Merge remote-tracking branch 'refs/remotes/origin/master' into jdvpn

jdeckerMS
2016-09-26 11:11:47 -07:00
30 changed files with 321 additions and 347 deletions

View File

@ -6,7 +6,6 @@ keywords: deployment, task sequence, custom, customize
ms.prod: w10
localizationpriority: high
ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library
author: mtniehaus
---

View File

@ -7,7 +7,6 @@ ms.prod: w10
ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library
localizationpriority: high
author: mtniehaus
ms.pagetype: mdt
---

View File

@ -6,7 +6,6 @@ keywords: install, configure, deploy, deployment
ms.prod: w10
localizationpriority: high
ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library
author: mtniehaus
---

View File

@ -7,7 +7,6 @@ ms.prod: w10
ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library
localizationpriority: high
ms.pagetype: mdt
author: mtniehaus
---

View File

@ -35,6 +35,7 @@
#### [Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](mandatory-settings-for-wip.md)
#### [Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md)
#### [Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md)
#### [Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md)
## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md)
## [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md)
## [VPN technical guide](vpn-guide.md)

View File

@ -16,6 +16,9 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md
| New or changed topic | Description |
| --- | --- |
|[Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) | New |
|[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Updated the networking table to clarify details around Enterprise Cloud Resources and Enterprise Proxy Servers. |
|[Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) |Updated the networking table to clarify details around Enterprise Cloud Resources and Enterprise Proxy Servers. |
| [Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) | Clarified how convenience PIN works in Windows 10, version 1607, on domain-joined PCs |
| [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) | Corrected certreq ezxample and added a new Windows PowerShell example for creating a self-signed certficate |
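Review bot: The three rows added at the top of this table open with `|[` while the existing rows below them use `| [`, so pick one spacing for the whole table. Since the hunk already touches this table, also fix the typos in the BitLocker row ("ezxample", "certficate").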

View File

@ -138,8 +138,8 @@ For this example, were going to add Internet Explorer, a desktop app, to the
1. From the **App Rules** area, click **Add**.
The **Add App Rule** box appears.
![Microsoft Intune, Add a desktop app to your policy](images/intune-add-classic-apps.png)
![Microsoft Intune, Add a desktop app to your policy](images/intune-add-classic-apps.png)
2. Add a friendly name for your app into the **Title** box. In this example, its *Internet Explorer*.
@ -278,8 +278,8 @@ For this example, were going to add an AppLocker XML file to the **App Rules*
1. From the **App Rules** area, click **Add**.
The **Add App Rule** box appears.
![Microsoft Intune, Importing your AppLocker policy file using Intune](images/intune-add-applocker-xml-file.png)
![Microsoft Intune, Importing your AppLocker policy file using Intune](images/intune-add-applocker-xml-file.png)
2. Add a friendly name for your app into the **Title** box. In this example, its *Allowed app list*.
@ -370,8 +370,8 @@ There are no default locations included with WIP, you must add each of your netw
</tr>
<tr>
<td>Enterprise Cloud Resources</td>
<td>**With proxy:** contoso.sharepoint.com,proxy.contoso.com|<br>contoso.visualstudio.com,proxy.contoso.com<p>**Without proxy:** contoso.sharepoint.com|contoso.visualstudio.com</td>
<td>Specify the cloud resources to be treated as corporate and protected by WIP.<p>For each cloud resource, you may also optionally specify an internal proxy server that routes your traffic through your Enterprise Internal Proxy Server.<p>If you have multiple resources, you must separate them using the "|" delimiter. If you dont use proxy servers, you must also include the "," delimiter just before the "|". For example: `URL <,proxy>|URL <,proxy>`.<p>If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the `/*AppCompat*/` string to this setting. For example: `URL <,proxy>|URL <,proxy>|/*AppCompat*/`</td>
<td><strong>With proxy:</strong> contoso.sharepoint.com,contoso.internalproxy1.com|<br>contoso.visualstudio.com,contoso.internalproxy2.com<p><strong>Without proxy:</strong> contoso.sharepoint.com|contoso.visualstudio.com</td>
<td>Specify the cloud resources to be treated as corporate and protected by WIP.<p>For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.<p>If you have multiple resources, you must separate them using the "|" delimiter. If you dont use proxy servers, you must also include the "," delimiter just before the "|". For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;</code>.<p>If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the <code>/*AppCompat*/</code> string to this setting. For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;|/*AppCompat*/</code></td>
</tr>
<tr>
<td>Enterprise Network Domain Names (Required)</td>
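Review bot: In the Enterprise Cloud Resources row, the retained rule and the example disagree. The description still says that without proxy servers you "must also include the "," delimiter just before the "|"", but the "Without proxy" example is `contoso.sharepoint.com|contoso.visualstudio.com`, with no comma. Make the two agree, because this list decides which cloud resources are treated as corporate and a reader will copy the example.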
@ -380,8 +380,8 @@ There are no default locations included with WIP, you must add each of your netw
</tr>
<tr>
<td>Enterprise Proxy Servers</td>
<td>proxy.contoso.com:80;proxy2.contoso.com:137</td>
<td>Specify your externally-facing proxy server addresses, along with the port through which traffic is allowed and protected with WIP.<p>This list shouldnt include any servers listed in the Enterprise Internal Proxy Servers list, which are used for WIP-protected traffic.<p>This setting is also required if you use a proxy in your network. If you don't have a proxy server, you might find that enterprise resources are unavailable when a client is behind a proxy, such as when youre visiting another company and not on that companys guest network.<p>If you have multiple resources, you must separate them using the ";" delimiter.</td>
<td>proxy.contoso.com:80;proxy2.contoso.com:443</td>
<td>Specify your externally-facing proxy server addresses, along with the port through which traffic accesses the Internet.<p>This list must not include any servers listed in the Enterprise Internal Proxy Servers list, because theyre used for WIP-protected traffic.<p>This setting is also required if theres a chance you could end up behind a proxy server on another network. In this situation, if you don't have a proxy server pre-defined, you might find that enterprise resources are unavailable to your client device, such as when youre visiting another company and not on the guest network. To make sure this doesnt happen, the client device also needs to be able to reach the pre-defined proxy server through the VPN network.<p>If you have multiple resources, you must separate them using the ";" delimiter.</td>
</tr>
<tr>
<td>Enterprise Internal Proxy Servers</td>
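Review bot: The rewritten Enterprise Proxy Servers description ends its example with "not on the guest network", which dropped "that company's" from the previous wording and no longer says whose guest network is meant; restore it. The last added sentence also requires the client device to reach the pre-defined proxy server "through the VPN network" without saying what applies when no VPN is configured, so state whether a VPN is assumed for this setting.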

View File

@ -391,18 +391,23 @@ There are no default locations included with WIP, you must add each of your netw
</tr>
<tr>
<td>Enterprise Cloud Resources</td>
<td>**With proxy:** contoso.sharepoint.com,proxy.contoso.com|<br>contoso.visualstudio.com,proxy.contoso.com<p>**Without proxy:** contoso.sharepoint.com|contoso.visualstudio.com</td>
<td>Specify the cloud resources to be treated as corporate and protected by WIP.<p>For each cloud resource, you may also optionally specify an internal proxy server that routes your traffic through your Enterprise Internal Proxy Server.<p>If you have multiple resources, you must separate them using the "|" delimiter. If you dont use proxy servers, you must also include the "," delimiter just before the "|". For example: `URL <,proxy>|URL <,proxy>`.<p>If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the `/*AppCompat*/` string to this setting. For example: `URL <,proxy>|URL <,proxy>|/*AppCompat*/`</td>
<td><strong>With proxy:</strong> contoso.sharepoint.com,contoso.internalproxy1.com|<br>contoso.visualstudio.com,contoso.internalproxy2.com<p><strong>Without proxy:</strong> contoso.sharepoint.com|contoso.visualstudio.com</td>
<td>Specify the cloud resources to be treated as corporate and protected by WIP.<p>For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.<p>If you have multiple resources, you must separate them using the "|" delimiter. If you dont use proxy servers, you must also include the "," delimiter just before the "|". For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;</code>.<p>If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the <code>/*AppCompat*/</code> string to this setting. For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;|/*AppCompat*/</code></td>
</tr>
<tr>
<td>Enterprise Network Domain Names (Required)</td>
<td>corp.contoso.com,region.contoso.com</td>
<td>Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.<p>This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks.<p>If you have multiple resources, you must separate them using the "," delimiter.</td>
<td>Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.<p>This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks.<p>If you have multiple resources, you must separate them using the "," delimiter.</td>
</tr>
<tr>
<td>Enterprise Proxy Servers</td>
<<<<<<< HEAD
<td>proxy.contoso.com:80;proxy2.contoso.com:137</td>
<td>Specify your externally-facing proxy server addresses, along with the port through which traffic accesses the Internet.<p>This list must not include any servers listed in the Enterprise Internal Proxy Servers list, because theyre used for WIP-protected traffic.<p>TThis setting is also required if theres a chance you could end up behind a proxy server on another network. In this situation, if you don't have a proxy server pre-defined, you might find that enterprise resources are unavailable to your client device, such as when youre visiting another company and not on the guest network. To make sure this doesnt happen, the client device also needs to be able to reach the pre-defined proxy server through the VPN network.<p>If you have multiple resources, you must separate them using the ";" delimiter.</td>
=======
<td>proxy.contoso.com:80;proxy2.contoso.com:443</td>
<td>Specify your externally-facing proxy server addresses, along with the port through which traffic is allowed and protected with WIP.<p>This list shouldnt include any servers listed in the Enterprise Internal Proxy Servers list, which are used for WIP-protected traffic.<p>This setting is also required if you use a proxy in your network. If you don't have a proxy server, you might find that enterprise resources are unavailable when a client is behind a proxy, such as when youre visiting another company and not on that companys guest network.<p>If you have multiple resources, you must separate them using the ";" delimiter.</td>
>>>>>>> refs/remotes/origin/master
</tr>
<tr>
<td>Enterprise Internal Proxy Servers</td>
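Review bot: The Enterprise Proxy Servers row still contains unresolved merge conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> refs/remotes/origin/master`), so the marker lines and both versions of the two cells will be published inside the table. Resolve the conflict before this goes in. The HEAD side carries the updated description but the old `proxy2.contoso.com:137` example and a "TThis" typo, while the other side carries the `:443` example with the older description; the same row in the earlier hunk of this commit pairs `:443` with the updated text, which looks like the intended result.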

View File

@ -30,7 +30,9 @@ Credential Guard isolates secrets that previous versions of Windows stored in th
For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. All of these binaries are signed with a certificate that is trusted by virtualization-based security and these signatures are validated before launching the file in the protected environment.
Credential Guard also does not allow unconstrained Kerberos delegation, NTLMv1, MS-CHAPv2, Digest, CredSSP, and Kerberos DES encryption.
Credential Guard prevents NTLMv1, MS-CHAPv2, Digest, and CredSSP from using sign-on credentials. Thus, single sign-on does not work with these protocols. However, Credential guard allows these protocols to be used with prompted credentials or those saved in Credential Manager. It is strongly recommended that valuable credentials, such as the sign-on credentials, not be used with any of these protocols. If these protocols must be used by domain users, secondary credentials should be provisioned for these use cases.
Credential Guard does not allow unconstrained Kerberos delegation or Kerberos DES encryption at all. Neither sign-on nor prompted/saved credentials may be used.
Here's a high-level overview on how the LSA is isolated by using virtualization-based security:
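Review bot: In the first added paragraph, "Credential guard allows these protocols" is lowercase where every other mention in the hunk is "Credential Guard"; fix the capitalization. In the second added paragraph, "prompted/saved credentials" should be spelled out as "prompted or saved credentials" to match the wording of the paragraph before it ("prompted credentials or those saved in Credential Manager").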

View File

@ -25,4 +25,5 @@ This section includes info about the enlightened Microsoft apps, including how t
|[Windows Information Protection (WIP) overview](wip-enterprise-overview.md) |High-level overview info about why to use WIP, the enterprise scenarios, and how to turn it off. |
|[Mandatory settings for Windows Information Protection (WIP)](mandatory-settings-for-wip.md) |A list of all of the tasks and settings that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your enterprise. |
|[Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md) |Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list. |
|[Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md) |We've come up with a list of suggested testing scenarios that you can use to test WIP in your company. |
|[Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md) |We've come up with a list of suggested testing scenarios that you can use to test WIP in your company. |
|[Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) |The most common problems you might encounter while using Windows Information Protection (WIP). |

View File

@ -0,0 +1,77 @@
---
title: Limitations while using Windows Information Protection (WIP) (Windows 10)
description: This section includes info about the common problems you might encounter while using Windows Information Protection (WIP).
keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
localizationpriority: high
---
# Limitations while using Windows Information Protection (WIP)
**Applies to:**
- Windows 10, version 1607
- Windows 10 Mobile
This table provides info about the most common problems you might encounter while running WIP in your organization.
<table>
<tr>
<th>Limitation</th>
<th>How it appears</th>
<th>Workaround</th>
</tr>
<tr>
<td>Enterprise data on USB drives is tied to the device it was protected on.</td>
<td>Data in the new location remains encrypted, but becomes inaccessible on other devices and for other users. For example, the file won't open or the file opens, but doesn't contain readable text.</td>
<td>Share files with fellow employees through enterprise file servers or enterprise cloud locations. If data must be shared via USB, employees can decrypt protected files, but it will be audited.<p>We strongly recommend educating employees about how to limit or eliminate the need for this decryption.</td>
</tr>
<tr>
<td>Direct Access is incompatible with WIP.</td>
<td>Direct Access might experience problems with how WIP enforces app behavior and data movement because of how WIP determines what is and isnt a corporate network resource.</td>
<td>We recommend that you use VPN for client access to your intranet resources.<p><strong>Note</strong><br>VPN is optional and isnt required by WIP.</td>
</tr>
<tr>
<td><strong>NetworkIsolation</strong> Group Policy setting is incompatible with WIP.</td>
<td>The <strong>NetworkIsolation</strong> Group Policy setting has incompatible network settings that can conflict and cause problems with WIP.</td>
<td>We recommend that you dont use the NetworkIsolation Group Policy setting.</td>
</tr>
<tr>
<td>Cortana can potentially allow data leakage if its on the allowed apps list.</td>
<td>If Cortana is on the allowed list, some files might become unexpectedly encrypted after an employee performs a search using Cortana. Your employees will still be able to use Cortana to search and provide results on enterprise documents and locations, but results might be sent to Microsoft.</td>
<td>We dont recommend adding Cortana to your allowed apps list. However, if you wish to use Cortana and don't mind whether the results potentially go to Microsoft, you can make Cortana an Exempt app.</td>
</tr>
<tr>
<td>WIP is designed for use by a single user per device.</td>
<td>A secondary user on a device might experience app compat issues when unenlightened apps start to automatically encrypt for all users. Additionally, only the initial, enrolled users content can be revoked during the unenrollment process.</td>
<td>We recommend only having one user per managed device.</td>
</tr>
<tr>
<td>Installers copied from an enterprise network file share might not work properly.</td>
<td>An app might fail to properly install because it cant read a necessary configuration or data file, such as a .cab or .xml file needed for installation, which was protected by the copy action.</td>
<td>To fix this, you can:
<ul>
<li>Start the installer directly from the file share.<p>-OR-</li>
<li>Decrypt the locally copied files needed by the installer.<p>-OR-</li>
<li>Mark the file share with the installation media as “personal”. To do this, youll need to set the Enterprise IP ranges as <strong>Authoritative</strong> and then exclude the IP address of the file server, or youll need to put the file server on the Enterprise Proxy Server list.</li>
</ul></td>
</tr>
<tr>
<td>Changing your primary Corporate Identity isnt supported.</td>
<td>You might experience various instabilities, including but not limited to network and file access failures, and potentially granting incorrect access.</td>
<td>Turn off WIP for all devices before changing the primary Corporate Identity (first entry in the list), restarting, and finally redeploying.</td>
</tr>
<tr>
<td>Redirected folders with Client Side Caching are not compatible with WIP.</td>
<td>Apps might encounter access errors while attempting to read a cached, offline file.</td>
<td>Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business.</td>
</tr>
<tr>
<td>You can't upload an enterprise file to a personal location using Microsoft Edge or Internet Explorer.</td>
<td>A message appears stating that the content is marked as **Work** and the user isn't given an option to override to **Personal**.</td>
<td>Open File Explorer and change the file ownership to **Personal** before you upload.</td>
</tr>
</table>
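Review bot: The last row of the new table uses Markdown bold (`**Work**`, `**Personal**`) inside `<td>` cells, which is not reliably rendered inside an HTML table; use `<strong>` as the NetworkIsolation row above does. This is the same problem this commit corrects in the WIP policy topics, where `**With proxy:**` becomes `<strong>With proxy:</strong>`. The front-matter description also says "This section includes info" for what is a single topic.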

View File

@ -30,6 +30,11 @@ App-V supports a number of different deployment options. Review this topic for i
This section provides a deployment checklist that can be used to assist with installing App-V.
- [Deploying Microsoft Office 2013 by Using App-V](appv-deploying-microsoft-office-2013-with-appv.md)<br>
[Deploying Microsoft Office 2010 by Using App-V](appv-deploying-microsoft-office-2010-wth-appv.md)
These sections describe how to use App-V to deliver Microsoft Office as a virtualized application to computers in your organization.
## Other Resources for Deploying App-V

View File

@ -14,7 +14,7 @@ ms.prod: w10
**Applies to**
- Windows 10, version 1607
Use the information in this article to use Microsoft Application Virtualization (App-V), or later versions, to deliver Microsoft Office 2013 as a virtualized application to computers in your organization. For information about using App-V to deliver Office 2010, see [Deploying Microsoft Office 2010 by Using App-V](appv-deploying-microsoft-office-2010-wth-appv.md). To successfully deploy Office 2013 with App-V, you need to be familiar with Office 2013 and App-V.
Use the information in this article to use Application Virtualization (App-V) to deliver Microsoft Office 2013 as a virtualized application to computers in your organization. For information about using App-V to deliver Office 2010, see [Deploying Microsoft Office 2010 by Using App-V](appv-deploying-microsoft-office-2010-wth-appv.md). To successfully deploy Office 2013 with App-V, you need to be familiar with Office 2013 and App-V.
This topic contains the following sections:

Binary file not shown.


View File

@ -63,7 +63,7 @@ See the following table for a summary of the management settings for Windows 10
| [2. Cortana and Search](#bkmk-cortana) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) |
| [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | | | ![Check mark](images/checkmark.png) | |
| [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | | | |
| [5. Font streaming](#font-streaming) | | | | ![Check mark](images/checkmark.png) | |
| [5. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | |
| [6. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) |
| [7. Internet Explorer](#bkmk-ie) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | |
| [8. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | | | |
@ -113,7 +113,7 @@ See the following table for a summary of the management settings for Windows Ser
| [2. Cortana and Search](#bkmk-cortana) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | |
| [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | |
| [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | | |
| [5. Font streaming](#font-streaming) | | | ![Check mark](images/checkmark.png) | |
| [5. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |
| [6. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | |
| [7. Internet Explorer](#bkmk-ie) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | |
| [8. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | | |
@ -137,7 +137,7 @@ See the following table for a summary of the management settings for Windows Ser
| - | :-: | :-: | :-: | :-: | :-: |
| [1. Certificate trust lists](#certificate-trust-lists) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |
| [3. Date & Time](#bkmk-datetime) | | ![Check mark](images/checkmark.png) | |
| [5. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | |
| [5. Font streaming](#font-streaming) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |
| [12. Network Connection Status Indicator](#bkmk-ncsi) | ![Check mark](images/checkmark.png) | | |
| [17. Software Protection Platform](#bkmk-spp) | ![Check mark](images/checkmark.png) | | |
| [19. Teredo](#bkmk-teredo) | | | ![Check mark](images/checkmark.png) |
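Review bot: In this table the separator row declares six columns (`| - | :-: | :-: | :-: | :-: | :-: |`) while every data row shown, including the changed Font streaming row, has four cells. Make the separator and the rows agree so the added check mark lands under the intended column.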
@ -268,10 +268,13 @@ To prevent Windows from retrieving device metadata from the Internet, apply the
Fonts that are included in Windows but that are not stored on the local device can be downloaded on demand.
To turn off font streaming, create a REG\_DWORD registry setting called **DisableFontProviders** in **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\FontCache\\Parameters**, with a value of 1.
If you're running Windows 10, version 1607 or Windows Server 2016, disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **Fonts** > **Enable Font Providers**.
> [!NOTE]
> After you apply this registry setting, you must restart the device for it to take effect.
> After you apply this policy, you must restart the device for it to take effect.
If you're running Windows 10, version 1507 or Windows 10, version 1511, create a REG\_DWORD registry setting called **DisableFontProviders** in **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\FontCache\\Parameters**, with a value of 1.
### <a href="" id="bkmk-previewbuilds"></a>6. Insider Preview builds
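Review bot: The restart note now reads "After you apply this policy" and sits between the Group Policy instruction and the registry instruction, so a reader on version 1507 or 1511 who sets **DisableFontProviders** no longer sees that a restart is needed. If the restart still applies to the registry setting, move the note below both instructions and word it to cover both. The phrase "disable the Group Policy: ... **Enable Font Providers**" is also easy to misread; say explicitly that the **Enable Font Providers** setting is set to Disabled.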

View File

@ -56,7 +56,7 @@ Set up and manage Cortana by using the following Group Policy and mobile device
|Computer Configuration\Administrative Templates\Windows Components\Search\AllowCortanaAboveLock |AboveLock/AllowCortanaAboveLock |Specifies whether an employee can interact with Cortana using voice commands when the system is locked.<p>**Note**<br>This setting only applies to Windows 10 for desktop devices. |
|Computer Configuration\Administrative Templates\Control Panel\Regional and Language Options\Allow input personalization |Privacy/AllowInputPersonalization |Specifies whether an employee can use voice commands with Cortana in the enterprise.<p>**In Windows 10, version 1511**<br>Cortana wont work if this setting is turned off (disabled).<p>**In Windows 10, version 1607 and later**<br>Cortana still works if this setting is turned off (disabled). |
|None |System/AllowLocation |Specifies whether to allow app access to the Location service.<p>**In Windows 10, version 1511**<br>Cortana wont work if this setting is turned off (disabled).<p>**In Windows 10, version 1607 and later**<br>Cortana still works if this setting is turned off (disabled). |
|None |Accounts/AllowMicrosoftAccountConnection |Specifies whether to allow employees to sign in using a Microsoft account (MSA) from Windows apps.<p>Use this setting if you only want to support Azure AD in your organization. |
|None |Accounts/AllowMicrosoftAccountConnection |Specifies whether to allow employees to sign in using a Microsoft account (MSA) from Windows apps. |
|Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location |Search/AllowSearchToUseLocation |Specifies whether Cortana can use your current location during searches and for location reminders. |
|Computer Configuration\Administrative Templates\Windows Components\Search\Set the SafeSearch setting for Search |Search/SafeSearchPermissions |Specifies what level of safe search (filtering adult content) is required.<p>**Note**<br>This setting only applies to Windows 10 Mobile. |
|User Configuration\Administrative Templates\Windows Components\File Explorer\Turn off display of recent search entries in the File Explorer search box |None |Specifies whether the search box can suggest recent queries and prevent entries from being stored in the registry for future reference. |

View File

@ -95,17 +95,6 @@ When Microsoft officially releases a feature update for Windows 10, that update
Organizations typically prefer to have a testing cycle before broadly deploying new features to business users. For Windows 10, most pilot testing will be done using the CB servicing branch. In contrast, the CBB servicing branch is typically used for broad deployment. Windows 10 clients in the CBB servicing branch receive the same build of Windows 10 as those in the CB servicing branch, just at a later time. CB releases are transitioned to CBB after about 4 months, indicating that Microsoft, independent software vendors (ISVs), partners, and customers believe that the release is ready for broad deployment. Therefore, CB and CBB have an inherent “staging” effect. Both of these branches have a purpose in the overall deployment process for an enterprise, providing another layer of testing capabilities in addition to the traditional phased deployment methods to specific groups of machines. Microsoft will support two CBB builds at a time, plus a 60 day grace period. Each feature update release will be supported and updated for a minimum of 18 months.
Figure 2 outlines an example release cycle for Windows 10 feature updates and shows how updates transition from development to the CB and CBB servicing branches. As shown in the key, the dark blue **Evaluate** region represents the time during which a feature update is in development. These builds are accessible for testing through the Windows Insider Program. For details about how to access pre-released builds by enrolling in the Windows Insider Program, see the section Windows Insider.
The diamond **Release** on each build represents the point at which Microsoft releases a feature update to the CB servicing branch. It identifies the start of the testing, or **Pilot**, phase. The 4 months in this phase is the approximate amount of time before Microsoft releases the feature update to the CBB servicing branch. The **Deploy and Use** phase represents the broad deployment of the Windows 10 feature update to the clients in the CBB servicing branch. Machines are divided into deployment rings, as discussed in the section Ongoing deployment process.
Finally, when a builds support has ended, as represented by the **arrows**, organizations have a 60 day **grace** period to update to a newer release.
**Figure 2**
![Example release cycle](images/waas-overview-timeline1.png)
>[!NOTE]
>Organizations can electively delay CB and CBB updates into as many phases as they wish by using one of the servicing tools mentioned in the section Servicing tools.