diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index 4d18fb5f5c..a5080b3900 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md 
@@ -1,34 +1,39 @@ # [Keep Windows 10 secure](index.md) +## [Change history for Keep Windows 10 secure](change-history-for-keep-windows-10-secure.md) ## [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) -## [Device Guard certification and compliance](device-guard-certification-and-compliance.md) -### [Get apps to run on Device Guard-protected devices](getting-apps-to-run-on-device-guard-protected-devices.md) -### [Create a Device Guard code integrity policy based on a reference device](creating-a-device-guard-policy-for-signed-apps.md) -## [Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) -### [Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) -### [Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md) +## [Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md) +### [Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md) ### [Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) -### [Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md) -### [Windows Hello and password changes](microsoft-passport-and-password-changes.md) -### [Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) -### [Event ID 300 - Windows Hello successfully created](passport-event-300.md) -### [Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) +### [Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md) +### [Microsoft Passport and password changes](microsoft-passport-and-password-changes.md) +### [Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) +### [Event ID 300 - Passport successfully 
created](passport-event-300.md) +## [Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) ## [Configure S/MIME for Windows 10 and Windows 10 Mobile](configure-s-mime.md) ## [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md) +## [Device Guard deployment guide](device-guard-deployment-guide.md) +### [Introduction to Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md) +### [Requirements and deployment planning guidelines for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md) +### [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md) +### [Deploy Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md) +#### [Optional: Create a code signing certificate for code integrity policies](optional-create-a-code-signing-certificate-for-code-integrity-policies.md) +#### [Deploy code integrity policies: policy rules and file rules](deploy-code-integrity-policies-policy-rules-and-file-rules.md) +#### [Deploy code integrity policies: steps](deploy-code-integrity-policies-steps.md) +#### [Deploy catalog files to support code integrity policies](deploy-catalog-files-to-support-code-integrity-policies.md) +### [Deploy Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md) ## [Protect derived domain credentials with Credential Guard](credential-guard.md) -## [Protect Remote Desktop credentials with Remote Credential Guard](remote-credential-guard.md) -## [Protect your enterprise data using enterprise data protection (EDP)](protect-enterprise-data-using-edp.md) -### [Create an enterprise data protection (EDP) policy](overview-create-edp-policy.md) -#### [Create an enterprise data 
protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) -##### [Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md) -##### [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md) -##### [Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune](create-vpn-and-edp-policy-using-intune.md) -#### [Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) +## [Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) +### [Create a Windows Information Protection (WIP) policy](overview-create-wip-policy.md) +#### [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) +##### [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) +##### [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md) +##### [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md) +#### [Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) #### [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) -### [General guidance and best practices for enterprise data protection (EDP)](guidance-and-best-practices-edp.md) -#### [Windows Information Protection (WIP) overview](wip-enterprise-overview.md) +### [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md) #### [Mandatory tasks and settings required to 
turn on Windows Information Protection (WIP)](mandatory-settings-for-wip.md) -#### [Enlightened apps for use with enterprise data protection (EDP)](enlightened-microsoft-apps-and-edp.md) -#### [Testing scenarios for enterprise data protection (EDP)](testing-scenarios-for-edp.md) +#### [Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md) +#### [Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md) ## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md) ## [VPN profile options](vpn-profile-options.md) ## [Windows security baselines](windows-security-baselines.md) 
@@ -704,13 +709,8 @@ ##### [Investigate a domain](investigate-domain-windows-defender-advanced-threat-protection.md) ##### [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md) #### [Windows Defender ATP settings](settings-windows-defender-advanced-threat-protection.md) -#### [Configure SIEM tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md) -##### [Configure an Azure Active Directory application for SIEM integration](configure-aad-windows-defender-advanced-threat-protection.md) -##### [Configure Splunk to consume Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md) -##### [Configure HP ArcSight to consume Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) #### [Troubleshoot Windows Defender ATP](troubleshoot-windows-defender-advanced-threat-protection.md) #### [Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md) -#### [Windows Defender compatibility](defender-compatibility-windows-defender-advanced-threat-protection.md) ### [Windows Defender in Windows 10](windows-defender-in-windows-10.md) #### [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md) #### [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md) 
@@ -827,8 +827,6 @@ ###### [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md) ## [Enterprise security guides](windows-10-enterprise-security-guides.md) ### [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md) -### [Device Guard deployment guide](device-guard-deployment-guide.md) ### [Microsoft Passport guide](microsoft-passport-guide.md) ### [Windows 10 Mobile security guide](windows-10-mobile-security-guide.md) ### [Windows 10 security overview](windows-10-security-guide.md) -## [Change history for Keep Windows 10 secure](change-history-for-keep-windows-10-secure.md) diff --git a/windows/keep-secure/add-production-devices-to-the-membership-group-for-a-zone.md b/windows/keep-secure/add-production-devices-to-the-membership-group-for-a-zone.md index 69108c1fcc..fc07133c99 100644 --- a/windows/keep-secure/add-production-devices-to-the-membership-group-for-a-zone.md +++ b/windows/keep-secure/add-production-devices-to-the-membership-group-for-a-zone.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview After you test the GPOs for your design on a small set of devices, you can deploy them to the production devices. diff --git a/windows/keep-secure/add-test-devices-to-the-membership-group-for-a-zone.md b/windows/keep-secure/add-test-devices-to-the-membership-group-for-a-zone.md index 11b782d3f8..f5f2edf9d6 100644 --- a/windows/keep-secure/add-test-devices-to-the-membership-group-for-a-zone.md +++ b/windows/keep-secure/add-test-devices-to-the-membership-group-for-a-zone.md 
@@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview Before you deploy your rules to large numbers of devices, you must thoroughly test the rules to make sure that communications are working as expected. A misplaced WMI filter or an incorrectly typed IP address in a filter list can easily block communications between devices. Although we recommend that you set your rules to request mode until testing and deployment is complete, we also recommend that you initially deploy the rules to a small number of devices only to be sure that the correct GPOs are being processed by each device. diff --git a/windows/keep-secure/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md b/windows/keep-secure/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md index f567285c1b..f72093bb1e 100644 --- a/windows/keep-secure/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md +++ b/windows/keep-secure/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview You can import an XML file containing customized registry preferences into a Group Policy Object (GPO) by using the Preferences feature of the Group Policy Management Console (GPMC). diff --git a/windows/keep-secure/assign-security-group-filters-to-the-gpo.md b/windows/keep-secure/assign-security-group-filters-to-the-gpo.md index d70e138887..f6dcdfddf4 100644 --- a/windows/keep-secure/assign-security-group-filters-to-the-gpo.md +++ b/windows/keep-secure/assign-security-group-filters-to-the-gpo.md 
@@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview To make sure that your GPO is applied to the correct computers, use the Group Policy Management MMC snap-in to assign security group filters to the GPO. diff --git a/windows/keep-secure/basic-firewall-policy-design.md b/windows/keep-secure/basic-firewall-policy-design.md index bbc34eda26..3863b0cf74 100644 --- a/windows/keep-secure/basic-firewall-policy-design.md +++ b/windows/keep-secure/basic-firewall-policy-design.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview Many organizations have a network perimeter firewall that is designed to prevent the entry of malicious traffic in to the organization's network, but do not have a host-based firewall enabled on each device in the organization. diff --git a/windows/keep-secure/boundary-zone-gpos.md b/windows/keep-secure/boundary-zone-gpos.md index 550aa7e934..66865b93a6 100644 --- a/windows/keep-secure/boundary-zone-gpos.md +++ b/windows/keep-secure/boundary-zone-gpos.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview All the devices in the boundary zone are added to the group CG\_DOMISO\_Boundary. You must create multiple GPOs to align with this group, one for each operating system that you have in your boundary zone. This group is granted Read and Apply permissions in Group Policy on the GPOs described in this section. diff --git a/windows/keep-secure/boundary-zone.md b/windows/keep-secure/boundary-zone.md index da0878002d..b44e15fdc1 100644 --- a/windows/keep-secure/boundary-zone.md +++ b/windows/keep-secure/boundary-zone.md 
@@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview In most organizations, some devices must be able to receive network traffic from devices that are not part of the isolated domain, and therefore cannot authenticate. To accept communications from untrusted devices, create a boundary zone within your isolated domain. @@ -60,4 +60,4 @@ The boundary zone GPO for devices running at least Windows Server 2008 should i >**Note:**  For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) -**Next:**[Encryption Zone](encryption-zone.md) +**Next: **[Encryption Zone](encryption-zone.md) diff --git a/windows/keep-secure/certificate-based-isolation-policy-design-example.md b/windows/keep-secure/certificate-based-isolation-policy-design-example.md index 0c3612bef6..8b5e59db2e 100644 --- a/windows/keep-secure/certificate-based-isolation-policy-design-example.md +++ b/windows/keep-secure/certificate-based-isolation-policy-design-example.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview This design example continues to use the fictitious company Woodgrove Bank, as described in the sections [Firewall Policy Design Example](firewall-policy-design-example.md), [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md), and [Server Isolation Policy Design Example](server-isolation-policy-design-example.md). diff --git a/windows/keep-secure/certificate-based-isolation-policy-design.md b/windows/keep-secure/certificate-based-isolation-policy-design.md index 6a1a244f5c..8d0483f776 100644 --- a/windows/keep-secure/certificate-based-isolation-policy-design.md +++ b/windows/keep-secure/certificate-based-isolation-policy-design.md 
@@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview In the certificate-based isolation policy design, you provide the same types of protections to your network traffic as described in the [Domain Isolation Policy Design](domain-isolation-policy-design.md) and [Server Isolation Policy Design](server-isolation-policy-design.md) sections. The only difference is the method used to share identification credentials during the authentication of your network traffic. diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index 1b0dc4f144..9ffa767e4b 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md 
@@ -12,21 +12,15 @@ author: brianlic-msft # Change history for Keep Windows 10 secure This topic lists new and updated topics in the [Keep Windows 10 secure](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md). -## RELEASE: Windows 10, version 1607 - -The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). The following new topics have been added: - -- [Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md) -- [Remote Credential Guard](remote-credential-guard.md) - ## July 2016 |New or changed topic | Description | |----------------------|-------------| +|[Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) |Updated various topics throughout this section for new name and new UI in Microsoft Intune and System Center Configuration Manager. | |[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) |New | |[Mandatory settings for Windows Information Protection (WIP)](mandatory-settings-for-wip.md) |New | -|[Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) |New | -|[Create an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) |New | +|[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |New | +|[Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) |New | |[Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) (multiple topics) | Updated | |[Device Guard deployment guide](device-guard-deployment-guide.md) (multiple topics) | Updated | 
@@ -35,7 +29,7 @@ The topics in this library have been updated for Windows 10, version 1607 (also |New or changed topic | Description | |----------------------|-------------| -|[Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) |Added an update about needing to reconfigure your enterprise data protection app rules after delivery of the June service update. | +|[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Added an update about needing to reconfigure your Windows Information Protection app rules after delivery of the June service update. | | [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md) (multiple topics) | New | | [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) (mutiple topics) | New security monitoring reference topics | | [Windows security baselines](windows-security-baselines.md) | New | 
@@ -47,8 +41,8 @@ The topics in this library have been updated for Windows 10, version 1607 (also | [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md) | Changed Internet Explorer to Microsoft Edge | | [Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) | Added errors 0x80090029 and 0x80070057, and merged entries for error 0x801c03ed. | | [Microsoft Passport guide](microsoft-passport-guide.md) | Updated Roadmap section content | -|[Protect your enterprise data using enterprise data protection (EDP)](protect-enterprise-data-using-edp.md) |Updated info based on changes to the features and functionality.| -| [User Account Control Group Policy and registry key settings](user-account-control-group-policy-and-registry-key-settings.md) | Updated for Windows 10 and Windows Server 2016 | +|[Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) |Updated info based on changes to the features and functionality.| +| [User Account Control Group Policy and registry key settings](user-account-control-group-policy-and-registry-key-settings.md) | Updated for Windows 10 and Windows Server 2016 Technical Preview | |[Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) (mutiple topics) | New | ## April 2016 
@@ -63,7 +57,7 @@ The topics in this library have been updated for Windows 10, version 1607 (also |New or changed topic | Description | |----------------------|-------------| |[Requirements to use AppLocker](requirements-to-use-applocker.md) |Added that MDM can be used to manage any edition of Windows 10. Windows 10 Enterprise or Windows Server 2016 Technical Preview is required to manage AppLocker by using Group Policy.| -|[Protect your enterprise data using enterprise data protection (EDP)](protect-enterprise-data-using-edp.md) |Added pre-release content about how to set up and deploy enterprise data protection (EDP) in an enterprise environment.| +|[Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) |Added pre-release content about how to set up and deploy Windows Information Protection (WIP) in an enterprise environment.| ## February 2016 diff --git a/windows/keep-secure/change-rules-from-request-to-require-mode.md b/windows/keep-secure/change-rules-from-request-to-require-mode.md index 747345df41..156957d053 100644 --- a/windows/keep-secure/change-rules-from-request-to-require-mode.md +++ b/windows/keep-secure/change-rules-from-request-to-require-mode.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview After you confirm that network traffic is being correctly protected by using IPsec, you can change the rules for the domain isolation and encryption zones to require, instead of request, authentication. Do not change the rules for the boundary zone; they must stay in request mode so that devices in the boundary zone can continue to accept connections from devices that are not part of the isolated domain. diff --git a/windows/keep-secure/checklist-configuring-basic-firewall-settings.md b/windows/keep-secure/checklist-configuring-basic-firewall-settings.md index af8be53831..979ef0e243 100644 
--- a/windows/keep-secure/checklist-configuring-basic-firewall-settings.md +++ b/windows/keep-secure/checklist-configuring-basic-firewall-settings.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview This checklist includes tasks for configuring a GPO with firewall defaults and settings that are separate from the rules. diff --git a/windows/keep-secure/checklist-configuring-rules-for-an-isolated-server-zone.md b/windows/keep-secure/checklist-configuring-rules-for-an-isolated-server-zone.md index 5385c20f4d..a3cd9303ca 100644 --- a/windows/keep-secure/checklist-configuring-rules-for-an-isolated-server-zone.md +++ b/windows/keep-secure/checklist-configuring-rules-for-an-isolated-server-zone.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs for servers in an isolated server zone that are part of an isolated domain. For information about creating a standalone isolated server zone that is not part of an isolated domain, see [Checklist: Implementing a Standalone Server Isolation Policy Design](checklist-implementing-a-standalone-server-isolation-policy-design.md). diff --git a/windows/keep-secure/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md b/windows/keep-secure/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md index 996a84ad21..f954a6f45e 100644 --- a/windows/keep-secure/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md +++ b/windows/keep-secure/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md 
@@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs for servers in a standalone isolated server zone that is not part of an isolated domain. In addition to requiring authentication and optionally encryption, servers in a server isolation zone are accessible only by users or devices that are authenticated as members of a network access group (NAG). The GPOs described here apply only to the isolated servers, not to the client devices that connect to them. For the GPOs for the client devices, see [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md). diff --git a/windows/keep-secure/checklist-configuring-rules-for-the-boundary-zone.md b/windows/keep-secure/checklist-configuring-rules-for-the-boundary-zone.md index 93506e5368..898aff61c0 100644 --- a/windows/keep-secure/checklist-configuring-rules-for-the-boundary-zone.md +++ b/windows/keep-secure/checklist-configuring-rules-for-the-boundary-zone.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs to implement the boundary zone in an isolated domain. diff --git a/windows/keep-secure/checklist-configuring-rules-for-the-encryption-zone.md b/windows/keep-secure/checklist-configuring-rules-for-the-encryption-zone.md index aba8c91407..8bf35ebe8e 100644 --- a/windows/keep-secure/checklist-configuring-rules-for-the-encryption-zone.md +++ b/windows/keep-secure/checklist-configuring-rules-for-the-encryption-zone.md 
@@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs to implement the encryption zone in an isolated domain. diff --git a/windows/keep-secure/checklist-configuring-rules-for-the-isolated-domain.md b/windows/keep-secure/checklist-configuring-rules-for-the-isolated-domain.md index 4533b51003..41375ddbad 100644 --- a/windows/keep-secure/checklist-configuring-rules-for-the-isolated-domain.md +++ b/windows/keep-secure/checklist-configuring-rules-for-the-isolated-domain.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs to implement the main zone in the isolated domain. diff --git a/windows/keep-secure/checklist-creating-group-policy-objects.md b/windows/keep-secure/checklist-creating-group-policy-objects.md index 207e94a1a5..b846638c4e 100644 --- a/windows/keep-secure/checklist-creating-group-policy-objects.md +++ b/windows/keep-secure/checklist-creating-group-policy-objects.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview To deploy firewall or IPsec settings or firewall or connection security rules, we recommend that you use Group Policy in AD DS. This section describes a tested, efficient method that requires some up-front work, but serves an administrator well in the long run by making GPO assignments as easy as dropping a device into a membership group. diff --git a/windows/keep-secure/checklist-creating-inbound-firewall-rules.md b/windows/keep-secure/checklist-creating-inbound-firewall-rules.md index bf0e277be4..16681cba2a 100644 --- a/windows/keep-secure/checklist-creating-inbound-firewall-rules.md 
+++ b/windows/keep-secure/checklist-creating-inbound-firewall-rules.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview This checklist includes tasks for creating firewall rules in your GPOs. diff --git a/windows/keep-secure/checklist-creating-outbound-firewall-rules.md b/windows/keep-secure/checklist-creating-outbound-firewall-rules.md index 9187d83a88..22b8d892c8 100644 --- a/windows/keep-secure/checklist-creating-outbound-firewall-rules.md +++ b/windows/keep-secure/checklist-creating-outbound-firewall-rules.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview This checklist includes tasks for creating outbound firewall rules in your GPOs. diff --git a/windows/keep-secure/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md b/windows/keep-secure/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md index febc811262..bd5a21cdb8 100644 --- a/windows/keep-secure/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md +++ b/windows/keep-secure/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview This checklist includes tasks for configuring connection security rules and IPsec settings in the GPOs for client devices that must connect to servers in an isolated server zone. diff --git a/windows/keep-secure/checklist-implementing-a-basic-firewall-policy-design.md b/windows/keep-secure/checklist-implementing-a-basic-firewall-policy-design.md index 0e170e2c53..f72a945895 100644 --- a/windows/keep-secure/checklist-implementing-a-basic-firewall-policy-design.md +++ b/windows/keep-secure/checklist-implementing-a-basic-firewall-policy-design.md 
@@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview This parent checklist includes cross-reference links to important concepts about the basic firewall policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design. @@ -26,7 +26,7 @@ The procedures in this section use the Group Policy MMC snap-in interfaces to co | Task | Reference | | - | - | | Review important concepts and examples for the basic firewall policy design to determine if this design meets the needs of your organization. | [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
[Basic Firewall Policy Design](basic-firewall-policy-design.md)
[Firewall Policy Design Example](firewall-policy-design-example.md)
[Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md)| -| Create the membership group and a GPO for each set of devices that require different firewall rules. Where GPOs will be similar, such as for Windows 10 and Windows Server 2016, create one GPO, configure it by using the tasks in this checklist, and then make a copy of the GPO for the other version of Windows. For example, create and configure the GPO for Windows 10, make a copy of it for Windows Server 2016, and then follow the steps in this checklist to make the few required changes to the copy. | [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| +| Create the membership group and a GPO for each set of devices that require different firewall rules. Where GPOs will be similar, such as for Windows 10 and Windows Server 2016 Technical Preview, create one GPO, configure it by using the tasks in this checklist, and then make a copy of the GPO for the other version of Windows. For example, create and configure the GPO for Windows 10, make a copy of it for Windows Server 2016 Technical Preview, and then follow the steps in this checklist to make the few required changes to the copy. | [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| | If you are working on a GPO that was copied from another, modify the group membership and WMI filters so that they are correct for the devices for which this GPO is intended.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)| | Configure the GPO with firewall default settings appropriate for your design.| [Checklist: Configuring Basic Firewall Settings](checklist-configuring-basic-firewall-settings.md)| | Create one or more inbound firewall rules to allow unsolicited inbound network traffic.| [Checklist: Creating Inbound Firewall Rules](checklist-creating-inbound-firewall-rules.md)| diff --git a/windows/keep-secure/checklist-implementing-a-certificate-based-isolation-policy-design.md b/windows/keep-secure/checklist-implementing-a-certificate-based-isolation-policy-design.md index 6a65e70ac2..1cab0a3744 100644 --- a/windows/keep-secure/checklist-implementing-a-certificate-based-isolation-policy-design.md +++ b/windows/keep-secure/checklist-implementing-a-certificate-based-isolation-policy-design.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview This parent checklist includes cross-reference links to important concepts about using certificates as an authentication option in either a domain isolation or server isolation design. diff --git a/windows/keep-secure/checklist-implementing-a-domain-isolation-policy-design.md b/windows/keep-secure/checklist-implementing-a-domain-isolation-policy-design.md index 1c370cc0c7..a57af52e9a 100644 --- a/windows/keep-secure/checklist-implementing-a-domain-isolation-policy-design.md +++ b/windows/keep-secure/checklist-implementing-a-domain-isolation-policy-design.md 
@@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview This parent checklist includes cross-reference links to important concepts about the domain isolation policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design. diff --git a/windows/keep-secure/checklist-implementing-a-standalone-server-isolation-policy-design.md b/windows/keep-secure/checklist-implementing-a-standalone-server-isolation-policy-design.md index 533859a661..e4ed2e3d00 100644 --- a/windows/keep-secure/checklist-implementing-a-standalone-server-isolation-policy-design.md +++ b/windows/keep-secure/checklist-implementing-a-standalone-server-isolation-policy-design.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview This checklist contains procedures for creating a server isolation policy design that is not part of an isolated domain. For the steps required to create an isolated server zone within an isolated domain, see [Checklist: Configuring Rules for an Isolated Server Zone](checklist-configuring-rules-for-an-isolated-server-zone.md). diff --git a/windows/keep-secure/configure-authentication-methods.md b/windows/keep-secure/configure-authentication-methods.md index cee5bff4da..c637681093 100644 --- a/windows/keep-secure/configure-authentication-methods.md +++ b/windows/keep-secure/configure-authentication-methods.md @@ -14,7 +14,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview This procedure shows you how to configure the authentication methods that can be used by computers in an isolated domain or standalone isolated server zone. 
diff --git a/windows/keep-secure/configure-data-protection-quick-mode-settings.md b/windows/keep-secure/configure-data-protection-quick-mode-settings.md index 4c7f4c94ea..1b0e5489ab 100644 --- a/windows/keep-secure/configure-data-protection-quick-mode-settings.md +++ b/windows/keep-secure/configure-data-protection-quick-mode-settings.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview This procedure shows you how to configure the data protection (quick mode) settings for connection security rules in an isolated domain or a standalone isolated server zone. diff --git a/windows/keep-secure/configure-group-policy-to-autoenroll-and-deploy-certificates.md b/windows/keep-secure/configure-group-policy-to-autoenroll-and-deploy-certificates.md index 0251ff4352..a3687db1b5 100644 --- a/windows/keep-secure/configure-group-policy-to-autoenroll-and-deploy-certificates.md +++ b/windows/keep-secure/configure-group-policy-to-autoenroll-and-deploy-certificates.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview You can use this procedure to configure Group Policy to automatically enroll client computer certificates and deploy them to the workstations on your network. Follow this procedure for each GPO that contains IPsec connection security rules that require this certificate. diff --git a/windows/keep-secure/configure-key-exchange-main-mode-settings.md b/windows/keep-secure/configure-key-exchange-main-mode-settings.md index dd11e2d12d..097d29b877 100644 --- a/windows/keep-secure/configure-key-exchange-main-mode-settings.md +++ b/windows/keep-secure/configure-key-exchange-main-mode-settings.md 
@@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview This procedure shows you how to configure the main mode key exchange settings used to secure the IPsec authentication traffic. diff --git a/windows/keep-secure/configure-the-windows-firewall-log.md b/windows/keep-secure/configure-the-windows-firewall-log.md index 086d294c27..0784a64b85 100644 --- a/windows/keep-secure/configure-the-windows-firewall-log.md +++ b/windows/keep-secure/configure-the-windows-firewall-log.md @@ -14,7 +14,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview To configure Windows Firewall to log dropped packets or successful connections, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in. diff --git a/windows/keep-secure/configure-the-workstation-authentication-certificate-template.md b/windows/keep-secure/configure-the-workstation-authentication-certificate-template.md index 3b75bc141f..89b5eb68e9 100644 --- a/windows/keep-secure/configure-the-workstation-authentication-certificate-template.md +++ b/windows/keep-secure/configure-the-workstation-authentication-certificate-template.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview This procedure describes how to configure a certificate template that Active Directory Certification Services (AD CS) uses as the starting point for device certificates that are automatically enrolled and deployed to workstations in the domain. It shows how to create a copy of a template, and then configure the template according to your design requirements. 
diff --git a/windows/keep-secure/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md b/windows/keep-secure/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md index 057dd20255..b4990058e6 100644 --- a/windows/keep-secure/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md +++ b/windows/keep-secure/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview To configure Windows Firewall to suppress the display of a notification when it blocks a program that tries to listen for network traffic and to prohibit locally defined rules, use the Windows Firewall with Advanced Security node in the Group Policy Management console. diff --git a/windows/keep-secure/confirm-that-certificates-are-deployed-correctly.md b/windows/keep-secure/confirm-that-certificates-are-deployed-correctly.md index c64746932b..0423277e45 100644 --- a/windows/keep-secure/confirm-that-certificates-are-deployed-correctly.md +++ b/windows/keep-secure/confirm-that-certificates-are-deployed-correctly.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview After configuring your certificates and autoenrollment in Group Policy, you can confirm that the policy is being applied as expected, and that the certificates are being properly installed on the workstation devices. diff --git a/windows/keep-secure/copy-a-gpo-to-create-a-new-gpo.md b/windows/keep-secure/copy-a-gpo-to-create-a-new-gpo.md index 0b0fc49d34..694250fe3b 100644 --- a/windows/keep-secure/copy-a-gpo-to-create-a-new-gpo.md +++ b/windows/keep-secure/copy-a-gpo-to-create-a-new-gpo.md 
@@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview To create the GPO for the boundary zone devices, make a copy of the main domain isolation GPO, and then change the settings to request, instead of require, authentication. To make a copy of a GPO, use the Active Directory Users and devices MMC snap-in. @@ -47,4 +47,4 @@ To complete this procedure, you must be a member of the Domain Administrators gr 12. Type the name of the group that contains members of the boundary zone, for example **CG\_DOMISO\_Boundary**, and then click **OK**. -13. If required, change the WMI filter to one appropriate for the new GPO. For example, if the original GPO is for client devices running Windows 10, and the new boundary zone GPO is for devices running Windows Server 2016, then select a WMI filter that allows only those devices to read and apply the GPO. +13. If required, change the WMI filter to one appropriate for the new GPO. For example, if the original GPO is for client devices running Windows 10, and the new boundary zone GPO is for devices running Windows Server 2016 Technical Preview, then select a WMI filter that allows only those devices to read and apply the GPO. diff --git a/windows/keep-secure/create-a-group-account-in-active-directory.md b/windows/keep-secure/create-a-group-account-in-active-directory.md index 6ada08d53f..6aeb64d983 100644 --- a/windows/keep-secure/create-a-group-account-in-active-directory.md +++ b/windows/keep-secure/create-a-group-account-in-active-directory.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview To create a security group to contain the computer accounts for the computers that are to receive a set of Group Policy settings, use the Active Directory Users and Computers console. 
diff --git a/windows/keep-secure/create-a-group-policy-object.md b/windows/keep-secure/create-a-group-policy-object.md index bdd41a37ca..42a0e5ae62 100644 --- a/windows/keep-secure/create-a-group-policy-object.md +++ b/windows/keep-secure/create-a-group-policy-object.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview To create a new GPO, use the Active Directory Users and Computers MMC snap-in. diff --git a/windows/keep-secure/create-an-authentication-exemption-list-rule.md b/windows/keep-secure/create-an-authentication-exemption-list-rule.md index e48455f5e9..b0a4ec1118 100644 --- a/windows/keep-secure/create-an-authentication-exemption-list-rule.md +++ b/windows/keep-secure/create-an-authentication-exemption-list-rule.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview In almost any isolated server or isolated domain scenario, there are some devices or devices that cannot communicate by using IPsec. This procedure shows you how to create rules that exempt those devices from the authentication requirements of your isolation policies. diff --git a/windows/keep-secure/create-an-authentication-request-rule.md b/windows/keep-secure/create-an-authentication-request-rule.md index 42617dc699..1c947f68f9 100644 --- a/windows/keep-secure/create-an-authentication-request-rule.md +++ b/windows/keep-secure/create-an-authentication-request-rule.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview After you have configured IPsec algorithms and authentication methods, you can create the rule that requires the devices on the network to use those protocols and methods before they can communicate. 
diff --git a/windows/keep-secure/create-an-inbound-icmp-rule.md b/windows/keep-secure/create-an-inbound-icmp-rule.md index 83983389da..f76bba3007 100644 --- a/windows/keep-secure/create-an-inbound-icmp-rule.md +++ b/windows/keep-secure/create-an-inbound-icmp-rule.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview To allow inbound Internet Control Message Protocol (ICMP) network traffic, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows ICMP requests and responses to be sent and received by computers on the network. diff --git a/windows/keep-secure/create-an-inbound-port-rule.md b/windows/keep-secure/create-an-inbound-port-rule.md index 212bf9a8fc..e2a911293f 100644 --- a/windows/keep-secure/create-an-inbound-port-rule.md +++ b/windows/keep-secure/create-an-inbound-port-rule.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview To allow inbound network traffic on only a specified TCP or UDP port number, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows any program that listens on a specified TCP or UDP port to receive network traffic sent to that port. diff --git a/windows/keep-secure/create-an-inbound-program-or-service-rule.md b/windows/keep-secure/create-an-inbound-program-or-service-rule.md index 62c8e83e1b..51524c047d 100644 --- a/windows/keep-secure/create-an-inbound-program-or-service-rule.md +++ b/windows/keep-secure/create-an-inbound-program-or-service-rule.md 
@@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview To allow inbound network traffic to a specified program or service, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows the program to listen and receive inbound network traffic on any port. diff --git a/windows/keep-secure/create-an-outbound-port-rule.md b/windows/keep-secure/create-an-outbound-port-rule.md index 9a06f49266..98c85d581c 100644 --- a/windows/keep-secure/create-an-outbound-port-rule.md +++ b/windows/keep-secure/create-an-outbound-port-rule.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview By default, Windows Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. To block outbound network traffic on a specified TCP or UDP port number, use the Windows Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. This type of rule blocks any outbound network traffic that matches the specified TCP or UDP port numbers. diff --git a/windows/keep-secure/create-an-outbound-program-or-service-rule.md b/windows/keep-secure/create-an-outbound-program-or-service-rule.md index 2e7e5c2e1e..342e863ffd 100644 --- a/windows/keep-secure/create-an-outbound-program-or-service-rule.md +++ b/windows/keep-secure/create-an-outbound-program-or-service-rule.md 
@@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview By default, Windows Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. To block outbound network traffic for a specified program or service, use the Windows Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. This type of rule prevents the program from sending any outbound network traffic on any port. diff --git a/windows/keep-secure/create-inbound-rules-to-support-rpc.md b/windows/keep-secure/create-inbound-rules-to-support-rpc.md index a7cf60c649..0ba04d529e 100644 --- a/windows/keep-secure/create-inbound-rules-to-support-rpc.md +++ b/windows/keep-secure/create-inbound-rules-to-support-rpc.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview To allow inbound remote procedure call (RPC) network traffic, use the Windows Firewall with Advanced Security node in the Group Policy Management console to create two firewall rules. The first rule allows incoming network packets on TCP port 135 to the RPC Endpoint Mapper service. The incoming traffic consists of requests to communicate with a specified network service. The RPC Endpoint Mapper replies with a dynamically-assigned port number that the client must use to communicate with the service. The second rule allows the network traffic that is sent to the dynamically-assigned port number. Using the two rules configured as described in this topic helps to protect your device by allowing network traffic only from devices that have received RPC dynamic port redirection and to only those TCP port numbers assigned by the RPC Endpoint Mapper. diff --git a/windows/keep-secure/create-wmi-filters-for-the-gpo.md b/windows/keep-secure/create-wmi-filters-for-the-gpo.md index 3cbb5be9a5..f4b066d3e1 100644 
--- a/windows/keep-secure/create-wmi-filters-for-the-gpo.md +++ b/windows/keep-secure/create-wmi-filters-for-the-gpo.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview To make sure that each GPO associated with a group can only be applied to devices running the correct version of Windows, use the Group Policy Management MMC snap-in to create and assign WMI filters to the GPO. Although you can create a separate membership group for each GPO, you would then have to manage the memberships of the different groups. Instead, use only a single membership group, and let WMI filters automatically ensure the correct GPO is applied to each device. diff --git a/windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md b/windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md index 6d70cbad2b..fdf497e545 100644 --- a/windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md +++ b/windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md @@ -1,5 +1,5 @@ --- title: Create a Device Guard code integrity policy based on a reference device (Windows 10) -redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/device-guard-deployment-guide +redirect_url: device-guard-deployment-guide.md --- diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 94996dab65..3974a748e2 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -90,7 +90,7 @@ The PC must meet the following hardware and software requirements to use Credent TPM 2.0 -Windows 10 version 1511 or later +Windows 10 version 1511 TPM 2.0 or TPM 1.2 @@ -109,11 +109,7 @@ The PC must meet the following hardware and software requirements to use Credent

Physical PC

-

For PCs running Windows 10, version 1511 and Windows 10, version 1507, you cannot run Credential Guard on a virtual machine.

- - -

Virtual machine

-

For PCs running Windows 10, version 1607, you can run Credential Guard on a Generation 2 virtual machine.

+

For PCs running Windows 10, you cannot run Credential Guard on a virtual machine.

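Review bot: the replacement row "For PCs running Windows 10, you cannot run Credential Guard on a virtual machine." drops the version qualifiers that the removed rows carried (version 1511 and 1507 cannot; version 1607 can, on a Generation 2 virtual machine). Together with the earlier hunk in this file that turns "Windows 10 version 1511 or later" into "Windows 10 version 1511", the requirements table now reads as if only 1511 is supported and no VM scenario exists at all. If this is a deliberate rollback of the 1607 additions, say so in the commit message; otherwise keep the "or later" wording and the Generation 2 VM row.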
@@ -148,8 +144,9 @@ First, you must add the virtualization-based security features. You can do this **Add the virtualization-based security features by using Programs and Features** 1. Open the Programs and Features control panel. 2. Click **Turn Windows feature on or off**. -3. Go to **Hyper-V** -> **Hyper-V Platform**, and then select the **Hyper-V Hypervisor** check box. -4. Click **OK**. +3. Select the **Isolated User Mode** check box. +4. Go to **Hyper-V** -> **Hyper-V Platform**, and then select the **Hyper-V Hypervisor** check box. +5. Click **OK**. **Add the virtualization-based security features to an offline image by using DISM** 1. Open an elevated command prompt. @@ -157,14 +154,12 @@ First, you must add the virtualization-based security features. You can do this ``` syntax dism /image: /Enable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /all ``` +3. Add Isolated User Mode by running the following command: + ``` syntax + dism /image: /Enable-Feature /FeatureName:IsolatedUserMode + ``` > **Note:**  You can also add these features to an online image by using either DISM or Configuration Manager. - - -In Windows 10, version 1607, Isolated User Mode is included with Hyper-V and does not need to be installed separately. If you're running a version of Windows 10 that's earlier than Windows 10, version 1607, you can run the following command to install Isolated User Mode: - -``` syntax -dism /image: /Enable-Feature /FeatureName:IsolatedUserMode -``` +  ### Turn on Credential Guard If you don't use Group Policy, you can enable Credential Guard by using the registry. 
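Review bot: the paragraph removed in the -157 hunk stated that on Windows 10, version 1607, Isolated User Mode is included with Hyper-V and does not need to be installed separately, yet the new step 3 (`dism /image: /Enable-Feature /FeatureName:IsolatedUserMode`) and the new "Select the **Isolated User Mode** check box" step in the -148 hunk now tell every reader to enable it unconditionally. Keep the version-conditional guidance, or reconcile the 1607 references elsewhere in this file, so a reader on 1607 is not sent to install a feature the removed text says is not separately installable. The `+  ` line that replaces the paragraph also leaves a line containing only whitespace; drop it rather than adding it.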
@@ -208,7 +203,7 @@ If you have to remove Credential Guard on a PC, you need to do the following: 3. Accept the prompt to disable Credential Guard. 4. Alternatively, you can disable the virtualization-based security features to turn off Credential Guard. -> **Note:** The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. If you want to turn off both Credential Guard and virtualization-based security, run the following bcdedit command after turning off all virtualization-based security Group Policy and registry settings: bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS +> **Note: ** The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. If you want to turn off both Credential Guard and virtualization-based security, run the following bcdedit command after turning off all virtualization-based security Group Policy and registry settings: bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS For more info on virtualization-based security and Device Guard, see [Device Guard deployment guide](device-guard-deployment-guide.md).   diff --git a/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md b/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md index 943481d23b..9eda4d82c8 100644 --- a/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md +++ b/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md 
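Review bot: `> **Note: **` in the + line breaks the bold, because the closing `**` is preceded by a space and markdown then renders the asterisks literally. Keep the original `> **Note:**` form. Since the line is being touched anyway, the `bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS` command would be safer to copy from a fenced `syntax` block like the DISM commands above, but that is a separate change.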
@@ -28,21 +28,15 @@ For information about enabling Credential Guard, see [Protect derived domain cre ## Windows feature requirements for virtualization-based security -In addition to the hardware requirements found in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard), you must enable certain operating system features before you can enable VBS: - -- With Windows 10, version 1607 or Windows Server 2016:
-Hyper-V Hypervisor (shown in Figure 1). - -- With an earlier version of Windows 10, or Windows Server 2016 Technical Preview 5 or earlier:
-Hyper-V Hypervisor and Isolated User Mode (not shown). +In addition to the hardware requirements found in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard), you must enable certain operating system features before you can enable VBS: Microsoft Hyper-V and isolated user mode (shown in Figure 1). > **Note**  You can configure these features manually by using Windows PowerShell or Deployment Image Servicing and Management. For specific information about these methods, see [Protect derived domain credentials with Credential Guard](credential-guard.md).   ![Turn Windows features on or off](images/dg-fig1-enableos.png) -Figure 1. Enable operating system feature for VBS +Figure 1. Enable operating system features for VBS -After you enable the feature or features, you can configure any additional hardware-based security features you want. The following sections provide more information: +After you enable these features, you can configure any additional hardware-based security features you want. The following sections provide more information: - [Enable Unified Extensible Firmware Interface Secure Boot](#enable-unified-extensible-firmware-interface-secure-boot) - [Enable virtualization-based security for kernel-mode code integrity](#enable-virtualization-based-security-for-kernel-mode-code-integrity) 
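Review bot: the replacement sentence collapses the two-branch list (Hyper-V Hypervisor only on version 1607 or Windows Server 2016; Hyper-V Hypervisor plus Isolated User Mode on earlier builds) into "Microsoft Hyper-V and isolated user mode (shown in Figure 1)", but the figure reference `images/dg-fig1-enableos.png` is unchanged and the removed text marked Isolated User Mode as "(not shown)". Confirm the screenshot actually shows both check boxes before changing the caption to "Enable operating system features for VBS"; otherwise the figure no longer matches the text. Also use the dialog's own feature name, "Hyper-V Hypervisor", as credential-guard.md does ("Hyper-V -> Hyper-V Platform -> Hyper-V Hypervisor"), rather than "Microsoft Hyper-V".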
@@ -50,7 +44,7 @@ After you enable the feature or features, you can configure any additional hardw Before you begin this process, verify that the target device meets the hardware requirements for UEFI Secure Boot that are laid out in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). There are two options to configure UEFI Secure Boot: manual configuration of the appropriate registry keys and Group Policy deployment. Complete the following steps to manually configure UEFI Secure Boot on a computer running Windows 10. -> **Note**  There are two platform security levels for Secure Boot: stand-alone Secure Boot and Secure Boot with DMA protection. DMA protection provides additional memory protection but will be enabled only on systems whose processors include input/output memory management units (IOMMUs). Protection against driver-based attacks is provided only on systems that have IOMMUs and that have DMA protection enabled. For more information about how IOMMUs help protect against DMA attacks, see [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats). +> **Note**  There are two platform security levels for Secure Boot: stand-alone Secure Boot and Secure Boot with DMA protection. DMA protection provides additional memory protection but will be enabled only on systems whose processors include input/output memory management units (IOMMUs). Protection against driver-based attacks is provided only on systems that have IOMMUs and that have DMA protection enabled. 1. Navigate to the **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard** registry subkey. 
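Review bot: the only change to this Note is dropping its closing sentence and the link to [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats). Nothing in the diff shows that target being removed or renamed, and it is the one place this section points to for why IOMMUs matter for DMA protection; keep the cross-reference unless the anchor really no longer exists.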
@@ -58,9 +52,9 @@ Before you begin this process, verify that the target device meets the hardware 3. Set the **RequirePlatformSecurityFeatures DWORD** value as appropriate: - | **With Windows 10, version 1607,
or Windows Server 2016** | **With an earlier version of Windows 10,
or Windows Server 2016 Technical Preview 5 or earlier** | - | ---------------- | ---------------- | - | **1** enables the **Secure Boot** option
**3** enables the **Secure Boot and DMA protection** option | **1** enables the **Secure Boot** option
**2** enables the **Secure Boot and DMA protection** option | + - Set this value to **1** to enable the **Secure Boot** option. + + - Set this value to **2** to enable the **Secure Boot with DMA Protection** option. 4. Restart the client computer. @@ -86,11 +80,11 @@ Unfortunately, it would be time consuming to perform these steps manually on eve Figure 6. Enable VBS -5. Select the **Enabled** button, and then select **Secure Boot and DMA Protection** from the **Select Platform Security Level** list. +5. Select the **Enabled** option, and then select **Secure Boot and DMA Protection** from the **Select Platform Security Level** list. ![Group Policy, Turn On Virtualization Based Security](images/device-guard-gp.png) - Figure 7. Enable Secure Boot (in Windows 10, version 1607) + Figure 7. Enable Secure Boot > **Note**  Device Guard Secure Boot is maximized when combined with DMA protection. If your hardware contains the IOMMUs required for DMA protection, be sure to select the **Secure Boot and DMA Protection** platform security level. If your hardware does not contain IOMMUs, there are several mitigations provided by leveraging Secure Boot without DMA Protection. @@ -108,11 +102,7 @@ Before you begin this process, verify that the desired computer meets the hardwa **To configure virtualization-based protection of KMCI manually:** -1. Navigate to the appropriate registry subkey: - - - With Windows 10, version 1607, or Windows Server 2016:
**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard\\Scenarios** - - - With an earlier version of Windows 10, or Windows Server 2016 Technical Preview 5 or earlier:
**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard** +1. Navigate to the **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard** registry subkey. 2. Set the **HypervisorEnforcedCodeIntegrity DWORD** value to **1**. @@ -140,15 +130,11 @@ It would be time consuming to perform these steps manually on every protected co Figure 3. Enable VBS -5. Select the **Enabled** button, and then for **Virtualization Based Protection of Code Integrity**, select the appropriate option: - - - With Windows 10, version 1607 or Windows Server 2016, choose an enabled option:
For an initial deployment or test deployment, we recommend **Enabled without UEFI lock**.
When your deployment is stable in your environment, we recommend changing to **Enabled with UEFI lock**. This option helps protect the registry from tampering, either through malware or by an unauthorized person. - - - With earlier versions of Windows 10, or Windows Server 2016 Technical Preview 5 or earlier:
Select the **Enable Virtualization Based Protection of Code Integrity** check box. +5. Select the **Enabled** option, and then select the **Enable Virtualization Based Protection of Code Integrity** check box. ![Group Policy, Turn On Virtualization Based Security](images/dg-fig7-enablevbsofkmci.png) - Figure 4. Enable VBS of KMCI (in Windows 10, version 1607) + Figure 4. Enable VBS of KMCI 6. Close the Group Policy Management Editor, and then restart the Windows 10 test computer. With this setting configured, the VBS of the KMCI will take effect upon restart. @@ -190,12 +176,7 @@ Table 1. Win32\_DeviceGuard properties
  • 1. If present, hypervisor support is available.

  • 2. If present, Secure Boot is available.

  • 3. If present, DMA protection is available.

  • -
  • 4. If present, Secure Memory Overwrite is available.

  • -
  • 5. If present, NX protections are available.

  • -
  • 6. If present, SMM mitigations are available.

  • - -

    Note: 4, 5, and 6 were added as of Windows 10, version 1607.

    - + InstanceIdentifier @@ -207,15 +188,10 @@ Table 1. Win32\_DeviceGuard properties This field describes the required security properties to enable virtualization-based security.
    • 0. Nothing is required.

    • -
    • 1. If present, hypervisor support is needed.

    • -
    • 2. If present, Secure Boot is needed.

    • -
    • 3. If present, DMA protection is needed.

    • -
    • 4. If present, Secure Memory Overwrite is needed.

    • -
    • 5. If present, NX protections are needed.

    • -
    • 6. If present, SMM mitigations are needed.

    • -
    -

    Note: 4, 5, and 6 were added as of Windows 10, version 1607.

    - +
  • 1. If present, Secure Boot is needed.

  • +
  • 2. If present, DMA protection is needed.

  • +
  • 3. If present, both Secure Boot and DMA protection are needed.

  • + SecurityServicesConfigured diff --git a/windows/keep-secure/designing-a-windows-firewall-with-advanced-security-strategy.md b/windows/keep-secure/designing-a-windows-firewall-with-advanced-security-strategy.md index df45d7bcb2..144252b206 100644 --- a/windows/keep-secure/designing-a-windows-firewall-with-advanced-security-strategy.md +++ b/windows/keep-secure/designing-a-windows-firewall-with-advanced-security-strategy.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview To select the most effective design for helping to protect the network, you must spend time collecting key information about your current computer environment. You must have a good understanding of what tasks the devices on the network perform, and how they use the network to accomplish those tasks. You must understand the network traffic generated by the programs running on the devices. diff --git a/windows/keep-secure/determining-the-trusted-state-of-your-devices.md b/windows/keep-secure/determining-the-trusted-state-of-your-devices.md index 01ed85051c..8bbd75608d 100644 --- a/windows/keep-secure/determining-the-trusted-state-of-your-devices.md +++ b/windows/keep-secure/determining-the-trusted-state-of-your-devices.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview After obtaining information about the devices that are currently part of the IT infrastructure, you must determine at what point a device is considered trusted. The term *trusted* can mean different things to different people. Therefore, you must communicate a firm definition for it to all stakeholders in the project. Failure to do this can lead to problems with the security of the trusted environment, because the overall security cannot exceed the level of security set by the least secure client that achieves trusted status. 
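Review bot: step 5 of the Group Policy procedure in device-guard-deployment-guide.md drops the "Enabled with UEFI lock" / "Enabled without UEFI lock" guidance and collapses it to a single "Enable Virtualization Based Protection of Code Integrity" check box. The removed lines are the only place in this procedure that say why the lock matters ("helps protect the registry from tampering, either through malware or by an unauthorized person"), and the registry step kept just above still has the reader set HypervisorEnforcedCodeIntegrity to 1 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard, which is the registry the removed text says the lock protects. If the version branch has to go, keep one sentence recommending the locked option once the deployment is stable and the unlocked option for test rollouts. Also, the Figure 4 caption loses "(in Windows 10, version 1607)" while the screenshot file dg-fig7-enablevbsofkmci.png is unchanged, so either the caption or the image now describes the wrong UI.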
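Review bot: the Table 1 hunk for Win32_DeviceGuard leaves AvailableSecurityProperties and RequiredSecurityProperties with different numberings. After the change AvailableSecurityProperties still reads "1. hypervisor support, 2. Secure Boot, 3. DMA protection", but RequiredSecurityProperties is rewritten to "1. Secure Boot is needed, 2. DMA protection is needed, 3. both Secure Boot and DMA protection are needed", so a reader comparing the two arrays from the same WMI instance maps value 1 to hypervisor support in one column and to Secure Boot in the other. Either keep the removed list (0 nothing, 1 hypervisor, 2 Secure Boot, 3 DMA protection, 4 Secure Memory Overwrite, 5 NX protections, 6 SMM mitigations, with the note that 4, 5 and 6 were added in version 1607) or state explicitly that the two properties use distinct encodings. Removing values 4 to 6 also means a version 1607 machine that reports them has no matching entry in the table.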
diff --git a/windows/keep-secure/device-guard-certification-and-compliance.md b/windows/keep-secure/device-guard-certification-and-compliance.md index 566a6df4da..5e60c5e980 100644 --- a/windows/keep-secure/device-guard-certification-and-compliance.md +++ b/windows/keep-secure/device-guard-certification-and-compliance.md @@ -1,4 +1,4 @@ --- title: Device Guard certification and compliance (Windows 10) -redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/device-guard-deployment-guide +redirect_url: device-guard-deployment-guide.md --- diff --git a/windows/keep-secure/documenting-the-zones.md b/windows/keep-secure/documenting-the-zones.md index 9c120835e8..88e67e80c4 100644 --- a/windows/keep-secure/documenting-the-zones.md +++ b/windows/keep-secure/documenting-the-zones.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview Generally, the task of determining zone membership is not complex, but it can be time-consuming. Use the information generated during the [Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) section of this guide to determine the zone in which to put each host. You can document this zone placement by adding a Group column to the inventory table shown in the Designing a Windows Firewall with Advanced Security Strategy section. A sample is shown here: diff --git a/windows/keep-secure/domain-isolation-policy-design-example.md b/windows/keep-secure/domain-isolation-policy-design-example.md index f5cc8ea0f6..2bfcf9cbc8 100644 --- a/windows/keep-secure/domain-isolation-policy-design-example.md +++ b/windows/keep-secure/domain-isolation-policy-design-example.md 
@@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview This design example continues to use the fictitious company Woodgrove Bank, and builds on the example described in the [Firewall Policy Design Example](firewall-policy-design-example.md) section. See that example for an explanation of the basic corporate network infrastructure at Woodgrove Bank with diagrams. diff --git a/windows/keep-secure/domain-isolation-policy-design.md b/windows/keep-secure/domain-isolation-policy-design.md index 6f15c8338f..da2564242b 100644 --- a/windows/keep-secure/domain-isolation-policy-design.md +++ b/windows/keep-secure/domain-isolation-policy-design.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview In the domain isolation policy design, you configure the devices on your network to accept only connections coming from devices that are authenticated as members of the same isolated domain. diff --git a/windows/keep-secure/enable-predefined-inbound-rules.md b/windows/keep-secure/enable-predefined-inbound-rules.md index 59e8325dac..fe16701837 100644 --- a/windows/keep-secure/enable-predefined-inbound-rules.md +++ b/windows/keep-secure/enable-predefined-inbound-rules.md 
@@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview Windows Firewall with Advanced Security includes many predefined rules for common networking roles and functions. When you install a new server role on a device or enable a network feature on a client device, the installer typically enables the rules required for that role instead of creating new ones. When deploying firewall rules to the devices on the network, you can take advantage of these predefined rules instead of creating new ones. Doing this helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use. diff --git a/windows/keep-secure/enable-predefined-outbound-rules.md b/windows/keep-secure/enable-predefined-outbound-rules.md index 137de67aa2..1691399b8a 100644 --- a/windows/keep-secure/enable-predefined-outbound-rules.md +++ b/windows/keep-secure/enable-predefined-outbound-rules.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview By default, Windows Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. Windows Firewall with Advanced Security includes many predefined outbound rules that can be used to block network traffic for common networking roles and functions. When you install a new server role on a computer or enable a network feature on a client computer, the installer can install, but typically does not enable, outbound block rules for that role. When deploying firewall rules to the computers on the network, you can take advantage of these predefined rules instead of creating new ones. Doing this helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use. 
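Review bot: device-guard-certification-and-compliance.md changes redirect_url from the absolute https://technet.microsoft.com/en-us/itpro/windows/keep-secure/device-guard-deployment-guide to the relative device-guard-deployment-guide.md. Confirm the publishing pipeline resolves a relative target in redirect_url; if it does not, the stub stops redirecting and every existing inbound link to the old page dead-ends.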
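Review bot: the "Applies to" hunks in designing-a-windows-firewall-with-advanced-security-strategy.md, determining-the-trusted-state-of-your-devices.md, documenting-the-zones.md, domain-isolation-policy-design-example.md, domain-isolation-policy-design.md, enable-predefined-inbound-rules.md and enable-predefined-outbound-rules.md all rewrite "- Windows Server 2016" to "- Windows Server 2016 Technical Preview". Read on its own this reintroduces a pre-release product name into the applicability line of shipping firewall guidance; if it is a deliberate roll-back of the naming change, say so in the commit message so the next editor does not "fix" it back.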
diff --git a/windows/keep-secure/encryption-zone-gpos.md b/windows/keep-secure/encryption-zone-gpos.md index 357f2eebfc..dcb49121a4 100644 --- a/windows/keep-secure/encryption-zone-gpos.md +++ b/windows/keep-secure/encryption-zone-gpos.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview Handle encryption zones in a similar manner to the boundary zones. A device is added to an encryption zone by adding the device account to the encryption zone group. Woodgrove Bank has a single service that must be protected, and the devices that are running that service are added to the group CG\_DOMISO\_Encryption. This group is granted Read and Apply Group Policy permissions in on the GPO described in this section. diff --git a/windows/keep-secure/encryption-zone.md b/windows/keep-secure/encryption-zone.md index 7e59ef31e3..f6fd2aacd4 100644 --- a/windows/keep-secure/encryption-zone.md +++ b/windows/keep-secure/encryption-zone.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview Some servers in the organization host data that is very sensitive, including medical, financial, or other personally identifying data. Government or industry regulations might require that this sensitive information must be encrypted when it is transferred between devices. diff --git a/windows/keep-secure/evaluating-windows-firewall-with-advanced-security-design-examples.md b/windows/keep-secure/evaluating-windows-firewall-with-advanced-security-design-examples.md index c7fe4f7637..35a8444e6e 100644 --- a/windows/keep-secure/evaluating-windows-firewall-with-advanced-security-design-examples.md +++ b/windows/keep-secure/evaluating-windows-firewall-with-advanced-security-design-examples.md 
@@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview The following Windows Firewall with Advanced Security design examples illustrate how you can use Windows Firewall with Advanced Security to improve the security of the devices connected to the network. You can use these topics to evaluate how the firewall and connection security rules work across all Windows Firewall with Advanced Security designs and to determine which design or combination of designs best suits the goals of your organization. diff --git a/windows/keep-secure/event-4706.md b/windows/keep-secure/event-4706.md index 936468b4c3..3eb6bdda15 100644 --- a/windows/keep-secure/event-4706.md +++ b/windows/keep-secure/event-4706.md 
@@ -127,13 +127,13 @@ This event is generated only on domain controllers. | 0x1 | TRUST\_ATTRIBUTE\_NON\_TRANSITIVE | If this bit is set, then the trust cannot be used transitively. For example, if domain A trusts domain B, which in turn trusts domain C, and the A<-->B trust has this attribute set, then a client in domain A cannot authenticate to a server in domain C over the A<-->B<-->C trust linkage. | | 0x2 | TRUST\_ATTRIBUTE\_UPLEVEL\_ONLY | If this bit is set in the attribute, then only Windows 2000 operating system and newer clients may use the trust link. [Netlogon](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_70771a5a-04a3-447d-981b-e03098808c32) does not consume [trust objects](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_e81f6436-01d2-4311-93a4-4316bb67eabd) that have this flag set. | | 0x4 | TRUST\_ATTRIBUTE\_QUARANTINED\_DOMAIN | If this bit is set, the trusted domain is quarantined and is subject to the rules of [SID](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_83f2020d-0804-4840-a5ac-e06439d50f8d) Filtering as described in [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section [4.1.2.2](https://msdn.microsoft.com/en-us/library/cc237940.aspx). | -| 0x8 | TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE | If this bit is set, the trust link is a [cross-forest trust](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_86f3dbf2-338f-462e-8c5b-3c8e05798dbc) [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) between the root domains of two [forests](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_fd104241-4fb3-457c-b2c4-e0c18bb20b62), both of which are running in a [forest functional level](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_b3240417-ca43-4901-90ec-fde55b32b3b8) of DS\_BEHAVIOR\_WIN2003 or greater.
    Only evaluated on Windows Server 2003 operating system, Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, Windows Server 2012 R2 operating system, and Windows Server 2016 operating system.
    Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | -| 0x10 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION | If this bit is set, then the trust is to a domain or forest that is not part of the [organization](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_6fae7775-5232-4206-b452-f298546ab54f). The behavior controlled by this bit is explained in [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) section [3.3.5.7.5](https://msdn.microsoft.com/en-us/library/cc233949.aspx) and [\[MS-APDS\]](https://msdn.microsoft.com/en-us/library/cc223948.aspx) section [3.1.5](https://msdn.microsoft.com/en-us/library/cc223991.aspx).
    Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.
    Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | -| 0x20 | TRUST\_ATTRIBUTE\_WITHIN\_FOREST | If this bit is set, then the trusted domain is within the same forest.
    Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. | -| 0x40 | TRUST\_ATTRIBUTE\_TREAT\_AS\_EXTERNAL | If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are more stringently [filtered](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_ffbe7b55-8e84-4f41-a18d-fc29191a4cda) than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section 4.1.2.2.
    Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.
    Only evaluated if SID Filtering is used.
    Only evaluated on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
    Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | +| 0x8 | TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE | If this bit is set, the trust link is a [cross-forest trust](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_86f3dbf2-338f-462e-8c5b-3c8e05798dbc) [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) between the root domains of two [forests](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_fd104241-4fb3-457c-b2c4-e0c18bb20b62), both of which are running in a [forest functional level](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_b3240417-ca43-4901-90ec-fde55b32b3b8) of DS\_BEHAVIOR\_WIN2003 or greater.
    Only evaluated on Windows Server 2003 operating system, Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, Windows Server 2012 R2 operating system, and Windows Server 2016 Technical Preview operating system.
    Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | +| 0x10 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION | If this bit is set, then the trust is to a domain or forest that is not part of the [organization](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_6fae7775-5232-4206-b452-f298546ab54f). The behavior controlled by this bit is explained in [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) section [3.3.5.7.5](https://msdn.microsoft.com/en-us/library/cc233949.aspx) and [\[MS-APDS\]](https://msdn.microsoft.com/en-us/library/cc223948.aspx) section [3.1.5](https://msdn.microsoft.com/en-us/library/cc223991.aspx).
    Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview.
    Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | +| 0x20 | TRUST\_ATTRIBUTE\_WITHIN\_FOREST | If this bit is set, then the trusted domain is within the same forest.
    Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview. | +| 0x40 | TRUST\_ATTRIBUTE\_TREAT\_AS\_EXTERNAL | If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are more stringently [filtered](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_ffbe7b55-8e84-4f41-a18d-fc29191a4cda) than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section 4.1.2.2.
    Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview.
    Only evaluated if SID Filtering is used.
    Only evaluated on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
    Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | | 0x80 | TRUST\_ATTRIBUTE\_USES\_RC4\_ENCRYPTION | This bit is set on trusts with the [trustType](https://msdn.microsoft.com/en-us/library/cc220955.aspx) set to TRUST\_TYPE\_MIT, which are capable of using RC4 keys. Historically, MIT Kerberos distributions supported only DES and 3DES keys ([\[RFC4120\]](http://go.microsoft.com/fwlink/?LinkId=90458), [\[RFC3961\]](http://go.microsoft.com/fwlink/?LinkId=90450)). MIT 1.4.1 adopted the RC4HMAC encryption type common to Windows 2000 [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx), so trusted domains deploying later versions of the MIT distribution required this bit. For more information, see "Keys and Trusts", section [6.1.6.9.1](https://msdn.microsoft.com/en-us/library/cc223782.aspx).
    Only evaluated on TRUST\_TYPE\_MIT | -| 0x200 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION\_NO\_TGT\_DELEGATION | If this bit is set, tickets granted under this trust MUST NOT be trusted for delegation. The behavior controlled by this bit is as specified in [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) section 3.3.5.7.5.
    Only supported on Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. | -| 0x400 | TRUST\_ATTRIBUTE\_PIM\_TRUST | If this bit and the TATE bit are set, then a cross-forest trust to a domain is to be treated as Privileged Identity Management trust for the purposes of SID Filtering. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section 4.1.2.2.
    Evaluated only on Windows Server 2016
    Evaluated only if SID Filtering is used.
    Evaluated only on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
    Can be set only if the forest and the trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WINTHRESHOLD or greater. | +| 0x200 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION\_NO\_TGT\_DELEGATION | If this bit is set, tickets granted under this trust MUST NOT be trusted for delegation. The behavior controlled by this bit is as specified in [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) section 3.3.5.7.5.
    Only supported on Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview. | +| 0x400 | TRUST\_ATTRIBUTE\_PIM\_TRUST | If this bit and the TATE bit are set, then a cross-forest trust to a domain is to be treated as Privileged Identity Management trust for the purposes of SID Filtering. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section 4.1.2.2.
    Evaluated only on Windows Server 2016 Technical Preview
    Evaluated only if SID Filtering is used.
    Evaluated only on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
    Can be set only if the forest and the trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WINTHRESHOLD or greater. | - **SID Filtering** \[Type = UnicodeString\]: [SID Filtering](https://technet.microsoft.com/en-us/library/cc772633(v=ws.10).aspx) state for the new trust: diff --git a/windows/keep-secure/event-4716.md b/windows/keep-secure/event-4716.md index 65ea86275d..8140c94b16 100644 --- a/windows/keep-secure/event-4716.md +++ b/windows/keep-secure/event-4716.md 
@@ -127,13 +127,13 @@ This event is generated only on domain controllers. | 0x1 | TRUST\_ATTRIBUTE\_NON\_TRANSITIVE | If this bit is set, then the trust cannot be used transitively. For example, if domain A trusts domain B, which in turn trusts domain C, and the A<-->B trust has this attribute set, then a client in domain A cannot authenticate to a server in domain C over the A<-->B<-->C trust linkage. | | 0x2 | TRUST\_ATTRIBUTE\_UPLEVEL\_ONLY | If this bit is set in the attribute, then only Windows 2000 operating system and newer clients may use the trust link. [Netlogon](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_70771a5a-04a3-447d-981b-e03098808c32) does not consume [trust objects](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_e81f6436-01d2-4311-93a4-4316bb67eabd) that have this flag set. | | 0x4 | TRUST\_ATTRIBUTE\_QUARANTINED\_DOMAIN | If this bit is set, the trusted domain is quarantined and is subject to the rules of [SID](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_83f2020d-0804-4840-a5ac-e06439d50f8d) Filtering as described in [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section [4.1.2.2](https://msdn.microsoft.com/en-us/library/cc237940.aspx). | -| 0x8 | TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE | If this bit is set, the trust link is a [cross-forest trust](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_86f3dbf2-338f-462e-8c5b-3c8e05798dbc) [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) between the root domains of two [forests](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_fd104241-4fb3-457c-b2c4-e0c18bb20b62), both of which are running in a [forest functional level](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_b3240417-ca43-4901-90ec-fde55b32b3b8) of DS\_BEHAVIOR\_WIN2003 or greater.
    Only evaluated on Windows Server 2003 operating system, Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, Windows Server 2012 R2 operating system, and Windows Server 2016 operating system.
    Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | -| 0x10 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION | If this bit is set, then the trust is to a domain or forest that is not part of the [organization](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_6fae7775-5232-4206-b452-f298546ab54f). The behavior controlled by this bit is explained in [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) section [3.3.5.7.5](https://msdn.microsoft.com/en-us/library/cc233949.aspx) and [\[MS-APDS\]](https://msdn.microsoft.com/en-us/library/cc223948.aspx) section [3.1.5](https://msdn.microsoft.com/en-us/library/cc223991.aspx).
    Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.
    Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | -| 0x20 | TRUST\_ATTRIBUTE\_WITHIN\_FOREST | If this bit is set, then the trusted domain is within the same forest.
    Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. | -| 0x40 | TRUST\_ATTRIBUTE\_TREAT\_AS\_EXTERNAL | If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are more stringently [filtered](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_ffbe7b55-8e84-4f41-a18d-fc29191a4cda) than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section 4.1.2.2.
    Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.
    Only evaluated if SID Filtering is used.
    Only evaluated on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
    Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | +| 0x8 | TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE | If this bit is set, the trust link is a [cross-forest trust](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_86f3dbf2-338f-462e-8c5b-3c8e05798dbc) [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) between the root domains of two [forests](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_fd104241-4fb3-457c-b2c4-e0c18bb20b62), both of which are running in a [forest functional level](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_b3240417-ca43-4901-90ec-fde55b32b3b8) of DS\_BEHAVIOR\_WIN2003 or greater.
    Only evaluated on Windows Server 2003 operating system, Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, Windows Server 2012 R2 operating system, and Windows Server 2016 Technical Preview operating system.
    Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | +| 0x10 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION | If this bit is set, then the trust is to a domain or forest that is not part of the [organization](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_6fae7775-5232-4206-b452-f298546ab54f). The behavior controlled by this bit is explained in [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) section [3.3.5.7.5](https://msdn.microsoft.com/en-us/library/cc233949.aspx) and [\[MS-APDS\]](https://msdn.microsoft.com/en-us/library/cc223948.aspx) section [3.1.5](https://msdn.microsoft.com/en-us/library/cc223991.aspx).
    Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview.
    Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | +| 0x20 | TRUST\_ATTRIBUTE\_WITHIN\_FOREST | If this bit is set, then the trusted domain is within the same forest.
    Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview. | +| 0x40 | TRUST\_ATTRIBUTE\_TREAT\_AS\_EXTERNAL | If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are more stringently [filtered](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_ffbe7b55-8e84-4f41-a18d-fc29191a4cda) than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section 4.1.2.2.
    Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview.
    Only evaluated if SID Filtering is used.
    Only evaluated on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
    Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | | 0x80 | TRUST\_ATTRIBUTE\_USES\_RC4\_ENCRYPTION | This bit is set on trusts with the [trustType](https://msdn.microsoft.com/en-us/library/cc220955.aspx) set to TRUST\_TYPE\_MIT, which are capable of using RC4 keys. Historically, MIT Kerberos distributions supported only DES and 3DES keys ([\[RFC4120\]](http://go.microsoft.com/fwlink/?LinkId=90458), [\[RFC3961\]](http://go.microsoft.com/fwlink/?LinkId=90450)). MIT 1.4.1 adopted the RC4HMAC encryption type common to Windows 2000 [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx), so trusted domains deploying later versions of the MIT distribution required this bit. For more information, see "Keys and Trusts", section [6.1.6.9.1](https://msdn.microsoft.com/en-us/library/cc223782.aspx).
    Only evaluated on TRUST\_TYPE\_MIT | -| 0x200 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION\_NO\_TGT\_DELEGATION | If this bit is set, tickets granted under this trust MUST NOT be trusted for delegation. The behavior controlled by this bit is as specified in [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) section 3.3.5.7.5.
    Only supported on Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. | -| 0x400 | TRUST\_ATTRIBUTE\_PIM\_TRUST | If this bit and the TATE bit are set, then a cross-forest trust to a domain is to be treated as Privileged Identity Management trust for the purposes of SID Filtering. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section 4.1.2.2.
    Evaluated only on Windows Server 2016
    Evaluated only if SID Filtering is used.
    Evaluated only on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
    Can be set only if the forest and the trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WINTHRESHOLD or greater. | +| 0x200 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION\_NO\_TGT\_DELEGATION | If this bit is set, tickets granted under this trust MUST NOT be trusted for delegation. The behavior controlled by this bit is as specified in [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) section 3.3.5.7.5.
    Only supported on Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview. | +| 0x400 | TRUST\_ATTRIBUTE\_PIM\_TRUST | If this bit and the TATE bit are set, then a cross-forest trust to a domain is to be treated as Privileged Identity Management trust for the purposes of SID Filtering. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section 4.1.2.2.
    Evaluated only on Windows Server 2016 Technical Preview
    Evaluated only if SID Filtering is used.
    Evaluated only on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
    Can be set only if the forest and the trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WINTHRESHOLD or greater. | - **SID Filtering** \[Type = UnicodeString\]: [SID Filtering](https://technet.microsoft.com/en-us/library/cc772633(v=ws.10).aspx) state for the new trust: diff --git a/windows/keep-secure/event-4739.md b/windows/keep-secure/event-4739.md index 44897f5f13..8b692f1ea3 100644 --- a/windows/keep-secure/event-4739.md +++ b/windows/keep-secure/event-4739.md @@ -165,14 +165,14 @@ This event generates when one of the following changes was made to local compute | Value | Identifier | Domain controller operating systems that are allowed in the domain | |-------|---------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 0 | DS\_BEHAVIOR\_WIN2000 | Windows 2000 Server operating system
    Windows Server 2003 operating system
    Windows Server 2008 operating system
    Windows Server 2008 R2 operating system
    Windows Server 2012 operating system
    Windows Server 2012 R2 operating system
    Windows Server 2016 operating system | -| 1 | DS\_BEHAVIOR\_WIN2003\_WITH\_MIXED\_DOMAINS | Windows Server 2003
    Windows Server 2008
    Windows Server 2008 R2
    Windows Server 2012
    Windows Server 2012 R2
    Windows Server 2016 | -| 2 | DS\_BEHAVIOR\_WIN2003 | Windows Server 2003
    Windows Server 2008
    Windows Server 2008 R2
    Windows Server 2012
    Windows Server 2012 R2
    Windows Server 2016 | -| 3 | DS\_BEHAVIOR\_WIN2008 | Windows Server 2008
    Windows Server 2008 R2
    Windows Server 2012
    Windows Server 2012 R2
    Windows Server 2016 | -| 4 | DS\_BEHAVIOR\_WIN2008R2 | Windows Server 2008 R2
    Windows Server 2012
    Windows Server 2012 R2
    Windows Server 2016 | -| 5 | DS\_BEHAVIOR\_WIN2012 | Windows Server 2012
    Windows Server 2012 R2
    Windows Server 2016 | -| 6 | DS\_BEHAVIOR\_WIN2012R2 | Windows Server 2012 R2
    Windows Server 2016 | -| 7 | DS\_BEHAVIOR\_WINTHRESHOLD | Windows Server 2016 | +| 0 | DS\_BEHAVIOR\_WIN2000 | Windows 2000 Server operating system
    Windows Server 2003 operating system
    Windows Server 2008 operating system
    Windows Server 2008 R2 operating system
    Windows Server 2012 operating system
    Windows Server 2012 R2 operating system
    Windows Server 2016 Technical Preview operating system | +| 1 | DS\_BEHAVIOR\_WIN2003\_WITH\_MIXED\_DOMAINS | Windows Server 2003
    Windows Server 2008
    Windows Server 2008 R2
    Windows Server 2012
    Windows Server 2012 R2
    Windows Server 2016 Technical Preview | +| 2 | DS\_BEHAVIOR\_WIN2003 | Windows Server 2003
    Windows Server 2008
    Windows Server 2008 R2
    Windows Server 2012
    Windows Server 2012 R2
    Windows Server 2016 Technical Preview | +| 3 | DS\_BEHAVIOR\_WIN2008 | Windows Server 2008
    Windows Server 2008 R2
    Windows Server 2012
    Windows Server 2012 R2
    Windows Server 2016 Technical Preview | +| 4 | DS\_BEHAVIOR\_WIN2008R2 | Windows Server 2008 R2
    Windows Server 2012
    Windows Server 2012 R2
    Windows Server 2016 Technical Preview | +| 5 | DS\_BEHAVIOR\_WIN2012 | Windows Server 2012
    Windows Server 2012 R2
    Windows Server 2016 Technical Preview | +| 6 | DS\_BEHAVIOR\_WIN2012R2 | Windows Server 2012 R2
    Windows Server 2016 Technical Preview | +| 7 | DS\_BEHAVIOR\_WINTHRESHOLD | Windows Server 2016 Technical Preview | - **OEM Information** \[Type = UnicodeString\]: there is no information about this field in this document. diff --git a/windows/keep-secure/exempt-icmp-from-authentication.md b/windows/keep-secure/exempt-icmp-from-authentication.md index 21100a9674..a60e483753 100644 --- a/windows/keep-secure/exempt-icmp-from-authentication.md +++ b/windows/keep-secure/exempt-icmp-from-authentication.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview This procedure shows you how to add exemptions for any network traffic that uses the ICMP protocol. diff --git a/windows/keep-secure/exemption-list.md b/windows/keep-secure/exemption-list.md index fc0fd3b704..3ebf7a465b 100644 --- a/windows/keep-secure/exemption-list.md +++ b/windows/keep-secure/exemption-list.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview When you implement a server and domain isolation security model in your organization, you are likely to find some additional challenges. Key infrastructure servers such as DNS servers and DHCP servers typically must be available to all devicess on the internal network, yet secured from network attacks. However, if they must remain available to all devicess on the network, not just to isolated domain members, then these servers cannot require IPsec for inbound access, nor can they use IPsec transport mode for outbound traffic. diff --git a/windows/keep-secure/firewall-gpos.md b/windows/keep-secure/firewall-gpos.md index 229cb2a3e0..b264a38993 100644 --- a/windows/keep-secure/firewall-gpos.md +++ b/windows/keep-secure/firewall-gpos.md 
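Review bot: The DS\_BEHAVIOR\_WIN2000 row (value 0) of the event-4739 functional-level table appends "operating system" to every entry while rows 1 through 7 list bare product names; since the whole table is rewritten here anyway, either drop the suffix in row 0 or apply it uniformly so the third column reads consistently. While exemption-list.md is open for the "Applies to" change, the unchanged context sentence spells "devicess" twice ("available to all devicess on the internal network", "available to all devicess on the network"); fixing it in the same commit avoids a follow-up.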
@@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview All the devices on Woodgrove Bank's network that run Windows are part of the isolated domain, except domain controllers. To configure firewall rules, the GPO described in this section is linked to the domain container in the Active Directory OU hierarchy, and then filtered by using security group filters and WMI filters. diff --git a/windows/keep-secure/firewall-policy-design-example.md b/windows/keep-secure/firewall-policy-design-example.md index 8dad2b48f7..41310314aa 100644 --- a/windows/keep-secure/firewall-policy-design-example.md +++ b/windows/keep-secure/firewall-policy-design-example.md 
@@ -13,13 +13,13 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview In this example, the fictitious company Woodgrove Bank is a financial services institution. Woodgrove Bank has an Active Directory domain that provides Group Policy-based management for all their Windows devices. The Active Directory domain controllers also host Domain Name System (DNS) for host name resolution. Separate devices host Windows Internet Name Service (WINS) for network basic input/output system (NetBIOS) name resolution. A set of devices that are running UNIX provide the Dynamic Host Configuration Protocol (DHCP) services for automatic IP addressing. -Woodgrove Bank is in the process of migrating their devices from Windows Vista and Windows Server 2008 to Windows 10 and Windows Server 2016. A significant number of the devices at Woodgrove Bank continue to run Windows Vista and Windows Server 2008. Interoperability between the previous and newer operating systems must be maintained. Wherever possible, security features applied to the newer operating systems must also be applied to the previous operating systems. +Woodgrove Bank is in the process of migrating their devices from Windows Vista and Windows Server 2008 to Windows 10 and Windows Server 2016 Technical Preview. A significant number of the devices at Woodgrove Bank continue to run Windows Vista and Windows Server 2008. Interoperability between the previous and newer operating systems must be maintained. Wherever possible, security features applied to the newer operating systems must also be applied to the previous operating systems. A key line-of-business program called WGBank consists of a client program running on most of the desktop devices in the organization. This program accesses several front-end server devices that run the server-side part of WGBank. These front-end servers only do the processing — they do not store the data. 
The data is stored in several back-end database devices that are running Microsoft SQL Server. @@ -60,7 +60,7 @@ Woodgrove Bank uses Active Directory groups and Group Policy Objects to deploy t - Client devices that run Windows 10, Windows 8, or Windows 7 -- WGBank front-end servers that run Windows Server 2016, Windows Server 2012 R2, Windows Server 2012 or Windows Server 2008 R2 (there are none in place yet, but their solution must support adding them) +- WGBank front-end servers that run Windows Server 2016 Technical Preview, Windows Server 2012 R2, Windows Server 2012 or Windows Server 2008 R2 (there are none in place yet, but their solution must support adding them) - WGBank partner servers that run Windows Server 2008 diff --git a/windows/keep-secure/gathering-information-about-your-active-directory-deployment.md b/windows/keep-secure/gathering-information-about-your-active-directory-deployment.md index 0c507fdc73..33727fc9f4 100644 --- a/windows/keep-secure/gathering-information-about-your-active-directory-deployment.md +++ b/windows/keep-secure/gathering-information-about-your-active-directory-deployment.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview Active Directory is another important item about which you must gather information. You must understand the forest structure. This includes domain layout, organizational unit (OU) architecture, and site topology. This information makes it possible to know where devices are currently placed, their configuration, and the impact of changes to Active Directory that result from implementing Windows Firewall with Advanced Security. Review the following list for information needed: diff --git a/windows/keep-secure/gathering-information-about-your-current-network-infrastructure.md b/windows/keep-secure/gathering-information-about-your-current-network-infrastructure.md index 67dcea5661..65555cc782 100644 
--- a/windows/keep-secure/gathering-information-about-your-current-network-infrastructure.md +++ b/windows/keep-secure/gathering-information-about-your-current-network-infrastructure.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview Perhaps the most important aspect of planning for Windows Firewall with Advanced Security deployment is the network architecture, because IPsec is layered on the Internet Protocol itself. An incomplete or inaccurate understanding of the network can prevent any Windows Firewall with Advanced Security solution from being successful. Understanding subnet layout, IP addressing schemes, and traffic patterns are part of this effort, but accurately documenting the following components are important to completing the planning phase of this project: diff --git a/windows/keep-secure/gathering-information-about-your-devices.md b/windows/keep-secure/gathering-information-about-your-devices.md index 7f4692a95a..1f3b73fa21 100644 --- a/windows/keep-secure/gathering-information-about-your-devices.md +++ b/windows/keep-secure/gathering-information-about-your-devices.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview One of the most valuable benefits of conducting an asset discovery project is the large amount of data that is obtained about the client and server devices on the network. When you start designing and planning your isolation zones, you must make decisions that require accurate information about the state of all hosts to ensure that they can use IPsec as planned. diff --git a/windows/keep-secure/gathering-other-relevant-information.md b/windows/keep-secure/gathering-other-relevant-information.md index 83ee00960a..ca8d396fcb 100644 --- a/windows/keep-secure/gathering-other-relevant-information.md +++ b/windows/keep-secure/gathering-other-relevant-information.md 
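Review bot: The unchanged context sentence in gathering-information-about-your-current-network-infrastructure.md has two subject-verb disagreements that are worth correcting while the file is being edited: "Understanding subnet layout, IP addressing schemes, and traffic patterns are part of this effort" should read "is part of this effort", and "accurately documenting the following components are important" should read "is important".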
@@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview This topic discusses several other things that you should examine to see whether they will cause any complications in your ability to deploy Windows Firewall with Advanced Security policies in your organization. diff --git a/windows/keep-secure/gathering-the-information-you-need.md b/windows/keep-secure/gathering-the-information-you-need.md index a11fbf67c8..3e8a62b0cc 100644 --- a/windows/keep-secure/gathering-the-information-you-need.md +++ b/windows/keep-secure/gathering-the-information-you-need.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview Before starting the planning process for a Windows Firewall with Advanced Security deployment, you must collect and analyze up-to-date information about the network, the directory services, and the devices that are already deployed in the organization. This information enables you to create a design that accounts for all possible elements of the existing infrastructure. If the gathered information is not accurate, problems can occur when devices and devices that were not considered during the planning phase are encountered during implementation. diff --git a/windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md b/windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md index 88a3f076b6..542e85c56f 100644 --- a/windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md +++ b/windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md @@ -1,4 +1,4 @@ --- title: Get apps to run on Device Guard-protected devices (Windows 10) -redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/device-guard-deployment-guide +redirect_url: device-guard-deployment-guide.md --- 
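Review bot: The redirect_url change in getting-apps-to-run-on-device-guard-protected-devices.md replaces an absolute TechNet URL with the bare relative path device-guard-deployment-guide.md; that only resolves if a file of that name exists in the same windows/keep-secure folder, and nothing in the visible diff adds it, so confirm the target is present in this tree and that the docs build honours a relative redirect_url the same way it honours an absolute one, otherwise the page becomes a dead redirect. Smaller point: the context sentence in gathering-the-information-you-need.md reads "when devices and devices that were not considered", a duplicated word that should be fixed while the file is open.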
diff --git a/windows/keep-secure/gpo-domiso-boundary.md b/windows/keep-secure/gpo-domiso-boundary.md index 00fb043b7a..22db5273b8 100644 --- a/windows/keep-secure/gpo-domiso-boundary.md +++ b/windows/keep-secure/gpo-domiso-boundary.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. Woodgrove Bank began by copying and pasting the GPO for the Windows Server 2008 version of the isolated domain GPO, and then renamed the copy to reflect its new purpose. diff --git a/windows/keep-secure/gpo-domiso-firewall.md b/windows/keep-secure/gpo-domiso-firewall.md index d1349941e1..226c9deac1 100644 --- a/windows/keep-secure/gpo-domiso-firewall.md +++ b/windows/keep-secure/gpo-domiso-firewall.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to devices that are running at least Windows 7 or Windows Server 2008. diff --git a/windows/keep-secure/gpo-domiso-isolateddomain-clients.md b/windows/keep-secure/gpo-domiso-isolateddomain-clients.md index a6ab80ad09..0f2faadb9e 100644 --- a/windows/keep-secure/gpo-domiso-isolateddomain-clients.md +++ b/windows/keep-secure/gpo-domiso-isolateddomain-clients.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to client devices that are running Windows 8, Windows 7, or Windows Vista. 
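Review bot: In gpo-domiso-isolateddomain-clients.md the "Applies to" list now says Windows 10 and Windows Server 2016 Technical Preview, but the unchanged body sentence immediately below says the GPO "is intended to only apply to client devices that are running Windows 8, Windows 7, or Windows Vista"; the two statements disagree about which clients the isolated-domain GPO targets, so either extend the body sentence to include Windows 10 or explain the narrower scope. The same tension exists in gpo-domiso-firewall.md ("at least Windows 7 or Windows Server 2008"), where the body at least reads as a minimum version rather than an exhaustive list.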
diff --git a/windows/keep-secure/gpo-domiso-isolateddomain-servers.md b/windows/keep-secure/gpo-domiso-isolateddomain-servers.md index 91cd4e3890..fb984adf5f 100644 --- a/windows/keep-secure/gpo-domiso-isolateddomain-servers.md +++ b/windows/keep-secure/gpo-domiso-isolateddomain-servers.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to server devices that are running at least Windows Server 2008. diff --git a/windows/keep-secure/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md b/windows/keep-secure/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md index 092982bd0a..b1adf33fd9 100644 --- a/windows/keep-secure/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md +++ b/windows/keep-secure/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview Correctly identifying your Windows Firewall with Advanced Security deployment goals is essential for the success of your Windows Firewall with Advanced Security design project. Form a project team that can clearly articulate deployment issues in a vision statement. When you write your vision statement, identify, clarify, and refine your deployment goals. Prioritize and, if possible, combine your deployment goals so that you can design and deploy Windows Firewall with Advanced Security by using an iterative approach. You can take advantage of the predefined Windows Firewall with Advanced Security deployment goals presented in this guide that are relevant to your scenarios. 
diff --git a/windows/keep-secure/images/alert-details.png b/windows/keep-secure/images/alert-details.png index e2f5a387b0..7d23ae0374 100644 Binary files a/windows/keep-secure/images/alert-details.png and b/windows/keep-secure/images/alert-details.png differ diff --git a/windows/keep-secure/images/alertsq2.png b/windows/keep-secure/images/alertsq2.png index 8e823cd9c7..a11b5ba76b 100644 Binary files a/windows/keep-secure/images/alertsq2.png and b/windows/keep-secure/images/alertsq2.png differ diff --git a/windows/keep-secure/images/device-guard-gp.png b/windows/keep-secure/images/device-guard-gp.png index 169d2f245b..0c2c1c9d4f 100644 Binary files a/windows/keep-secure/images/device-guard-gp.png and b/windows/keep-secure/images/device-guard-gp.png differ diff --git a/windows/keep-secure/images/dg-fig1-enableos.png b/windows/keep-secure/images/dg-fig1-enableos.png index a114c520de..cefb124344 100644 Binary files a/windows/keep-secure/images/dg-fig1-enableos.png and b/windows/keep-secure/images/dg-fig1-enableos.png differ diff --git a/windows/keep-secure/images/dg-fig11-dgproperties.png b/windows/keep-secure/images/dg-fig11-dgproperties.png index 3c93b2b948..ce16705d0f 100644 Binary files a/windows/keep-secure/images/dg-fig11-dgproperties.png and b/windows/keep-secure/images/dg-fig11-dgproperties.png differ diff --git a/windows/keep-secure/images/dg-fig7-enablevbsofkmci.png b/windows/keep-secure/images/dg-fig7-enablevbsofkmci.png index ddc2158a8a..bf0d55dd7f 100644 Binary files a/windows/keep-secure/images/dg-fig7-enablevbsofkmci.png and b/windows/keep-secure/images/dg-fig7-enablevbsofkmci.png differ diff --git a/windows/keep-secure/images/machines-view.png b/windows/keep-secure/images/machines-view.png index f1d00f4035..3baf15a05f 100644 Binary files a/windows/keep-secure/images/machines-view.png and b/windows/keep-secure/images/machines-view.png differ 
diff --git a/windows/keep-secure/images/onboardingstate.png b/windows/keep-secure/images/onboardingstate.png index ab49c49e17..0606e2b2c6 100644 Binary files a/windows/keep-secure/images/onboardingstate.png and b/windows/keep-secure/images/onboardingstate.png differ diff --git a/windows/keep-secure/images/portal-image.png b/windows/keep-secure/images/portal-image.png index c038da30de..be59f06fa5 100644 Binary files a/windows/keep-secure/images/portal-image.png and b/windows/keep-secure/images/portal-image.png differ diff --git a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md index db0f315439..1680e13ed9 100644 --- a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md +++ b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md @@ -1,6 +1,6 @@ --- -title: Implement Windows Hello in your organization (Windows 10) -description: You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello for Business on devices running Windows 10. +title: Implement Microsoft Passport in your organization (Windows 10) +description: You can create a Group Policy or mobile device management (MDM) policy that will implement Microsoft Passport on devices running Windows 10. ms.assetid: 47B55221-24BE-482D-BD31-C78B22AC06D8 keywords: identity, PIN, biometric, Hello ms.prod: w10 
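Review bot: Nine PNGs under images/ are replaced as binary diffs with nothing in the visible change saying what was updated (alert-details, alertsq2, device-guard-gp, dg-fig1-enableos, dg-fig11-dgproperties, dg-fig7-enablevbsofkmci, machines-view, onboardingstate, portal-image); screenshot swaps in a security guide should state which UI changed so a reviewer can check that the captured settings, in particular the Device Guard Group Policy and VBS/KMCI figures, still match the surrounding text. In the implement-microsoft-passport-in-your-organization.md front matter the title and description revert to Microsoft Passport while the context line "keywords: identity, PIN, biometric, Hello" is untouched; that is fine if Hello remains the biometric-gesture term, but it should be a deliberate decision rather than a leftover of the rename.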
@@ -10,41 +10,39 @@ ms.pagetype: security author: jdeckerMS --- -# Implement Windows Hello for Business in your organization +# Implement Microsoft Passport in your organization **Applies to** - Windows 10 - Windows 10 Mobile -You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello on devices running Windows 10. -> **Important:** The Group Policy setting **Turn on PIN sign-in** does not apply to Windows 10. Use **Windows Hello for Business** policy settings to manage PINs. +You can create a Group Policy or mobile device management (MDM) policy that will implement Microsoft Passport on devices running Windows 10. +> **Important:** The Group Policy setting **Turn on PIN sign-in** does not apply to Windows 10. Use **Microsoft Passport for Work** policy settings to manage PINs.   ## Group Policy settings for Passport -The following table lists the Group Policy settings that you can configure for Hello use in your workplace. These policy settings are available in both **User configuration** and **Computer Configuration** under **Policies** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**. - - +The following table lists the Group Policy settings that you can configure for Passport use in your workplace. These policy settings are available in **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Microsoft Passport for Work**. - + @@ -124,23 +122,23 @@ The following table lists the Group Policy settings that you can configure for H - +
    Policy Options
    Use Windows Hello for BusinessUse Microsoft Passport for Work -

    Not configured: Users can provision Windows Hello for Business, which encrypts their domain password.

    -

    Enabled: Device provisions Windows Hello for Business using keys or certificates for all users.

    -

    Disabled: Device does not provision Windows Hello for Business for any user.

    +

    Not configured: Users can provision Passport for Work, which encrypts their domain password.

    +

    Enabled: Device provisions Passport for Work using keys or certificates for all users.

    +

    Disabled: Device does not provision Passport for Work for any user.

    Use a hardware security device -

    Not configured: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.

    -

    Enabled: Windows Hello for Business will only be provisioned using TPM.

    -

    Disabled: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.

    +

    Not configured: Passport for Work will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.

    +

    Enabled: Passport for Work will only be provisioned using TPM.

    +

    Disabled: Passport for Work will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.

    Phone Sign-inRemote Passport -

    Use Phone Sign-in

    +

    Use Remote Passport

    Note  Applies to desktop only. Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
     
    -

    Not configured: Phone sign-in is disabled.

    +

    Not configured: Remote Passport is disabled.

    Enabled: Users can use a portable, registered device as a companion device for desktop authentication.

    -

    Disabled: Phone sign-in is disabled.

    +

    Disabled: Remote Passport is disabled.

    ## MDM policy settings for Passport -The following table lists the MDM policy settings that you can configure for Windows Hello for Business use in your workplace. These MDM policy settings use the [PassportForWork configuration service provider (CSP)](http://go.microsoft.com/fwlink/p/?LinkId=692070). +The following table lists the MDM policy settings that you can configure for Passport use in your workplace. These MDM policy settings use the [PassportForWork configuration service provider (CSP)](http://go.microsoft.com/fwlink/p/?LinkId=692070). @@ -154,9 +152,9 @@ The following table lists the MDM policy settings that you can configure for Win @@ -166,8 +164,8 @@ The following table lists the MDM policy settings that you can configure for Win @@ -178,8 +176,8 @@ The following table lists the MDM policy settings that you can configure for Win @@ -278,8 +276,8 @@ The following table lists the MDM policy settings that you can configure for Win
    PolicyDevice True -

    True: Windows Hello for Business will be provisioned for all users on the device.

    -

    False: Users will not be able to provision Windows Hello for Business.

    -
    Note  If Windows Hello for Business is enabled, and then the policy is changed to False, users who previously set up Windows Hello for Business can continue to use it, but will not be able to set up Windows Hello for Business on other devices.
    +

    True: Passport will be provisioned for all users on the device.

    +

    False: Users will not be able to provision Passport.

    +
    Note  If Passport is enabled, and then the policy is changed to False, users who previously set up Passport can continue to use it, but will not be able to set up Passport on other devices.
     
    Device False -

    True: Windows Hello for Business will only be provisioned using TPM.

    -

    False: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.

    +

    True: Passport will only be provisioned using TPM.

    +

    False: Passport will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.

    Device False -

    True: Biometrics can be used as a gesture in place of a PIN for domain sign-in.

    -

    False: Only a PIN can be used as a gesture for domain sign-in.

    +

    True: Biometrics can be used as a gesture in place of a PIN for domain logon.

    +

    False: Only a PIN can be used as a gesture for domain logon.

    Device or user False -

    True: Phone sign-in is enabled.

    -

    False: Phone sign-in is disabled.

    +

    True: Remote Passport is enabled.

    +

    False: Remote Passport is disabled.

    @@ -289,7 +287,7 @@ If policy is not configured to explicitly require letters or special characters,   ## Prerequisites -You’ll need this software to set Windows Hello for Business policies in your enterprise. +You’ll need this software to set Microsoft Passport policies in your enterprise. @@ -299,10 +297,10 @@ You’ll need this software to set Windows Hello for Business policies in your e - + - - + + @@ -310,14 +308,14 @@ You’ll need this software to set Windows Hello for Business policies in your e @@ -330,8 +328,8 @@ You’ll need this software to set Windows Hello for Business policies in your e
  • PKI infrastructure
  • @@ -339,22 +337,20 @@ You’ll need this software to set Windows Hello for Business policies in your e
  • Azure AD subscription
  • [Azure AD Connect](http://go.microsoft.com/fwlink/p/?LinkId=616792)
  • AD CS with NDES
  • -
  • Configuration Manager 2016 for domain-joined certificate enrollment, or InTune for non-domain-joined devices, or a non-Microsoft MDM service that supports Passport for Work
  • +
  • Configuration Manager (current branch) or Configuration Manager 2016 Technical Preview for domain-joined certificate enrollment, or InTune for non-domain-joined devices, or a non-Microsoft MDM service that supports Passport for Work
  • Windows Hello for Business modeMicrosoft Passport mode Azure ADActive Directory (AD) on-premises (available with production release of Windows Server 2016)Azure AD/AD hybrid (available with production release of Windows Server 2016)Active Directory (AD) on-premises (available with production release of Windows Server 2016 Technical Preview)Azure AD/AD hybrid (available with production release of Windows Server 2016 Technical Preview)
    Key-based authentication Azure AD subscription
      -
    • Active Directory Federation Service (AD FS) (Windows Server 2016)
    • +
    • Active Directory Federation Service (AD FS) (Windows Server 2016 Technical Preview)
    • A few Windows Server 2016 Technical Preview domain controllers on-site
    • Microsoft System Center 2012 R2 Configuration Manager SP2
    • Azure AD subscription
    • [Azure AD Connect](http://go.microsoft.com/fwlink/p/?LinkId=616792)
    • -
    • A few Windows Server 2016 domain controllers on-site
    • +
    • A few Windows Server 2016 Technical Preview domain controllers on-site
    • A management solution, such as Configuration Manager, Group Policy, or MDM
    • Active Directory Certificate Services (AD CS) without Network Device Enrollment Service (NDES)
      -
    • ADFS (Windows Server 2016)
    • -
    • Active Directory Domain Services (AD DS) Windows Server 2016 schema
    • +
    • ADFS (Windows Server 2016 Technical Preview)
    • +
    • Active Directory Domain Services (AD DS) Windows Server 2016 Technical Preview schema
    • PKI infrastructure
    • Configuration Manager SP2, Intune, or non-Microsoft MDM solution
      -Configuration Manager and MDM provide the ability to manage Windows Hello for Business policy and to deploy and manage certificates protected by Windows Hello for Business. +Configuration Manager and MDM provide the ability to manage Passport policy and to deploy and manage certificates protected by Passport. +Azure AD provides the ability to register devices with your enterprise and to provision Passport for organization accounts. +Active Directory provides the ability to authorize users and devices using keys protected by Passport if domain controllers are running Windows 10 and the Microsoft Passport provisioning service in Windows 10 AD FS. -Azure AD provides the ability to register devices with your enterprise and to provision Windows Hello for Business for organization accounts. +## Passport for BYOD -Active Directory provides the ability to authorize users and devices using keys protected by Windows Hello for Business if domain controllers are running Windows 10 and the Windows Hello for Business provisioning service in Windows 10 AD FS. - -## Windows Hello for BYOD - -Windows Hello can be managed on personal devices that your employees use for work purposes using MDM. On personal devices, users can create a personal Windows Hello PIN for unlocking the device and a separate work PIN for access to work resources. -The work PIN is managed using the same Windows Hello for Business policies that you can use to manage Windows Hello for Business on organization-owned devices. The personal PIN is managed separately using DeviceLock policy. DeviceLock policy can be used to control length, complexity, history, and expiration requirements and can be configured using the [Policy configuration service provider](http://go.microsoft.com/fwlink/p/?LinkID=623244). +Passport can be managed on personal devices that your employees use for work purposes using MDM. 
On personal devices, users can create a personal Passport PIN for unlocking the device and a separate work PIN for access to work resources. +The work PIN is managed using the same Passport policies that you can use to manage Passport on organization owned devices. The personal PIN is managed separately using DeviceLock policy. DeviceLock policy can be used to control length, complexity, history, and expiration requirements and can be configured using the [Policy configuration service provider](http://go.microsoft.com/fwlink/p/?LinkID=623244). ## Related topics @@ -362,17 +358,14 @@ The work PIN is managed using the same Windows Hello for Business policies that [Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) -[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) +[Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md) -[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md) +[Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md) -[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md) +[Microsoft Passport and password changes](microsoft-passport-and-password-changes.md) -[Windows Hello and password changes](microsoft-passport-and-password-changes.md) -[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) +[Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) -[Event ID 300 - Windows Hello successfully created](passport-event-300.md) - -[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) +[Event ID 300 - Passport successfully created](passport-event-300.md)   \ No newline at end of file 
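Review bot: The Group Policy location hunk changes more than the product name: the removed line says the settings are available in both User configuration and Computer Configuration, while the added line lists only Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Passport for Work. Dropping the user-scope path is a statement about where administrators will find and can scope the policy, so either confirm it is correct for the Passport for Work ADMX and call it out in the commit message, or keep the original sentence with only the name swapped. Further points in the same file: the Note line "Applies to desktop only. Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants." is unchanged context sitting between rows renamed from Phone Sign-in to Remote Passport, so the table now mixes both names; the MDM rows also change "domain sign-in" to "domain logon", another wording change riding on the rename; the added sentence "Active Directory provides the ability to authorize users and devices using keys protected by Passport if domain controllers are running Windows 10" is inconsistent with the prerequisites table in the same hunk, which lists "A few Windows Server 2016 Technical Preview domain controllers on-site", and domain controllers do not run a client OS, so "Windows 10" there looks wrong; "InTune" in the prerequisites rows should be "Intune" (the last row already spells it that way), and "ADFS" and "AD FS" are both used for the same service; and the Related topics block removes the links to enable-phone-signin-to-pc-and-vpn.md and windows-hello-in-enterprise.md, so those files need a redirect or removal in the same change or they become orphaned. Finally, the file still ends without a trailing newline ("\ No newline at end of file"); adding one avoids noise in the next diff.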
diff --git a/windows/keep-secure/implementing-your-windows-firewall-with-advanced-security-design-plan.md b/windows/keep-secure/implementing-your-windows-firewall-with-advanced-security-design-plan.md index 6099d183c9..25f0fba560 100644 --- a/windows/keep-secure/implementing-your-windows-firewall-with-advanced-security-design-plan.md +++ b/windows/keep-secure/implementing-your-windows-firewall-with-advanced-security-design-plan.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview The following are important factors in the implementation of your Windows Firewall with Advanced Security design plan: diff --git a/windows/keep-secure/index.md b/windows/keep-secure/index.md index 0fb93662f0..4d81cd0545 100644 --- a/windows/keep-secure/index.md +++ b/windows/keep-secure/index.md 
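Review bot: "- Windows Server 2016 Technical Preview" replacing "- Windows Server 2016" in the Applies to list is a regression to a pre-release product name, and the identical swap appears in the isolated-domain-gpos.md, isolated-domain.md, isolating-apps-on-your-network.md, link-the-gpo-to-the-domain.md and mapping-your-deployment-goals hunks further down this change. Unless the intent is to roll the whole branch back to a pre-release state, these lines should keep "Windows Server 2016", and the commit message should say why if the rollback is deliberate.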
@@ -16,20 +16,20 @@ Learn about keeping Windows 10 and Windows 10 Mobile secure. | Topic | Description | | - | - | +| [Change history for Keep Windows 10 secure](change-history-for-keep-windows-10-secure.md) | This topic lists new and updated topics in the Keep Windows 10 secure documentation for [Windows 10 and Windows 10 Mobile](../index.md). | | [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) | To help protect your company from attacks which may originate from untrusted or attacker controlled font files, we’ve created the Blocking Untrusted Fonts feature. Using this feature, you can turn on a global setting that stops your employees from loading untrusted fonts processed using the Graphics Device Interface (GDI) onto your network. Untrusted fonts are any font installed outside of the %windir%/Fonts directory. Blocking untrusted fonts helps prevent both remote (web-based or email-based) and local EOP attacks that can happen during the font file-parsing process. | -| [Device Guard certification and compliance](device-guard-certification-and-compliance.md) | Device Guard is a combination of hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. If the app isn’t trusted it can’t run, period. It also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code after the computer restarts because of how decisions are made about what can run and when. | -| [Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) | In Windows 10, Windows Hello replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. 
| +| [Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md) | In Windows 10, Microsoft Passport replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a Windows Hello (biometric) or PIN. | +| [Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) | Windows Hello is the biometric authentication feature that helps strengthen authentication and helps to guard against potential spoofing through fingerprint matching and facial recognition. | | [Configure S/MIME for Windows 10 and Windows 10 Mobile](configure-s-mime.md) | In Windows 10, S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with. | | [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md) | Digital certificates bind the identity of a user or computer to a pair of keys that can be used to encrypt and sign digital information. Certificates are issued by a certification authority (CA) that vouches for the identity of the certificate holder, and they enable secure client communications with websites and services. | +| [Device Guard deployment guide](device-guard-deployment-guide.md) | Device Guard is a combination of hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. If the app isn’t trusted it can’t run, period. 
It also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code after the computer restarts because of how decisions are made about what can run and when. | | [Protect derived domain credentials with Credential Guard](credential-guard.md) | Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes and Kerberos Ticket Granting Tickets. | -| [Protect Remote Desktop credentials with Remote Credential Guard](remote-credential-guard.md) | Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that's requesting the connection. | -| [Protect your enterprise data using enterprise data protection (EDP)](protect-enterprise-data-using-edp.md) | With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage. | +| [Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) | With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. 
For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage. | | [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md) | Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected. | | [VPN profile options](vpn-profile-options.md) | Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect. | | [Windows security baselines](windows-security-baselines.md) | Learn why you should use security baselines in your organization. | | [Security technologies](security-technologies.md) | Learn more about the different security technologies that are available in Windows 10 and Windows 10 Mobile. | -| [Enterprise security guides](windows-10-enterprise-security-guides.md) | Get proven guidance to help you better secure and protect your enterprise by using technologies such as Credential Guard, Device Guard, Microsoft Passport, and Windows Hello. This section offers technology overviews and step-by-step guides. | -| [Change history for Keep Windows 10 secure](change-history-for-keep-windows-10-secure.md) | This topic lists new and updated topics in the Keep Windows 10 secure documentation for [Windows 10 and Windows 10 Mobile](../index.md). | +| [Enterprise security guides](windows-10-enterprise-security-guides.md) | Get proven guidance to help you better secure and protect your enterprise by using technologies such as Credential Guard, Microsoft Passport, and Windows Hello. This section offers technology overviews and step-by-step guides. |   ## Related topics 
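Review bot: the table now adds a row for windows-hello-in-enterprise.md ("Windows Hello biometrics in the enterprise") while the Related topics hunks elsewhere in this change remove the link to that same page, and it drops the "Protect Remote Desktop credentials with Remote Credential Guard" row (remote-credential-guard.md) with no matching file deletion visible here; either the page still exists and the row should stay, or its deletion belongs in the same change. The renames in this hunk also pull in opposite directions: "Windows Hello for Business" reverts to "Microsoft Passport" (the older name, per the Note deleted from manage-identity-verification-using-microsoft-passport.md in this same change), while "enterprise data protection (EDP)" moves forward to "Windows Information Protection (WIP)", and the "Enterprise security guides" description loses "Device Guard" even though a "Device Guard deployment guide" row is added a few lines above. The "Change history" row moving from the bottom of the table to the top is fine if intended, but it is unrelated to the rename and should be called out in the commit message.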
diff --git a/windows/keep-secure/installing-digital-certificates-on-windows-10-mobile.md b/windows/keep-secure/installing-digital-certificates-on-windows-10-mobile.md index 3d0ace0785..6bd8e60c5d 100644 --- a/windows/keep-secure/installing-digital-certificates-on-windows-10-mobile.md +++ b/windows/keep-secure/installing-digital-certificates-on-windows-10-mobile.md @@ -22,10 +22,6 @@ Certificates in Windows 10 Mobile are primarily used for the following purposes - To authenticate a user to a reverse proxy server that is used to enable Microsoft Exchange ActiveSync (EAS) for email. - For installation and licensing of applications (from the Windows Phone Store or a custom company distribution site). - -**Warning**   -In Windows 10, Version 1607, if you have multiple certificates provisioned on the device and the Wi-Fi profile provisioned does not have a strict filtering criteria, you may see connection failures when connecting to Wi-Fi. [Learn more about this known issue in Version 1607](http://go.microsoft.com/fwlink/p/?LinkId=786764) - ## Install certificates using Microsoft Edge A certificate can be posted on a website and made available to users through a device-accessible URL that they can use to download the certificate. When a user accesses the page and taps the certificate, it opens on the device. The user can inspect the certificate, and if they choose to continue, the certificate is installed on the Windows 10 Mobile device. diff --git a/windows/keep-secure/isolated-domain-gpos.md b/windows/keep-secure/isolated-domain-gpos.md index 745da6642b..b7f6c3b921 100644 --- a/windows/keep-secure/isolated-domain-gpos.md +++ b/windows/keep-secure/isolated-domain-gpos.md 
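Review bot: the installing-digital-certificates-on-windows-10-mobile.md hunk deletes the "**Warning**" about Wi-Fi connection failures in Windows 10, Version 1607 when multiple certificates are provisioned and the Wi-Fi profile has no strict filtering criteria, along with its "Learn more about this known issue" link. That is live troubleshooting guidance for administrators who provision certificates; remove it only if the known issue is resolved, and state that in the commit message so the deletion is traceable.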
@@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview All of the devices in the isolated domain are added to the group CG\_DOMISO\_IsolatedDomain. You must create multiple GPOs to align with this group, one for each Windows operating system that must have different rules or settings to implement the basic isolated domain functionality that you have in your isolated domain. This group is granted Read and Apply Group Policy permissions on all the GPOs described in this section. diff --git a/windows/keep-secure/isolated-domain.md b/windows/keep-secure/isolated-domain.md index 43e1461c41..3d23484bf9 100644 --- a/windows/keep-secure/isolated-domain.md +++ b/windows/keep-secure/isolated-domain.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview The isolated domain is the primary zone for trusted devices. The devices in this zone use connection security and firewall rules to control the communications that can be sent between devices in the zone. diff --git a/windows/keep-secure/isolating-apps-on-your-network.md b/windows/keep-secure/isolating-apps-on-your-network.md index c8adf77620..09367196c5 100644 --- a/windows/keep-secure/isolating-apps-on-your-network.md +++ b/windows/keep-secure/isolating-apps-on-your-network.md 
@@ -12,7 +12,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview When you add new devices to your network, you may want to customize your Windows Firewall configuration to isolate the network access of the new Windows Store apps that run on them. Developers who build Windows Store apps can declare certain app capabilities that enable different classes of network access. A developer can decide what kind of network access the app requires and configure this capability for the app. When the app is installed on a device, appropriate firewall rules are automatically created to enable access. You can then customize the firewall configuration to further fine-tune this access if they desire more control over the network access for the app. diff --git a/windows/keep-secure/link-the-gpo-to-the-domain.md b/windows/keep-secure/link-the-gpo-to-the-domain.md index ba14d60b0e..ab224211e6 100644 --- a/windows/keep-secure/link-the-gpo-to-the-domain.md +++ b/windows/keep-secure/link-the-gpo-to-the-domain.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview After you create the GPO and configure it with security group filters and WMI filters, you must link the GPO to the container in Active Directory that contains all of the target devices. diff --git a/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md b/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md index d5eb1a60e3..dccabd045e 100644 --- a/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md +++ b/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md 
@@ -1,87 +1,73 @@ --- -title: Manage identity verification using Windows Hello for Business (Windows 10) -description: In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. +title: Manage identity verification using Microsoft Passport (Windows 10) +description: In Windows 10, Microsoft Passport replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a Windows Hello (biometric) or PIN. ms.assetid: 5BF09642-8CF5-4FBC-AC9A-5CA51E19387E -keywords: identity, PIN, biometric, Hello, passport +keywords: identity, PIN, biometric, Hello ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile author: jdeckerMS --- -# Manage identity verification using Windows Hello for Business +# Manage identity verification using Microsoft Passport **Applies to** - Windows 10 - Windows 10 Mobile -In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. +In Windows 10, Microsoft Passport replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a Windows Hello (biometric) or PIN. -> **Note:** When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. 
Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. - -Hello addresses the following problems with passwords: +Passport addresses the following problems with passwords: - Passwords can be difficult to remember, and users often reuse passwords on multiple sites. - Server breaches can expose symmetric network credentials. - Passwords can be subject to [replay attacks](http://go.microsoft.com/fwlink/p/?LinkId=615673). - Users can inadvertently expose their passwords due to [phishing attacks](http://go.microsoft.com/fwlink/p/?LinkId=615674). -Hello lets users authenticate to: +Passport lets users authenticate to: - a Microsoft account. - an Active Directory account. - a Microsoft Azure Active Directory (AD) account. - Identity Provider Services or Relying Party Services that support [Fast ID Online (FIDO) v2.0](http://go.microsoft.com/fwlink/p/?LinkId=533889) authentication -After an initial two-step verification of the user during enrollment, Hello is set up on the user's device and the user is asked to set a gesture, which can be a biometric, such as a fingerprint, or a PIN. The user provides the gesture to verify their identity. Windows then uses Hello to authenticate users and help them to access protected resources and services. +After an initial two-step verification of the user during Passport enrollment, Passport is set up on the user's device and the user is asked to set a gesture, which can be Windows Hello or a PIN. The user provides the gesture to verify their identity. Windows then uses Passport to authenticate users and help them to access protected resources and services. -As an administrator in an enterprise or educational organization, you can create policies to manage Hello use on Windows 10-based devices that connect to your organization. 
+As an administrator in an enterprise or educational organization, you can create policies to manage Passport use on Windows 10-based devices that connect to your organization. - - - -## The difference between Windows Hello and Windows Hello for Business - -- Individuals can create a PIN or biometric gesture on their personal devices for convenient sign-in. This use of Hello provides a layer of protection by being unique to the device on which it is set up, however it is not backed by key-based or certificate-based authentication. - -- Windows Hello for Business, which is configured by Group Policy or MDM policy, uses key-based or certificate-based authentication. - -## Benefits of Windows Hello +## Benefits of Microsoft Passport Reports of identity theft and large-scale hacking are frequent headlines. Nobody wants to be notified that their user name and password have been exposed. - You may wonder [how a PIN can help protect a device better than a password](why-a-pin-is-better-than-a-password.md). Passwords are shared secrets; they are entered on a device and transmitted over the network to the server. An intercepted account name and password can be used by anyone. Because they're stored on the server, a server breach can reveal those stored credentials. -In Windows 10, Hello replaces passwords. The Hello provisioning process creates two cryptographic keys bound to the Trusted Platform Module (TPM), if a device has a TPM, or in software. Access to these keys and obtaining a signature to validate user possession of the private key is enabled only by the PIN or biometric gesture. The two-step verification that takes place during Hello enrollment creates a trusted relationship between the identity provider and the user when the public portion of the public/private key pair is sent to an identity provider and associated with a user account. 
When a user enters the gesture on the device, the identify provider knows from the combination of Hello keys and gesture that this is a verified identity and provides an authentication token that allows Windows 10 to access resources and services. In addition, during the registration process, the attestation claim is produced for every identity provider to cryptographically prove that the Hello keys are tied to TPM. During registration, when the attestation claim is not presented to the identity provider, the identity provider must assume that the Hello key is created in software. +In Windows 10, Passport replaces passwords. The Passport provisioning process creates two cryptographic keys bound to the Trusted Platform Module (TPM), if a device has a TPM, or in software. Access to these keys and obtaining a signature to validate user possession of the private key is enabled only by the PIN or biometric gesture. The two-step verification that takes place during Passport enrollment creates a trusted relationship between the identity provider and the user when the public portion of the public/private key pair is sent to an identity provider and associated with a user account. When a user enters the gesture on the device, the identify provider knows from the combination of Passport keys and gesture that this is a verified identity and provides an authentication token that allows Windows 10 to access resources and services. In addition, during the registration process, the attestation claim is produced for every identity provider to cryptographically prove that the Passport keys are tied to TPM. During registration, when the attestation claim is not presented to the identity provider, the identity provider must assume that the Passport key is created in software. 
-![how authentication works in windows hello](images/authflow.png) +![how authentication works in microsoft passport](images/authflow.png) Imagine that someone is looking over your shoulder as you get money from an ATM and sees the PIN that you enter. Having that PIN won't help them access your account because they don't have your ATM card. In the same way, learning your PIN for your device doesn't allow that attacker to access your account because the PIN is local to your specific device and doesn't enable any type of authentication from any other device. -Hello helps protect user identities and user credentials. Because no passwords are used, it helps circumvent phishing and brute force attacks. It also helps prevent server breaches because Hello credentials are an asymmetric key pair, which helps prevent replay attacks when these keys are generated within isolated environments of TPMs. - -Hello also enables Windows 10 Mobile devices to be used as [a remote credential](prepare-people-to-use-microsoft-passport.md#bmk-remote) when signing into Windows 10 PCs. During the sign-in process, the Windows 10 PC can connect using Bluetooth to access Hello on the user’s Windows 10 Mobile device. Because users carry their phone with them, Hello makes implementing two-factor authentication across the enterprise less costly and complex than other solutions. +Passport helps protect user identities and user credentials. Because no passwords are used, it helps circumvent phishing and brute force attacks. It also helps prevent server breaches because Passport credentials are an asymmetric key pair, which helps prevent replay attacks when these keys are generated within isolated environments of TPMs. +Microsoft Passport also enables Windows 10 Mobile devices to be used as [a remote credential](prepare-people-to-use-microsoft-passport.md#bmk-remote) when signing into Windows 10 PCs. 
During the sign-in process, the Windows 10 PC can connect using Bluetooth to access Microsoft Passport on the user’s Windows 10 Mobile device. Because users carry their phone with them, Microsoft Passport makes implementing two-factor authentication across the enterprise less costly and complex than other solutions. > **Note:**  Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants. -   -## How Windows Hello for Business works: key points +## How Microsoft Passport works: key points -- Hello credentials are based on certificate or asymmetrical key pair. Hello credentials are bound to the device, and the token that is obtained using the credential is also bound to the device. -- Identify provider (such as Active Directory, Azure AD, or a Microsoft account) validates user identity and maps Hello's public key to a user account during the registration step. +- Passport credentials are based on certificate or asymmetrical key pair. Passport credentials are bound to the device, and the token that is obtained using the credential is also bound to the device. +- Identify provider (such as Active Directory, Azure AD, or a Microsoft account) validates user identity and maps Microsoft Passport's public key to a user account during the registration step. - Keys can be generated in hardware (TPM 1.2 or 2.0 for enterprises, and TPM 2.0 for consumers) or software, based on the policy. -- Authentication is the two-factor authentication with the combination of a key or certificate tied to a device and something that the person knows (a PIN) or something that the person is (Windows Hello). The Hello gesture does not roam between devices and is not shared with the server; it is stored locally on a device. +- Authentication is the two-factor authentication with the combination of a key or certificate tied to a device and something that the person knows (a PIN) or something that the person is (Windows Hello). 
The Passport gesture does not roam between devices and is not shared with the server; it is stored locally on a device. - Private key never leaves a device. The authenticating server has a public key that is mapped to the user account during the registration process. -- PIN entry and biometric gesture both trigger Windows 10 to verify the user's identity and authenticate using Hello keys or certificates. -- Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. All keys are separated by identity providers' domains to help ensure user privacy. -- Certificates are added to the Hello container and are protected by the Hello gesture. +- PIN entry and Hello both trigger Windows 10 to verify the user's identity and authenticate using Passport keys or certificates. +- Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use separate containers for keys. Non-Microsoft identity providers can generate keys for their users in the same container as the Microsoft account; however, all keys are separated by identity providers' domains to help ensure user privacy. +- Certificates are added to the Passport container and are protected by the Passport gesture. - Windows Update behavior: After a reboot is required by Windows Update, the last interactive user is automatically signed on without any user gesture and the session is locked so the user's lock screen apps can run. ## Comparing key-based and certificate-based authentication -Windows Hello for Business can use either keys (hardware or software) or certificates with keys in hardware or software to confirm identity. Enterprises that have a public key infrastructure (PKI) for issuing and managing certificates can continue to use PKI in combination with Hello. Enterprises that do not use PKI or want to reduce the effort associated with managing certificates can rely on key-based credentials for Hello. 
+Passport can use either keys (hardware or software) or certificates with keys in hardware or software to confirm identity. Enterprises that have a public key infrastructure (PKI) for issuing and managing certificates can continue to use PKI in combination with Passport. Enterprises that do not use PKI or want to reduce the effort associated with managing certificates can rely on key-based credentials for Passport. Hardware-based keys, which are generated by TPM, provide the highest level of assurance. When the TPM is manufactured, an Endorsement Key (EK) certificate is resident in the TPM. This EK certificate creates a root trust for all other keys that are generated on this TPM. -EK certification is used to generate an attestation identity key (AIK) certificate issued by a Microsoft certificate authority. This AIK certificate can be used as an attestation claim to prove to identity providers that the Hello keys are generated on the same TPM. The Microsoft certificate authority (CA) generates the AIK certificate per device, per user, and per IDP to help ensure that user privacy is protected. +EK certification is used to generate an attestation identity key (AIK) certificate issued by a Microsoft certificate authority. This AIK certificate can be used as an attestation claim to prove to identity providers that the Passport keys are generated on the same TPM. The Microsoft certificate authority (CA) generates the AIK certificate per device, per user, and per IDP to help ensure that user privacy is protected. -When identity providers such as Active Directory or Azure AD enroll a certificate in Hello, Windows 10 will support the same set of scenarios as a smart card. When the credential type is a key, only key-based trust and operations will be supported. +When identity providers such as Active Directory or Azure AD enroll a certificate in Passport, Windows 10 will support the same set of scenarios as a smart card. 
When the credential type is a key, only key-based trust and operations will be supported. ## Learn more @@ -103,19 +89,15 @@ When identity providers such as Active Directory or Azure AD enroll a certificat ## Related topics -[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) - -[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md) +[Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md) [Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) -[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md) +[Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md) -[Windows Hello and password changes](microsoft-passport-and-password-changes.md) +[Microsoft Passport and password changes](microsoft-passport-and-password-changes.md) -[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) +[Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) -[Event ID 300 - Windows Hello successfully created](passport-event-300.md) - -[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) -  +[Event ID 300 - Passport successfully created](passport-event-300.md) +  \ No newline at end of file diff --git a/windows/keep-secure/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md b/windows/keep-secure/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md index 49dc1620f6..3187e17371 100644 --- a/windows/keep-secure/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md +++ b/windows/keep-secure/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md 
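Review bot: the key-points bullet changes a factual statement without explanation: the removed line says personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts "use a single container for keys", the added line says they "use separate containers for keys" and that non-Microsoft identity providers share the Microsoft account container. Both cannot be right, and the privacy claim in the same bullet rests on which one is, so confirm the container model before merging and note the source in the commit message. Two smaller points in the same hunk: "the identify provider knows" (Benefits section) and "Identify provider (such as Active Directory..." (key points) are typos for "identity provider" carried unchanged into the "+" lines and worth fixing while these lines are being rewritten; and the deleted "> **Note:**" about Microsoft Passport and Windows Hello being combined under the Windows Hello name was the only text on the page that explained how the two names relate, so after this change the page uses "Windows Hello" for the biometric gesture and "Microsoft Passport" for the credential with no sentence tying them together.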
@@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview After you finish reviewing the existing Windows Firewall with Advanced Security deployment goals and you determine which goals are important to your specific deployment, you can map those goals to a specific Windows Firewall with Advanced Security design. diff --git a/windows/keep-secure/microsoft-passport-and-password-changes.md b/windows/keep-secure/microsoft-passport-and-password-changes.md index ff90865f5e..ceebe00f0a 100644 --- a/windows/keep-secure/microsoft-passport-and-password-changes.md +++ b/windows/keep-secure/microsoft-passport-and-password-changes.md @@ -1,6 +1,6 @@ --- -title: Windows Hello and password changes (Windows 10) -description: When you change your password on a device, you may need to sign in with a password on other devices to reset Hello. +title: Microsoft Passport and password changes (Windows 10) +description: When you set up Microsoft Passport, the PIN or biometric (Windows Hello) gesture that you use is specific to that device. ms.assetid: 83005FE4-8899-47A6-BEA9-C17CCA0B6B55 ms.prod: w10 ms.mktglfcycl: deploy 
@@ -14,17 +14,17 @@ author: jdeckerMS - Windows 10 - Windows 10 Mobile -When you set up Windows Hello, the PIN or biometric gesture that you use is specific to that device. You can set up Hello for the same account on multiple devices. If the PIN or biometric is configured as part of Windows Hello for Business, changing the account password will not impact sign-in or unlock with these gestures since it uses a key or certificate. However, if Windows Hello for Business is not deployed and the password for that account changes, you must provide the new password on each device to continue to use Hello. +When you set up Microsoft Passport, the PIN or biometric (Windows Hello) gesture that you use is specific to that device. You can set up Passport for the same account on multiple devices. If the PIN or biometric is configured as part of a Microsoft Passport for Work, changing the account password will not impact sign-in or unlock with these gestures since it uses a key or certificate. However, if Microsoft Passport for Work is not deployed and the password for that account changes, you must provide the new password on each device to continue to use Passport. ## Example Let's suppose that you have set up a PIN for your Microsoft account on **Device A**. You use your PIN to sign in on **Device A** and then change the password for your Microsoft account. Because you were using **Device A** when you changed your password, the PIN on **Device A** will continue to work with no other action on your part. -Suppose instead that you sign in on **Device B** and change your password for your Microsoft account. The next time that you try to sign in on **Device A** using your PIN, sign-in will fail because the account credentials that Hello on **Device A** knows will be outdated. -> **Note:**  This example also applies to an Active Directory account when [Windows Hello for Business is not implemented](implement-microsoft-passport-in-your-organization.md). 
+Suppose instead that you sign in on **Device B** and change your password for your Microsoft account. The next time that you try to sign in on **Device A** using your PIN, sign-in will fail because the account credentials that Passport on **Device A** knows will be outdated. +> **Note:**  This example also applies to an Active Directory account when [Passport for Work is not implemented](implement-microsoft-passport-in-your-organization.md).   -## How to update Hello after you change your password on another device +## How to update Passport after you change your password on another device 1. When you try to sign in using your PIN or biometric, you will see the following message: **Your password was changed on a different device. You must sign in to this device once with your new password, and then you can sign in with your PIN.** 2. Click **OK.** 
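Review bot: stray article in the first added paragraph of this hunk: "configured as part of a Microsoft Passport for Work" should read "configured as part of Microsoft Passport for Work" (the product name is not a countable noun, and the next sentence already uses it without an article). The Note line also shortens the name to "Passport for Work"; use the same form in both places.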
@@ -35,19 +35,16 @@ Suppose instead that you sign in on **Device B** and change your password for yo ## Related topics -[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) +[Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md) -[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) - -[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md) +[Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md) [Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) -[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md) +[Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md) -[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) +[Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) -[Event ID 300 - Windows Hello successfully created](passport-event-300.md) -[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) +[Event ID 300 - Passport successfully created](passport-event-300.md)   \ No newline at end of file diff --git a/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md b/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md index 78dcefde4d..490c5c9e6e 100644 --- a/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md +++ b/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md 
@@ -1,6 +1,6 @@ --- -title: Windows Hello errors during PIN creation (Windows 10) -description: When you set up Windows Hello in Windows 10, you may get an error during the Create a work PIN step. +title: Microsoft Passport errors during PIN creation (Windows 10) +description: When you set up Microsoft Passport in Windows 10, you may get an error during the Create a work PIN step. ms.assetid: DFEFE22C-4FEF-4FD9-BFC4-9B419C339502 keywords: PIN, error, create a work PIN ms.prod: w10 @@ -10,13 +10,13 @@ ms.pagetype: security author: jdeckerMS --- -# Windows Hello errors during PIN creation +# Microsoft Passport errors during PIN creation **Applies to** - Windows 10 - Windows 10 Mobile -When you set up Windows Hello in Windows 10, you may get an error during the **Create a work PIN** step. This topic lists some of the error codes with recommendations for mitigating the problem. If you get an error code that is not listed here, contact Microsoft Support. +When you set up Microsoft Passport in Windows 10, you may get an error during the **Create a work PIN** step. This topic lists some of the error codes with recommendations for mitigating the problem. If you get an error code that is not listed here, contact Microsoft Support. ## Where is the error code? 
@@ -221,18 +221,14 @@ For errors listed in this table, contact Microsoft Support for assistance. ## Related topics -[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) +[Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md) -[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) - -[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md) +[Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md) [Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) -[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md) +[Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md) -[Windows Hello and password changes](microsoft-passport-and-password-changes.md) +[Microsoft Passport and password changes](microsoft-passport-and-password-changes.md) -[Event ID 300 - Windows Hello successfully created](passport-event-300.md) - -[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) \ No newline at end of file +[Event ID 300 - Passport successfully created](passport-event-300.md) diff --git a/windows/keep-secure/microsoft-passport-guide.md b/windows/keep-secure/microsoft-passport-guide.md index 45548bb40f..b78b6f94f7 100644 --- a/windows/keep-secure/microsoft-passport-guide.md +++ b/windows/keep-secure/microsoft-passport-guide.md 
@@ -101,7 +101,7 @@ Microsoft Passport offers four significant advantages over the current state of **It’s flexible** Microsoft Passport offers unprecedented flexibility. Although the format and use of reusable passwords are fixed, Microsoft Passport gives both administrators and users options to manage authentication. First and foremost, Microsoft Passport works with both biometric identifiers and PINs, so users’ credentials are protected even on devices that don’t support biometrics. Users can even use their phone to release their credentials instead of a PIN or biometric gesture on the main device. Microsoft Passport seamlessly takes advantage of the hardware of the devices in use; as users upgrade to newer devices, Microsoft Passport is ready to use them, and organizations can upgrade existing devices by adding biometric sensors where appropriate. -Microsoft Passport offers flexibility in the datacenter, too. To deploy it, in some modes you must add Windows Server 2016 domain controllers to your Active Directory environment, but you don’t have to replace or remove your existing Active Directory servers — the servers required for Microsoft Passport build on and add capability to your existing infrastructure. You don’t have to change the domain or forest functional level, and you can either add on-premises servers or use Microsoft Azure Active Directory to deploy Microsoft Passport on your network. The choice of which users you should enable for Microsoft Passport use is completely up to you: you choose the policies and devices to support and which authentication factors you want users to have access to. This makes it easy to use Microsoft Passport to supplement existing smart card or token deployments by adding strong credential protection to users who don’t currently have it or to deploy Microsoft Passport in scenarios that call for extra protection for sensitive resources or systems (described in the [Design a Microsoft Passport deployment](#design) section). 
+Microsoft Passport offers flexibility in the datacenter, too. To deploy it, in some modes you must add Windows Server 2016 Technical Preview domain controllers to your Active Directory environment, but you don’t have to replace or remove your existing Active Directory servers — the servers required for Microsoft Passport build on and add capability to your existing infrastructure. You don’t have to change the domain or forest functional level, and you can either add on-premises servers or use Microsoft Azure Active Directory to deploy Microsoft Passport on your network. The choice of which users you should enable for Microsoft Passport use is completely up to you: you choose the policies and devices to support and which authentication factors you want users to have access to. This makes it easy to use Microsoft Passport to supplement existing smart card or token deployments by adding strong credential protection to users who don’t currently have it or to deploy Microsoft Passport in scenarios that call for extra protection for sensitive resources or systems (described in the [Design a Microsoft Passport deployment](#design) section). **It’s standardized** diff --git a/windows/keep-secure/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md b/windows/keep-secure/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md index d2ed73907e..95ab7cda01 100644 --- a/windows/keep-secure/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md +++ b/windows/keep-secure/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md 
@@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview You must reconfigure your copied GPO so that it contains the correct security group and WMI filters for its new role. If you are creating the GPO for the isolated domain, use the [Block members of a group from applying a GPO](#to-block-members-of-a-group-from-applying-a-gpo) procedure to prevent members of the boundary and encryption zones from incorrectly applying the GPOs for the main isolated domain. diff --git a/windows/keep-secure/open-the-group-policy-management-console-to-ip-security-policies.md b/windows/keep-secure/open-the-group-policy-management-console-to-ip-security-policies.md index 420518e4ca..f29f5afbb7 100644 --- a/windows/keep-secure/open-the-group-policy-management-console-to-ip-security-policies.md +++ b/windows/keep-secure/open-the-group-policy-management-console-to-ip-security-policies.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview Procedures in this guide that refer to GPOs for earlier versions of the Windows operating system instruct you to work with the IP Security Policy section in the Group Policy Management Console (GPMC). diff --git a/windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md b/windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md index bbecb7b8ad..e179647bac 100644 --- a/windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md +++ b/windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md 
@@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview Most of the procedures in this guide instruct you to use Group Policy settings for Windows Firewall with Advanced Security. diff --git a/windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall.md b/windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall.md index 9712af0076..2d848ec539 100644 --- a/windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall.md +++ b/windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview To open a GPO to Windows Firewall diff --git a/windows/keep-secure/open-windows-firewall-with-advanced-security.md b/windows/keep-secure/open-windows-firewall-with-advanced-security.md index 8f20a73c1c..cda993d4ad 100644 --- a/windows/keep-secure/open-windows-firewall-with-advanced-security.md +++ b/windows/keep-secure/open-windows-firewall-with-advanced-security.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview This procedure shows you how to open the Windows Firewall with Advanced Security console. diff --git a/windows/keep-secure/passport-event-300.md b/windows/keep-secure/passport-event-300.md index 51e13a8d72..9a7c694ae0 100644 --- a/windows/keep-secure/passport-event-300.md +++ b/windows/keep-secure/passport-event-300.md 
@@ -1,6 +1,6 @@ --- -title: Event ID 300 - Windows Hello successfully created (Windows 10) -description: This event is created when a Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD). +title: Event ID 300 - Passport successfully created (Windows 10) +description: This event is created when a Microsoft Passport for Enterprise is successfully created and registered with Azure Active Directory (Azure AD). ms.assetid: 0DD59E75-1C5F-4CC6-BB0E-71C83884FF04 keywords: ngc ms.prod: w10 @@ -10,13 +10,13 @@ ms.pagetype: security author: jdeckerMS --- -# Event ID 300 - Windows Hello successfully created +# Event ID 300 - Passport successfully created **Applies to** - Windows 10 - Windows 10 Mobile -This event is created when Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD). Applications or services can trigger actions on this event. For example, a certificate provisioning service can listen to this event and trigger a certificate request. +This event is created when a Microsoft Passport for Enterprise is successfully created and registered with Azure Active Directory (Azure AD). Applications or services can trigger actions on this event. For example, a certificate provisioning service can listen to this event and trigger a certificate request. ## Event details | | | 
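Review bot: inconsistent product name within this change: passport-event-300.md now says "a Microsoft Passport for Enterprise" in both the description and the body, while microsoft-passport-and-password-changes.md in the same commit uses "Microsoft Passport for Work". Pick one name across the set, and drop the article: "This event is created when Microsoft Passport for Work is successfully created and registered with Azure Active Directory (Azure AD)."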
@@ -34,20 +34,9 @@ This is a normal condition. No further action is required. ## Related topics -[Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md) - -[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) - -[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md) - -[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) - -[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md) - -[Windows Hello and password changes](microsoft-passport-and-password-changes.md) - -[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) - -[Event ID 300 - Windows Hello successfully created](passport-event-300.md) - -[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) +- [Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md) +- [Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md) +- [Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) +- [Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md) +- [Microsoft Passport and password changes](microsoft-passport-and-password-changes.md) +- [Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) diff --git a/windows/keep-secure/planning-certificate-based-authentication.md b/windows/keep-secure/planning-certificate-based-authentication.md index ab5b21c69b..69e599b812 100644 --- a/windows/keep-secure/planning-certificate-based-authentication.md +++ b/windows/keep-secure/planning-certificate-based-authentication.md 
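Review bot: the Related topics block in passport-event-300.md is rewritten as a `- ` bulleted list, while the same block in microsoft-passport-and-password-changes.md, microsoft-passport-errors-during-pin-creation.md and prepare-people-to-use-microsoft-passport.md in this change keeps the blank-line-separated bare links. Use one form for all four files so the rendered pages match.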
@@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview Sometimes a device cannot join an Active Directory domain, and therefore cannot use Kerberos V5 authentication with domain credentials. However, the device can still participate in the isolated domain by using certificate-based authentication. diff --git a/windows/keep-secure/planning-domain-isolation-zones.md b/windows/keep-secure/planning-domain-isolation-zones.md index a18fb27051..208265eefb 100644 --- a/windows/keep-secure/planning-domain-isolation-zones.md +++ b/windows/keep-secure/planning-domain-isolation-zones.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview After you have the required information about your network, Active Directory, and client and server devices, you can use that information to make decisions about the isolation zones you want to use in your environment. diff --git a/windows/keep-secure/planning-gpo-deployment.md b/windows/keep-secure/planning-gpo-deployment.md index abdff4b8ca..050a5550f7 100644 --- a/windows/keep-secure/planning-gpo-deployment.md +++ b/windows/keep-secure/planning-gpo-deployment.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview You can control which GPOs are applied to devices in Active Directory in a combination of three ways: diff --git a/windows/keep-secure/planning-group-policy-deployment-for-your-isolation-zones.md b/windows/keep-secure/planning-group-policy-deployment-for-your-isolation-zones.md index 0718187682..fff34a12c7 100644 --- a/windows/keep-secure/planning-group-policy-deployment-for-your-isolation-zones.md +++ b/windows/keep-secure/planning-group-policy-deployment-for-your-isolation-zones.md 
@@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview After you have decided on the best logical design of your isolation environment for the network and device security requirements, you can start the implementation plan. diff --git a/windows/keep-secure/planning-isolation-groups-for-the-zones.md b/windows/keep-secure/planning-isolation-groups-for-the-zones.md index 0c4488940a..b4f667a50b 100644 --- a/windows/keep-secure/planning-isolation-groups-for-the-zones.md +++ b/windows/keep-secure/planning-isolation-groups-for-the-zones.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview Isolation groups in Active Directory are how you implement the various domain and server isolation zones. A device is assigned to a zone by adding its device account to the group which represents that zone. diff --git a/windows/keep-secure/planning-network-access-groups.md b/windows/keep-secure/planning-network-access-groups.md index 929c583624..4d9b002e7c 100644 --- a/windows/keep-secure/planning-network-access-groups.md +++ b/windows/keep-secure/planning-network-access-groups.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview A network access group (NAG) is used to identify users and devices that have permission to access an isolated server. The server is configured with firewall rules that allow only network connections that are authenticated as originating from a device, and optionally a user, whose accounts are members of its NAG. A member of the isolated domain can belong to as many NAGs as required. diff --git a/windows/keep-secure/planning-server-isolation-zones.md b/windows/keep-secure/planning-server-isolation-zones.md index 9995c0e5fc..12688b93c9 100644 --- a/windows/keep-secure/planning-server-isolation-zones.md 
+++ b/windows/keep-secure/planning-server-isolation-zones.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview Sometimes a server hosts data that is sensitive. If your servers host data that must not be compromised, you have several options to help protect that data. One was already addressed: adding the server to the encryption zone. Membership in that zone prevents the server from being accessed by any devices that are outside the isolated domain, and encrypts all network connections to server. diff --git a/windows/keep-secure/planning-settings-for-a-basic-firewall-policy.md b/windows/keep-secure/planning-settings-for-a-basic-firewall-policy.md index fdcf972088..4fcbd977dc 100644 --- a/windows/keep-secure/planning-settings-for-a-basic-firewall-policy.md +++ b/windows/keep-secure/planning-settings-for-a-basic-firewall-policy.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview After you have identified your requirements, and have the information about the network layout and devices available, you can begin to design the GPO settings and rules that will enable you to enforce your requirements on the devices. diff --git a/windows/keep-secure/planning-the-gpos.md b/windows/keep-secure/planning-the-gpos.md index 84b3750822..b22f0497cd 100644 --- a/windows/keep-secure/planning-the-gpos.md +++ b/windows/keep-secure/planning-the-gpos.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview When you plan the GPOs for your different isolation zones, you must complete the layout of the required zones and their mappings to the groups that link the devices to the zones. 
diff --git a/windows/keep-secure/planning-to-deploy-windows-firewall-with-advanced-security.md b/windows/keep-secure/planning-to-deploy-windows-firewall-with-advanced-security.md index 8423e4b94f..1801d2a86a 100644 --- a/windows/keep-secure/planning-to-deploy-windows-firewall-with-advanced-security.md +++ b/windows/keep-secure/planning-to-deploy-windows-firewall-with-advanced-security.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview After you collect information about your environment and decide on a design by following the guidance in the [Windows Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md), you can begin to plan the deployment of your design. With the completed design and the information in this topic, you can determine which tasks to perform to deploy Windows Firewall with Advanced Security in your organization. diff --git a/windows/keep-secure/planning-your-windows-firewall-with-advanced-security-design.md b/windows/keep-secure/planning-your-windows-firewall-with-advanced-security-design.md index 736612379f..c800eca94d 100644 --- a/windows/keep-secure/planning-your-windows-firewall-with-advanced-security-design.md +++ b/windows/keep-secure/planning-your-windows-firewall-with-advanced-security-design.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview After you have gathered the relevant information in the previous sections, and understand the basics of the designs as described earlier in this guide, you can select the design (or combination of designs) that meet your needs. diff --git a/windows/keep-secure/prepare-people-to-use-microsoft-passport.md b/windows/keep-secure/prepare-people-to-use-microsoft-passport.md index 8838e4982f..d377aafd3e 100644 --- a/windows/keep-secure/prepare-people-to-use-microsoft-passport.md 
+++ b/windows/keep-secure/prepare-people-to-use-microsoft-passport.md @@ -1,6 +1,6 @@ --- -title: Prepare people to use Windows Hello (Windows 10) -description: When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization. +title: Prepare people to use Microsoft Passport (Windows 10) +description: When you set a policy to require Microsoft Passport in the workplace, you will want to prepare people in your organization. ms.assetid: 5270B416-CE31-4DD9-862D-6C22A2AE508B keywords: identity, PIN, biometric, Hello ms.prod: w10 
@@ -10,19 +10,19 @@ ms.pagetype: security author: jdeckerMS --- -# Prepare people to use Windows Hello +# Prepare people to use Microsoft Passport **Applies to** - Windows 10 - Windows 10 Mobile -When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization by explaining how to use Hello. +When you set a policy to require Microsoft Passport in the workplace, you will want to prepare people in your organization by explaining how to use Passport. -After enrollment in Hello, users should use their gesture (such as a PIN or fingerprint) for access to corporate resources. Their gesture is only valid on the enrolled device. +After enrollment in Passport, users should use their gesture (such as a PIN or fingerprint) for access to corporate resources. Their gesture is only valid on the enrolled device. -Although the organization may require users to change their Active Directory or Azure Active Directory (AD) account password at regular intervals, changes to their passwords have no effect on Hello. +Although the organization may require users to change their Active Directory or Azure Active Directory (AD) account password at regular intervals, changes to their passwords have no effect on Passport. -People who are currently using virtual smart cards for authentication can use their virtual smart card to verify their identity when they set up Hello. +People who are currently using virtual smart cards for authentication can use their virtual smart card to verify their identity when they set up Passport. ## On devices owned by the organization 
@@ -36,33 +36,33 @@ Next, they select a way to connect. Tell the people in your enterprise which opt They sign in, and are then asked to verify their identity. People have options to choose from, such as a text message, phone call, or authentication app. After verification, they create their PIN. The **Create a work PIN** screen displays any complexity requirements that you have set, such as minimum length. -After Hello is set up, people use their PIN to unlock the device, and that will automatically log them on. +After Passport is set up, people use their PIN to unlock the device, and that will automatically log them on. ## On personal devices People who want to access work resources on their personal devices can add a work or school account in **Settings** > **Accounts** > **Work or school**, and then sign in with work credentials. The person selects the method for receiving the verification code, such as text message or email. The verification code is sent and the person then enters the verification code. After verification, the person enters and confirms new PIN. The person can access any token-based resource using this device without being asked for credentials. (This work account gesture doesn't affect the device unlock PIN.) +Assure people that their work credentials and personal credentials are stored in separate containers; the enterprise has no access to their personal credentials. + People can go to **Settings** > **Accounts** > **Work or school**, select the work account, and then select **Unjoin** to remove the account from their device. ## Using Windows Hello and biometrics -If your policy allows it, people can use biometrics (fingerprint, iris, and facial recognition) with Windows Hello for Business, if the hardware supports it. +If your policy allows it, people can add Windows Hello to their Passport. Windows Hello can be fingerprint, iris, and facial recognition, and is available to users only if the hardware supports it. 
![sign in to windows, apps, and services using fingerprint or face](images/hellosettings.png) ## Use a phone to sign in to a PC -If your enterprise enables phone sign-in, users can pair a phone running Windows 10 Mobile to a PC running Windows 10 and then use an app on the phone to sign in to the PC using their Windows Hello credentials. - +If your enterprise enables phone sign-in, users can pair a phone running Windows 10 Mobile to a PC running Windows 10 and then use an app on the phone to sign in to the PC using their Microsoft Passport credentials. +> **Note:**  Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.   **Prerequisites:** - The PC must be joined to the Active Directory domain or Azure AD cloud domain. - The PC must have Bluetooth connectivity. - The phone must be joined to the Azure AD cloud domain, or the user must have added a work account to their personal phone. -- The **Microsoft Authenticator** app must be installed on the phone. - +- The free **Phone Sign-in** app must be installed on the phone. **Pair the PC and phone** - 1. On the PC, go to **Settings** > **Devices** > **Bluetooth**. Tap the name of the phone and then tap **Pair** to begin pairing. ![bluetooth pairing](images/btpair.png) 
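Review bot: the added `> **Note:**  Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.` line replaces the blank line that separated the paragraph from `**Prerequisites:**`, and no blank line follows it. In CommonMark a non-`>` line directly after a blockquote paragraph is a lazy continuation, so `**Prerequisites:**` will render inside the note. Put a blank line before and after the note. The new sentence "Assure people that their work credentials and personal credentials are stored in separate containers; the enterprise has no access to their personal credentials." states a guarantee with no pointer to where the container model is described; link it to the relevant section of the guide so readers can verify it.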
@@ -72,30 +72,22 @@ If your enterprise enables phone sign-in, users can pair a phone running Windows ![bluetooth pairing passcode](images/bt-passcode.png) 3. On the PC, tap **Yes**. - **Sign in to PC using the phone** - -1. Open the **Microsoft Authenticator** app and tap the name of the PC to sign in to. - > **Note: **  The first time that you run the **Microsoft Authenticator** app, you must add an account. +1. Open the **Phone Sign-in** app and tap the name of the PC to sign in to. + > **Note: **  The first time that you run the Phone-Sign app, you must add an account.   2. Enter the work PIN that you set up when you joined the phone to the cloud domain or added a work account. ## Related topics -[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) +[Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md) -[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) - -[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md) +[Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md) [Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) -[Windows Hello and password changes](microsoft-passport-and-password-changes.md) - -[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) - -[Event ID 300 - Windows Hello successfully created](passport-event-300.md) - -[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) +[Microsoft Passport and password changes](microsoft-passport-and-password-changes.md) +[Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) +[Event ID 300 - Passport successfully created](passport-event-300.md) 
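Review bot: typo in the sign-in note: "the first time that you run the Phone-Sign app" should be "the **Phone Sign-in** app", matching the name used one line above and in the prerequisites. While touching that line, fix `**Note: **`: the space before the closing asterisks stops the bold from rendering (`**Note:**` as used elsewhere in these files). At the end of the hunk, the three added Related topics links (`[Microsoft Passport and password changes]`, `[Microsoft Passport errors during PIN creation]`, `[Event ID 300 - Passport successfully created]`) have no blank lines between them, so they render as one paragraph rather than one link per line like the entries above them; add the blank lines.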
diff --git a/windows/keep-secure/procedures-used-in-this-guide.md b/windows/keep-secure/procedures-used-in-this-guide.md index 7374820ed8..d19699b94b 100644 --- a/windows/keep-secure/procedures-used-in-this-guide.md +++ b/windows/keep-secure/procedures-used-in-this-guide.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview The procedures in this section appear in the checklists found earlier in this document. They should be used only in the context of the checklists in which they appear. They are presented here in alphabetical order. diff --git a/windows/keep-secure/protect-devices-from-unwanted-network-traffic.md b/windows/keep-secure/protect-devices-from-unwanted-network-traffic.md index f4134b9ce9..a24379dacf 100644 --- a/windows/keep-secure/protect-devices-from-unwanted-network-traffic.md +++ b/windows/keep-secure/protect-devices-from-unwanted-network-traffic.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview Although network perimeter firewalls provide important protection to network resources from external threats, there are network threats that a perimeter firewall cannot protect against. Some attacks might successfully penetrate the perimeter firewall, and at that point what can stop it? Other attacks might originate from inside the network, such as malware that is brought in on portable media and run on a trusted device. Portable device are often taken outside the network and connected directly to the Internet, without adequate protection between the device and security threats. diff --git a/windows/keep-secure/require-encryption-when-accessing-sensitive-network-resources.md b/windows/keep-secure/require-encryption-when-accessing-sensitive-network-resources.md index 42da77aa05..890eaf1d99 100644 --- a/windows/keep-secure/require-encryption-when-accessing-sensitive-network-resources.md 
+++ b/windows/keep-secure/require-encryption-when-accessing-sensitive-network-resources.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview The use of authentication in the previously described goal ([Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)) enables a device in the isolated domain to block traffic from untrusted devices. However, it does not prevent an untrusted device from eavesdropping on the network traffic shared between two trusted devices, because by default network packets are not encrypted. diff --git a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md index d9f6804c8a..9db41d44f1 100644 --- a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md +++ b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md 
@@ -32,7 +32,9 @@ For example, hardware that includes CPU virtualization extensions and SLAT will You can deploy Device Guard in phases, and plan these phases in relation to the computer purchases you plan for your next hardware refresh. -The following tables provide more information about the hardware, firmware, and software required for deployment of various Device Guard features. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, available in 2016, and announced as options for 2017. +The following tables provide more information about the hardware, firmware, and software required for deployment of various Device Guard features. + + > **Notes** > - To understand the requirements in the following tables, you will need to be familiar with the main features in Device Guard: configurable code integrity policies, virtualization-based security (VBS), and Universal Extensible Firmware Interface (UEFI) Secure Boot. For information about these features, see [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats). @@ -49,39 +51,20 @@ The following tables provide more information about the hardware, firmware, and | Software: **HVCI compatible drivers** | **Requirements**: See the Windows Hardware Compatibility Program requirements under [Filter.Driver.DeviceGuard.DriverCompatibility](https://msdn.microsoft.com/library/windows/hardware/mt589732(v=vs.85).aspx).

    **Security benefits**: [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. | | Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT

    **Security benefits**: Support for VBS and for management features that simplify configuration of Device Guard. | -> **Important**  The preceding table lists requirements for baseline protections. The following tables list requirements for improved security. You can use Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security, to significantly strengthen the level of security that Device Guard can provide. + + +> **Important**  The preceding table lists requirements for baseline protections. The following table lists requirements for improved security. You can use Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security, to significantly strengthen the level of security that Device Guard can provide. ## Device Guard requirements for improved security The following tables describes additional hardware and firmware requirements, and the improved security that is available when those requirements are met. -### 2015 Additional Qualification Requirements for Device Guard (starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4) +### 2015 Additional Qualification Requirements for Device Guard (Windows 10, version 1507 and Windows 10, version 1511) | Protections for Improved Security - requirement | Description | |---------------------------------------------|----------------------------------------------------| | Firmware: **Securing Boot Configuration and Management** | **Requirements**:
    - BIOS password or stronger authentication must be supported.
    - In the BIOS configuration, BIOS authentication must be set.
    - There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
    - In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.

    **Security benefits**:
    - BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.
    - Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. | -
    - -### 2016 Additional Qualification Requirements for Device Guard (starting with Windows 10, version 1607, and Windows Server 2016) - -> **Important**  The following tables list requirements for improved security, beyond the level of protection described in the preceding tables. You can use Device Guard with hardware, firmware, and software that do not support the following protections for improved security. As your systems meet more requirements, more protections become available to them. - -| Protections for Improved Security - requirement | Description | -|---------------------------------------------|----------------------------------------------------| -| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:
    Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)
    - The Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332(v=vs.85).aspx).

    **Security benefits**:
    - Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
    - HSTI provides additional security assurance for correctly secured silicon and platform. | -| Firmware: **Firmware Update through Windows Update** | **Requirements**: Firmware must support field updates through Windows Update and UEFI encapsulation update.

    **Security benefits**: Helps ensure that firmware updates are fast, secure, and reliable. | -| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
    - Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
    - Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.

    **Security benefits**:
    - Enterprises can choose to allow proprietary EFI drivers/applications to run.
    - Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. | - -
    - -### 2017 Additional Qualification Requirements for Device Guard (announced as options for future Windows operating systems for 2017) - -| Protections for Improved Security - requirement | Description | -|---------------------------------------------|----------------------------------------------------| -| Firmware: **UEFI NX Protections** | **Requirements**:
    - All UEFI memory that is marked executable must be read only. Memory marked writable must not be executable.

    UEFI Runtime Services:
    - Must implement the UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. The entire UEFI runtime must be described by this table.
    - All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both.
    - No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory MUST be either readable and executable OR writeable and non-executable.

    **Security benefits**:
    - Protects against potential vulnerabilities in UEFI runtime in functions such as Update Capsule, Set Variables, and so on, so they can't compromise VBS.
    - Reduces attack surface to VBS from system firmware. | -| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.

    **Security benefits**:
    - Protects against potential vulnerabilities in UEFI runtime in functions such as Update Capsule, Set Variables, and so on, so they can't compromise VBS.
    - Reduces attack surface to VBS from system firmware.
    - Blocks additional security attacks against SMM. | - ## Device Guard deployment in different scenarios: types of devices Typically, deployment of Device Guard happens best in phases, rather than being a feature that you simply “turn on.” The choice and sequence of phases depends on the way various computers and other devices are used in your organization, and to what degree IT manages those devices. The following table can help you begin to develop a plan for deploying Device Guard in your organization. diff --git a/windows/keep-secure/restrict-access-to-only-specified-users-or-devices.md b/windows/keep-secure/restrict-access-to-only-specified-users-or-devices.md index fa2225b9c4..049625343b 100644 --- a/windows/keep-secure/restrict-access-to-only-specified-users-or-devices.md +++ b/windows/keep-secure/restrict-access-to-only-specified-users-or-devices.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview Domain isolation (as described in the previous goal [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)) prevents devices that are members of the isolated domain from accepting network traffic from untrusted devices. However, some devices on the network might host sensitive data that must be additionally restricted to only those users and computers that have a business requirement to access the data. diff --git a/windows/keep-secure/restrict-access-to-only-trusted-devices.md b/windows/keep-secure/restrict-access-to-only-trusted-devices.md index dc34b9ac84..d2b47a2dbe 100644 --- a/windows/keep-secure/restrict-access-to-only-trusted-devices.md +++ b/windows/keep-secure/restrict-access-to-only-trusted-devices.md 
@@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview Your organizational network likely has a connection to the Internet. You also likely have partners, vendors, or contractors who attach devices that are not owned by your organization to your network. Because you do not manage those devices, you cannot trust them to be free of malicious software, maintained with the latest security updates, or in any way in compliance with your organization's security policies. These untrustworthy devices both on and outside of your physical network must not be permitted to access your organization's devices except where it is truly required. diff --git a/windows/keep-secure/restrict-server-access-to-members-of-a-group-only.md b/windows/keep-secure/restrict-server-access-to-members-of-a-group-only.md index 57d1bc1e9d..85d7267abb 100644 --- a/windows/keep-secure/restrict-server-access-to-members-of-a-group-only.md +++ b/windows/keep-secure/restrict-server-access-to-members-of-a-group-only.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview After you have configured the IPsec connection security rules that force client devices to authenticate their connections to the isolated server, you must configure the rules that restrict access to only those devices or users who have been identified through the authentication process as members of the isolated server’s access group. diff --git a/windows/keep-secure/securing-end-to-end-ipsec-connections-by-using-ikev2.md b/windows/keep-secure/securing-end-to-end-ipsec-connections-by-using-ikev2.md index e3cd578183..fa9c66bfb4 100644 --- a/windows/keep-secure/securing-end-to-end-ipsec-connections-by-using-ikev2.md +++ b/windows/keep-secure/securing-end-to-end-ipsec-connections-by-using-ikev2.md 
@@ -12,7 +12,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview IKEv2 offers the following: diff --git a/windows/keep-secure/security-considerations-for-applocker.md b/windows/keep-secure/security-considerations-for-applocker.md index c959f1bfd0..f7c0df0eab 100644 --- a/windows/keep-secure/security-considerations-for-applocker.md +++ b/windows/keep-secure/security-considerations-for-applocker.md @@ -40,8 +40,6 @@ AppLocker can only control VBScript, JScript, .bat files, .cmd files, and Window AppLocker rules either allow or prevent an application from launching. AppLocker does not control the behavior of applications after they are launched. Applications could contain flags passed to functions that signal AppLocker to circumvent the rules and allow another .exe or .dll to be loaded. In practice, an application that is allowed by AppLocker could use these flags to bypass AppLocker rules and launch child processes. You must thoroughly examine each application before allowing them to run by using AppLocker rules. >**Note:**  Two flags that illustrate this condition are `SANDBOX_INERT`, which can be passed to `CreateRestrictedToken`, and `LOAD_IGNORE_CODE_AUTHZ_LEVEL`, which can be passed to `LoadLibraryEx`. Both of these flags signal AppLocker to circumvent the rules and allow a child .exe or .dll to be loaded. - -You can block the Windows Subsystem for Linux by blocking LxssManager.dll.   ## Related topics diff --git a/windows/keep-secure/server-isolation-gpos.md b/windows/keep-secure/server-isolation-gpos.md index e0075d930f..149730d1a5 100644 --- a/windows/keep-secure/server-isolation-gpos.md +++ b/windows/keep-secure/server-isolation-gpos.md 
@@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview Each set of devices that have different users or devices accessing them require a separate server isolation zone. Each zone requires one GPO for each version of Windows running on devices in the zone. The Woodgrove Bank example has an isolation zone for their devices that run SQL Server. The server isolation zone is logically considered part of the encryption zone. Therefore, server isolation zone GPOs must also include rules for encrypting all isolated server traffic. Woodgrove Bank copied the encryption zone GPOs to serve as a starting point, and renamed them to reflect their new purpose. diff --git a/windows/keep-secure/server-isolation-policy-design-example.md b/windows/keep-secure/server-isolation-policy-design-example.md index f6ddc73bf4..4d38ed4c99 100644 --- a/windows/keep-secure/server-isolation-policy-design-example.md +++ b/windows/keep-secure/server-isolation-policy-design-example.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview This design example continues to use the fictitious company Woodgrove Bank, as described in the [Firewall Policy Design Example](firewall-policy-design-example.md) section and the [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md) section. diff --git a/windows/keep-secure/server-isolation-policy-design.md b/windows/keep-secure/server-isolation-policy-design.md index de45c1b7c7..a2397773da 100644 --- a/windows/keep-secure/server-isolation-policy-design.md +++ b/windows/keep-secure/server-isolation-policy-design.md 
@@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview In the server isolation policy design, you assign servers to a zone that allows access only to users and devices that authenticate as members of an approved network access group (NAG). diff --git a/windows/keep-secure/turn-on-windows-firewall-and-configure-default-behavior.md b/windows/keep-secure/turn-on-windows-firewall-and-configure-default-behavior.md index 618894db96..758bffcd66 100644 --- a/windows/keep-secure/turn-on-windows-firewall-and-configure-default-behavior.md +++ b/windows/keep-secure/turn-on-windows-firewall-and-configure-default-behavior.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview To enable Windows Firewall and configure its default behavior, use the Windows Firewall with Advanced Security node in the Group Policy Management console. diff --git a/windows/keep-secure/user-account-control-group-policy-and-registry-key-settings.md b/windows/keep-secure/user-account-control-group-policy-and-registry-key-settings.md index 3aabc0a07e..e2e57dd1bd 100644 --- a/windows/keep-secure/user-account-control-group-policy-and-registry-key-settings.md +++ b/windows/keep-secure/user-account-control-group-policy-and-registry-key-settings.md 
@@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview ## Group Policy settings There are 10 Group Policy settings that can be configured for User Account Control (UAC). The table lists the default for each of the policy settings, and the following sections explain the different UAC policy settings and provide recommendations. These policy settings are located in **Security Settings\\Local Policies\\Security Options** in the Local Security Policy snap-in. For more information about each of the Group Policy settings, see the Group Policy description. For information about the registry key settings, see [Registry key settings](#registry-key-settings). diff --git a/windows/keep-secure/user-account-control-overview.md b/windows/keep-secure/user-account-control-overview.md index 1e1801da84..32edfe0160 100644 --- a/windows/keep-secure/user-account-control-overview.md +++ b/windows/keep-secure/user-account-control-overview.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings. diff --git a/windows/keep-secure/verify-that-network-traffic-is-authenticated.md b/windows/keep-secure/verify-that-network-traffic-is-authenticated.md index 03fcc34124..44e4ba7803 100644 --- a/windows/keep-secure/verify-that-network-traffic-is-authenticated.md +++ b/windows/keep-secure/verify-that-network-traffic-is-authenticated.md 
@@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview After you have configured your domain isolation rule to request, rather than require, authentication, you must confirm that the network traffic sent by the devices on the network is being protected by IPsec authentication as expected. If you switch your rules to require authentication before all of the devices have received and applied the correct GPOs, or if there are any errors in your rules, then communications on the network can fail. By first setting the rules to request authentication, any network connections that fail authentication can continue in clear text while you diagnose and troubleshoot. diff --git a/windows/keep-secure/vpn-profile-options.md b/windows/keep-secure/vpn-profile-options.md index 38ca11e906..425e451341 100644 --- a/windows/keep-secure/vpn-profile-options.md +++ b/windows/keep-secure/vpn-profile-options.md @@ -60,7 +60,8 @@ A VPN profile configured with LockDown secures the device to only allow network ## Learn more -- [Learn how to configure VPN connections in Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/vpn-connections-in-microsoft-intune) -- [VPNv2 configuration service provider (CSP) reference](http://go.microsoft.com/fwlink/p/?LinkId=617588) -- [How to Create VPN Profiles in Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=618028) +[VPNv2 configuration service provider (CSP) reference](http://go.microsoft.com/fwlink/p/?LinkId=617588) +[How to Create VPN Profiles in Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=618028) + +[Help users connect to their work using VPN profiles with Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkId=618029) diff --git a/windows/keep-secure/why-a-pin-is-better-than-a-password.md b/windows/keep-secure/why-a-pin-is-better-than-a-password.md index d254ddcb1a..21d3ce97d3 100644 
--- a/windows/keep-secure/why-a-pin-is-better-than-a-password.md +++ b/windows/keep-secure/why-a-pin-is-better-than-a-password.md @@ -1,8 +1,8 @@ --- title: Why a PIN is better than a password (Windows 10) -description: Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a password . +description: Microsoft Passport in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a password . ms.assetid: A6FC0520-01E6-4E90-B53D-6C4C4E780212 -keywords: pin, security, password, hello +keywords: pin, security, password ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library 
@@ -16,36 +16,36 @@ author: jdeckerMS - Windows 10 - Windows 10 Mobile -Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a password? -On the surface, a PIN looks much like a password. A PIN can be a set of numbers, but enterprise policy might allow complex PINs that include special characters and letters, both upper-case and lower-case. Something like **t758A!** could be an account password or a complex Hello PIN. It isn't the structure of a PIN (length, complexity) that makes it better than a password, it's how it works. +Microsoft Passport in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a password? +On the surface, a PIN looks much like a password. A PIN can be a set of numbers, but enterprise policy might allow complex PINs that include special characters and letters, both upper-case and lower-case. Something like **t758A!** could be an account password or a complex Passport PIN. It isn't the structure of a PIN (length, complexity) that makes it better than a password, it's how it works. ## PIN is tied to the device -One important difference between a password and a Hello PIN is that the PIN is tied to the specific device on which it was set up. That PIN is useless to anyone without that specific hardware. Someone who steals your password can sign in to your account from anywhere, but if they steal your PIN, they'd have to steal your physical device too! +One important difference between a password and a Passport PIN is that the PIN is tied to the specific device on which it was set up. That PIN is useless to anyone without that specific hardware. Someone who steals your password can sign in to your account from anywhere, but if they steal your PIN, they'd have to steal your physical device too! -Even you can't use that PIN anywhere except on that specific device. 
If you want to sign in on multiple devices, you have to set up Hello on each device. +Even you can't use that PIN anywhere except on that specific device. If you want to sign in on multiple devices, you have to set up Passport on each device. ## PIN is local to the device A password is transmitted to the server -- it can be intercepted in transmission or stolen from a server. A PIN is local to the device -- it isn't transmitted anywhere and it isn't stored on the server. When the PIN is created, it establishes a trusted relationship with the identity provider and creates an asymmetric key pair that is used for authentication. When you enter your PIN, it unlocks the authentication key and uses the key to sign the request that is sent to the authenticating server. -> **Note:**  For details on how Hello uses asymetric key pairs for authentication, see [Microsoft Passport guide](http://go.microsoft.com/fwlink/p/?LinkId=691928). +> **Note:**  For details on how Passport uses asymetric key pairs for authentication, see [Microsoft Passport guide](http://go.microsoft.com/fwlink/p/?LinkId=691928).   ## PIN is backed by hardware -The Hello PIN is backed by a Trusted Platform Module (TPM) chip, which is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. All Windows 10 Mobile phones and many modern laptops have TPM. +The Passport PIN is backed by a Trusted Platform Module (TPM) chip, which is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. All Windows 10 Mobile phones and many modern laptops have TPM. 
-User key material is generated and available within the Trusted Platform Module (TPM) of the user device, which protects it from attackers who want to capture the key material and reuse it. Because Hello uses asymmetrical key pairs, users credentials can’t be stolen in cases where the identity provider or websites the user accesses have been compromised. +User key material is generated and available within the Trusted Platform Module (TPM) of the user device, which protects it from attackers who want to capture the key material and reuse it. Because Microsoft Passport uses asymmetrical key pairs, users credentials can’t be stolen in cases where the identity provider or websites the user accesses have been compromised. The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. After too many incorrect guesses, the device is locked. ## PIN can be complex -The Windows Hello for Business PIN is subject to the same set of IT management policies as a password, such as complexity, length, expiration, and history. Although we generally think of a PIN as a simple four-digit code, administrators can set [policies](implement-microsoft-passport-in-your-organization.md) for managed devices to require a PIN complexity similar to a password. You can require or block: special characters, uppercase characters, lowercase characters, and digits. +The Passport PIN is subject to the same set of IT management policies as a password, such as complexity, length, expiration, and history. Although we generally think of a PIN as a simple four-digit code, administrators can set [policies](implement-microsoft-passport-in-your-organization.md) for managed devices to require a PIN complexity similar to a password. You can require or block: special characters, uppercase characters, lowercase characters, and digits. ## What if someone steals the laptop or phone? 
-To compromise a Windows Hello credential that TPM protects, an attacker must have access to the physical device, and then must find a way to spoof the user’s biometrics or guess his or her PIN—and all of this must be done before TPM anti-hammer capabilities lock the device. +To compromise a Microsoft Passport credential that TPM protects, an attacker must have access to the physical device, and then must find a way to spoof the user’s biometrics or guess his or her PIN—and all of this must be done before TPM anti-hammer capabilities lock the device. You can provide additional protection for laptops that don't have TPM by enablng BitLocker and setting a policy to limit failed sign-ins. **Configure BitLocker without TPM** 
@@ -62,14 +62,14 @@ You can provide additional protection for laptops that don't have TPM by enablng 2. Set the number of invalid logon attempts to allow, and then click OK. -## Why do you need a PIN to use biometrics? -Windows Hello enables biometric sign-in for Windows 10: fingerprint, iris, or facial recognition. When you set up Windows Hello, you're asked to create a PIN first. This PIN enables you to sign in using the PIN when you can’t use your preferred biometric because of an injury or because the sensor is unavailable or not working properly. +## Why do you need a PIN to use Windows Hello? +Windows Hello is the biometric sign-in for Microsoft Passport in Windows 10: fingerprint, iris, or facial recognition. When you set up Windows Hello, you're asked to create a PIN first. This PIN enables you to sign in using Passport when you can’t use your preferred biometric because of an injury or because the sensor is unavailable or not working properly. -If you only had a biometric sign-in configured and, for any reason, were unable to use that method to sign in, you would have to sign in using your account and password, which doesn't provide you the same level of protection as Hello. +If you only had a biometric sign-in configured and, for any reason, were unable to use that method to sign in, you would have to sign in using your account name and password, which doesn't provide you the same level of protection as Passport. ## Related topics [Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md) -[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) +[Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md)   \ No newline at end of file diff --git a/windows/keep-secure/windows-10-security-guide.md b/windows/keep-secure/windows-10-security-guide.md index e0fac10aa2..17ed75ffc7 100644 
--- a/windows/keep-secure/windows-10-security-guide.md +++ b/windows/keep-secure/windows-10-security-guide.md @@ -334,7 +334,7 @@ The sections that follow describe these improvements in more detail. **SMB hardening improvements for SYSVOL and NETLOGON connections** -In Windows 10 and Windows Server 2016, client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares on domain controllers now require Server Message Block (SMB) signing and mutual authentication (such as Kerberos). +In Windows 10 and Windows Server 2016 Technical Preview, client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares on domain controllers now require Server Message Block (SMB) signing and mutual authentication (such as Kerberos). - **What value does this change add?** This change reduces the likelihood of man-in-the-middle attacks. - **What works differently?** diff --git a/windows/keep-secure/windows-firewall-with-advanced-security-administration-with-windows-powershell.md b/windows/keep-secure/windows-firewall-with-advanced-security-administration-with-windows-powershell.md index c70e57a4b1..23f9e3d1c0 100644 --- a/windows/keep-secure/windows-firewall-with-advanced-security-administration-with-windows-powershell.md +++ b/windows/keep-secure/windows-firewall-with-advanced-security-administration-with-windows-powershell.md @@ -12,7 +12,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview The Windows Firewall with Advanced Security Administration with Windows PowerShell Guide provides essential scriptlets for automating Windows Firewall with Advanced Security management. It is designed for IT pros, system administrators, IT managers, and others who use and need to automate Windows Firewall with Advanced Security management in Windows. 
diff --git a/windows/keep-secure/windows-firewall-with-advanced-security-deployment-guide.md b/windows/keep-secure/windows-firewall-with-advanced-security-deployment-guide.md index 9cfe29f6c0..5dabaedf02 100644 --- a/windows/keep-secure/windows-firewall-with-advanced-security-deployment-guide.md +++ b/windows/keep-secure/windows-firewall-with-advanced-security-deployment-guide.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview You can use the Windows Firewall with Advanced Security MMC snap-in with devices running at least Windows Vista or Windows Server 2008 to help protect the devices and the data that they share across a network. diff --git a/windows/keep-secure/windows-firewall-with-advanced-security-design-guide.md b/windows/keep-secure/windows-firewall-with-advanced-security-design-guide.md index 47830f44c9..acc229bd6a 100644 --- a/windows/keep-secure/windows-firewall-with-advanced-security-design-guide.md +++ b/windows/keep-secure/windows-firewall-with-advanced-security-design-guide.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview Windows Firewall with Advanced Security is a host firewall that helps secure the device in two ways. First, it can filter the network traffic permitted to enter the device from the network, and also control what network traffic the device is allowed to send to the network. Second, Windows Firewall with Advanced Security supports IPsec, which enables you to require authentication from any device that is attempting to communicate with your device. When authentication is required, devices that cannot authenticate cannot communicate with your device. By using IPsec, you can also require that specific network traffic be encrypted to prevent it from being read or intercepted while in transit between devices. 
diff --git a/windows/keep-secure/windows-firewall-with-advanced-security.md b/windows/keep-secure/windows-firewall-with-advanced-security.md index 4433aaf633..51c6967315 100644 --- a/windows/keep-secure/windows-firewall-with-advanced-security.md +++ b/windows/keep-secure/windows-firewall-with-advanced-security.md @@ -12,7 +12,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 Technical Preview This is an overview of the Windows Firewall with Advanced Security (WFAS) and Internet Protocol security (IPsec) features. diff --git a/windows/keep-secure/windows-hello-in-enterprise.md b/windows/keep-secure/windows-hello-in-enterprise.md index c6eee85e2d..40a4efa80a 100644 --- a/windows/keep-secure/windows-hello-in-enterprise.md +++ b/windows/keep-secure/windows-hello-in-enterprise.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security -author: jdeckerMS +author: eross-msft --- # Windows Hello biometrics in the enterprise 
@@ -17,23 +17,21 @@ author: jdeckerMS Windows Hello is the biometric authentication feature that helps strengthen authentication and helps to guard against potential spoofing through fingerprint matching and facial recognition. -> **Note:** When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. - Because we realize your employees are going to want to use this new technology in your enterprise, we’ve been actively working with the device manufacturers to create strict design and performance recommendations that help to ensure that you can more confidently introduce Windows Hello biometrics into your organization. ##How does Windows Hello work? -Windows Hello lets your employees use fingerprint or facial recognition as an alternative method to unlocking a device. With Windows Hello, authentication happens when the employee provides his or her unique biometric identifier while accessing the device-specific Windows Hello credentials. +Windows Hello lets your employees use fingerprint or facial recognition as an alternative method to unlocking a device. With Windows Hello, authentication happens when the employee provides his or her unique biometric identifier while accessing the device-specific Microsoft Passport credentials. -The Windows Hello authenticator works to authenticate and allow employees onto your enterprise network. Authentication doesn’t roam among devices, isn’t shared with a server, and can’t easily be extracted from a device. 
If multiple employees share a device, each employee will use his or her own biometric data on the device. +The Windows Hello authenticator works with Microsoft Passport to authenticate and allow employees onto your enterprise network. Authentication doesn’t roam among devices, isn’t shared with a server, and can’t easily be extracted from a device. If multiple employees share a device, each employee will use his or her own biometric data on the device. ## Why should I let my employees use Windows Hello? Windows Hello provides many benefits, including: -- It helps to strengthen your protections against credential theft. Because an attacker must have both the device and the biometric info or PIN, it’s much more difficult to gain access without the employee’s knowledge. +- Combined with Microsoft Passport, it helps to strengthen your protections against credential theft. Because an attacker must have both the device and the biometric info or PIN, it’s much more difficult to gain access without the employee’s knowledge. - Employees get a simple authentication method (backed up with a PIN) that’s always with them, so there’s nothing to lose. No more forgetting passwords! -- Support for Windows Hello is built into the operating system so you can add additional biometric devices and polices as part of a coordinated rollout or to individual employees or groups using Group Policy or Mobile Device Management (MDM) configurations service provider (CSP) policies.
    For more info about the available Group Policies and MDM CSPs, see the [Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) topic. +- Support for Windows Hello is built into the operating system so you can add additional biometric devices and polices as part of a coordinated rollout or to individual employees or groups using Group Policy or Mobile Device Management (MDM) configurations service provider (CSP) policies.
    For more info about the available Group Policies and MDM CSPs, see the [Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md) topic. ## Where is Microsoft Hello data stored? The biometric data used to support Windows Hello is stored on the local device only. It doesn’t roam and is never sent to external devices or servers. This separation helps to stop potential attackers by providing no single collection point that an attacker could potentially compromise to steal biometric data. Additionally, even if an attacker was actually able to get the biometric data, it still can’t be easily converted to a form that could be recognized by the biometric sensor. @@ -74,8 +72,8 @@ To allow facial recognition, you must have devices with integrated special infra - Effective, real world FRR with Anti-spoofing or liveness detection: <10% ## Related topics -- [Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) -- [Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) +- [Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md) +- [Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md) - [Microsoft Passport guide](microsoft-passport-guide.md) - [Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md) - [PassportforWork CSP](http://go.microsoft.com/fwlink/p/?LinkId=708219)
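Review bot: in the why-a-pin-is-better-than-a-password.md hunk, renaming the heading back from "Why do you need a PIN to use biometrics?" to "Why do you need a PIN to use Windows Hello?" changes the heading's generated anchor, so any inbound link that targets the old anchor will break; grep the docs set for references before merging. The same hunk leaves the file without a trailing newline (`\ No newline at end of file`); add one while the file is being touched.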
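Review bot: the windows-10-security-guide.md hunk changes nothing but "Windows Server 2016" back to "Windows Server 2016 Technical Preview", and the four firewall pages revert the same string in their **Applies to** lists. "Technical Preview" is a pre-release name, so either every page that mentions Windows Server 2016 should be reverted the same way or none should; as it stands the reader is told that the SMB signing and mutual authentication requirement for SYSVOL and NETLOGON is preview-only behaviour, which this hunk gives no evidence for.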
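Review bot: the windows-hello-in-enterprise.md metadata hunk swaps `author: jdeckerMS` for `author: eross-msft` inside a commit whose other hunks are a naming revert; an ownership change is easier to track in its own commit.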
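Review bot: in the `@@ -17,23 +17,21 @@` hunk of windows-hello-in-enterprise.md, the added "- Support for Windows Hello is built into the operating system ..." line carries over two typos from the line it replaces, "polices" for "policies" and "configurations service provider" for "configuration service provider"; fix them since the line is being rewritten anyway. Two unchanged context lines in the same hunk deserve attention while the file is open: `##How does Windows Hello work?` has no space after the hashes, which CommonMark renderers do not treat as a heading, and `## Where is Microsoft Hello data stored?` should read "Windows Hello". Removing the **Note:** paragraph also drops the only explanation of how Microsoft Passport and Windows Hello relate, while the new "works with Microsoft Passport to authenticate" wording reintroduces the two-name split; if the revert is intentional, keep a one-sentence statement of that relationship so readers of the PIN page and this page see consistent terminology.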