about-your-devices.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
One of the most valuable benefits of conducting an asset discovery project is the large amount of data that is obtained about the client and server devices on the network. When you start designing and planning your isolation zones, you must make decisions that require accurate information about the state of all hosts to ensure that they can use IPsec as planned.

2
windows/keep-secure/gathering-other-relevant-information.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
This topic discusses several other things that you should examine to see whether they will cause any complications in your ability to deploy Windows Firewall with Advanced Security policies in your organization.

2
windows/keep-secure/gathering-the-information-you-need.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
Before starting the planning process for a Windows Firewall with Advanced Security deployment, you must collect and analyze up-to-date information about the network, the directory services, and the devices that are already deployed in the organization. This information enables you to create a design that accounts for all possible elements of the existing infrastructure. If the gathered information is not accurate, problems can occur when devices and devices that were not considered during the planning phase are encountered during implementation.

2
windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md
View File

@ -1,4 +1,4 @@
---
title: Get apps to run on Device Guard-protected devices (Windows 10)
redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/device-guard-deployment-guide
redirect_url: device-guard-deployment-guide.md
---

2
windows/keep-secure/gpo-domiso-boundary.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. Woodgrove Bank began by copying and pasting the GPO for the Windows Server 2008 version of the isolated domain GPO, and then renamed the copy to reflect its new purpose.

2
windows/keep-secure/gpo-domiso-firewall.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to devices that are running at least Windows 7 or Windows Server 2008.

2
windows/keep-secure/gpo-domiso-isolateddomain-clients.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to client devices that are running Windows 8, Windows 7, or Windows Vista.

2
windows/keep-secure/gpo-domiso-isolateddomain-servers.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to server devices that are running at least Windows Server 2008.

2
windows/keep-secure/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
Correctly identifying your Windows Firewall with Advanced Security deployment goals is essential for the success of your Windows Firewall with Advanced Security design project. Form a project team that can clearly articulate deployment issues in a vision statement. When you write your vision statement, identify, clarify, and refine your deployment goals. Prioritize and, if possible, combine your deployment goals so that you can design and deploy Windows Firewall with Advanced Security by using an iterative approach. You can take advantage of the predefined Windows Firewall with Advanced Security deployment goals presented in this guide that are relevant to your scenarios.

BIN
windows/keep-secure/images/alert-details.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 74 KiB

After

Width:  |  Height:  |  Size: 74 KiB

BIN
windows/keep-secure/images/alertsq2.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 63 KiB

After

Width:  |  Height:  |  Size: 60 KiB

BIN
windows/keep-secure/images/device-guard-gp.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 47 KiB

After

Width:  |  Height:  |  Size: 24 KiB

BIN
windows/keep-secure/images/dg-fig1-enableos.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 22 KiB

After

Width:  |  Height:  |  Size: 17 KiB

BIN
windows/keep-secure/images/dg-fig11-dgproperties.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 74 KiB

After

Width:  |  Height:  |  Size: 102 KiB

BIN
windows/keep-secure/images/dg-fig7-enablevbsofkmci.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 47 KiB

After

Width:  |  Height:  |  Size: 36 KiB

BIN
windows/keep-secure/images/machines-view.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 80 KiB

After

Width:  |  Height:  |  Size: 80 KiB

BIN
windows/keep-secure/images/onboardingstate.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 129 KiB

After

Width:  |  Height:  |  Size: 151 KiB

BIN
windows/keep-secure/images/portal-image.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 178 KiB

After

Width:  |  Height:  |  Size: 178 KiB

101
windows/keep-secure/implement-microsoft-passport-in-your-organization.md
View File

@ -1,6 +1,6 @@
---
title: Implement Windows Hello in your organization (Windows 10)
description: You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello for Business on devices running Windows 10.
title: Implement Microsoft Passport in your organization (Windows 10)
description: You can create a Group Policy or mobile device management (MDM) policy that will implement Microsoft Passport on devices running Windows 10.
ms.assetid: 47B55221-24BE-482D-BD31-C78B22AC06D8
keywords: identity, PIN, biometric, Hello
ms.prod: w10
@ -10,41 +10,39 @@ ms.pagetype: security
author: jdeckerMS
---
# Implement Windows Hello for Business in your organization
# Implement Microsoft Passport in your organization
**Applies to**
- Windows 10
- Windows 10 Mobile
You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello on devices running Windows 10.
> **Important:** The Group Policy setting **Turn on PIN sign-in** does not apply to Windows 10. Use **Windows Hello for Business** policy settings to manage PINs.
You can create a Group Policy or mobile device management (MDM) policy that will implement Microsoft Passport on devices running Windows 10.
> **Important:** The Group Policy setting **Turn on PIN sign-in** does not apply to Windows 10. Use **Microsoft Passport for Work** policy settings to manage PINs.
 
## Group Policy settings for Passport
The following table lists the Group Policy settings that you can configure for Hello use in your workplace. These policy settings are available in both **User configuration** and **Computer Configuration** under **Policies** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Windows Hello for Business**.
The following table lists the Group Policy settings that you can configure for Passport use in your workplace. These policy settings are available in **Computer Configuration** &gt; **Policies** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Microsoft Passport for Work**.
<table>
<tr>
<th colspan="2">Policy</th>
<th>Options</th>
</tr>
<tr>
<td>Use Windows Hello for Business</td>
<td>Use Microsoft Passport for Work</td>
<td></td>
<td>
<p><b>Not configured</b>: Users can provision Windows Hello for Business, which encrypts their domain password.</p>
<p><b>Enabled</b>: Device provisions Windows Hello for Business using keys or certificates for all users.</p>
<p><b>Disabled</b>: Device does not provision Windows Hello for Business for any user.</p>
<p><b>Not configured</b>: Users can provision Passport for Work, which encrypts their domain password.</p>
<p><b>Enabled</b>: Device provisions Passport for Work using keys or certificates for all users.</p>
<p><b>Disabled</b>: Device does not provision Passport for Work for any user.</p>
</td>
</tr>
<tr>
<td>Use a hardware security device</td>
<td></td>
<td>
<p><b>Not configured</b>: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.</p>
<p><b>Enabled</b>: Windows Hello for Business will only be provisioned using TPM.</p>
<p><b>Disabled</b>: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.</p>
<p><b>Not configured</b>: Passport for Work will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.</p>
<p><b>Enabled</b>: Passport for Work will only be provisioned using TPM.</p>
<p><b>Disabled</b>: Passport for Work will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.</p>
</td>
</tr>
<tr>
@ -124,23 +122,23 @@ The following table lists the Group Policy settings that you can configure for H
</td>
</tr>
<tr>
<td><a href="prepare-people-to-use-microsoft-passport.md#BMK_remote">Phone Sign-in</a></td>
<td><a href="prepare-people-to-use-microsoft-passport.md#BMK_remote">Remote Passport</a></td>
<td>
<p>Use Phone Sign-in</p>
<p>Use Remote Passport</p>
<div class="alert"><b>Note</b>  Applies to desktop only. Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.</div>
<div> </div>
</td>
<td>
<p><b>Not configured</b>: Phone sign-in is disabled.</p>
<p><b>Not configured</b>: Remote Passport is disabled.</p>
<p><b>Enabled</b>: Users can use a portable, registered device as a companion device for desktop authentication.</p>
<p><b>Disabled</b>: Phone sign-in is disabled.</p>
<p><b>Disabled</b>: Remote Passport is disabled.</p>
</td>
</tr>
</table>
## MDM policy settings for Passport
The following table lists the MDM policy settings that you can configure for Windows Hello for Business use in your workplace. These MDM policy settings use the [PassportForWork configuration service provider (CSP)](http://go.microsoft.com/fwlink/p/?LinkId=692070).
The following table lists the MDM policy settings that you can configure for Passport use in your workplace. These MDM policy settings use the [PassportForWork configuration service provider (CSP)](http://go.microsoft.com/fwlink/p/?LinkId=692070).
<table>
<tr>
<th colspan="2">Policy</th>
@ -154,9 +152,9 @@ The following table lists the MDM policy settings that you can configure for Win
<td>Device</td>
<td>True</td>
<td>
<p>True: Windows Hello for Business will be provisioned for all users on the device.</p>
<p>False: Users will not be able to provision Windows Hello for Business. </p>
<div class="alert"><b>Note</b>  If Windows Hello for Business is enabled, and then the policy is changed to False, users who previously set up Windows Hello for Business can continue to use it, but will not be able to set up Windows Hello for Business on other devices.</div>
<p>True: Passport will be provisioned for all users on the device.</p>
<p>False: Users will not be able to provision Passport. </p>
<div class="alert"><b>Note</b>  If Passport is enabled, and then the policy is changed to False, users who previously set up Passport can continue to use it, but will not be able to set up Passport on other devices.</div>
<div> </div>
</td>
</tr>
@ -166,8 +164,8 @@ The following table lists the MDM policy settings that you can configure for Win
<td>Device</td>
<td>False</td>
<td>
<p>True: Windows Hello for Business will only be provisioned using TPM.</p>
<p>False: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.</p>
<p>True: Passport will only be provisioned using TPM.</p>
<p>False: Passport will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.</p>
</td>
</tr>
<tr>
@ -178,8 +176,8 @@ The following table lists the MDM policy settings that you can configure for Win
<td>Device </td>
<td>False</td>
<td>
<p>True: Biometrics can be used as a gesture in place of a PIN for domain sign-in.</p>
<p>False: Only a PIN can be used as a gesture for domain sign-in.</p>
<p>True: Biometrics can be used as a gesture in place of a PIN for domain logon.</p>
<p>False: Only a PIN can be used as a gesture for domain logon.</p>
</td>
</tr>
<tr>
@ -278,8 +276,8 @@ The following table lists the MDM policy settings that you can configure for Win
<td>Device or user</td>
<td>False</td>
<td>
<p>True: <a href="prepare-people-to-use-microsoft-passport.md#BMK_remote">Phone sign-in</a> is enabled.</p>
<p>False: <a href="prepare-people-to-use-microsoft-passport.md#BMK_remote">Phone sign-in</a> is disabled.</p>
<p>True: <a href="prepare-people-to-use-microsoft-passport.md#BMK_remote">Remote Passport</a> is enabled.</p>
<p>False: <a href="prepare-people-to-use-microsoft-passport.md#BMK_remote">Remote Passport</a> is disabled.</p>
</td>
</tr>
</table>
@ -289,7 +287,7 @@ If policy is not configured to explicitly require letters or special characters,
 
## Prerequisites
Youll need this software to set Windows Hello for Business policies in your enterprise.
Youll need this software to set Microsoft Passport policies in your enterprise.
<table>
<colgroup>
<col width="25%" />
@ -299,10 +297,10 @@ Youll need this software to set Windows Hello for Business policies in your e
</colgroup>
<thead>
<tr class="header">
<th align="left">Windows Hello for Business mode</th>
<th align="left">Microsoft Passport mode</th>
<th align="left">Azure AD</th>
<th align="left">Active Directory (AD) on-premises (available with production release of Windows Server 2016)</th>
<th align="left">Azure AD/AD hybrid (available with production release of Windows Server 2016)</th>
<th align="left">Active Directory (AD) on-premises (available with production release of Windows Server 2016 Technical Preview)</th>
<th align="left">Azure AD/AD hybrid (available with production release of Windows Server 2016 Technical Preview)</th>
</tr>
</thead>
<tbody>
@ -310,14 +308,14 @@ Youll need this software to set Windows Hello for Business policies in your e
<td align="left">Key-based authentication</td>
<td align="left">Azure AD subscription</td>
<td align="left"><ul>
<li>Active Directory Federation Service (AD FS) (Windows Server 2016)</li>
<li>Active Directory Federation Service (AD FS) (Windows Server 2016 Technical Preview)</li>
<li>A few Windows Server 2016 Technical Preview domain controllers on-site</li>
<li>Microsoft System Center 2012 R2 Configuration Manager SP2</li>
</ul></td>
<td align="left"><ul>
<li>Azure AD subscription</li>
<li>[Azure AD Connect](http://go.microsoft.com/fwlink/p/?LinkId=616792)</li>
<li>A few Windows Server 2016 domain controllers on-site</li>
<li>A few Windows Server 2016 Technical Preview domain controllers on-site</li>
<li>A management solution, such as Configuration Manager, Group Policy, or MDM</li>
<li>Active Directory Certificate Services (AD CS) without Network Device Enrollment Service (NDES)</li>
</ul></td>
@ -330,8 +328,8 @@ Youll need this software to set Windows Hello for Business policies in your e
<li>PKI infrastructure</li>
</ul></td>
<td align="left"><ul>
<li>ADFS (Windows Server 2016)</li>
<li>Active Directory Domain Services (AD DS) Windows Server 2016 schema</li>
<li>ADFS (Windows Server 2016 Technical Preview)</li>
<li>Active Directory Domain Services (AD DS) Windows Server 2016 Technical Preview schema</li>
<li>PKI infrastructure</li>
<li>Configuration Manager SP2, Intune, or non-Microsoft MDM solution</li>
</ul></td>
@ -339,22 +337,20 @@ Youll need this software to set Windows Hello for Business policies in your e
<li>Azure AD subscription</li>
<li>[Azure AD Connect](http://go.microsoft.com/fwlink/p/?LinkId=616792)</li>
<li>AD CS with NDES</li>
<li>Configuration Manager 2016 for domain-joined certificate enrollment, or InTune for non-domain-joined devices, or a non-Microsoft MDM service that supports Passport for Work</li>
<li>Configuration Manager (current branch) or Configuration Manager 2016 Technical Preview for domain-joined certificate enrollment, or InTune for non-domain-joined devices, or a non-Microsoft MDM service that supports Passport for Work</li>
</ul></td>
</tr>
</tbody>
</table>
 
Configuration Manager and MDM provide the ability to manage Windows Hello for Business policy and to deploy and manage certificates protected by Windows Hello for Business.
Configuration Manager and MDM provide the ability to manage Passport policy and to deploy and manage certificates protected by Passport.
Azure AD provides the ability to register devices with your enterprise and to provision Passport for organization accounts.
Active Directory provides the ability to authorize users and devices using keys protected by Passport if domain controllers are running Windows 10 and the Microsoft Passport provisioning service in Windows 10 AD FS.
Azure AD provides the ability to register devices with your enterprise and to provision Windows Hello for Business for organization accounts.
## Passport for BYOD
Active Directory provides the ability to authorize users and devices using keys protected by Windows Hello for Business if domain controllers are running Windows 10 and the Windows Hello for Business provisioning service in Windows 10 AD FS.
## Windows Hello for BYOD
Windows Hello can be managed on personal devices that your employees use for work purposes using MDM. On personal devices, users can create a personal Windows Hello PIN for unlocking the device and a separate work PIN for access to work resources.
The work PIN is managed using the same Windows Hello for Business policies that you can use to manage Windows Hello for Business on organization-owned devices. The personal PIN is managed separately using DeviceLock policy. DeviceLock policy can be used to control length, complexity, history, and expiration requirements and can be configured using the [Policy configuration service provider](http://go.microsoft.com/fwlink/p/?LinkID=623244).
Passport can be managed on personal devices that your employees use for work purposes using MDM. On personal devices, users can create a personal Passport PIN for unlocking the device and a separate work PIN for access to work resources.
The work PIN is managed using the same Passport policies that you can use to manage Passport on organization owned devices. The personal PIN is managed separately using DeviceLock policy. DeviceLock policy can be used to control length, complexity, history, and expiration requirements and can be configured using the [Policy configuration service provider](http://go.microsoft.com/fwlink/p/?LinkID=623244).
## Related topics
@ -362,17 +358,14 @@ The work PIN is managed using the same Windows Hello for Business policies that
[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md)
[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md)
[Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md)
[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md)
[Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md)
[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md)
[Microsoft Passport and password changes](microsoft-passport-and-password-changes.md)
[Windows Hello and password changes](microsoft-passport-and-password-changes.md)
[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md)
[Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md)
[Event ID 300 - Windows Hello successfully created](passport-event-300.md)
[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md)
[Event ID 300 - Passport successfully created](passport-event-300.md)
 

2
windows/keep-secure/implementing-your-windows-firewall-with-advanced-security-design-plan.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
The following are important factors in the implementation of your Windows Firewall with Advanced Security design plan:

12
windows/keep-secure/index.md
View File

@ -16,20 +16,20 @@ Learn about keeping Windows 10 and Windows 10 Mobile secure.
| Topic | Description |
| - | - |
| [Change history for Keep Windows 10 secure](change-history-for-keep-windows-10-secure.md) | This topic lists new and updated topics in the Keep Windows 10 secure documentation for [Windows 10 and Windows 10 Mobile](../index.md). |
| [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) | To help protect your company from attacks which may originate from untrusted or attacker controlled font files, weve created the Blocking Untrusted Fonts feature. Using this feature, you can turn on a global setting that stops your employees from loading untrusted fonts processed using the Graphics Device Interface (GDI) onto your network. Untrusted fonts are any font installed outside of the %windir%/Fonts directory. Blocking untrusted fonts helps prevent both remote (web-based or email-based) and local EOP attacks that can happen during the font file-parsing process. |
| [Device Guard certification and compliance](device-guard-certification-and-compliance.md) | Device Guard is a combination of hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. If the app isnt trusted it cant run, period. It also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code after the computer restarts because of how decisions are made about what can run and when. |
| [Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) | In Windows 10, Windows Hello replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. |
| [Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md) | In Windows 10, Microsoft Passport replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a Windows Hello (biometric) or PIN. |
| [Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) | Windows Hello is the biometric authentication feature that helps strengthen authentication and helps to guard against potential spoofing through fingerprint matching and facial recognition. |
| [Configure S/MIME for Windows 10 and Windows 10 Mobile](configure-s-mime.md) | In Windows 10, S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with. |
| [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md) | Digital certificates bind the identity of a user or computer to a pair of keys that can be used to encrypt and sign digital information. Certificates are issued by a certification authority (CA) that vouches for the identity of the certificate holder, and they enable secure client communications with websites and services. |
| [Device Guard deployment guide](device-guard-deployment-guide.md) | Device Guard is a combination of hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. If the app isnt trusted it cant run, period. It also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code after the computer restarts because of how decisions are made about what can run and when. |
| [Protect derived domain credentials with Credential Guard](credential-guard.md) | Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes and Kerberos Ticket Granting Tickets. |
| [Protect Remote Desktop credentials with Remote Credential Guard](remote-credential-guard.md) | Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that's requesting the connection. |
| [Protect your enterprise data using enterprise data protection (EDP)](protect-enterprise-data-using-edp.md) | With the increase of employee-owned devices in the enterprise, theres also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprises control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage. |
| [Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) | With the increase of employee-owned devices in the enterprise, theres also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprises control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage. |
| [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md) | Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected. |
| [VPN profile options](vpn-profile-options.md) | Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect. |
| [Windows security baselines](windows-security-baselines.md) | Learn why you should use security baselines in your organization. |
| [Security technologies](security-technologies.md) | Learn more about the different security technologies that are available in Windows 10 and Windows 10 Mobile. |
| [Enterprise security guides](windows-10-enterprise-security-guides.md) | Get proven guidance to help you better secure and protect your enterprise by using technologies such as Credential Guard, Device Guard, Microsoft Passport, and Windows Hello. This section offers technology overviews and step-by-step guides. |
| [Change history for Keep Windows 10 secure](change-history-for-keep-windows-10-secure.md) | This topic lists new and updated topics in the Keep Windows 10 secure documentation for [Windows 10 and Windows 10 Mobile](../index.md). |
| [Enterprise security guides](windows-10-enterprise-security-guides.md) | Get proven guidance to help you better secure and protect your enterprise by using technologies such as Credential Guard, Microsoft Passport, and Windows Hello. This section offers technology overviews and step-by-step guides. |
 
## Related topics

4
windows/keep-secure/installing-digital-certificates-on-windows-10-mobile.md
View File

@ -22,10 +22,6 @@ Certificates in Windows 10 Mobile are primarily used for the following purposes
- To authenticate a user to a reverse proxy server that is used to enable Microsoft Exchange ActiveSync (EAS) for email.
- For installation and licensing of applications (from the Windows Phone Store or a custom company distribution site).
**Warning**  
In Windows 10, Version 1607, if you have multiple certificates provisioned on the device and the Wi-Fi profile provisioned does not have a strict filtering criteria, you may see connection failures when connecting to Wi-Fi. [Learn more about this known issue in Version 1607](http://go.microsoft.com/fwlink/p/?LinkId=786764)
## Install certificates using Microsoft Edge
A certificate can be posted on a website and made available to users through a device-accessible URL that they can use to download the certificate. When a user accesses the page and taps the certificate, it opens on the device. The user can inspect the certificate, and if they choose to continue, the certificate is installed on the Windows 10 Mobile device.

2
windows/keep-secure/isolated-domain-gpos.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
All of the devices in the isolated domain are added to the group CG\_DOMISO\_IsolatedDomain. You must create multiple GPOs to align with this group, one for each Windows operating system that must have different rules or settings to implement the basic isolated domain functionality that you have in your isolated domain. This group is granted Read and Apply Group Policy permissions on all the GPOs described in this section.

2
windows/keep-secure/isolated-domain.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
The isolated domain is the primary zone for trusted devices. The devices in this zone use connection security and firewall rules to control the communications that can be sent between devices in the zone.

2
windows/keep-secure/isolating-apps-on-your-network.md
View File

@ -12,7 +12,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
When you add new devices to your network, you may want to customize your Windows Firewall configuration to isolate the network access of the new Windows Store apps that run on them. Developers who build Windows Store apps can declare certain app capabilities that enable different classes of network access. A developer can decide what kind of network access the app requires and configure this capability for the app. When the app is installed on a device, appropriate firewall rules are automatically created to enable access. You can then customize the firewall configuration to further fine-tune this access if they desire more control over the network access for the app.

2
windows/keep-secure/link-the-gpo-to-the-domain.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
After you create the GPO and configure it with security group filters and WMI filters, you must link the GPO to the container in Active Directory that contains all of the target devices.

78
windows/keep-secure/manage-identity-verification-using-microsoft-passport.md
View File

@ -1,87 +1,73 @@
---
title: Manage identity verification using Windows Hello for Business (Windows 10)
description: In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN.
title: Manage identity verification using Microsoft Passport (Windows 10)
description: In Windows 10, Microsoft Passport replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a Windows Hello (biometric) or PIN.
ms.assetid: 5BF09642-8CF5-4FBC-AC9A-5CA51E19387E
keywords: identity, PIN, biometric, Hello, passport
keywords: identity, PIN, biometric, Hello
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
author: jdeckerMS
---
# Manage identity verification using Windows Hello for Business
# Manage identity verification using Microsoft Passport
**Applies to**
- Windows 10
- Windows 10 Mobile
In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN.
In Windows 10, Microsoft Passport replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a Windows Hello (biometric) or PIN.
> **Note:** When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.
Hello addresses the following problems with passwords:
Passport addresses the following problems with passwords:
- Passwords can be difficult to remember, and users often reuse passwords on multiple sites.
- Server breaches can expose symmetric network credentials.
- Passwords can be subject to [replay attacks](http://go.microsoft.com/fwlink/p/?LinkId=615673).
- Users can inadvertently expose their passwords due to [phishing attacks](http://go.microsoft.com/fwlink/p/?LinkId=615674).
Hello lets users authenticate to:
Passport lets users authenticate to:
- a Microsoft account.
- an Active Directory account.
- a Microsoft Azure Active Directory (AD) account.
- Identity Provider Services or Relying Party Services that support [Fast ID Online (FIDO) v2.0](http://go.microsoft.com/fwlink/p/?LinkId=533889) authentication
After an initial two-step verification of the user during enrollment, Hello is set up on the user's device and the user is asked to set a gesture, which can be a biometric, such as a fingerprint, or a PIN. The user provides the gesture to verify their identity. Windows then uses Hello to authenticate users and help them to access protected resources and services.
After an initial two-step verification of the user during Passport enrollment, Passport is set up on the user's device and the user is asked to set a gesture, which can be Windows Hello or a PIN. The user provides the gesture to verify their identity. Windows then uses Passport to authenticate users and help them to access protected resources and services.
As an administrator in an enterprise or educational organization, you can create policies to manage Hello use on Windows 10-based devices that connect to your organization.
As an administrator in an enterprise or educational organization, you can create policies to manage Passport use on Windows 10-based devices that connect to your organization.
## The difference between Windows Hello and Windows Hello for Business
- Individuals can create a PIN or biometric gesture on their personal devices for convenient sign-in. This use of Hello provides a layer of protection by being unique to the device on which it is set up, however it is not backed by key-based or certificate-based authentication.
- Windows Hello for Business, which is configured by Group Policy or MDM policy, uses key-based or certificate-based authentication.
## Benefits of Windows Hello
## Benefits of Microsoft Passport
Reports of identity theft and large-scale hacking are frequent headlines. Nobody wants to be notified that their user name and password have been exposed.
You may wonder [how a PIN can help protect a device better than a password](why-a-pin-is-better-than-a-password.md). Passwords are shared secrets; they are entered on a device and transmitted over the network to the server. An intercepted account name and password can be used by anyone. Because they're stored on the server, a server breach can reveal those stored credentials.
In Windows 10, Hello replaces passwords. The Hello provisioning process creates two cryptographic keys bound to the Trusted Platform Module (TPM), if a device has a TPM, or in software. Access to these keys and obtaining a signature to validate user possession of the private key is enabled only by the PIN or biometric gesture. The two-step verification that takes place during Hello enrollment creates a trusted relationship between the identity provider and the user when the public portion of the public/private key pair is sent to an identity provider and associated with a user account. When a user enters the gesture on the device, the identify provider knows from the combination of Hello keys and gesture that this is a verified identity and provides an authentication token that allows Windows 10 to access resources and services. In addition, during the registration process, the attestation claim is produced for every identity provider to cryptographically prove that the Hello keys are tied to TPM. During registration, when the attestation claim is not presented to the identity provider, the identity provider must assume that the Hello key is created in software.
In Windows 10, Passport replaces passwords. The Passport provisioning process creates two cryptographic keys bound to the Trusted Platform Module (TPM), if a device has a TPM, or in software. Access to these keys and obtaining a signature to validate user possession of the private key is enabled only by the PIN or biometric gesture. The two-step verification that takes place during Passport enrollment creates a trusted relationship between the identity provider and the user when the public portion of the public/private key pair is sent to an identity provider and associated with a user account. When a user enters the gesture on the device, the identify provider knows from the combination of Passport keys and gesture that this is a verified identity and provides an authentication token that allows Windows 10 to access resources and services. In addition, during the registration process, the attestation claim is produced for every identity provider to cryptographically prove that the Passport keys are tied to TPM. During registration, when the attestation claim is not presented to the identity provider, the identity provider must assume that the Passport key is created in software.
![how authentication works in windows hello](images/authflow.png)
![how authentication works in microsoft passport](images/authflow.png)
Imagine that someone is looking over your shoulder as you get money from an ATM and sees the PIN that you enter. Having that PIN won't help them access your account because they don't have your ATM card. In the same way, learning your PIN for your device doesn't allow that attacker to access your account because the PIN is local to your specific device and doesn't enable any type of authentication from any other device.
Hello helps protect user identities and user credentials. Because no passwords are used, it helps circumvent phishing and brute force attacks. It also helps prevent server breaches because Hello credentials are an asymmetric key pair, which helps prevent replay attacks when these keys are generated within isolated environments of TPMs.
Hello also enables Windows 10 Mobile devices to be used as [a remote credential](prepare-people-to-use-microsoft-passport.md#bmk-remote) when signing into Windows 10 PCs. During the sign-in process, the Windows 10 PC can connect using Bluetooth to access Hello on the users Windows 10 Mobile device. Because users carry their phone with them, Hello makes implementing two-factor authentication across the enterprise less costly and complex than other solutions.
Passport helps protect user identities and user credentials. Because no passwords are used, it helps circumvent phishing and brute force attacks. It also helps prevent server breaches because Passport credentials are an asymmetric key pair, which helps prevent replay attacks when these keys are generated within isolated environments of TPMs.
Microsoft Passport also enables Windows 10 Mobile devices to be used as [a remote credential](prepare-people-to-use-microsoft-passport.md#bmk-remote) when signing into Windows 10 PCs. During the sign-in process, the Windows 10 PC can connect using Bluetooth to access Microsoft Passport on the users Windows 10 Mobile device. Because users carry their phone with them, Microsoft Passport makes implementing two-factor authentication across the enterprise less costly and complex than other solutions.
> **Note:**  Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
 
## How Windows Hello for Business works: key points
## How Microsoft Passport works: key points
- Hello credentials are based on certificate or asymmetrical key pair. Hello credentials are bound to the device, and the token that is obtained using the credential is also bound to the device.
- Identify provider (such as Active Directory, Azure AD, or a Microsoft account) validates user identity and maps Hello's public key to a user account during the registration step.
- Passport credentials are based on certificate or asymmetrical key pair. Passport credentials are bound to the device, and the token that is obtained using the credential is also bound to the device.
- Identify provider (such as Active Directory, Azure AD, or a Microsoft account) validates user identity and maps Microsoft Passport's public key to a user account during the registration step.
- Keys can be generated in hardware (TPM 1.2 or 2.0 for enterprises, and TPM 2.0 for consumers) or software, based on the policy.
- Authentication is the two-factor authentication with the combination of a key or certificate tied to a device and something that the person knows (a PIN) or something that the person is (Windows Hello). The Hello gesture does not roam between devices and is not shared with the server; it is stored locally on a device.
- Authentication is the two-factor authentication with the combination of a key or certificate tied to a device and something that the person knows (a PIN) or something that the person is (Windows Hello). The Passport gesture does not roam between devices and is not shared with the server; it is stored locally on a device.
- Private key never leaves a device. The authenticating server has a public key that is mapped to the user account during the registration process.
- PIN entry and biometric gesture both trigger Windows 10 to verify the user's identity and authenticate using Hello keys or certificates.
- Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. All keys are separated by identity providers' domains to help ensure user privacy.
- Certificates are added to the Hello container and are protected by the Hello gesture.
- PIN entry and Hello both trigger Windows 10 to verify the user's identity and authenticate using Passport keys or certificates.
- Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use separate containers for keys. Non-Microsoft identity providers can generate keys for their users in the same container as the Microsoft account; however, all keys are separated by identity providers' domains to help ensure user privacy.
- Certificates are added to the Passport container and are protected by the Passport gesture.
- Windows Update behavior: After a reboot is required by Windows Update, the last interactive user is automatically signed on without any user gesture and the session is locked so the user's lock screen apps can run.
## Comparing key-based and certificate-based authentication
Windows Hello for Business can use either keys (hardware or software) or certificates with keys in hardware or software to confirm identity. Enterprises that have a public key infrastructure (PKI) for issuing and managing certificates can continue to use PKI in combination with Hello. Enterprises that do not use PKI or want to reduce the effort associated with managing certificates can rely on key-based credentials for Hello.
Passport can use either keys (hardware or software) or certificates with keys in hardware or software to confirm identity. Enterprises that have a public key infrastructure (PKI) for issuing and managing certificates can continue to use PKI in combination with Passport. Enterprises that do not use PKI or want to reduce the effort associated with managing certificates can rely on key-based credentials for Passport.
Hardware-based keys, which are generated by TPM, provide the highest level of assurance. When the TPM is manufactured, an Endorsement Key (EK) certificate is resident in the TPM. This EK certificate creates a root trust for all other keys that are generated on this TPM.
EK certification is used to generate an attestation identity key (AIK) certificate issued by a Microsoft certificate authority. This AIK certificate can be used as an attestation claim to prove to identity providers that the Hello keys are generated on the same TPM. The Microsoft certificate authority (CA) generates the AIK certificate per device, per user, and per IDP to help ensure that user privacy is protected.
EK certification is used to generate an attestation identity key (AIK) certificate issued by a Microsoft certificate authority. This AIK certificate can be used as an attestation claim to prove to identity providers that the Passport keys are generated on the same TPM. The Microsoft certificate authority (CA) generates the AIK certificate per device, per user, and per IDP to help ensure that user privacy is protected.
When identity providers such as Active Directory or Azure AD enroll a certificate in Hello, Windows 10 will support the same set of scenarios as a smart card. When the credential type is a key, only key-based trust and operations will be supported.
When identity providers such as Active Directory or Azure AD enroll a certificate in Passport, Windows 10 will support the same set of scenarios as a smart card. When the credential type is a key, only key-based trust and operations will be supported.
## Learn more
@ -103,19 +89,15 @@ When identity providers such as Active Directory or Azure AD enroll a certificat
## Related topics
[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md)
[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md)
[Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md)
[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md)
[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md)
[Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md)
[Windows Hello and password changes](microsoft-passport-and-password-changes.md)
[Microsoft Passport and password changes](microsoft-passport-and-password-changes.md)
[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md)
[Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md)
[Event ID 300 - Windows Hello successfully created](passport-event-300.md)
[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md)
 
[Event ID 300 - Passport successfully created](passport-event-300.md)
 

2
windows/keep-secure/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md
View File

@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2016 Technical Preview
After you finish reviewing the existing Windows Firewall with Advanced Security deployment goals and you determine which goals are important to your specific deployment, you can map those goals to a specific Windows Firewall with Advanced Security design.

25
windows/keep-secure/microsoft-passport-and-password-changes.md
View File

@ -1,6 +1,6 @@
---
title: Windows Hello and password changes (Windows 10)
description: When you change your password on a device, you may need to sign in with a password on other devices to reset Hello.
title: Microsoft Passport and password changes (Windows 10)
description: When you set up Microsoft Passport, the PIN or biometric (Windows Hello) gesture that you use is specific to that device.
ms.assetid: 83005FE4-8899-47A6-BEA9-C17CCA0B6B55
ms.prod: w10
ms.mktglfcycl: deploy
@ -14,17 +14,17 @@ author: jdeckerMS
- Windows 10
- Windows 10 Mobile
When you set up Windows Hello, the PIN or biometric gesture that you use is specific to that device. You can set up Hello for the same account on multiple devices. If the PIN or biometric is configured as part of Windows Hello for Business, changing the account password will not impact sign-in or unlock with these gestures since it uses a key or certificate. However, if Windows Hello for Business is not deployed and the password for that account changes, you must provide the new password on each device to continue to use Hello.
When you set up Microsoft Passport, the PIN or biometric (Windows Hello) gesture that you use is specific to that device. You can set up Passport for the same account on multiple devices. If the PIN or biometric is configured as part of a Microsoft Passport for Work, changing the account password will not impact sign-in or unlock with these gestures since it uses a key or certificate. However, if Microsoft Passport for Work is not deployed and the password for that account changes, you must provide the new password on each device to continue to use Passport.
## Example
Let's suppose that you have set up a PIN for your Microsoft account on **Device A**. You use your PIN to sign in on **Device A** and then change the password for your Microsoft account.
Because you were using **Device A** when you changed your password, the PIN on **Device A** will continue to work with no other action on your part.
Suppose instead that you sign in on **Device B** and change your password for your Microsoft account. The next time that you try to sign in on **Device A** using your PIN, sign-in will fail because the account credentials that Hello on **Device A** knows will be outdated.
> **Note:**  This example also applies to an Active Directory account when [Windows Hello for Business is not implemented](implement-microsoft-passport-in-your-organization.md).
Suppose instead that you sign in on **Device B** and change your password for your Microsoft account. The next time that you try to sign in on **Device A** using your PIN, sign-in will fail because the account credentials that Passport on **Device A** knows will be outdated.
> **Note:**  This example also applies to an Active Directory account when [Passport for Work is not implemented](implement-microsoft-passport-in-your-organization.md).
 
## How to update Hello after you change your password on another device
## How to update Passport after you change your password on another device
1. When you try to sign in using your PIN or biometric, you will see the following message: **Your password was changed on a different device. You must sign in to this device once with your new password, and then you can sign in with your PIN.**
2. Click **OK.**
@ -35,19 +35,16 @@ Suppose instead that you sign in on **Device B** and change your password for yo
## Related topics
[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md)
[Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md)
[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md)
[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md)
[Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md)
[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md)
[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md)
[Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md)
[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md)
[Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md)
[Event ID 300 - Windows Hello successfully created](passport-event-300.md)
[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md)
[Event ID 300 - Passport successfully created](passport-event-300.md)
 

22
windows/keep-secure/microsoft-passport-errors-during-pin-creation.md
View File

@ -1,6 +1,6 @@
---
title: Windows Hello errors during PIN creation (Windows 10)
description: When you set up Windows Hello in Windows 10, you may get an error during the Create a work PIN step.
title: Microsoft Passport errors during PIN creation (Windows 10)
description: When you set up Microsoft Passport in Windows 10, you may get an error during the Create a work PIN step.
ms.assetid: DFEFE22C-4FEF-4FD9-BFC4-9B419C339502
keywords: PIN, error, create a work PIN
ms.prod: w10
@ -10,13 +10,13 @@ ms.pagetype: security
author: jdeckerMS
---
# Windows Hello errors during PIN creation
# Microsoft Passport errors during PIN creation
**Applies to**
- Windows 10
- Windows 10 Mobile
When you set up Windows Hello in Windows 10, you may get an error during the **Create a work PIN** step. This topic lists some of the error codes with recommendations for mitigating the problem. If you get an error code that is not listed here, contact Microsoft Support.
When you set up Microsoft Passport in Windows 10, you may get an error during the **Create a work PIN** step. This topic lists some of the error codes with recommendations for mitigating the problem. If you get an error code that is not listed here, contact Microsoft Support.
## Where is the error code?
@ -221,18 +221,14 @@ For errors listed in this table, contact Microsoft Support for assistance.
## Related topics
[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md)
[Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md)
[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md)
[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md)
[Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md)
[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md)
[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md)
[Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md)
[Windows Hello and password changes](microsoft-passport-and-password-changes.md)
[Microsoft Passport and password changes](microsoft-passport-and-password-changes.md)
[Event ID 300 - Windows Hello successfully created](passport-event-300.md)
[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md)
[Event ID 300 - Passport successfully created](passport-event-300.md)

2
windows/keep-secure/microsoft-passport-guide.md
View File

@ -101,7 +101,7 @@ Microsoft Passport offers four significant advantages over the current state of
**Its flexible**
Microsoft Passport offers unprecedented flexibility. Although the format and use of reusable passwords are fixed, Microsoft Passport gives both administrators and users options to manage authentication. First and foremost, Microsoft Passport works with both biometric identifiers and PINs, so users credentials are protected even on devices that dont support biometrics. Users can even use their phone to release their credentials instead of a PIN or biometric gesture on the main device. Microsoft Passport seamlessly takes advantage of the hardware of the devices in use; as users upgrade to newer devices, Microsoft Passport is ready to use them, and organizations can upgrade existing devices by adding biometric sensors where appropriate.
Microsoft Passport offers flexibility in the datacenter, too. To deploy it, in some modes you must add Windows Server 2016 domain controllers to your Active Directory environment, but you dont have to replace or remove your existing Active Directory servers — the servers required for Microsoft Passport build on and add capability to your existing infrastructure. You dont have to change the domain or forest functional level, and you can either add on-premises servers or use Microsoft Azure Active Directory to deploy Microsoft Passport on your network. The choice of which users you should enable for Microsoft Passport use is completely up to you: you choose the policies and devices to support and which authentication factors you want users to have access to. This makes it easy to use Microsoft Passport to supplement existing smart card or token deployments by adding strong credential protection to users who dont currently have it or to deploy Microsoft Passport in scenarios that call for extra protection for sensitive resources or systems (described in the [Design a Microsoft Passport deployment](#design) section).
Microsoft Passport offers flexibility in the datacenter, too. To deploy it, in some modes you must add Windows Server 2016 Technical Preview domain controllers to your Active Directory environment, but you dont have to replace or remove your existing Active Directory servers — the servers required for Microsoft Passport build on and add capability to your existing infrastructure. You dont have to change the domain or forest functional level, and you can either add on-premises servers or use Microsoft Azure Active Directory to deploy Microsoft Passport on your network. The choice of which users you should enable for Microsoft Passport use is completely up to you: you choose the policies and devices to support and which authentication factors you want users to have access to. This makes it easy to use Microsoft Passport to supplement existing smart card or token deployments by adding strong credential protection to users who dont currently have it or to deploy Microsoft Passport in scenarios that call for extra protection for sensitive resources or systems (described in the [Design a Microsoft Passport deployment](#design) section).
**Its standardized**

Some files were not shown because too many files have changed in this diff Show More