diff --git a/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md index 8ac1ba2c6b..79f9ff560f 100644 --- a/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md @@ -25,7 +25,7 @@ Using the GP configuration package ensures your endpoints will be correctly conf > **Note**  To use GP updates to deploy the package, you must be on Windows Server 2008 R2 or later. The endpoints must be running Windows 10 Insider Preview Build 14332 or later. -1. Open the GP configuration package .zip file (*WindowsATPOnboardingPackage_GroupPolicy.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): +1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): a. Click **Client onboarding** on the **Navigation pane**. 
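Review bot: in this hunk the GP package is renamed to *WindowsDefenderATPOnboardingPackage.zip*, which is the same file name the SCCM hunk below now uses, so the name no longer tells the administrator which deployment method a downloaded package was built for. Step 1 should say what distinguishes the packages (the deployment method chosen in the portal, and the file the admin should find after extracting, as the SCCM step does with *WindowsDefenderATPOnboardingScript.cmd*), otherwise a GP package deployed through the SCCM procedure, or the reverse, is only noticed when onboarding fails. The Note line still pins endpoints to Insider Preview Build 14332 or later; confirm that floor is still the one intended when the package name is updated.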
@@ -52,13 +52,13 @@ For additional settings, see the [Additional configuration settings section](add ## Configure with System Center Configuration Manager -1. Open the SCCM configuration package .zip file (*WindowsATPOnboardingPackage_ConfigurationManager.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): +1. Open the SCCM configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): a. Click **Client onboarding** on the **Navigation pane**. b. Select **System Center Configuration Manager**, click **Download package**, and save the .zip file. -2. Copy the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. +2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file called *WindowsDefenderATPOnboardingScript.cmd*. 3. Import the configuration package by following the steps in the [How to Create Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682112.aspx#BKMK_Import) topic. 
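Review bot: step 2 now extracts the .zip and tells the reader to expect *WindowsDefenderATPOnboardingScript.cmd*, but step 3 still says "Import the configuration package", so it is no longer clear whether the package source for Configuration Manager is the original .zip or the extracted folder containing the .cmd; say which one explicitly. The "shared, read-only location" wording should also be stated as an integrity requirement, not just a convenience: this script is run with elevated rights on every endpoint it onboards (the manual procedure below runs it from an elevated prompt), so only the administrators who deploy it should have write access to that share, and anyone who can modify the .cmd gets code execution as an administrator on each targeted endpoint.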
@@ -76,12 +76,12 @@ You can also manually onboard individual endpoints to Windows Defender ATP. You a. Click **Client onboarding** on the **Navigation pane**. - b. Select **Manually on-board local machine**, click **Download package** and save the .zip file. + b. Select **Local Script**, click **Download package** and save the .zip file. 2. Extract the contents of the configuration package to a location on the endpoint you want to onboard (for example, the Desktop). You should have a file called *WindowsDefenderATPOnboardingScript.cmd*. -2. Open an elevated command-line prompt on the endpoint and run the script: +3. Open an elevated command-line prompt on the endpoint and run the script: a. Click **Start** and type **cmd**. @@ -89,9 +89,9 @@ You can also manually onboard individual endpoints to Windows Defender ATP. You ![Window Start menu pointing to Run as administrator](images/run-as-admin.png) -3. Type the location of the script file. If you copied the file to the desktop, type: *`%userprofile%\Desktop\WindowsDefenderATPOnboardingScript.cmd`* +4. Type the location of the script file. If you copied the file to the desktop, type: *`%userprofile%\Desktop\WindowsDefenderATPOnboardingScript.cmd`* -4. Press the **Enter** key or click **OK**. +5. Press the **Enter** key or click **OK**. See the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) topic for details on how you can manually validate that the endpoint is compliant and correctly reports telemetry. diff --git a/windows/keep-secure/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md b/windows/keep-secure/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md index 5d4da312b6..6fe17f05af 100644 --- a/windows/keep-secure/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md 
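Review bot: the renumbering fixes the duplicated "2." step, but step 5 still reads "Press the **Enter** key or click **OK**", and there is no OK button in the elevated command prompt that step 3 opens; either drop "or click OK" or, if a Run dialog is intended, say so. Step 4's `%userprofile%\Desktop\WindowsDefenderATPOnboardingScript.cmd` also deserves a caveat: when the prompt is elevated by supplying a different administrator's credentials, `%userprofile%` resolves to that administrator's profile, not to the profile whose Desktop holds the extracted script, so the path will not be found; suggest telling the reader to use the full path to the folder they extracted to. The menu rename to **Local Script** in step 1b is fine as long as the portal label matches the onboarding wizard text the page cites.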
+++ b/windows/keep-secure/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md 
@@ -2,86 +2,91 @@ title: DCOM Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax (Windows 10) description: Describes the best practices, location, values, and security considerations for the DCOM Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax policy setting. ms.assetid: 0fe3521a-5252-44df-8a47-8d92cf936e7c -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** policy setting. + ## Reference + This policy setting allows you to define additional computer-wide controls that govern access to all Distributed Component Object Model (DCOM)–based applications on a device. These controls restrict call, activation, or launch requests on the device. A simple way to think about these access controls is as an additional access check that is performed against a device-wide access control list (ACL) on each call, activation, or launch of any COM-based server. If the access check fails, the call, activation, or launch request is denied. (This check is in addition to any access check that is run against the server-specific ACLs.) In effect, it provides a minimum authorization standard that must be passed to access any COM-based server. This policy setting controls access permissions to cover call rights. + These device-wide ACLs provide a way to override weak security settings that are specified by an application through the CoInitializeSecurity function or application-specific security settings. They provide a minimum security standard that must be passed, regardless of the settings of the specific server. 
+ These ACLs also provide a centralized location for an administrator to set a general authorization policy that applies to all COM-based servers on the device. + This policy setting allows you to specify an ACL in two different ways. You can type the security descriptor in SDDL, or you can grant or deny Local Access and Remote Access permissions to users and groups. We recommend that you use the built-in user interface to specify the ACL contents that you want to apply with this setting. The default ACL settings vary, depending on the version of Windows you are running. + ### Possible values + - *User-defined input* of the SDDL representation of the groups and privileges + When you specify the users or groups that are to be given permissions, the security descriptor field is populated with the Security Descriptor Definition Language representation of those groups and privileges. Users and groups can be given explicit Allow or Deny privileges for local access and remote access. + - Blank + This represents how the local security policy deletes the policy enforcement key. This value deletes the policy and then sets it as Not defined. The Blank value is set by using the ACL editor to empty the list, and then pressing OK. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Blank

Default Domain Controller Policy

Blank

Stand-Alone Server Default Settings

Blank

DC Effective Default Settings

Not defined

Member Server Effective Default Settings

Not defined

Client Computer Effective Default Settings

Not defined

+ +| Server type or GPO | Default value +| - | - | +| Default Domain Policy | Blank | +| Default Domain Controller Policy | Blank | +| Stand-Alone Server Default Settings | Blank | +| DC Effective Default Settings | Not defined | +| Member Server Effective Default Settings | Not defined | +| Client Computer Effective Default Settings | Not defined |   ## Policy management + This section describes features and tools that are available to help you manage this policy. ### Restart requirement + None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. + ### Group Policy + The registry settings that are created as a result of enabling the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** policy setting take precedence over the previous registry settings when this policy setting was configured. The Remote Procedure Call (RPC) service checks the new registry keys in the Policies section for the computer restrictions, and these registry entries take precedence over the existing registry keys under OLE. This means that previously existing registry settings are no longer effective, and if you make changes to the existing settings, device access permissions for users are not changed. Use care in configuring the list of users and groups. -If the administrator is denied permission to access DCOM applications due to the changes made to DCOM in the Windows operating system, the administrator can use the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** policy setting to manage DCOM access to the computer. The administrator can use this setting to specify which users and groups can access the DCOM application on the computer locally and remotely. This will restore control of the DCOM application to the administrator and users. 
To do this, open the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** setting, and click **Edit Security**. Specify the users or groups you want to include and the computer access permissions for those users or groups. This defines the setting and sets the appropriate SDDL value. + +If the administrator is denied permission to access DCOM applications due to the changes made to DCOM in the Windows operating system, the administrator can use the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** policy setting to manage DCOM access to the computer. The administrator can use this setting to specify which users and groups can access the DCOM application on the computer locally and remotely. This will restore control of the DCOM application to the administrator and users. To do this, open the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** setting, and click +**Edit Security**. Specify the users or groups you want to include and the computer access permissions for those users or groups. This defines the setting and sets the appropriate SDDL value. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Many COM applications include some security-specific code (for example, to call CoInitializeSecurity), but they use weak settings that allow unauthenticated access to the process. Administrators cannot override these settings to force stronger security in earlier versions of Windows without modifying the application. An attacker could attempt to exploit weak security in an individual application by attacking it through COM calls. 
+ Also, the COM infrastructure includes the Remote Procedure Call Services (RPCSS), a system service that runs during and after computer startup. This service manages activation of COM objects and the running object table and provides helper services to DCOM remoting. It exposes RPC interfaces that can be called remotely. Because some COM-based servers allow unauthenticated remote access, these interfaces can be called by anyone, including unauthenticated users. As a result, RPCSS can be attacked by malicious users who use remote, unauthenticated computers. + ### Countermeasure + To protect individual COM-based applications or services, set the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** setting to an appropriate device-wide ACL. + ### Potential impact + Windows implements default COM ACLs when they are installed. Modifying these ACLs from the default may cause some applications or components that communicate by using DCOM to fail. If you implement a COM-based server and you override the default security settings, confirm that the application-specific call permissions that ACL assigns are the correct permissions for appropriate users. If it does not, you must change your application-specific permission ACL to provide appropriate users with activation rights so that applications and Windows components that use DCOM do not fail. + ## Related topics -[Security Options](security-options.md) + +- [Security Options](security-options.md)     diff --git a/windows/keep-secure/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md b/windows/keep-secure/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md index ec95e60bb9..d4c42764a5 100644 --- a/windows/keep-secure/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md 
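Review bot: the new markdown table header in this file is `| Server type or GPO | Default value` with no closing pipe, while the separator row and every data row have one (and the sibling launch-restrictions file writes `| Server type or GPO | Default value |`); add the pipe so the table is well formed under strict renderers. The trailing non-breaking-space lines after `- [Security Options](security-options.md)` are left in place here, whereas the launch-restrictions hunk removes its `-  -  ` lines; remove them here too for consistency. The hard wrap inserted in "click\n**Edit Security**" splits a sentence mid-phrase; it renders as one paragraph, but the rest of the file keeps each paragraph on a single line, so join it back.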
+++ b/windows/keep-secure/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md 
@@ -2,86 +2,90 @@ title: DCOM Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax (Windows 10) description: Describes the best practices, location, values, and security considerations for the DCOM Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax security policy setting. ms.assetid: 4b95d45f-dd62-4c34-ba32-43954528dabe -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft + --- + # DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax** security policy setting. + ## Reference + This policy setting is similar to the [DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax](dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md) setting in that it allows you to define additional computer-wide controls that govern access to all DCOM–based applications on a device. However, the ACLs that are specified in this policy setting control local and remote COM launch requests (not access requests) on the device. A simple way to think about this access control is as an additional access check that is performed against a device-wide ACL on each launch of any COM-based server. If the access check fails, the call, activation, or launch request is denied. (This check is in addition to any access check that is run against the server-specific ACLs.) In effect, it provides a minimum authorization standard that must be passed to launch any COM-based server. 
The DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax policy setting differs in that it provides a minimum access check that is applied to attempts to access an already launched COM-based server. + These device-wide ACLs provide a way to override weak security settings that are specified by an application through CoInitializeSecurity or application-specific security settings. They provide a minimum security standard that must be passed, regardless of the settings of the specific COM-based server. These ACLs provide a centralized location for an administrator to set a general authorization policy that applies to all COM-based servers. -The **DCOM: Machine Launch Restrictions in the Security Descriptor Definition Language (SDDL) syntax** setting allows you to specify an ACL in two ways. You can type the security descriptor in SDDL, or you can grant or deny Local Access and Remote Access permissions to users and groups. We recommend that you use the built-in user interface to specify the ACL contents that you want to apply with this setting. The default ACL settings vary, depending on the version of Windows you are running. +The **DCOM: Machine Launch Restrictions in the Security Descriptor Definition Language (SDDL) syntax** setting allows you to specify an ACL in two ways. You can type the security descriptor in SDDL, or you can grant or deny Local +Access and Remote Access permissions to users and groups. We recommend that you use the built-in user interface to specify the ACL contents that you want to apply with this setting. The default ACL settings vary, depending on the version of Windows you are running. + ### Possible values + - Blank + This represents how the local security policy deletes the policy enforcement key. This value deletes the policy and then sets it to Not defined. The Blank value is set by using the ACL editor to empty the list, and then pressing OK. 
+ - *User-defined input* of the SDDL representation of the groups and privileges + When you specify the users or groups that are to be given permission, the security descriptor field is populated with the Security Descriptor Definition Language representation of those groups and privileges. Users and groups can be given explicit Allow or Deny privileges on both local access and remote access. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Blank

Default Domain Controller Policy

Blank

Stand-Alone Server Default Settings

Blank

DC Effective Default Settings

Not defined

Member Server Effective Default Settings

Not defined

Client Computer Effective Default Settings

Not defined

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Blank | +| Default Domain Controller Policy | Blank| +| Stand-Alone Server Default Settings |Blank | +| DC Effective Default Settings | Not defined| +| Member Server Effective Default Settings | Not defined | +| Client Computer Effective Default Settings | Not defined|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. + ### Group Policy + The registry settings that are created as a result of this policy take precedence over the previous registry settings in this area. The Remote Procedure Call (RPC) service (RpcSs) checks the new registry keys in the Policies section for the computer restrictions; these entries take precedence over the existing registry keys under OLE. + If you are denied access to activate and launch DCOM applications due to the changes made to DCOM in the Windows operating system, this policy setting can be used to control the DCOM activation and launch to the device. + You can specify which users and groups can launch and activate DCOM applications on the device locally and remotely by using the **DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax** policy setting. This restores control of the DCOM application to the administrator and specified users. To do this, open the **DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax** setting, and click **Edit Security**. Specify the groups that you want to include and the device launch permissions for those groups. This defines the setting and sets the appropriate SDDL value. 
+ ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Many COM applications include some security-specific code (for example, to call CoInitializeSecurity), but they use weak settings that allow unauthenticated access to the process. You cannot override these settings to force stronger security in earlier versions of Windows without modifying the application. An attacker could attempt to exploit weak security in an individual application by attacking it through COM calls. + Also, the COM infrastructure includes the Remote Procedure Call Service (RPCSS), a system service that runs during computer startup and always runs after that. This service manages activation of COM objects and the running object table and provides helper services to DCOM remoting. It exposes RPC interfaces that can be called remotely. Because some COM-based servers allow unauthenticated remote component activation, these interfaces can be called by anyone, including unauthenticated users. As a result, RPCSS can be attacked by malicious users using remote, unauthenticated computers. + ### Countermeasure + To protect individual COM-based applications or services, set this policy setting to an appropriate computer-wide ACL. + ### Potential impact + Windows implements default COM ACLs when they are installed. Modifying these ACLs from the default may cause some applications or components that communicate by using DCOM to fail. If you implement a COM-based server and you override the default security settings, confirm that the application-specific launch permissions ACL assigns include activation permissions to appropriate users. 
If it does not, you must change your application-specific launch permission ACL to provide appropriate users with activation rights so that applications and Windows components that use DCOM do not fail. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/debug-programs.md b/windows/keep-secure/debug-programs.md index cfcafef2b9..4b133fd251 100644 --- a/windows/keep-secure/debug-programs.md +++ b/windows/keep-secure/debug-programs.md 
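Review bot: this hunk inserts a blank line between `author: brianlic-msft` and the closing `---` of the front matter (`author: brianlic-msft + --- +`), which none of the other files in the patch do; remove it so the front matter is uniform across the set. The new table cells are inconsistently spaced (`| Blank|`, `|Blank |`, `| Not defined|`, `| Not defined |`); harmless for rendering, but the access-restrictions table is uniformly spaced, so normalize to `| value |`. The sentence in Potential impact, "confirm that the application-specific launch permissions ACL assigns include activation permissions", is untouched and still does not parse; since the paragraph is being re-wrapped anyway, this is a good moment to rewrite it as "confirm that the launch permissions the application-specific ACL assigns include activation permissions for the appropriate users".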
@@ -2,88 +2,91 @@ title: Debug programs (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Debug programs security policy setting. ms.assetid: 594d9f2c-8ffc-444b-9522-75615ec87786 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Debug programs + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Debug programs** security policy setting. + ## Reference + This policy setting determines which users can attach to or open any process, even those they do not own. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components need this user right. This user right provides access to sensitive and critical operating-system components. + Constant: SeDebugPrivilege + ### Possible values + - User-defined list of accounts - Not defined + ### Best practices + - Assign this user right only to trusted users to reduce security vulnerabilities. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default, members of the Administrators group have this right. + The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Administrators

Stand-Alone Server Default Settings

Administrators

Domain Controller Effective Default Settings

Administrators

Member Server Effective Default Settings

Administrators

Client Computer Effective Default Settings

Administrators

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Administrators | +| Stand-Alone Server Default Settings | Administrators | +| Domain Controller Effective Default Settings | Administrators | +| Member Server Effective Default Settings | Administrators | +| Client Computer Effective Default Settings | Administrators |   ## Policy management + This section describes features and tools that are available to help you manage this policy. + A restart of the device is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability -The **Debug programs** user right can be exploited to capture sensitive device information from system memory or to access and modify kernel or application structures. Some attack tools exploit this user right to extract hashed passwords and other private security information or to insert malware. By default, the **Debug programs** user right is assigned only to administrators, which helps mitigate risk from this vulnerability. + +The **Debug programs** user right can be exploited to capture sensitive device information from system memory or to access and modify kernel or application structures. 
Some attack tools exploit this user right to extract hashed passwords and other private security information or to insert malware. +By default, the **Debug programs** user right is assigned only to administrators, which helps mitigate risk from this vulnerability. + ### Countermeasure + Remove the accounts of all users and groups that do not require the **Debug programs** user right. + ### Potential impact -If you revoke this user right, no one can debug programs. However, typical circumstances rarely require this capability on production devices. If an issue arises that requires an application to be debugged on a production server, you can move the server to a different organizational unit (OU) temporarily and assign the **Debug programs** user right to a separate Group Policy for that OU. + +If you revoke this user right, no one can debug programs. However, typical circumstances rarely require this capability on production devices. If an issue arises that requires an application to be debugged on a production server, you can move the server to a different organizational unit (OU) +temporarily and assign the **Debug programs** user right to a separate Group Policy for that OU. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/delete-an-applocker-rule.md b/windows/keep-secure/delete-an-applocker-rule.md index 7b34477fad..ad342ee6cf 100644 --- a/windows/keep-secure/delete-an-applocker-rule.md +++ b/windows/keep-secure/delete-an-applocker-rule.md 
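Review bot: the Vulnerability paragraph is split into three physical lines and the Potential impact paragraph is wrapped at "OU\ntemporarily"; markdown renders both as single paragraphs, but the other files in this patch keep each paragraph on one line, so either wrap everywhere or not at all. The table row `| Default Domain Policy | Not defined|` is missing the space before its closing pipe that the other rows have. The hunk header's new line count (`+2,91`) should be re-checked after any of these whitespace adjustments.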
@@ -2,26 +2,33 @@ title: Delete an AppLocker rule (Windows 10) description: This topic for IT professionals describes the steps to delete an AppLocker rule. ms.assetid: 382b4be3-0df9-4308-89b2-dcf9df351eb5 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Delete an AppLocker rule + **Applies to** - Windows 10 + This topic for IT professionals describes the steps to delete an AppLocker rule. + As older apps are retired and new apps are deployed in your organization, it will be necessary to modify the application control policies. If an app becomes unsupported by the IT department or is no longer allowed due to the organization's security policy, then deleting the rule or rules associated with that app will prevent the app from running. + For info about testing an AppLocker policy to see what rules affect which files or applications, see [Test an AppLocker policy by Using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md). -You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). + +You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer +AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). + **To delete a rule in an AppLocker policy** + 1. Open the AppLocker console. 2. Click the appropriate rule collection for which you want to delete the rule. 3. 
In the details pane, right-click the rule to delete, click **Delete**, and then click **Yes**. -**Note**   -When using Group Policy, for the rule deletion to take effect on computers within the domain, the GPO must be distributed or refreshed. + +>**Note:**  When using Group Policy, for the rule deletion to take effect on computers within the domain, the GPO must be distributed or refreshed. + When this procedure is performed on the local device, the AppLocker policy takes effect immediately. -  -  -  diff --git a/windows/keep-secure/deny-access-to-this-computer-from-the-network.md b/windows/keep-secure/deny-access-to-this-computer-from-the-network.md index 07247e4be1..df4e48dc46 100644 --- a/windows/keep-secure/deny-access-to-this-computer-from-the-network.md +++ b/windows/keep-secure/deny-access-to-this-computer-from-the-network.md 
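Review bot: the note callout added here is written `>**Note:**  When using Group Policy...`, while the context line in the Windows Defender ATP file uses `> **Note**  To use GP updates...`; pick one form (space after `>`, colon or no colon) for the whole patch. The two characters after the bold label look like non-breaking spaces carried over from the removed `**Note**   ` line; replace them with a normal space so the callout does not carry hidden formatting.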
@@ -2,94 +2,99 @@ title: Deny access to this computer from the network (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Deny access to this computer from the network security policy setting. ms.assetid: 935e9f89-951b-4163-b186-fc325682bb0b -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Deny access to this computer from the network + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Deny access to this computer from the network** security policy setting. + ## Reference + This security setting determines which users are prevented from accessing a device over the network. + Constant: SeDenyNetworkLogonRight + ### Possible values + - User-defined list of accounts - Guest + ### Best practices + - Because all Active Directory Domain Services programs use a network logon for access, use caution when you assign this user right on domain controllers. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default, this setting is Guest on domain controllers and on stand-alone servers. + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Guest

Stand-Alone Server Default Settings

Guest

Domain Controller Effective Default Settings

Guest

Member Server Effective Default Settings

Guest

Client Computer Effective Default Settings

Guest

+ + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined | +| Default Domain Controller Policy | Guest | +| Stand-Alone Server Default Settings | Guest | +| Domain Controller Effective Default Settings | Guest | +| Member Server Effective Default Settings | Guest | +| Client Computer Effective Default Settings | Guest |   ## Policy management + This section describes features and tools available to help you manage this policy. + A restart of the device is not required for this policy setting to be effective. + This policy setting supersedes the **Access this computer from the network** policy setting if a user account is subject to both policies. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Users who can log on to the device over the network can enumerate lists of account names, group names, and shared resources. Users with permission to access shared folders and files can connect over the network and possibly view or modify data. 
+ ### Countermeasure + Assign the **Deny access to this computer from the network** user right to the following accounts: + - Anonymous logon - Built-in local Administrator account - Local Guest account - All service accounts + An important exception to this list is any service accounts that are used to start services that must connect to the device over the network. For example, let’s say you have configured a shared folder for web servers to access, and you present content within that folder through a website. You may need to allow the account that runs IIS to log on to the server with the shared folder from the network. This user right is particularly effective when you must configure servers and workstations on which sensitive information is handled because of regulatory compliance concerns. + ### Potential impact + If you configure the **Deny access to this computer from the network** user right for other accounts, you could limit the abilities of users who are assigned to specific administrative roles in your environment. You should verify that delegated tasks are not negatively affected. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/deny-log-on-as-a-batch-job.md b/windows/keep-secure/deny-log-on-as-a-batch-job.md index 11dbb9313f..d3abeeb6d5 100644 --- a/windows/keep-secure/deny-log-on-as-a-batch-job.md +++ b/windows/keep-secure/deny-log-on-as-a-batch-job.md 
@@ -2,92 +2,98 @@ title: Deny log on as a batch job (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Deny log on as a batch job security policy setting. ms.assetid: 0ac36ebd-5e28-4b6a-9b4e-8924c6ecf44b -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Deny log on as a batch job + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Deny log on as a batch job** security policy setting. + ## Reference -This policy setting determines which accounts are prevented from logging on by using a batch-queue tool to schedule and start jobs automatically in the future. The ability to log on by using a batch-queue tool is needed for any account that is used to start scheduled jobs by means of the Task Scheduler. + +This policy setting determines which accounts are prevented from logging on by using a batch-queue tool to schedule and start jobs automatically in the future. The ability to log on by using a batch-queue tool is needed for any account that is used to start scheduled jobs by means of the Task +Scheduler. + Constant: SeDenyBatchLogonRight + ### Possible values + - User-defined list of accounts - Not defined + ### Best practices + 1. When you assign this user right, thoroughly test that the effect is what you intended. 2. Within a domain, modify this setting on the applicable Group Policy Object (GPO). 3. **Deny log on as a batch job** prevents administrators or operators from using their personal accounts to schedule tasks, which helps with business continuity when that person transitions to other positions or responsibilities. 
+ ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Not defined

Domain Controller Effective Default Settings

Not defined

Member Server Effective Default Settings

Not defined

Client Computer Effective Default Settings

Not defined

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Not defined | +| Stand-Alone Server Default Settings | Not defined | +| Domain Controller Effective Default Settings | Not defined | +| Member Server Effective Default Settings | Not defined | +| Client Computer Effective Default Settings | Not defined |   ## Policy management + This section describes features and tools available to help you manage this policy. + A restart of the device is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + This policy setting might conflict with and negate the **Log on as a batch job** setting. + ### Group Policy + On a domain-joined device, including the domain controller, this policy can be overwritten by a domain policy, which will prevent you from modifying the local policy setting. -For example, if you are trying to configure Task Scheduler on your domain controller, check the Settings tab of your two domain controller policy and domain policy GPOs in the Group Policy Management Console (GPMC). Verify the targeted account is not present in the **Deny log on as a batch job** User Rights Assignment and also correctly configured in the **Log on as a batch job** setting. + +For example, if you are trying to configure Task Scheduler on your domain controller, check the Settings tab of your two domain controller policy and domain policy GPOs in the Group Policy Management Console (GPMC). Verify the targeted account is not present in the **Deny log on as a batch job** + +User Rights Assignment and also correctly configured in the **Log on as a batch job** setting. + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. 
Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Accounts that have the **Deny log on as a batch job** user right could be used to schedule jobs that could consume excessive computer resources and cause a denial-of-service condition. + ### Countermeasure + Assign the **Deny log on as a batch job** user right to the local Guest account. + ### Potential impact + If you assign the **Deny log on as a batch job** user right to other accounts, you could deny the ability to perform required job activities to users who are assigned specific administrative roles. You should confirm that delegated tasks are not affected adversely. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/deny-log-on-as-a-service.md b/windows/keep-secure/deny-log-on-as-a-service.md index af4556d1b8..8fa66ee734 100644 --- a/windows/keep-secure/deny-log-on-as-a-service.md +++ b/windows/keep-secure/deny-log-on-as-a-service.md 
@@ -2,91 +2,95 @@ title: Deny log on as a service (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Deny log on as a service security policy setting. ms.assetid: f1114964-df86-4278-9b11-e35c66949794 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Deny log on as a service + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Deny log on as a service** security policy setting. + ## Reference + This policy setting determines which users are prevented from logging on to the service applications on a device. + A service is an application type that runs in the system background without a user interface. It provides core operating system features, such as web serving, event logging, file serving, printing, cryptography, and error reporting. + Constant: SeDenyServiceLogonRight + ### Possible values + - User-defined list of accounts - Not defined + ### Best practices + 1. When you assign this user right, thoroughly test that the effect is what you intended. 2. Within a domain, modify this setting on the applicable Group Policy Object (GPO). + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Not defined

Domain Controller Effective Default Settings

Not defined

Member Server Effective Default Settings

Not defined

Client Computer Effective Default Settings

Not defined

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Not defined | +| Domain Controller Effective Default Settings | Not defined | +| Member Server Effective Default Settings | Not defined | +| Client Computer Effective Default Settings | Not defined |   ## Policy management + This section describes features and tools available to help you manage this policy. + A restart of the computer is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + On a domain-joined device, including the domain controller, this policy can be overwritten by a domain policy, which will prevent you from modifying the local policy setting. + This policy setting might conflict with and negate the **Log on as a service** setting. + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability -Accounts that can log on to a service application could be used to configure and start new unauthorized services, such as a keylogger or other malware. 
The benefit of the specified countermeasure is somewhat reduced by the fact that only users with administrative rights can install and configure services, and an attacker who has already attained that level of access could configure the service to run by using the System account. + +Accounts that can log on to a service application could be used to configure and start new unauthorized services, such as a keylogger or other malware. The benefit of the specified countermeasure is somewhat reduced by the fact that only users with administrative rights can install and configure +services, and an attacker who has already attained that level of access could configure the service to run by using the System account. + ### Countermeasure + We recommend that you not assign the **Deny log on as a service** user right to any accounts. This is the default configuration. Organizations that are extremely concerned about security might assign this user right to groups and accounts when they are certain that they will never need to log on to a service application. + ### Potential impact + If you assign the **Deny log on as a service** user right to specific accounts, services may not start and a denial-of-service condition could result. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/deny-log-on-locally.md b/windows/keep-secure/deny-log-on-locally.md index e8bc095116..916d358f89 100644 --- a/windows/keep-secure/deny-log-on-locally.md +++ b/windows/keep-secure/deny-log-on-locally.md 
@@ -2,90 +2,92 @@ title: Deny log on locally (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Deny log on locally security policy setting. ms.assetid: 00150e88-ec9c-43e1-a70d-33bfe10434db -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Deny log on locally + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Deny log on locally** security policy setting. + ## Reference + This policy setting determines which users are prevented from logging on directly at the device's console. + Constant: SeDenyInteractiveLogonRight + ### Possible values + - User-defined list of accounts - Not defined + ### Best practices + 1. Assign the **Deny log on locally** user right to the local guest account to restrict access by potentially unauthorized users. 2. Test your modifications to this policy setting in conjunction with the **Allow log on locally** policy setting to determine if the user account is subject to both policies. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Not defined

Domain Controller Effective Default Settings

Not defined

Member Server Effective Default Settings

Not defined

Client Computer Effective Default Settings

Not defined

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined | +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Not defined| +| Domain Controller Effective Default Settings | Not defined| +| Member Server Effective Default Settings | Not defined| +| Client Computer Effective Default Settings | Not defined|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the device is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + If you apply this policy setting to the Everyone group, no one will be able to log on locally. + ### Group Policy + This policy setting supersedes the **Allow log on locally** policy setting if a user account is subject to both policies. + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Any account with the ability to log on locally could be used to log on at the console of the device. If this user right is not restricted to legitimate users who must log on to the console of the device, unauthorized users might download and run malicious software that elevates their user rights. + ### Countermeasure + Assign the **Deny log on locally** user right to the local Guest account. 
If you have installed optional components such as ASP.NET, you may want to assign this user right to additional accounts that are required by those components. + ### Potential impact + If you assign the **Deny log on locally** user right to additional accounts, you could limit the abilities of users who are assigned to specific roles in your environment. However, this user right should explicitly be assigned to the ASPNET account on device that are configured with the Web Server role. You should confirm that delegated activities are not adversely affected. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/deny-log-on-through-remote-desktop-services.md b/windows/keep-secure/deny-log-on-through-remote-desktop-services.md index 85f6651839..6877912bae 100644 --- a/windows/keep-secure/deny-log-on-through-remote-desktop-services.md +++ b/windows/keep-secure/deny-log-on-through-remote-desktop-services.md 
@@ -2,89 +2,91 @@ title: Deny log on through Remote Desktop Services (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Deny log on through Remote Desktop Services security policy setting. ms.assetid: 84bbb807-287c-4acc-a094-cf0ffdcbca67 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Deny log on through Remote Desktop Services + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Deny log on through Remote Desktop Services** security policy setting. + ## Reference + This policy setting determines which users are prevented from logging on to the device through a Remote Desktop connection through Remote Desktop Services. It is possible for a user to establish a Remote Desktop connection to a particular server, but not be able to log on to the console of that server. + Constant: SeDenyRemoteInteractiveLogonRight + ### Possible values + - User-defined list of accounts - Not defined + ### Best practices + - To control who can open a Remote Desktop connection and log on to the device, add the user account to or remove user accounts from the Remote Desktop Users group. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Not defined

Domain Controller Effective Default Settings

Not defined

Member Server Effective Default Settings

Not defined

Client Computer Effective Default Settings

Not defined

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined | +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Not defined| +| Domain Controller Effective Default Settings | Not defined| +| Member Server Effective Default Settings | Not defined| +| Client Computer Effective Default Settings | Not defined|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the computer is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + The **Remote System** property controls settings for Remote Desktop Services (**Allow or prevent remote connections to the computer**) and for Remote Assistance (**Allow Remote Assistance connections to this computer**). + ### Group Policy + This policy setting supersedes the [Allow log on through Remote Desktop Services](allow-log-on-through-remote-desktop-services.md) policy setting if a user account is subject to both policies. + Group Policy settings are applied in the following order. They overwrite settings on the local device at the next Group Policy update. + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. Organizational unit policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Any account with the right to log on through Remote Desktop Services could be used to log on to the remote console of the device. 
If this user right is not restricted to legitimate users who need to log on to the console of the computer, malicious users might download and run software that elevates their user rights. + ### Countermeasure + Assign the **Deny log on through Remote Desktop Services** user right to the built-in local guest account and all service accounts. If you have installed optional components, such as ASP.NET, you may want to assign this user right to additional accounts that are required by those components. + ### Potential impact + If you assign the **Deny log on through Remote Desktop Services** user right to other groups, you could limit the abilities of users who are assigned to specific administrative roles in your environment. Accounts that have this user right cannot connect to the device through Remote Desktop Services or Remote Assistance. You should confirm that delegated tasks are not negatively affected. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/deploy-the-applocker-policy-into-production.md b/windows/keep-secure/deploy-the-applocker-policy-into-production.md index 1fbb0a2cc3..32e3cd0d65 100644 --- a/windows/keep-secure/deploy-the-applocker-policy-into-production.md +++ b/windows/keep-secure/deploy-the-applocker-policy-into-production.md 
@@ -2,31 +2,45 @@ title: Deploy the AppLocker policy into production (Windows 10) description: This topic for the IT professional describes the tasks that should be completed before you deploy AppLocker application control settings. ms.assetid: ebbb1907-92dc-499e-8cee-8e637483c9ae -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Deploy the AppLocker policy into production + **Applies to** - Windows 10 + This topic for the IT professional describes the tasks that should be completed before you deploy AppLocker application control settings. + After successfully testing and modifying the AppLocker policy for each Group Policy Object (GPO), you are ready to deploy the enforcement settings into production. For most organizations, this means switching the AppLocker enforcement setting from **Audit only** to **Enforce rules**. However, it is important to follow the deployment plan that you created earlier. For more info, see the [AppLocker Design Guide](applocker-policies-design-guide.md). Depending on the needs of different business groups in your organization, you might deploy different enforcement settings for linked GPOs. + ### Understand your design decisions + Before you deploy an AppLocker policy, you should determine: + - For each business group, which applications will be controlled and in what manner. For more info, see [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md). - How to handle requests for application access. For info about what to consider when developing your support policies, see [Plan for AppLocker policy management](plan-for-applocker-policy-management.md). - How to manage events, including forwarding events. For info about event management in AppLocker, see [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md). 
- Your GPO structure, including how to include policies generated by Software Restriction Policies and AppLocker policies. For more info, see [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md). + For info about how AppLocker deployment is dependent on design decisions, see [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md). + ### AppLocker deployment methods -If you have configured a reference device, you can create and update your AppLocker policies on this device, test the policies, and then export the policies to the appropriate GPO for distribution. Another method is to create the policies and set the enforcement setting on **Audit only**, then observe the events that are generated. + +If you have configured a reference device, you can create and update your AppLocker policies on this device, test the policies, and then export the policies to the appropriate GPO for distribution. Another method is to create the policies and set the enforcement setting on **Audit only**, then +observe the events that are generated. - [Use a reference device to create and maintain AppLocker policies](use-a-reference-computer-to-create-and-maintain-applocker-policies.md) + This topic describes the steps to use an AppLocker reference computer to prepare application control policies for deployment by using Group Policy or other means. + - [Deploy AppLocker policies by using the enforce rules setting](deploy-applocker-policies-by-using-the-enforce-rules-setting.md) + This topic describes the steps to deploy the AppLocker policy by changing the enforcement setting to **Audit only** or to **Enforce rules**. + ## See also -[AppLocker deployment guide](applocker-policies-deployment-guide.md) -  -  + +- [AppLocker deployment guide](applocker-policies-deployment-guide.md) 
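Review bot: In the "AppLocker deployment methods" list of deploy-the-applocker-policy-into-production.md, the descriptions added under each link (`+ This topic describes the steps to use an AppLocker reference computer...` and `+ This topic describes the steps to deploy the AppLocker policy...`) are separated from their bullets by a blank `+` line; unless they are indented to the bullet's content column (two spaces for a `- ` item) they render as standalone paragraphs that close the list, so the second `- [Deploy AppLocker policies by using the enforce rules setting]` starts a new list instead of continuing the first. Indent them or drop the blank line. The rewrap `**Audit only**, then` / `observe the events that are generated.` also splits one sentence across two lines while the rest of the paragraph stays on a single long line; keep it on one line for consistency with the other files in this patch.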
diff --git a/windows/keep-secure/determine-group-policy-structure-and-rule-enforcement.md b/windows/keep-secure/determine-group-policy-structure-and-rule-enforcement.md index 68200b376d..5733fd532e 100644 --- a/windows/keep-secure/determine-group-policy-structure-and-rule-enforcement.md +++ b/windows/keep-secure/determine-group-policy-structure-and-rule-enforcement.md @@ -2,51 +2,33 @@ title: Determine the Group Policy structure and rule enforcement (Windows 10) description: This overview topic describes the process to follow when you are planning to deploy AppLocker rules. ms.assetid: f435fcbe-c7ac-4ef0-9702-729aab64163f -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Determine the Group Policy structure and rule enforcement + **Applies to** - Windows 10 + This overview topic describes the process to follow when you are planning to deploy AppLocker rules. + ## In this section - ---- - - - - - - - - - - - - - - - - - - - - -
TopicDescription

[Understand AppLocker enforcement settings](understand-applocker-enforcement-settings.md)

This topic describes the AppLocker enforcement settings for rule collections.

[Understand AppLocker rules and enforcement setting inheritance in Group Policy](understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md)

This topic for the IT professional describes how application control policies configured in AppLocker are applied through Group Policy.

[Document the Group Policy structure and AppLocker rule enforcement](document-group-policy-structure-and-applocker-rule-enforcement.md)

This planning topic describes what you need to investigate, determine, and record in your application control policies plan when you use AppLocker.

+ +| Topic | Description | +| - | - | +| [Understand AppLocker enforcement settings](understand-applocker-enforcement-settings.md) | This topic describes the AppLocker enforcement settings for rule collections. | +| [Understand AppLocker rules and enforcement setting inheritance in Group Policy](understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md) | This topic for the IT professional describes how application control policies configured in AppLocker are applied through Group Policy.| +| [Document the Group Policy structure and AppLocker rule enforcement](document-group-policy-structure-and-applocker-rule-enforcement.md) | This planning topic describes what you need to investigate, determine, and record in your application control policies plan when you use AppLocker. |   When you are determining how many Group Policy Objects (GPOs) to create when you apply an AppLocker policy in your organization, you should consider the following: + - Whether you are creating new GPOs or using existing GPOs - Whether you are implementing Software Restriction Policies (SRP) policies and AppLocker policies in the same GPO - GPO naming conventions - GPO size limits -**Note**   -There is no default limit on the number of AppLocker rules that you can create. However, in Windows Server 2008 R2, GPOs have a 2 MB size limit for performance. In subsequent versions, that limit is raised to 100 MB. -  -  -  + +>**Note:**  There is no default limit on the number of AppLocker rules that you can create. However, in Windows Server 2008 R2, GPOs have a 2 MB size limit for performance. In subsequent versions, that limit is raised to 100 MB. diff --git a/windows/keep-secure/determine-which-applications-are-digitally-signed-on-a-reference-computer.md b/windows/keep-secure/determine-which-applications-are-digitally-signed-on-a-reference-computer.md index ad2925ee0a..a02d55ecc7 100644 
--- a/windows/keep-secure/determine-which-applications-are-digitally-signed-on-a-reference-computer.md +++ b/windows/keep-secure/determine-which-applications-are-digitally-signed-on-a-reference-computer.md 
@@ -2,24 +2,35 @@ title: Determine which apps are digitally signed on a reference device (Windows 10) description: This topic for the IT professional describes how to use AppLocker logs and tools to determine which applications are digitally signed. ms.assetid: 24609a6b-fdcb-4083-b234-73e23ff8bcb8 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Determine which apps are digitally signed on a reference device + **Applies to** - Windows 10 + This topic for the IT professional describes how to use AppLocker logs and tools to determine which applications are digitally signed. + The Windows PowerShell cmdlet **Get-AppLockerFileInformation** can be used to determine which apps installed on your reference devices are digitally signed. Perform the following steps on each reference computer that you used to define the AppLocker policy. The device does not need to be joined to the domain. + Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure. + **To determine which apps are digitally signed on a reference device** 1. Run **Get-AppLockerFileInformation** with the appropriate parameters. + The **Get-AppLockerFileInformation** cmdlet retrieves the AppLocker file information from a list of files or from an event log. File information that is retrieved can include publisher information, file hash information, and file path information. File information from an event log may not contain all of these fields. Files that are not signed do not have any publisher information. + 2. Analyze the publisher's name and digital signature status from the output of the command. + For command parameters, syntax, and examples, see [Get-AppLockerFileInformation](http://technet.microsoft.com/library/ee460961.aspx). 
+ ## Related topics -[Use a reference device to create and maintain AppLocker policies](use-a-reference-computer-to-create-and-maintain-applocker-policies.md) + +- [Use a reference device to create and maintain AppLocker policies](use-a-reference-computer-to-create-and-maintain-applocker-policies.md)     diff --git a/windows/keep-secure/determine-your-application-control-objectives.md b/windows/keep-secure/determine-your-application-control-objectives.md index 55e77bdb3b..65098f5d72 100644 --- a/windows/keep-secure/determine-your-application-control-objectives.md +++ b/windows/keep-secure/determine-your-application-control-objectives.md 
@@ -2,19 +2,26 @@ title: Determine your application control objectives (Windows 10) description: This topic helps you with the decisions you need to make to determine what applications to control and how to control them by comparing Software Restriction Policies (SRP) and AppLocker. ms.assetid: 0e84003e-6095-46fb-8c4e-2065869bb53b -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Determine your application control objectives + **Applies to** - Windows 10 + This topic helps you with the decisions you need to make to determine what applications to control and how to control them by comparing Software Restriction Policies (SRP) and AppLocker. + AppLocker is very effective for organizations with app restriction requirements whose environments have a simple topography and the application control policy goals are straightforward. For example, AppLocker can benefit an environment where non-employees have access to computers connected to the organizational network, such as a school or library. Large organizations also benefit from AppLocker policy deployment when the goal is to achieve a detailed level of control on the PCs that they manage for a relatively small number of apps. + There are management and maintenance costs associated with a list of allowed apps. In addition, the purpose of application control policies is to allow or prevent employees from using apps that might actually be productivity tools. Keeping employees or users productive while implementing the policies can cost time and effort. Lastly, creating user support processes and network support processes to keep the organization productive are also concerns. + Use the following table to develop your own objectives and determine which application control feature best addresses those objectives. + @@ -149,5 +156,3 @@ Use the following table to develop your own objectives and determine which appli
  For more general info, see [AppLocker](applocker-overview.md). -  -  diff --git a/windows/keep-secure/devices-allow-undock-without-having-to-log-on.md b/windows/keep-secure/devices-allow-undock-without-having-to-log-on.md index 1283cb2181..0d237c5cd4 100644 --- a/windows/keep-secure/devices-allow-undock-without-having-to-log-on.md +++ b/windows/keep-secure/devices-allow-undock-without-having-to-log-on.md 
@@ -2,84 +2,78 @@ title: Devices Allow undock without having to log on (Windows 10) description: Describes the best practices, location, values, and security considerations for the Devices Allow undock without having to log on security policy setting. ms.assetid: 1d403f5d-ad41-4bb4-9f4a-0779c1c14b8c -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Devices: Allow undock without having to log on + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Devices: Allow undock without having to log on** security policy setting. + ## Reference + This policy setting enables or disables the ability of a user to remove a portable device from a docking station without logging on. If you enable this policy setting, users can press a docked portable device's physical eject button to safely undock the device. If you disable this policy setting, the user must log on to receive permission to undock the device. Only users who have the **Remove Computer from Docking Station** privilege can obtain this permission. -**Note**   -Disabling this policy setting only reduces theft risk for portable devices that cannot be mechanically undocked. Devices that can be mechanically undocked can be physically removed by the user whether or not they use the Windows undocking functionality. + +>**Note:**  Disabling this policy setting only reduces theft risk for portable devices that cannot be mechanically undocked. Devices that can be mechanically undocked can be physically removed by the user whether or not they use the Windows undocking functionality.   Enabling this policy setting means that anyone with physical access to a device that has been placed in its docking station can remove the computer and possibly tamper with it. For devices that do not have docking stations, this policy setting has no impact. 
However, for users with a mobile computer that is normally docked while they are in the office, this policy setting will help lower the risk of equipment theft or a malicious user gaining physical access to these devices + ### Possible values + - Enabled - Disabled - Not defined + ### Best practices + It is advisable to disable the **Devices: Allow undock without having to log on** policy setting. Users who have docked their devices will have to log on to the local console before they can undock their systems. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Enabled

DC Effective Default Settings

Enabled

Member Server Effective Default Settings

Enabled

Client Computer Effective Default Settings

Enabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Not defined | +| Stand-Alone Server Default Settings | Enabled| +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings | Enabled| +| Client Computer Effective Default Settings| Enabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + If this policy setting is enabled, anyone with physical access to portable computers in docking stations could remove them and possibly tamper with them. + ### Countermeasure + Disable the **Devices: Allow undock without having to log on** setting. ### Potential impact + Users who have docked their device must log on to the local console before they can undock their computers. For devices that do not have docking stations, this policy setting has no impact. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/devices-allowed-to-format-and-eject-removable-media.md b/windows/keep-secure/devices-allowed-to-format-and-eject-removable-media.md index 146ef13dde..9c9a232738 100644 --- a/windows/keep-secure/devices-allowed-to-format-and-eject-removable-media.md +++ b/windows/keep-secure/devices-allowed-to-format-and-eject-removable-media.md 
@@ -2,82 +2,79 @@ title: Devices Allowed to format and eject removable media (Windows 10) description: Describes the best practices, location, values, and security considerations for the Devices Allowed to format and eject removable media security policy setting. ms.assetid: d1b42425-7244-4ab1-9d46-d68de823459c -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Devices: Allowed to format and eject removable media + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Devices: Allowed to format and eject removable media** security policy setting. + ## Reference + This policy setting determines who is allowed to format and eject removable media. + Users can move removable disks to a different device where they have administrative user rights and then take ownership of any file, assign themselves full control, and view or modify any file. The advantage of configuring this policy setting is diminished by the fact that most removable storage devices will eject media with the press of a button. + ### Possible values + - Administrators - Administrators and Power Users - Administrators and Interactive Users (not applicable to Windows Server 2008 R2 or Windows 7 and later) - Not defined + ### Best practices + - It is advisable to set **Allowed to format and eject removable media** to **Administrators**. Only administrators will be able to eject NTFS-formatted removable media. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Administrators

DC Effective Default Settings

Administrators

Member Server Effective Default Settings

Administrators

Client Computer Effective Default Settings

Not defined

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Administrators| +| DC Effective Default Settings | Administrators| +| Member Server Effective Default Settings | Administrators| +| Client Computer Effective Default Settings | Not defined|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability -Users could move data on removable disks to a different computer where they have administrative privileges. The user could then take ownership of any file, grant themselves full control, and view or modify any file. The fact that most removable storage devices eject media when a mechanical button is pressed diminishes the advantage of this policy setting. + +Users could move data on removable disks to a different computer where they have administrative privileges. The user could then take ownership of any file, grant themselves full control, and view or modify any file. The fact that most removable storage devices eject media when a mechanical button +is pressed diminishes the advantage of this policy setting. + ### Countermeasure + Configure the **Devices: Allowed to format and eject removable media** setting to **Administrators**. + ### Potential impact + Only administrators can format and eject removable media. If users are in the habit of using removable media for file transfers and storage, they must be informed of the change in policy. 
+ ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/devices-prevent-users-from-installing-printer-drivers.md b/windows/keep-secure/devices-prevent-users-from-installing-printer-drivers.md index 9a31968fed..c71b4b04d5 100644 --- a/windows/keep-secure/devices-prevent-users-from-installing-printer-drivers.md +++ b/windows/keep-secure/devices-prevent-users-from-installing-printer-drivers.md 
@@ -2,82 +2,80 @@ title: Devices Prevent users from installing printer drivers (Windows 10) description: Describes the best practices, location, values, and security considerations for the Devices Prevent users from installing printer drivers security policy setting. ms.assetid: ab70a122-f7f9-47e0-ad8c-541f30a27ec3 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Devices: Prevent users from installing printer drivers + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Devices: Prevent users from installing printer drivers** security policy setting. + ## Reference + For a device to print to a network printer, the driver for that network printer must be installed locally. The **Devices: Prevent users from installing printer drivers** policy setting determines who can install a printer driver as part of adding a network printer. When you set the value to **Enabled**, only Administrators and Power Users can install a printer driver as part of adding a network printer. Setting the value to **Disabled** allows any user to install a printer driver as part of adding a network printer. This setting prevents unprivileged users from downloading and installing an untrusted printer driver. + This setting has no impact if you have configured a trusted path for downloading drivers. When using trusted paths, the print subsystem attempts to use the trusted path to download the driver. If the trusted path download succeeds, the driver is installed on behalf of any user. If the trusted path download fails, the driver is not installed and the network printer is not added. + Although it might be appropriate in some organizations to allow users to install printer drivers on their own workstations, this is not suitable for servers. Installing a printer driver on a server can cause the system to become less stable. 
Only administrators should have this user right on servers. A malicious user might deliberately try to damage the system by installing inappropriate printer drivers. + ### Possible values + - Enabled - Disabled - Not defined + ### Best practices + - It is advisable to set **Devices: Prevent users from installing printer drivers** to Enabled. Only users in the Administrative, Power User, or Server Operator groups will be able to install printers on servers. If this policy setting is enabled, but the driver for a network printer already exists on the local computer, users can still add the network printer. This policy setting does not affect a user's ability to add a local printer. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Enabled

DC Effective Default Settings

Enabled

Member Server Effective Default Settings

Enabled

Client Computer Effective Default Settings

Disabled

+ +Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Enabled| +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings | Enabled| +| Client Computer Effective Default Settings | Disabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability -It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. However, you should allow only administrators, not users, to do so on servers because printer driver installation on a server may unintentionally cause the computer to become less stable. A malicious user could install inappropriate printer drivers in a deliberate attempt to damage the computer, or a user might accidentally install malicious software that masquerades as a printer driver. + +It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. However, you should allow only administrators, not users, to do so on servers because printer driver installation on a server may unintentionally cause the computer to become less +stable. A malicious user could install inappropriate printer drivers in a deliberate attempt to damage the computer, or a user might accidentally install malicious software that masquerades as a printer driver. + ### Countermeasure + Enable the **Devices: Prevent users from installing printer drivers** setting. 
+ ### Potential impact + Only members of the Administrator, Power Users, or Server Operator groups can install printers on the servers. If this policy setting is enabled but the driver for a network printer already exists on the local computer, users can still add the network printer. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md b/windows/keep-secure/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md index d4a806d762..e42ea9042c 100644 --- a/windows/keep-secure/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md +++ b/windows/keep-secure/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md 
@@ -2,82 +2,79 @@ title: Devices Restrict CD-ROM access to locally logged-on user only (Windows 10) description: Describes the best practices, location, values, and security considerations for the Devices Restrict CD-ROM access to locally logged-on user only security policy setting. ms.assetid: 8b8f44bb-84ce-4f18-af30-ab89910e234d -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Devices: Restrict CD-ROM access to locally logged-on user only + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Devices: Restrict CD-ROM access to locally logged-on user only** security policy setting. + ## Reference + This policy setting determines whether a CD is accessible to local and remote users simultaneously. If you enable this policy setting, only the interactively logged-on user is allowed to access removable CDs. If this policy setting is enabled and no one is logged on interactively, the CD can be accessed over the network. + The security benefit of enabling this policy setting is small because it only prevents network users from accessing the drive when someone is logged on to the local console of the system at the same time. Additionally, CD drives are not automatically made available as network shared drives; you must deliberately choose to share the drive. This is important when administrators are installing software or copying data from a CD-ROM, and they do not want network users to be able to execute the applications or view the data. + If this policy setting is enabled, users who connect to the server over the network will not be able to use any CD drives that are installed on the server when anyone is logged on to the local console of the server. Enabling this policy setting is not suitable for a system that serves as a CD jukebox for network users. 
+ ### Possible values + - Enabled - Disabled - Not defined + ### Best practices + - Best practices are dependent on your security and user accessibility requirements for CD drives. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined | +| Default Domain Controller Policy | Not defined | +| Stand-Alone Server Default Settings | Disabled | +| DC Effective Default Settings | Disabled | +| Member Server Effective Default Settings | Disabled | +| Client Computer Effective Default Settings | Disabled |   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability -A remote user could potentially access a mounted CD that contains sensitive information. This risk is small because CD drives are not automatically made available as shared drives; you must deliberately choose to share the drive. However, you can deny network users the ability to view data or run applications from removable media on the server. + +A remote user could potentially access a mounted CD that contains sensitive information. This risk is small because CD drives are not automatically made available as shared drives; you must deliberately choose to share the drive. However, you can deny network users the ability to view data or run +applications from removable media on the server. + ### Countermeasure Enable the **Devices: Restrict CD-ROM drive access to locally logged-on user only** setting. + ### Potential impact Users who connect to the server over the network cannot use any CD drives that are installed on the server when anyone is logged on to the local console of the server. System tools that require access to the CD drive will fail. 
For example, the Volume Shadow Copy service attempts to access all CD and floppy disk drives that are present on the computer when it initializes, and if the service cannot access one of these drives, it fails. This condition causes the Windows Backup tool to fail if volume shadow copies were specified for the backup job. Any non-Microsoft backup products that use volume shadow copies also fail. This policy setting would not be suitable for a computer that serves as a CD jukebox for network users. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/devices-restrict-floppy-access-to-locally-logged-on-user-only.md b/windows/keep-secure/devices-restrict-floppy-access-to-locally-logged-on-user-only.md index c031c438a6..3246e36da5 100644 --- a/windows/keep-secure/devices-restrict-floppy-access-to-locally-logged-on-user-only.md +++ b/windows/keep-secure/devices-restrict-floppy-access-to-locally-logged-on-user-only.md 
@@ -2,82 +2,79 @@ title: Devices Restrict floppy access to locally logged-on user only (Windows 10) description: Describes the best practices, location, values, and security considerations for the Devices Restrict floppy access to locally logged-on user only security policy setting. ms.assetid: 92997910-da95-4c03-ae6f-832915423898 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Devices: Restrict floppy access to locally logged-on user only + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Devices: Restrict floppy access to locally logged-on user only** security policy setting. + ## Reference + This policy setting determines whether removable floppy disks are accessible to local and remote users simultaneously. Enabling this policy setting allows only the interactively logged-on user to access removable floppy disks. If this policy setting is enabled and no one is logged on interactively, the floppy disk can be accessed over the network. + The security benefit of enabling this policy setting is small because it only prevents network users from accessing the floppy disk drive when someone is logged on to the local console of the system at the same time. Additionally, floppy disk drives are not automatically made available as network shared drives; you must deliberately choose to share the drive. This becomes important when you are installing software or copying data from a floppy disk and they do not want network users to be able to execute the applications or view the data. + If this policy setting is enabled, users who connect to the server over the network will not be able to use any floppy disk drives that are installed on the server when anyone is logged on to the local console of the server. 
+ ### Possible values + - Enabled - Disabled - Not defined + ### Best practices + - Best practices are dependent on your security and user accessibility requirements for CD drives. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + A remote user could potentially access a mounted floppy disk that contains sensitive information. This risk is small because floppy disk drives are not automatically shared; administrators must deliberately choose to share the drive. However, you can deny network users the ability to view data or run applications from removable media on the server. + ### Countermeasure + Enable the **Devices: Restrict floppy access to locally logged-on user only** setting. + ### Potential impact + Users who connect to the server over the network cannot use any floppy disk drives that are installed on the device when anyone is logged on to the local console of the server. System tools that require access to floppy disk drives fail. For example, the Volume Shadow Copy service attempts to access all CD-ROM and floppy disk drives that are present on the computer when it initializes, and if the service cannot access one of these drives, it fails. This condition causes the Windows Backup tool to fail if volume shadow copies were specified for the backup job. 
Any non-Microsoft backup products that use volume shadow copies also fail. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md b/windows/keep-secure/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md index ea5e8e17a8..267ba483ac 100644 --- a/windows/keep-secure/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md +++ b/windows/keep-secure/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md @@ -8,13 +8,20 @@ ms.mktglfcycl: deploy ms.sitesec: library author: brianlic-msft --- + # Display a custom URL message when users try to run a blocked app + **Applies to** - Windows 10 + This topic for IT professionals describes the steps for displaying a customized message to users when an AppLocker policy denies access to an app. + Using Group Policy, AppLocker can be configured to display a message with a custom URL. You can use this URL to redirect users to a support site that contains info about why the user received the error and which apps are allowed. If you do not display a custom message when an apps is blocked, the default access denied message is displayed. + To complete this procedure, you must have the **Edit Setting** permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission. + **To display a custom URL message when users try to run a blocked app** + 1. On the **Start** screen, type **gpmc.msc** to open the Group Policy Management Console (GPMC). 2. Navigate to the Group Policy Object (GPO) that you want to edit. 3. Right-click the GPO, and then click **Edit**. 
@@ -22,5 +29,3 @@ To complete this procedure, you must have the **Edit Setting** permission to ed 5. In the details pane, double-click **Set a support web page link**. 6. Click **Enabled**, and then type the URL of the custom Web page in the **Support Web page URL** box. 7. Click **OK** to apply the setting. -  -  diff --git a/windows/keep-secure/dll-rules-in-applocker.md b/windows/keep-secure/dll-rules-in-applocker.md index 545d8c5359..4f99109b04 100644 --- a/windows/keep-secure/dll-rules-in-applocker.md +++ b/windows/keep-secure/dll-rules-in-applocker.md @@ -2,64 +2,40 @@ title: DLL rules in AppLocker (Windows 10) description: This topic describes the file formats and available default rules for the DLL rule collection. ms.assetid: a083fd08-c07e-4534-b0e7-1e15d932ce8f -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # DLL rules in AppLocker + **Applies to** - Windows 10 + This topic describes the file formats and available default rules for the DLL rule collection. + AppLocker defines DLL rules to include only the following file formats: + - .dll - .ocx + The following table lists the default rules that are available for the DLL rule collection. - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
PurposeNameUserRule condition type

Allows members of the local Administrators group to run all DLLs

(Default Rule) All DLLs

BUILTIN\Administrators

Path: *

Allow all users to run DLLs in the Windows folder

(Default Rule) Microsoft Windows DLLs

Everyone

Path: %windir%\*

Allow all users to run DLLs in the Program Files folder

(Default Rule) All DLLs located in the Program Files folder

Everyone

Path: %programfiles%\*

+ +| Purpose | Name | User | Rule condition type | +| - | - | - | - | +| Allows members of the local Administrators group to run all DLLs | (Default Rule) All DLLs| +| BUILTIN\Administrators | Path: *| +| Allow all users to run DLLs in the Windows folder| (Default Rule) Microsoft Windows DLLs | +| Everyone | Path: %windir%\*| +| Allow all users to run DLLs in the Program Files folder | (Default Rule) All DLLs located in the Program Files folder| +| Everyone | Path: %programfiles%\*|   -**Important**   -If you use DLL rules, a DLL allow rule has to be created for each DLL that is used by all of the allowed apps +>**Important:**  If you use DLL rules, a DLL allow rule has to be created for each DLL that is used by all of the allowed apps   -**Caution**   -When DLL rules are used, AppLocker must check each DLL that an app loads. Therefore, users may experience a reduction in performance if DLL rules are used. +>**Caution:**  When DLL rules are used, AppLocker must check each DLL that an app loads. Therefore, users may experience a reduction in performance if DLL rules are used.   ## Related topics -[Understanding AppLocker default rules](understanding-applocker-default-rules.md) -  -  + +- [Understanding AppLocker default rules](understanding-applocker-default-rules.md) \ No newline at end of file diff --git a/windows/keep-secure/document-group-policy-structure-and-applocker-rule-enforcement.md b/windows/keep-secure/document-group-policy-structure-and-applocker-rule-enforcement.md index e97b186290..f583b63513 100644 --- a/windows/keep-secure/document-group-policy-structure-and-applocker-rule-enforcement.md +++ b/windows/keep-secure/document-group-policy-structure-and-applocker-rule-enforcement.md 
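Review bot: the converted default-rules table in dll-rules-in-applocker.md is malformed: the new header declares four columns (`| Purpose | Name | User | Rule condition type |`), but each logical row is split across two lines of two cells, so `| BUILTIN\Administrators | Path: *|` renders as a separate row under Purpose/Name instead of supplying the User and Rule condition type cells of the "(Default Rule) All DLLs" row. Merge each pair into one four-cell row, e.g. `| Allows members of the local Administrators group to run all DLLs | (Default Rule) All DLLs | BUILTIN\Administrators | Path: * |`, and do the same for the Windows folder and Program Files rows. Two smaller points in the same hunk: the new `>**Important:**` callout ends without a period ("...used by all of the allowed apps"), and the file now ends without a trailing newline (the `\ No newline at end of file` marker), which the other files in this change do not do.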
@@ -2,23 +2,31 @@ title: Document the Group Policy structure and AppLocker rule enforcement (Windows 10) description: This planning topic describes what you need to investigate, determine, and record in your application control policies plan when you use AppLocker. ms.assetid: 389ffa8e-11fc-49ff-b0b1-89553e6fb6e5 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library author: brianlic-msft +ms.pagetype: security --- + # Document the Group Policy structure and AppLocker rule enforcement + **Applies to** - Windows 10 + This planning topic describes what you need to investigate, determine, and record in your application control policies plan when you use AppLocker. + ## Record your findings + To complete this AppLocker planning document, you should first complete the following steps: + 1. [Determine your application control objectives](determine-your-application-control-objectives.md) 2. [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md) 3. [Select the types of rules to create](select-types-of-rules-to-create.md) 4. [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md) + After you determine how to structure your Group Policy Objects (GPOs) so that you can apply AppLocker policies, you should record your findings. You can use the following table to determine how many GPOs to create (or edit) and which objects they are linked to. If you decided to create custom rules to allow system files to run, note the high-level rule configuration in the **Use default rule or define new rule condition** column. + The following table includes the sample data that was collected when you determined your enforcement settings and the GPO structure for your AppLocker policies. @@ -111,6 +119,7 @@ The following table includes the sample data that was collected when you determi
  ## Next steps + After you have determined the Group Policy structure and rule enforcement strategy for each business group's apps, the following tasks remain: - [Plan for AppLocker policy management](plan-for-applocker-policy-management.md) - [Create your AppLocker planning document](create-your-applocker-planning-document.md) diff --git a/windows/keep-secure/document-your-application-control-management-processes.md b/windows/keep-secure/document-your-application-control-management-processes.md index b5a9cd95a7..e0ef522601 100644 --- a/windows/keep-secure/document-your-application-control-management-processes.md +++ b/windows/keep-secure/document-your-application-control-management-processes.md 
@@ -2,31 +2,46 @@ title: Document your application control management processes (Windows 10) description: This planning topic describes the AppLocker policy maintenance information to record for your design document. ms.assetid: 6397f789-0e36-4933-9f86-f3f6489cf1fb -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Document your application control management processes + **Applies to** - Windows 10 + This planning topic describes the AppLocker policy maintenance information to record for your design document. + ## Record your findings + To complete this AppLocker planning document, you should first complete the following steps: + 1. [Determine your application control objectives](determine-your-application-control-objectives.md) 2. [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md) 3. [Select the types of rules to create](select-types-of-rules-to-create.md) 4. [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md) 5. [Plan for AppLocker policy management](plan-for-applocker-policy-management.md) + The three key areas to determine for AppLocker policy management are: + 1. Support policy + Document the process that you will use for handling calls from users who have attempted to run a blocked app, and ensure that support personnel know recommended troubleshooting steps and escalation points for your policy. + 2. Event processing + Document whether events will be collected in a central location, how that store will be archived, and whether the events will be processed for analysis. + 3. Policy maintenance + Detail how rules will be added to the policy, in which Group Policy Object (GPO) the rules should be defined, and how to modify rules when apps are retired, updated, or added. 
+ The following table contains the added sample data that was collected when determining how to maintain and manage AppLocker policies. + @@ -125,9 +140,13 @@ The following table contains the added sample data that was collected when deter
  The following two tables illustrate examples of documenting considerations to maintain and manage AppLocker policies. + **Event processing policy** + One discovery method for app usage is to set the AppLocker enforcement mode to **Audit only**. This will write events to the AppLocker logs, which can be managed and analyzed like other Windows logs. After apps have been identified, you can begin to develop policies regarding the processing and access to AppLocker events. + The following table is an example of what to consider and record. + @@ -210,7 +229,6 @@ The following table is an example of what to consider and record.
  ## Next steps + After you have determined your application control management strategy for each of the business group's applications, the following task remains: - [Create your AppLocker planning document](create-your-applocker-planning-document.md) -  -  diff --git a/windows/keep-secure/document-your-application-list.md b/windows/keep-secure/document-your-application-list.md index 1b7c7906fa..c20e6831ad 100644 --- a/windows/keep-secure/document-your-application-list.md +++ b/windows/keep-secure/document-your-application-list.md 
@@ -2,21 +2,30 @@ title: Document your app list (Windows 10) description: This planning topic describes the app information that you should document when you create a list of apps for AppLocker policies. ms.assetid: b155284b-f75d-4405-aecf-b74221622dc0 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Document your app list + **Applies to** - Windows 10 + This planning topic describes the app information that you should document when you create a list of apps for AppLocker policies. + ## Record your findings + **Apps** + Record the name of the app, whether it is signed as indicated by the publisher's name, and whether it is a mission critical, business productivity, optional, or personal app. Later, as you manage your rules, AppLocker displays this information in the format shown in the following example: *MICROSOFT OFFICE INFOPATH signed by O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US*. + **Installation path** + Record the installation path of the apps. For example, Microsoft Office 2016 installs files to *%programfiles%\\Microsoft Office\\Office16\\*, which is *C:\\Program Files\\Microsoft Office\\Office16\\* on most devices. + The following table provides an example of how to list applications for each business group at the early stage of designing your application control policies. Eventually, as more planning information is added to the list, the information can be used to build AppLocker rules. @@ -81,29 +90,36 @@ The following table provides an example of how to list applications for each bus
  -**Note**   -AppLocker only supports publisher rules for Universal Windows apps. Therefore, collecting the installation path information for Universal Windows apps is not necessary. +>**Note:**  AppLocker only supports publisher rules for Universal Windows apps. Therefore, collecting the installation path information for Universal Windows apps is not necessary.   **Event processing** + As you create your list of apps, you need to consider how to manage the events that are generated by user access, or you need to deny running those apps to make your users as productive as possible. The following list is an example of what to consider and what to record: + - Will event forwarding be implemented for AppLocker events? - What is the location of the AppLocker event collection? - Should an event archival policy be implemented? - Will the events be analyzed and how often? - Should a security policy be in place for event collection? + **Policy maintenance** + As you create your list of apps, you need to consider how to manage and maintain the policies that you will eventually create. The following list is an example of what to consider and what to record: + - How will rules be updated for emergency app access and permanent access? - How will apps be removed? - How many older versions of the same app will be maintained? - How will new apps be introduced? + ## Next steps + After you have created the list of applications, the next step is to identify the rule collections, which will become the application control policies. This information can be added to the table under the following columns: + - Use default rule or define new rule condition - Allow or deny - GPO name + To identify the rule collections, see the following topics: + - [Select the types of rules to create](select-types-of-rules-to-create.md) - [Determine Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md) -  -  
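Review bot: the context sentence under "Event processing" in document-your-application-list.md, "you need to consider how to manage the events that are generated by user access, or you need to deny running those apps to make your users as productive as possible", reads as though denying the apps is what makes users productive; since this hunk is already adding blank lines around that paragraph, rephrase it, for example to "how to manage the events that are generated when users access, or are denied, those apps, so that your users remain as productive as possible".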
diff --git a/windows/keep-secure/document-your-applocker-rules.md b/windows/keep-secure/document-your-applocker-rules.md index 97bd6545ef..5603fcefdc 100644 --- a/windows/keep-secure/document-your-applocker-rules.md +++ b/windows/keep-secure/document-your-applocker-rules.md 
@@ -2,25 +2,35 @@ title: Document your AppLocker rules (Windows 10) description: This topic describes what rule conditions to associate with each file, how to associate the rule conditions with each file, the source of the rule, and whether the file should be included or excluded. ms.assetid: 91a198ce-104a-45ff-b49b-487fb40cd2dd -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Document your AppLocker rules + **Applies to** - Windows 10 + This topic describes what rule conditions to associate with each file, how to associate the rule conditions with each file, the source of the rule, and whether the file should be included or excluded. + ## Record your findings + To complete this AppLocker planning document, you should first complete the following steps: + 1. [Determine your application control objectives](determine-your-application-control-objectives.md) 2. [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md) 3. [Select the types of rules to create](select-types-of-rules-to-create.md) + Document the following items for each business group or organizational unit: + - Whether your organization will use the built-in default AppLocker rules to allow system files to run. - The types of rule conditions that you will use to create rules, stated in order of preference. + The following table details sample data for documenting rule type and rule condition findings. In addition, you should now consider whether to allow an app to run or deny permission for it to run. For info about these settings, see [Understanding AppLocker allow and deny actions on rules](understanding-applocker-allow-and-deny-actions-on-rules.md). + @@ -101,9 +111,9 @@ The following table details sample data for documenting rule type and rule condi
  ## Next steps + For each rule, determine whether to use the allow or deny option. Then, three tasks remain: + - [Determine Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md) - [Plan for AppLocker policy management](plan-for-applocker-policy-management.md) - [Create your AppLocker planning document](create-your-applocker-planning-document.md) -  -  diff --git a/windows/keep-secure/domain-controller-allow-server-operators-to-schedule-tasks.md b/windows/keep-secure/domain-controller-allow-server-operators-to-schedule-tasks.md index 9830087bd1..73dd753654 100644 --- a/windows/keep-secure/domain-controller-allow-server-operators-to-schedule-tasks.md +++ b/windows/keep-secure/domain-controller-allow-server-operators-to-schedule-tasks.md 
@@ -2,87 +2,85 @@ title: Domain controller Allow server operators to schedule tasks (Windows 10) description: Describes the best practices, location, values, and security considerations for the Domain controller Allow server operators to schedule tasks security policy setting. ms.assetid: 198b12a4-8a5d-48e8-a752-2073b8a2cb0d -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Domain controller: Allow server operators to schedule tasks + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Domain controller: Allow server operators to schedule tasks** security policy setting. + ## Reference + This policy setting determines whether server operators can use the**at** command to submit jobs. If you enable this policy setting, jobs that are created by server operators by means of the **at** command run in the context of the account that runs the Task Scheduler service. By default, that is the Local System account. -**Note**   -This security option setting affects only the scheduler tool for the **at** command. It does not affect the Task Scheduler tool. + +>**Note:**  This security option setting affects only the scheduler tool for the **at** command. It does not affect the Task Scheduler tool.   Enabling this policy setting means jobs that are created by server operators through the **at** command will be executed in the context of the account that is running that service—by default, that is the Local System account. This means that server operators can perform tasks that the Local System account is able to do, but server operators would normally not be able to do, such as add their account to the local Administrators group. + The impact of enabling this policy setting should be small for most organizations. 
Users, including those in the Server Operators group, will still be able to create jobs by using the Task Scheduler Wizard, but those jobs will run in the context of the account that the user authenticates with when setting up the job. + ### Possible values + - Enabled - Disabled - Not defined + ### Best practices + - Best practices for this policy are dependent on your security and operational requirements for task scheduling. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Not defined

DC Effective Default Settings

Not defined

Member Server Effective Default Settings

Not defined

Client Computer Effective Default Settings

Not defined

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Not defined | +| Stand-Alone Server Default Settings | Not defined| +| DC Effective Default Settings | Not defined| +| Member Server Effective Default Settings | Not defined| +| Client Computer Effective Default Settings | Not defined|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Command-line tools + The **at** command schedules commands and programs to run on a computer at a specified time and date. The Schedule service must be running to use the **at** command. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Tasks that run under the context of the Local System account can affect resources that are at a higher privilege level than the user account that scheduled the task. + ### Countermeasure + Disable the **Domain controller: Allow server operators to schedule tasks** setting. + ### Potential impact + The impact should be small for most organizations. Users (including those in the Server Operators group) can still create jobs by means of the Task Scheduler snap-in. However, those jobs run in the context of the account that the user authenticates with when setting up the job. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/domain-controller-ldap-server-signing-requirements.md b/windows/keep-secure/domain-controller-ldap-server-signing-requirements.md index 50f94a37d3..8f75f7faa7 100644 
--- a/windows/keep-secure/domain-controller-ldap-server-signing-requirements.md +++ b/windows/keep-secure/domain-controller-ldap-server-signing-requirements.md 
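Review bot: in the domain-controller-allow-server-operators-to-schedule-tasks.md hunk, the unchanged context sentence "This policy setting determines whether server operators can use the**at** command to submit jobs." is missing the space before the bold "at" and will render as "the**at**"; fix it to "can use the **at** command" while this paragraph is being touched, matching the other occurrences of **at** in the same section.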
@@ -2,86 +2,83 @@ title: Domain controller LDAP server signing requirements (Windows 10) description: Describes the best practices, location, values, and security considerations for the Domain controller LDAP server signing requirements security policy setting. ms.assetid: fe122179-7571-465b-98d0-b8ce0f224390 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Domain controller: LDAP server signing requirements + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Domain controller: LDAP server signing requirements** security policy setting. + ## Reference + This policy setting determines whether the Lightweight Directory Access Protocol (LDAP) server requires LDAP clients to negotiate data signing. + Unsigned network traffic is susceptible to man-in-the-middle attacks, where an intruder captures packets between the server and the client device and modifies them before forwarding them to the client device. In the case of an LDAP server, this means that a malicious user can cause a client device to make decisions based on false records from the LDAP directory. You can lower the risk of a malicious user accomplishing this in a corporate network by implementing strong physical security measures to protect the network infrastructure. Furthermore, implementing Internet Protocol security (IPsec) Authentication Header mode, which provides mutual authentication and packet integrity for IP traffic, can make all types of man-in-the-middle attacks extremely difficult. + This setting does not have any impact on LDAP simple bind or LDAP simple bind through SSL. + If signing is required, then LDAP simple bind and LDAP simple bind through SSL requests are rejected. -**Caution**   -If you set the server to Require signature, you must also set the client device. Not setting the client device results in loss of connection with the server. 
+ +>**Caution:**  If you set the server to Require signature, you must also set the client device. Not setting the client device results in loss of connection with the server.   ### Possible values + - None. Data signatures are not required to bind with the server. If the client computer requests data signing, the server supports it. - Require signature. The LDAP data-signing option must be negotiated unless Transport Layer Security/Secure Sockets Layer (TLS/SSL) is in use. - Not defined. + ### Best practices + - It is advisable to set **Domain controller: LDAP server signing requirements** to **Require signature**. Clients that do not support LDAP signing will be unable to execute LDAP queries against the domain controllers. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Not defined

DC Effective Default Settings

None

Member Server Effective Default Settings

None

Client Computer Effective Default Settings

None

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Not defined| +| DC Effective Default Settings | None| +| Member Server Effective Default Settings | None| +| Client Computer Effective Default Settings | None|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Unsigned network traffic is susceptible to man-in-the-middle attacks. In such attacks, an intruder captures packets between the server and the client device, modifies them, and then forwards them to the client device. Where LDAP servers are concerned, an attacker could cause a client device to make decisions that are based on false records from the LDAP directory. To lower the risk of such an intrusion in an organization's network, you can implement strong physical security measures to protect the network infrastructure. You could also implement Internet Protocol security (IPsec) Authentication Header mode, which performs mutual authentication and packet integrity for IP traffic to make all types of man-in-the-middle attacks extremely difficult. + ### Countermeasure + Configure the **Domain controller: LDAP server signing requirements** setting to **Require signature**. + ### Potential impact + Client device that do not support LDAP signing cannot run LDAP queries against the domain controllers. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) 
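Review bot: two adjacent context lines in the domain-controller-ldap-server-signing-requirements.md hunk contradict each other: "This setting does not have any impact on LDAP simple bind or LDAP simple bind through SSL." is immediately followed by "If signing is required, then LDAP simple bind and LDAP simple bind through SSL requests are rejected." The Caution and Potential impact paragraphs in the same hunk both describe connections failing when Require signature is set, so the first sentence looks like the stale one; since this hunk reflows exactly this passage, keep only the statement that is intended rather than leaving both. Also, "Client device that do not support LDAP signing cannot run LDAP queries" under Potential impact should read "Client devices that do not support".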
diff --git a/windows/keep-secure/domain-controller-refuse-machine-account-password-changes.md b/windows/keep-secure/domain-controller-refuse-machine-account-password-changes.md index acab069b02..3d0dc98ace 100644 --- a/windows/keep-secure/domain-controller-refuse-machine-account-password-changes.md +++ b/windows/keep-secure/domain-controller-refuse-machine-account-password-changes.md 
@@ -2,83 +2,83 @@ title: Domain controller Refuse machine account password changes (Windows 10) description: Describes the best practices, location, values, and security considerations for the Domain controller Refuse machine account password changes security policy setting. ms.assetid: 5a7fa2e2-e1a8-4833-90f7-aa83e3b456a9 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Domain controller: Refuse machine account password changes + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Domain controller: Refuse machine account password changes** security policy setting. + ## Reference + This policy setting enables or disables blocking a domain controller from accepting password change requests for machine accounts. By default, devices joined to the domain change their machine account passwords every 30 days. If enabled, the domain controller will refuse machine account password change requests. + ### Possible values + - Enabled + When enabled, this setting does not allow a domain controller to accept any changes to a machine account's password. + - Disabled + When disabled, this setting allows a domain controller to accept any changes to a machine account's password. + - Not defined + Same as Disabled. + ### Best practices + - Enabling this policy setting on all domain controllers in a domain prevents domain members from changing their machine account passwords. This, in turn, leaves those passwords susceptible to attack. Make sure that this conforms to your overall security policy for the domain. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. 
- ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Not defined

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Not applicable

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Not defined| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Not applicable|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + If you enable this policy setting on all domain controllers in a domain, domain members cannot change their machine account passwords, and those passwords are more susceptible to attack. + ### Countermeasure + Disable the **Domain controller: Refuse machine account password changes** setting. + ### Potential impact + None. This is the default configuration. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md b/windows/keep-secure/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md index b6ebe0166a..dde52ba0d7 100644 --- a/windows/keep-secure/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md +++ b/windows/keep-secure/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md 
@@ -2,103 +2,114 @@ title: Domain member Digitally encrypt or sign secure channel data (always) (Windows 10) description: Describes the best practices, location, values, and security considerations for the Domain member Digitally encrypt or sign secure channel data (always) security policy setting. ms.assetid: 4480c7cb-adca-4f29-b4b8-06eb68d272bf -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Domain member: Digitally encrypt or sign secure channel data (always) + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Domain member: Digitally encrypt or sign secure channel data (always)** security policy setting. + ## Reference -This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. Logon information that is transmitted over the secure channel is always encrypted regardless of whether the encryption of all other secure channel traffic is negotiated. + +This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. Logon information that is +transmitted over the secure channel is always encrypted regardless of whether the encryption of all other secure channel traffic is negotiated. 
+ The following policy settings determine whether a secure channel can be established with a domain controller that is not capable of signing or encrypting secure channel traffic: + - Domain member: Digitally encrypt or sign secure channel data (always) - [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) - [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) + Setting **Domain member: Digitally encrypt or sign secure channel data (always)** to **Enabled** prevents establishing a secure channel with any domain controller that cannot sign or encrypt all secure channel data. + To protect authentication traffic from man-in-the-middle, replay, and other types of network attacks, Windows-based computers create a communication channel through NetLogon called secure channels. These channels authenticate machine accounts. They also authenticate user accounts when a remote user connects to a network resource and the user account exists in a trusted domain. This is called pass-through authentication, and it allows a device running Windows othat has joined a domain to have access to the user account database in its domain and in any trusted domains. + To enable the **Domain member: Digitally encrypt or sign secure channel data (always)** policy setting on a member workstation or server, all domain controllers in the domain that the member belongs to must be capable of signing or encrypting all secure-channel data. + Enabling the **Domain member: Digitally encrypt or sign secure channel data (always)** policy setting automatically enables the [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) policy setting. + When a device joins a domain, a machine account is created. 
After joining the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. This secure channel is used to perform operations such as NTLM pass-through authentication and LSA SID/name Lookup. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the integrity of the channel is not checked, and not all information is encrypted. If a system is set to always encrypt or sign secure channel data, a secure channel cannot be established with a domain controller that is not capable of signing or encrypting all secure channel traffic. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated. + ### Possible values + - Enabled - The policy [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic. + + The policy [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure + channel traffic. + - Disabled + The encryption and signing of all secure channel traffic is negotiated with the domain controller, in which case the level of signing and encryption depends on the version of the domain controller and the settings of the following policies: + 1. [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) 2. 
[Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) + - Not defined ### Best practices + - Set **Domain member: Digitally encrypt or sign secure channel data (always)** to **Enabled**. - Set [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) to **Enabled**. - Set [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) to **Enabled**. -**Note**   -You can enable the policy settings [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) and [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) on all devices in the domain that support these policy settings without affecting earlier-version clients and applications. + +>**Note:**  You can enable the policy settings [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) and [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) on all devices in the domain that support these policy settings without affecting earlier-version clients and applications.   ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Enabled

Stand-Alone Server Default Settings

Enabled

DC Effective Default Settings

Enabled

Member Server Effective Default Settings

Enabled

Client Computer Effective Default Settings

Enabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Enabled | +| Stand-Alone Server Default Settings | Enabled| +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings | Enabled| +| Client Computer Effective Default Settings | Enabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Group Policy + Distribution of this policy through Group Policy overrides the Local Security Policy setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability -When a device joins a domain, a machine account is created. After it joins the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. If a device is configured to always encrypt or sign secure channel data but the domain controller cannot sign or encrypt any portion of the secure channel data, the computer and domain controller cannot establish a secure channel. If the device is configured to encrypt or sign secure channel data, when possible, a secure channel can be established, but the level of encryption and signing is negotiated. + +When a device joins a domain, a machine account is created. 
After it joins the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. Requests that are sent on the secure channel are authenticated—and +sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. If a device is configured to always encrypt or sign secure channel data but the domain controller cannot sign or encrypt any portion of the secure channel data, the computer and domain controller cannot establish a secure channel. If the device is configured to encrypt or sign secure channel data, when possible, a secure channel can be established, but the level of encryption and signing is negotiated. + ### Countermeasure + Select one of the following settings as appropriate for your environment to configure the computers in your domain to encrypt or sign secure channel data. + - **Domain member: Digitally encrypt or sign secure channel data (always)** - [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) - [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) + ### Potential impact + Digital encryption and signing of the secure channel is a good idea because the secure channel protects domain credentials as they are sent to the domain controller. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/domain-member-digitally-encrypt-secure-channel-data-when-possible.md b/windows/keep-secure/domain-member-digitally-encrypt-secure-channel-data-when-possible.md index 693a34601d..9412bf6ae7 100644 --- a/windows/keep-secure/domain-member-digitally-encrypt-secure-channel-data-when-possible.md 
+++ b/windows/keep-secure/domain-member-digitally-encrypt-secure-channel-data-when-possible.md 
@@ -2,99 +2,107 @@ title: Domain member Digitally encrypt secure channel data (when possible) (Windows 10) description: Describes the best practices, location, values, and security considerations for the Domain member Digitally encrypt secure channel data (when possible) security policy setting. ms.assetid: 73e6023e-0af3-4531-8238-82f0f0e4965b -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Domain member: Digitally encrypt secure channel data (when possible) + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Domain member: Digitally encrypt secure channel data (when possible)** security policy setting. + ## Reference -This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be encrypted. Logon information that is transmitted over the secure channel is always encrypted regardless of whether the encryption of all other secure channel traffic is negotiated. + +This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be encrypted. Logon information that is transmitted over +the secure channel is always encrypted regardless of whether the encryption of all other secure channel traffic is negotiated. 
+ In addition to this policy setting, the following policy settings determine whether a secure channel can be established with a domain controller that is not capable of signing or encrypting secure channel traffic: + - [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) - [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) + Setting **Domain member: Digitally encrypt or sign secure channel data (always)** to **Enabled** prevents establishing a secure channel with any domain controller that cannot sign or encrypt all secure channel data. + To protect authentication traffic from man-in-the-middle, replay, and other types of network attacks, Windows-based computers create a communication channel through NetLogon called secure channels. These channels authenticate machine accounts. They also authenticate user accounts when a remote user connects to a network resource and the user account exists in a trusted domain. This is called pass-through authentication, and it allows a computer running the Windows operating system that has joined a domain to have access to the user account database in its domain and in any trusted domains. + Enabling the [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) policy setting automatically enables the **Domain member: Digitally sign secure channel data (when possible)** policy setting. + When a device joins a domain, a machine account is created. After joining the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. This secure channel is used to perform operations such as NTLM pass through authentication and LSA SID/name Lookup. 
Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the integrity of the channel is not checked, and not all information is encrypted. If a system is set to always encrypt or sign secure channel data, a secure channel cannot be established with a domain controller that is not capable of signing or encrypting all secure channel traffic. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated. + ### Possible values + - Enabled + The domain member will request encryption of all secure channel traffic. If the domain controller supports encryption of all secure channel traffic, then all secure channel traffic will be encrypted. Otherwise, only logon information that is transmitted over the secure channel will be encrypted. + - Disabled + The domain member will not attempt to negotiate secure channel encryption. - **Note**   - If the security policy setting [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) is enabled, this setting will be overwritten. + + >**Note:**  If the security policy setting [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) is enabled, this setting will be overwritten.   - Not defined + ### Best practices + - Set [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) to **Enabled**. - Set **Domain member: Digitally encrypt secure channel data (when possible)** to **Enabled**. - Set [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) to **Enabled**. 
+ ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Enabled

Stand-Alone Server Default Settings

Enabled

DC Effective Default Settings

Enabled

Member Server Effective Default Settings

Enabled

Client Computer Effective Default Settings

Enabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Enabled| +| Stand-Alone Server Default Settings | Enabled| +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings| Enabled| +| Client Computer Effective Default Settings | Enabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Group Policy + Distribution of this policy through Group Policy does not override the Local Security Policy setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + When a device joins a domain, a machine account is created. After it joins the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. If a device is configured to always encrypt or sign secure channel data but the domain controller cannot sign or encrypt any portion of the secure channel data, the computer and domain controller cannot establish a secure channel. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated. 
+ ### Countermeasure + Select one of the following settings as appropriate for your environment to configure the computers in your domain to encrypt or sign secure channel data: + - [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) - **Domain member: Digitally encrypt secure channel data (when possible)** - [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) + ### Potential impact + Digital signing of the secure channel is a good idea because it protects domain credentials as they are sent to the domain controller. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/domain-member-digitally-sign-secure-channel-data-when-possible.md b/windows/keep-secure/domain-member-digitally-sign-secure-channel-data-when-possible.md index 670f0b9024..6f0cdd5ea0 100644 --- a/windows/keep-secure/domain-member-digitally-sign-secure-channel-data-when-possible.md +++ b/windows/keep-secure/domain-member-digitally-sign-secure-channel-data-when-possible.md 
@@ -2,100 +2,105 @@ title: Domain member Digitally sign secure channel data (when possible) (Windows 10) description: Describes the best practices, location, values, and security considerations for the Domain member Digitally sign secure channel data (when possible) security policy setting. ms.assetid: a643e491-4f45-40ea-b12c-4dbe47e54f34 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Domain member: Digitally sign secure channel data (when possible) + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Domain member: Digitally sign secure channel data (when possible)** security policy setting. + ## Reference -This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be signed. Logon information that is transmitted over the secure channel is always encrypted regardless of whether the encryption of all other secure channel traffic is negotiated. + +This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be signed. Logon information that is transmitted over the +secure channel is always encrypted regardless of whether the encryption of all other secure channel traffic is negotiated. 
+ The following policy settings determine whether a secure channel can be established with a domain controller that is not capable of signing or encrypting secure channel traffic: - [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) - [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) - Domain member: Digitally sign secure channel data (when possible) + Setting [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) to **Enabled** prevents establishing a secure channel with any domain controller that cannot sign or encrypt all secure channel data. + To protect authentication traffic from man-in-the-middle, replay, and other types of network attacks, Windows-based computers create a communication channel through NetLogon called secure channels. These channels authenticate computer accounts. They also authenticate user accounts when a remote user connects to a network resource and the user account exists in a trusted domain. This is called pass-through authentication, and it allows a computer running the Windows operating system that has joined a domain to have access to the user account database in its domain and in any trusted domains. + Enabling the [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) policy setting automatically enables the **Domain member: Digitally sign secure channel data (when possible)** policy setting. When a device joins a domain, a machine account is created. After joining the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. 
This secure channel is used to perform operations such as NTLM pass through authentication and LSA SID/name Lookup. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the integrity of the channel is not checked, and not all information is encrypted. If a system is set to always encrypt or sign secure channel data, a secure channel cannot be established with a domain controller that is not capable of signing or encrypting all secure channel traffic. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated. + ### Possible values + - Enabled + The domain member will request signing of all secure channel traffic. If the domain controller supports signing of all secure channel traffic, then all secure channel traffic will be signed which ensures that it cannot be tampered with in transit. + - Disabled + Signing will not be negotiated unless the policy [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) is enabled. + - Not defined + ### Best practices + - Set [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) to **Enabled**. - Set [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) to **Enabled**. - Set **Domain member: Digitally sign secure channel data (when possible)** to **Enabled**. 
-**Note**   -You can enable the other two policy settings, Domain member: [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) and **Domain member: Digitally sign secure channel data (when possible)**, on all devices joined to the domain that support these policy settings without affecting earlier-version clients and applications. +>**Note:**  You can enable the other two policy settings, Domain member: [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) and **Domain member: Digitally sign secure channel data (when possible)**, on all devices joined to the domain that support these policy settings without affecting earlier-version clients and applications.   ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Enabled

Stand-Alone Server Default Settings

Enabled

DC Effective Default Settings

Enabled

Member Server Effective Default Settings

Enabled

Client Computer Effective Default Settings

Enabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Enabled | +| Stand-Alone Server Default Settings | Enabled| +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings| Enabled| +| Client Computer Effective Default Settings | Enabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Group Policy + Distribution of this policy through Group Policy does not override the Local Security Policy setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + When a device joins a domain, a machine account is created. After it joins the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. If a device is configured to always encrypt or sign secure channel data but the domain controller cannot sign or encrypt any portion of the secure channel data, the computer and domain controller cannot establish a secure channel. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated. 
+ ### Countermeasure + Because these policies are closely related and useful depending on your environment, select one of the following settings as appropriate to configure the devices in your domain to encrypt or sign secure channel data when possible. + - [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) - [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) - **Domain member: Digitally sign secure channel data (when possible)** + ### Potential impact + Digital signing of the secure channel is a good idea because the secure channel protects domain credentials as they are sent to the domain controller. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/domain-member-disable-machine-account-password-changes.md b/windows/keep-secure/domain-member-disable-machine-account-password-changes.md index 39fdae996b..a7e862cea4 100644 --- a/windows/keep-secure/domain-member-disable-machine-account-password-changes.md +++ b/windows/keep-secure/domain-member-disable-machine-account-password-changes.md 
@@ -2,82 +2,79 @@ title: Domain member Disable machine account password changes (Windows 10) description: Describes the best practices, location, values, and security considerations for the Domain member Disable machine account password changes security policy setting. ms.assetid: 1f660300-a07a-4243-a09f-140aa1ab8867 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Domain member: Disable machine account password changes + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Domain member: Disable machine account password changes** security policy setting. + ## Reference + The **Domain member: Disable machine account password changes** policy setting determines whether a domain member periodically changes its machine account password. Setting its value to **Enabled** prevents the domain member from changing the machine account password. Setting it to **Disabled** allows the domain member to change the machine account password as specified by the value of the [Domain member: Maximum machine account password age](domain-member-maximum-machine-account-password-age.md) policy setting, which is every 30 days by default. + By default, devices that belong to a domain are automatically required to change the passwords for their accounts every 30 days. Devices that are no longer able to automatically change their machine password are at risk of a malicious user determining the password for the system's domain account. Verify that the **Domain member: Disable machine account password changes** option is set to **Disabled**. + ### Possible values + - Enabled - Disabled + ### Best practices + 1. Do not enable this policy setting. Machine account passwords are used to establish secure channel communications between members and domain controllers and between the domain controllers within the domain. 
After it is established, the secure channel transmits sensitive information that is necessary for making authentication and authorization decisions. 2. Do not use this policy setting in an attempt to support dual-boot scenarios that use the same machine account. If you want to dual-boot installations that are joined to the same domain, give the two installations different computer names. This policy setting was added to the Windows operating system to make it easier for organizations that stockpile pre-built computers that are put into production months later; those devices do not have to be rejoined to the domain. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Disabled

Default Domain Controller Policy

Disabled

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Disabled | +| Default Domain Controller Policy | Disabled| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability -By default, devices running Windows Server that belong to a domain automatically change their passwords for their accounts every certain number of days, typically 30. If you disable this policy setting, devices that run Windows Server retain the same passwords as their machine accounts. Devices that cannot automatically change their account password are at risk from an attacker who could determine the password for the machine's domain account. + +By default, devices running Windows Server that belong to a domain automatically change their passwords for their accounts every certain number of days, typically 30. If you disable this policy setting, devices that run Windows Server retain the same passwords as their machine accounts. Devices +that cannot automatically change their account password are at risk from an attacker who could determine the password for the machine's domain account. + ### Countermeasure + Verify that the **Domain member: Disable machine account password changes** setting is configured to **Disabled**. + ### Potential impact + None. This is the default configuration. 
+ ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/domain-member-maximum-machine-account-password-age.md b/windows/keep-secure/domain-member-maximum-machine-account-password-age.md index 9deffaa2c2..b97cf3f485 100644 --- a/windows/keep-secure/domain-member-maximum-machine-account-password-age.md +++ b/windows/keep-secure/domain-member-maximum-machine-account-password-age.md 
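Review bot: In domain-member-disable-machine-account-password-changes.md, the reflowed Vulnerability paragraph still contradicts the Reference section: it says "If you disable this policy setting, devices that run Windows Server retain the same passwords", but the Reference text states that setting the policy to **Enabled** is what prevents the machine account password from changing, so the sentence should read "If you enable this policy setting". While that paragraph is being touched, keep it on one line instead of breaking mid-sentence ("Devices" / "that cannot automatically change"), which reads as an accidental wrap. The new table rows also pad cells inconsistently (`| Default Domain Policy | Disabled |` versus `| Default Domain Controller Policy | Disabled|`); use the same spacing on every row.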
@@ -2,81 +2,77 @@ title: Domain member Maximum machine account password age (Windows 10) description: Describes the best practices, location, values, and security considerations for the Domain member Maximum machine account password age security policy setting. ms.assetid: 0ec6f7c1-4d82-4339-94c0-debb2d1ac109 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Domain member: Maximum machine account password age + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Domain member: Maximum machine account password age** security policy setting. + ## Reference + The **Domain member: Maximum machine account password age** policy setting determines the maximum allowable age for a machine account password. + In Active Directory–based domains, each device has an account and password, just like every user. By default, the domain members automatically change their domain password every 30 days. Increasing this interval significantly, or setting it to **0** so that the device no longer change their passwords, gives a malicious user more time to undertake a brute-force password-guessing attack against one of the machine accounts. + ### Possible values + - User-defined number of days between 0 and 999 - Not defined. + ### Best practices + 1. It is often advisable to set **Domain member: Maximum machine account password age** to about 30 days. 2. Some organizations pre-build devices and then store them for later use or ship them to remote locations. If the machine's account has expired, it will no longer be able to authenticate with the domain. Devices that cannot authenticate with the domain must be removed from the domain and rejoined to it. 
For this reason, some organizations might want to create a special organizational unit (OU) for computers that are prebuilt, and configure the value for this policy setting to a larger number of days. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

30 days

DC Effective Default Settings

30 days

Member Server Effective Default Settings

30 days

Client Computer Effective Default Settings

30 days

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined | +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | 30 days| +| DC Effective Default Settings | 30 days| +| Member Server Effective Default Settings|30 days| +| Client Computer Effective Default Settings | 30 days|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability -In Active Directory–based domains, each device has an account and password, just as every user does. By default, the domain members automatically change their domain password every 30 days. If you increase this interval significantly, or set it to 0 so that the computers no longer change their passwords, an attacker has more time to undertake a brute-force attack to guess the password of one or more computer accounts. + +In Active Directory–based domains, each device has an account and password, just as every user does. By default, the domain members automatically change their domain password every 30 days. If you increase this interval significantly, or set it to 0 so that the computers no longer change their +passwords, an attacker has more time to undertake a brute-force attack to guess the password of one or more computer accounts. + ### Countermeasure + Configure the **Domain member: Maximum machine account password age** setting to 30 days. + ### Potential impact + None. This is the default configuration. 
## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/domain-member-require-strong-windows-2000-or-later-session-key.md b/windows/keep-secure/domain-member-require-strong-windows-2000-or-later-session-key.md index 2a95144b2d..320d44e467 100644 --- a/windows/keep-secure/domain-member-require-strong-windows-2000-or-later-session-key.md +++ b/windows/keep-secure/domain-member-require-strong-windows-2000-or-later-session-key.md 
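Review bot: In domain-member-maximum-machine-account-password-age.md, the new table has uneven cell spacing (`| Member Server Effective Default Settings|30 days|` beside `| Default Domain Policy | Not defined |`); pad every row the same way. The Vulnerability paragraph is again split across two lines mid-sentence ("no longer change their" / "passwords"); keep it on one line. Unlike the other two security-option pages in this change, no blank line is added between "None. This is the default configuration." and "## Related topics", so heading spacing differs between the three files.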
@@ -2,88 +2,95 @@ title: Domain member Require strong (Windows 2000 or later) session key (Windows 10) description: Describes the best practices, location, values, and security considerations for the Domain member Require strong (Windows 2000 or later) session key security policy setting. ms.assetid: 5ab8993c-5086-4f09-bc88-1b27454526bd -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Domain member: Require strong (Windows 2000 or later) session key + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Domain member: Require strong (Windows 2000 or later) session key** security policy setting. + ## Reference + The **Domain member: Require strong (Windows 2000 or later) session key** policy setting determines whether a secure channel can be established with a domain controller that is not capable of encrypting secure channel traffic with a strong, 128-bit session key. Enabling this policy setting prevents establishing a secure channel with any domain controller that cannot encrypt secure channel data with a strong key. Disabling this policy setting allows 64-bit session keys. + Whenever possible, you should take advantage of these stronger session keys to help protect secure channel communications from eavesdropping and session-hijacking network attacks. Eavesdropping is a form of hacking in which network data is read or altered in transit. The data can be modified to hide or change the name of the sender, or it can be redirected. + ### Possible values + - Enabled + When enabled on a member workstation or server, all domain controllers in the domain that the member belongs to must be capable of encrypting secure channel data with a strong, 128-bit key. This means that all such domain controllers must be running at least Windows 2000 Server. + - Disabled + Allows 64-bit session keys to be used. + - Not defined. 
+ ### Best practices + - It is advisable to set **Domain member: Require strong (Windows 2000 or later) session key** to Enabled. Enabling this policy setting ensures that all outgoing secure channel traffic will require a strong encryption key. Disabling this policy setting requires that key strength be negotiated. Only enable this option if the domain controllers in all trusted domains support strong keys. By default, this value is disabled. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +| Server type or GPO +| Default value +| - | - | +| Default Domain Policy | Not defined | +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled|   ## Policy management + + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Group Policy + Misuse of this policy setting is a common error that can cause data loss or problems with data access or security. + You will you be able to join devices that do not support this policy setting to domains where the domain controllers have this policy setting enabled. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Session keys that are used to establish secure channel communications between domain controllers and member computers are much stronger starting with Windows 2000. + Whenever possible, you should take advantage of these stronger session keys to help protect secure channel communications from attacks that attempt to hijack network sessions and eavesdrop. (Eavesdropping is a form of hacking in which network data is read or altered in transit. The data can be modified to hide or change the sender, or be redirected.) + ### Countermeasure + Enable the **Domain member: Require strong (Windows 2000 or later) session key** setting. + If you enable this policy setting, all outgoing secure channel traffic requires a strong encryption key. If you disable this policy setting, the key strength is negotiated. 
You should enable this policy setting only if the domain controllers in all trusted domains support strong keys. By default, this policy setting is disabled. + ### Potential impact + Devices that do not support this policy setting cannot join domains in which the domain controllers have this policy setting enabled. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/manage-tpm-lockout.md b/windows/keep-secure/manage-tpm-lockout.md index efe696a11e..7c75700ed0 100644 --- a/windows/keep-secure/manage-tpm-lockout.md +++ b/windows/keep-secure/manage-tpm-lockout.md 
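Review bot: In domain-member-require-strong-windows-2000-or-later-session-key.md, the new table's header row is broken: `| Server type or GPO` and `| Default value` sit on two separate lines, so Markdown will not recognize a header row and the table will not render; join them as `| Server type or GPO | Default value |`, matching the other two files. In the Group Policy section, the sentence "You will you be able to join devices that do not support this policy setting to domains where the domain controllers have this policy setting enabled." has a duplicated word and says the opposite of the Potential impact section ("Devices that do not support this policy setting cannot join domains..."); it should read "You will not be able to join". The two consecutive blank lines added after "## Policy management" can be reduced to one.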
@@ -2,48 +2,73 @@ title: Manage TPM lockout (Windows 10) description: This topic for the IT professional describes how to manage the lockout feature for the Trusted Platform Module (TPM) in Windows. ms.assetid: bf27adbe-404c-4691-a644-29ec722a3f7b -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Manage TPM lockout + **Applies to** - Windows 10 + This topic for the IT professional describes how to manage the lockout feature for the Trusted Platform Module (TPM) in Windows. + ## About TPM lockout + The TPM will lock itself to prevent tampering or malicious attacks. TPM lockout often lasts for a variable amount of time or until the computer is turned off. While the TPM is in lockout mode, it generally returns an error message when it receives commands that require an authorization value. One exception is that the TPM always allows the owner at least one attempt to reset the TPM lockout when it is in lockout mode. + TPM ownership is commonly taken the first time BitLocker Drive Encryption is turned on for the computer. In this case, the TPM owner authorization password is saved with the BitLocker recovery key. When the BitLocker recovery key is saved to a file, BitLocker also saves a TPM owner password file (.tpm) with the TPM owner password hash value. When the BitLocker recovery key is printed, the TPM owner password is printed at the same time. You can also save your TPM owner password hash value to Active Directory Domain Services (AD DS) if your organization's Group Policy settings are configured to do so. + In some cases, encryption keys are protected by a TPM by requiring a valid authorization value to access the key. A common example is configuring BitLocker Drive Encryption to use the TPM plus PIN key protector. In this scenario, the user must type the correct PIN during the boot process to access the volume encryption key protected by the TPM. 
To prevent malicious users or software from discovering authorization values, TPMs implement protection logic. The protection logic is designed to slow or stop responses from the TPM if it detects that an entity might be trying to guess authorization values. + The industry standards from the Trusted Computing Group (TCG) specify that TPM manufacturers must implement some form of protection logic in TPM 1.2 and TPM 2.0 chips. TPM manufacturers implement different protection mechanisms and behavior. The general guidance is for the TPM chip to take exponentially longer to respond if incorrect authorization values are sent to the TPM. Some TPM chips may not store failed attempts over time. Other TPM chips may store every failed attempt indefinitely. Therefore, some users may experience increasingly longer delays when they mistype an authorization value that is sent to the TPM. This can prevent them from using the TPM for a period of time. + If your TPM has entered lockout mode or is responding slowly to commands, you can reset the lockout value by using the following procedures. Resetting the TPM lockout requires the TPM owner’s authorization. + ## Reset the TPM lockout by using the TPM MMC + The following procedure explains the steps to reset the TPM lockout by using the TPM MMC. + **To reset the TPM lockout** + 1. Open the TPM MMC (tpm.msc). 2. In the **Action** pane, click **Reset TPM Lockout** to start the Reset TPM Lockout Wizard. 3. Choose one of the following methods to enter the TPM owner password: - If you saved your TPM owner password to a .tpm file, click **I have the owner password file**, and then type the path to the file, or click **Browse** to navigate to the file location. - If you want to manually enter your TPM owner password, click **I want to enter the owner password**, and then type the password in the text box provided. 
- **Note**   - If you enabled BitLocker and your TPM at the same time, and you printed your BitLocker recovery password when you turned on BitLocker, your TPM owner password may have printed with it. + + >**Note:**  If you enabled BitLocker and your TPM at the same time, and you printed your BitLocker recovery password when you turned on BitLocker, your TPM owner password may have printed with it.   ## Use Group Policy to manage TPM lockout settings + The TPM Group Policy settings in the following list are located at: + **Computer Configuration\\Administrative Templates\\System\\Trusted Platform Module Services\\** + - [Standard User Lockout Duration](trusted-platform-module-services-group-policy-settings.md#bkmk-individual) + This policy setting allows you to manage the duration in minutes for counting standard user authorization failures for TPM commands that require authorization. An authorization failure occurs each time a user sends a command to the TPM and receives an error message that indicates an authorization failure occurred. Authorization failures that are older than the duration you set are ignored. If the number of TPM commands with an authorization failure within the lockout duration equals a threshold, the user is prevented from sending commands to the TPM that require authorization. + - [Standard User Individual Lockout Threshold](trusted-platform-module-services-group-policy-settings.md#bkmk-tpmgp-suld) + This policy setting allows you to manage the maximum number of authorization failures for the TPM for each user. This value is the maximum number of authorization failures that each user can have before the user is not allowed to send commands to the TPM that require authorization. If the number of authorization failures equals the duration that is set for the policy setting, the user is prevented from sending commands to the TPM that require authorization. 
+ - [Standard User Total Lockout Threshold](trusted-platform-module-services-group-policy-settings.md#bkmk-total) + This policy setting allows you to manage the maximum number of authorization failures for the TPM for all standard users. If the total number of authorization failures for all users equals the duration that is set for the policy, all users are prevented from sending commands to the TPM that require authorization. + For information about mitigating dictionary attacks that use the lockout settings, see [TPM fundamentals](tpm-fundamentals.md#bkmk-howtpmmitigates). + ## Use the TPM cmdlets + If you are using Windows PowerShell to manage your computers, you can also manage the TPM by using Windows PowerShell. To install the TPM cmdlets, type the following command: + **dism /online /enable-feature /FeatureName:tpm-psh-cmdlets** + For details about the individual cmdlets, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx). + ## Additional resources -For more info about TPM, see [TPM technology overview](trusted-platform-module-overview.md#bkmk-additionalresources). -  -  + +For more info about TPM, see [TPM technology overview](trusted-platform-module-overview.md#bkmk-additionalresources). \ No newline at end of file diff --git a/windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md b/windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md new file mode 100644 index 0000000000..9eb59d5dc1 --- /dev/null +++ b/windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md 
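Review bot: In manage-tpm-lockout.md, the rewritten last line drops the file's trailing newline (the "\ No newline at end of file" marker appears only on the + side); keep a final newline so the next edit to this file does not produce a spurious one-line diff. Also worth picking up while editing this section: the install command in "Use the TPM cmdlets" is set in bold (**dism /online /enable-feature /FeatureName:tpm-psh-cmdlets**) rather than as a code span or fenced block, unlike the command in the new run-cmd-scan page; rendering it as code keeps it copyable and consistent.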
@@ -0,0 +1,53 @@ +--- +title: Run a scan from the command line in Windows Defender in Windows 10 (Windows 10) +description: IT professionals can run a scan using the command line in Windows Defender in Windows 10. +keywords: scan, command line, mpcmdrun, defender +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: mjcaparas +--- + +# Run a Windows Defender scan from the command line + +**Applies to:** + +- Windows 10 + +IT professionals can use a command-line utility to run a Windows Defender scan. + +The utility is available in _%Program Files%\Windows Defender\MpCmdRun.exe_ + +This utility can be handy when you want to automate the use of Windows Defender. + +**To run a full system scan from the command line** + +1. Click **Start**, type **cmd**, and press **Enter**. +2. Navigate to _%ProgramFiles%\Windows Defender_ and enter the following command, and press **Enter**: + +``` +C:\Program Files\Windows Defender\mpcmdrun.exe -scan -scantype 2 +``` +The full scan will start. When the scan completes, you'll see a message indicating that the scan is finished. + + +The utility also provides other commands that you can run: + +``` +MpCmdRun.exe [command] [-options] +``` + +Command | Description +:---|:--- +\- ? 
/ -h | Displays all available options for the tool +\-Scan [-ScanType #] [-File [-DisableRemediation] [-BootSectorScan]][-Timeout ] | Scans for malicious softare +\-Trace [-Grouping #] [-Level #]| Starts diagnostic tracing +\-GetFiles | Collects support information +\-RemoveDefinitions [-All] | Restores the installed signature definitions to a previous backup copy or to the original default set of signatures +\-AddDynamicSignature [-Path] | Loads a dyanmic signature +\-ListAllDynamicSignature [-Path] | Lists the loaded dynamic signatures +\-RemoveDynamicSignature [-SignatureSetID] | Removes a dynamic signature +\-EnableIntegrityServices | Enables integrity services +\-SubmitSamples | Submit all sample requests \ No newline at end of file diff --git a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md index 09251bb1f6..9199881438 100644 --- a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md @@ -38,7 +38,7 @@ If the endpoints aren't reporting correctly, you might need to check that the Wi **Check the onboarding state in Registry**: -1. Click **Start**, type **Run**, and press **Enter** +1. Click **Start**, type **Run**, and press **Enter**. 2. From the **Run** dialog box, type **regedit** and press **Enter**. diff --git a/windows/manage/TOC.md b/windows/manage/TOC.md index 64b224d198..621ce3f5ca 100644 --- a/windows/manage/TOC.md +++ b/windows/manage/TOC.md 
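Review bot: In the new run-cmd-scan-windows-defender-for-windows-10.md, the full-scan command will not run as written: `C:\Program Files\Windows Defender\mpcmdrun.exe -scan -scantype 2` has an unquoted space in the path, so cmd.exe will try to execute `C:\Program`. Since step 2 already has the reader change directory to _%ProgramFiles%\Windows Defender_, either drop the path (`mpcmdrun.exe -scan -scantype 2`) or quote it (`"C:\Program Files\Windows Defender\MpCmdRun.exe" -scan -scantype 2`). Related: the utility location is given as _%Program Files%\Windows Defender\MpCmdRun.exe_, but the variable is `%ProgramFiles%` with no space, as step 2 itself uses. In the command table, `[-File [-DisableRemediation] [-BootSectorScan]][-Timeout ]` looks as though the angle-bracketed argument placeholders after -File and -Timeout were swallowed as HTML (note the dangling space in `[-Timeout ]`); escape them or put the syntax line in backticks so the arguments show. Typos: "malicious softare" and "dyanmic signature". The file is also added without a trailing newline.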
@@ -4,6 +4,7 @@ ## [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) ## [Manage corporate devices](manage-corporate-devices.md) ### [New policies for Windows 10](new-policies-for-windows-10.md) +### [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md) ### [Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md) ### [Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md) ### [Introduction to configuration service providers (CSPs)](how-it-pros-can-use-configuration-service-providers.md) @@ -25,7 +26,6 @@ #### [Settings and quick actions that can be locked down in Windows 10 Mobile](settings-that-can-be-locked-down.md) #### [Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md) ### [Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md) -### [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md) ## [Join Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md) ## [Configure devices without MDM](configure-devices-without-mdm.md) ## [Windows 10 servicing options for updates and upgrades](introduction-to-windows-10-servicing.md) diff --git a/windows/manage/group-policies-for-enterprise-and-education-editions.md b/windows/manage/group-policies-for-enterprise-and-education-editions.md index ee2fd20508..5d5f71e9f1 100644 --- a/windows/manage/group-policies-for-enterprise-and-education-editions.md +++ b/windows/manage/group-policies-for-enterprise-and-education-editions.md 
@@ -16,4 +16,7 @@ In Windows 10, version 1511, the following Group Policies apply only to Windows | Policy name | Policy path | Comments | | - | - | - | -| Turn off the Store application | Computer Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application

User Configuration > Administrative Templates > Windows Components > Store > Turn off the Store | For more info, see [Knowledge Base article# 3135657](https://support.microsoft.com/en-us/kb/3135657). \ No newline at end of file +| Turn off the Store application | Computer Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application

User Configuration > Administrative Templates > Windows Components > Store > Turn off the Store | For more info, see [Knowledge Base article# 3135657](https://support.microsoft.com/en-us/kb/3135657). | +| Start layout | User Configuration\Administrative Templates\Start Menu and Taskbar | For more info, see [Manage Windows 10 Start layout options and policies](windows-10-start-layout-options-and-policies.md) | +| Force a specific default lock screen image | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](https://technet.microsoft.com/en-us/itpro/windows/whats-new/windows-spotlight) | + \ No newline at end of file diff --git a/windows/manage/lock-down-windows-10.md b/windows/manage/lock-down-windows-10.md index f0782128f5..142d9f3824 100644 --- a/windows/manage/lock-down-windows-10.md +++ b/windows/manage/lock-down-windows-10.md @@ -67,10 +67,7 @@ Enterprises often need to manage how people use corporate devices. Windows 10 p

[Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md)

There are two methods for resetting a Windows 10 Mobile device: factory reset and "wipe and persist" reset.

- -

[Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md)

-

New

- + diff --git a/windows/manage/manage-corporate-devices.md b/windows/manage/manage-corporate-devices.md index 227070a768..bbfa571b02 100644 --- a/windows/manage/manage-corporate-devices.md +++ b/windows/manage/manage-corporate-devices.md @@ -117,6 +117,8 @@ Microsoft Virtual Academy course: [System Center 2012 R2 Configuration Manager & [New policies for Windows 10](new-policies-for-windows-10.md) +[Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md) + [Changes to Group Policy settings for Start in Windows 10](changes-to-start-policies-in-windows-10.md) [Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md) diff --git a/windows/manage/windows-10-mobile-and-mdm.md b/windows/manage/windows-10-mobile-and-mdm.md index 076e220c88..a818238913 100644 --- a/windows/manage/windows-10-mobile-and-mdm.md +++ b/windows/manage/windows-10-mobile-and-mdm.md 
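Review bot: In group-policies-for-enterprise-and-education-editions.md, the new "Start layout" row writes its policy path with backslashes (`User Configuration\Administrative Templates\Start Menu and Taskbar`) while the other rows in the same column use " > " separators (`Computer Configuration > Administrative Templates > Control Panel > Personalization`); use one convention for the whole table. The hunk also ends the file with an added empty or whitespace-only line and no trailing newline; drop that line and keep a final newline.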
@@ -2,48 +2,74 @@ title: Windows 10 Mobile and mobile device management (Windows 10) description: This guide provides an overview of the mobile device and app management technologies in the Windows 10 Mobile operating system. ms.assetid: 6CAA1004-CB65-4FEC-9B84-61AAD2125E5E -ms.pagetype: mobile; devices -keywords: ["telemetry", "BYOD", "MDM"] +keywords: telemetry, BYOD, MDM ms.prod: W10 ms.mktglfcycl: manage ms.sitesec: library +ms.pagetype: mobile; devices author: AMeeus --- + # Windows 10 Mobile and mobile device management + **Applies to** - Windows 10 Mobile + This guide provides an overview of the mobile device and app management technologies in the Windows 10 Mobile operating system. It describes how mobile device management (MDM) systems use the built-in device management client to deploy, configure, maintain, and support phones and small tablets running Windows 10 Mobile. + Bring Your Own Device (BYOD—that is, personal devices) and corporate devices are key scenarios that Windows 10 Mobile MDM capabilities support. The operating system offers a flexible approach to registering devices with directory services and MDM systems, and IT organizations can provision comprehensive device-configuration profiles based on their company’s need to control and secure mobile business data. Windows 10 Mobile not only delivers more comprehensive, restrictive configuration settings than Windows Phone 8.1 did but also provides capabilities to deploy and manage apps built on the Universal Windows Platform (UWP). Companies can distribute apps directly from Windows Store or by using their MDM system. They can control and distribute custom line-of-business (LOB) apps the same way. + ## Overview + Organizations’ users increasingly depend on their mobile devices, but phones and tablets bring new and unfamiliar challenges for IT departments. 
IT must be able to deploy and manage mobile devices and apps quickly to support the business while balancing the growing need to protect corporate data because of evolving laws, regulations, and cybercrime. IT must ensure that the apps and data on those mobile devices are safe, especially on personal devices. Windows 10 Mobile helps organizations address these challenges by providing a robust, flexible, built-in MDM client. IT departments can use the MDM system of their choice to manage this client. + ### Built-in MDM client + The built-in MDM client is common to all editions of the Windows 10 operating system, including desktop, mobile, and Internet of Things (IoT). The client provides a single interface through which you can manage any device that runs Windows 10. The client has two important roles: device enrollment in an MDM system and device management. + - **Device enrollment.** Users can enroll in the MDM system. On Windows 10, a user can register a device with Microsoft Azure Active Directory (Azure AD) and enroll in an MDM system at the same time so that the system can manage the device, the apps running on it, and the confidential data it holds. Enrollment establishes the management authority for the device. Only one management authority (or MDM enrollment) is possible at a time, which helps prevent unauthorized access to devices and ensures their stability and reliability. - **Device management.** The MDM client allows the MDM system to configure policy settings; deploy apps and updates; and perform other management tasks, such as remotely wiping the device. The MDM system sends configuration requests and collects inventory through the MDM client. The client uses [configuration service providers (CSPs)](http://go.microsoft.com/fwlink/p/?LinkId=734049) to configure and inventory settings. A CSP is an interface to read, set, modify, or delete configuration settings on the device. These settings map to registry keys or files. 
(The security architecture of Windows 10 Mobile prevents direct access to registry settings and operating system files. For more information, see the [Windows 10 Mobile security guide](../keep-secure/windows-10-mobile-security-guide.md).) + The MDM client is an integral part of Windows 10 Mobile. As a result, there is no need for an additional, custom MDM app to enroll the device or to allow an MDM system to manage it. All MDM systems have equal access to Windows 10 Mobile MDM application programming interfaces (APIs), so you can choose Microsoft Intune or a third-party MDM product to manage Windows 10 Mobile devices. For more information about Windows 10 Mobile device management APIs, see [Mobile device management](http://go.microsoft.com/fwlink/p/?LinkId=734050). + ### Windows 10 Mobile editions + Every device that runs Windows 10 Mobile includes all the enterprise mobile device security and management capabilities the MDM client provides. Microsoft also offers an Enterprise edition of Windows 10 Mobile, which includes three additional capabilities. To enable these capabilities, you can provision a license file without reinstalling the operating system: + - **Ability to postpone software updates.**Windows 10 Mobile gets software updates directly from Windows Update, and you cannot curate updates prior to deployment. Windows 10 Mobile Enterprise, however, allows you to curate and validate updates prior to deploying them. - **No limit on the number of self-signed LOB apps that you can deploy to a single device.** To use an MDM system to deploy LOB apps directly to devices, you must cryptographically sign the software packages with a code signing certificate that your organization’s certificate authority (CA) generates. You can deploy a maximum of 20 self-signed LOB apps to a Windows 10 Mobile device, more than 20 if your organization’s devices run Windows 10 Mobile Enterprise. 
- **Set telemetry to security level.** The telemetry security level configures the operating system to gather only the telemetry information required to keep devices secured. -**Note**   -Your organization can opt to purchase a code signing certificate from Verisign to sign LOB apps or use [Windows Store for Business](windows-store-for-business.md) to obtain apps. With either method, you can distribute more than 20 apps to a single device without activating Windows 10 Mobile Enterprise on that device by using your MDM system. + +>**Note:**  Your organization can opt to purchase a code signing certificate from Verisign to sign LOB apps or use [Windows Store for Business](windows-store-for-business.md) to obtain apps. With either method, you can distribute more than 20 apps to a single device without activating Windows 10 Mobile Enterprise on that device by using your MDM system.   To activate Windows 10 Mobile Enterprise on any Windows 10 Mobile device, use your company’s MDM system or a provisioning package to inject a license onto the device. You can download a Windows 10 Mobile Enterprise license from the Business Support Portal. + ### Lifecycle management + Windows 10 Mobile supports end-to-end lifecycle device management to give companies control of their devices, data, and apps. Comprehensive MDM systems use the built-in MDM client to manage devices throughout their lifecycle, as Figure 1 illustrates. The remainder of this guide describes the operating system’s mobile device and app management capabilities through each phase of the lifecycle, showing how MDM systems use specific features. + ![figure 1](images/win10-mobile-mdm-fig1.png) + Figure 1. Device management lifecycle + ## Device deployment + Device deployment includes the initial registration and configuration of the device, including its enrollment with an MDM system. Sometimes, companies preinstall apps. 
The major factors in how you deploy devices and which controls you put in place are device ownership and how the user will use the device. This guide covers two scenarios: + 1. Companies allow users to personalize their devices because the users own the devices or because company policy doesn’t require tight controls (defined as *personal devices* in this guide). 2. Companies don’t allow users to personalize their devices or they limit personalization, usually because the organization owns the devices and security considerations are high (defined as *corporate devices* in this guide). + Often, employees can choose devices from a list of supported models, or companies provide devices that they preconfigure, or bootstrap, with a baseline configuration. + Microsoft recommends Azure AD Join and MDM enrollment and management for corporate devices and Azure AD Registration and MDM enrollment and management for personal devices. + ### Deployment scenarios + Most organizations support both personal and corporate device scenarios. The infrastructure for these scenarios is similar, but the deployment process and configuration policies differ. Table 1 describes characteristics of the personal and corporate device scenarios. Activation of a device with an organizational identity is unique to Windows 10 Mobile. + Table 1. Characteristics of personal and corporate device scenarios + @@ -75,10 +101,14 @@ Table 1. Characteristics of personal and corporate device scenarios
  ### Identity management + People can use only one account to activate a device, so it’s imperative that your organization control which account you enable first. The account you choose will determine who controls the device and influence your management capabilities. The following list describes the impact that users’ identities have on management (Table 2 summarizes these considerations): + - **Personal identity.** In this scenario, employees use their Microsoft account to activate the device. Then, they use their Azure AD account (organizational identity) to register the device in Azure AD and enroll it with the company’s MDM solution. You can apply policies to help protect and contain corporate apps and data on the devices, designed to prevent intellectual property leaks, but users keep full control over personal activities, such as downloading and installing apps and games. - **Organizational identity.** In this scenario, employees use their Azure AD account to register the device to Azure AD and automatically enroll it with the organization’s MDM solution. In this case, companies can block personal use of devices. Using organizational Identities to initialize devices gives organizations complete control over devices and allows them to prevent personalization. + Table 2. Personal vs. organizational identity + @@ -127,33 +157,45 @@ Table 2. Personal vs. organizational identity
  ### Infrastructure requirements + For both device scenarios, the essential infrastructure and tools required to deploy and manage Windows 10 Mobile devices include an Azure AD subscription and an MDM system. + Azure AD is a cloud-based directory service that provides identity and access management. You can integrate it with existing on-premises directories to create a hybrid solution. Azure AD has three editions: Free, Basic, and Premium (see [Azure Active Directory editions](http://go.microsoft.com/fwlink/p/?LinkId=723980)). All editions support Azure AD device registration, but the Premium edition is required to enable MDM auto-enrollment and conditional access based on device state. Organizations that use Microsoft Office 365 or Intune are already using Azure AD. -**Note**   -Most industry-leading MDM vendors already support integration with Azure AD or are working on integration. You can find the MDM vendors that support Azure AD in [Azure Marketplace](http://go.microsoft.com/fwlink/p/?LinkId=723981). + +>**Note:**  Most industry-leading MDM vendors already support integration with Azure AD or are working on integration. You can find the MDM vendors that support Azure AD in [Azure Marketplace](http://go.microsoft.com/fwlink/p/?LinkId=723981).   Users can enroll Windows 10 Mobile devices in third-party MDM systems without using an Azure AD organizational account. (By default, Intune uses Azure AD and includes a license). If your organization doesn’t use Azure AD, you must use a personal identity to activate devices and enable common scenarios, such as downloading apps from Windows Store. + Multiple MDM systems that support Windows 10 Mobile are available. Most support personal and corporate device deployment scenarios. Microsoft offers [Intune](http://go.microsoft.com/fwlink/p/?LinkId=723983), which is part of the [Enterprise Mobility Suite](http://go.microsoft.com/fwlink/p/?LinkId=723984) and a cloud-based MDM system that manages devices off premises. 
Like Office 365, Intune uses Azure AD for identity management, so employees use the same credentials to enroll devices in Intune or sign in to Office 365. Intune supports devices that run other operating systems, as well, such as iOS and Android, to provide a complete MDM solution. + You can also integrate Intune with System Center Configuration Manager to gain a single console in which to manage all devices—in the cloud and on premises. For more information, see [Manage Mobile Devices with Configuration Manager and Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkId=734051). For guidance on choosing between a stand-alone Intune installation and Intune integrated with Configuration Manager, see [Choose between Intune by itself or integrating Intune with System Center Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=723985). In addition to Intune, other MDM providers support Windows 10 Mobile. Currently, the following MDM systems claim to support Windows 10 and Windows 10 Mobile: [AirWatch](http://go.microsoft.com/fwlink/p/?LinkId=723986), [Citrix](http://go.microsoft.com/fwlink/p/?LinkId=723987), [Lightspeed Systems](http://go.microsoft.com/fwlink/p/?LinkId=723988), [Matrix42](http://go.microsoft.com/fwlink/p/?LinkId=723989), [MobileIron](http://go.microsoft.com/fwlink/p/?LinkId=723990), [SAP](http://go.microsoft.com/fwlink/p/?LinkId=723991), [SOTI](http://go.microsoft.com/fwlink/p/?LinkId=723992), and [Symantec](http://go.microsoft.com/fwlink/p/?LinkId=723993). + All MDM vendors have equal access to the [Windows 10 MDM APIs](http://go.microsoft.com/fwlink/p/?LinkId=734050). The extent to which they implement these APIs depends on the vendor. Contact your preferred MDM vendor to determine its level of support. -**Note**   -Although not covered in this guide, you can use Exchange ActiveSync (EAS) to manage mobile devices instead of using a full-featured MDM system. EAS is available in Microsoft Exchange Server 2010 or later and Office 365. 
+ +>**Note:**  Although not covered in this guide, you can use Exchange ActiveSync (EAS) to manage mobile devices instead of using a full-featured MDM system. EAS is available in Microsoft Exchange Server 2010 or later and Office 365. In addition, Microsoft recently added MDM capabilities powered by Intune to Office 365. MDM for Office 365 supports mobile devices only, such as those running Windows 10 Mobile, iOS, and Android. MDM for Office 365 offers a subset of the management capabilities found in Intune, including the ability to remotely wipe a device, block a device from accessing Exchange Server email, and configure device policies (for example, passcode requirements). For more information about MDM for Office 365 capabilities, see [Overview of Mobile Device Management for Office 365](http://go.microsoft.com/fwlink/p/?LinkId=734052).   ### Provisioning + Provisioning is new to Windows 10 and uses the MDM client in Windows 10 Mobile. You can create a runtime provisioning package to apply settings, profiles, and file assets to a device running Windows 10. To assist users with MDM system enrollment, use a provisioning package. To do so, use the [Windows Imaging and Configuration Designer](http://go.microsoft.com/fwlink/p/?LinkId=733911) to create a provisioning package, and then install that package on the device. Users can perform self-service MDM enrollment based on the following deployment scenarios: + - **Corporate device.** During the out-of-the-box experience (OOBE), you can instruct the user to select **This device is owned by my organization** and join the device to Azure AD and the MDM system. - **Personal device.** The user activates the device with a Microsoft account, but you can instruct him or her to register the device with Azure AD and enroll in Intune. To do so in Windows 10 Mobile, the user clicks, **Settings**, clicks **Accounts**, and then clicks **Work access**. 
To automate MDM enrollment, use provisioning packages as follows: - **Corporate device.** You can create a provisioning package and apply it to a corporate device before delivery to the user, or instruct the user to apply the package during OOBE. After application of the provisioning package, the OOBE process automatically chooses the enterprise path and requires the user to register the device with Azure AD and enroll it in the MDM system. - **Personal device.** You can create a provisioning package and make it available to users who want to enroll their personal device in the enterprise. The user enrolls the device in the corporate MDM for further configuration by applying the provisioning package. To do so in Windows 10 Mobile, the user clicks **Settings**, clicks **Accounts**, and then clicks **Provisioning**). + Distribute provisioning packages to devices by publishing them in an easily accessible location (e.g., an email attachment or a web page). You can cryptographically sign or encrypt provisioning packages and require that the user enter a password to apply them. + See [Build and apply a provisioning package](http://go.microsoft.com/fwlink/p/?LinkId=734054) for more information on creating provisioning packages. + ## Device configuration + The following sections describe the device configuration capabilities of the built-in Windows 10 Mobile MDM client. This client exposes the capabilities to any MDM system compatible with Windows 10. Configurable settings include: + - [Email accounts](#email) - [Account restrictions](#restrictions) - [Device lock restrictions](#device-lock) 
@@ -165,13 +207,17 @@ The following sections describe the device configuration capabilities of the bui - [Access point name (APN) profiles](#apn) - [Data leak prevention](#data) - [Storage management](#storage) -**Note**   -Although all the MDM settings this section describes are available in Windows 10 Mobile, not all MDM systems may show them in their user interface. In addition, naming may vary among MDM systems. Consult your MDM system’s documentation for more information. + +>**Note:**  Although all the MDM settings this section describes are available in Windows 10 Mobile, not all MDM systems may show them in their user interface. In addition, naming may vary among MDM systems. Consult your MDM system’s documentation for more information.   ### Email accounts + You can use your corporate MDM system to manage corporate email accounts. Define email account profiles in the MDM system, and then deploy them to devices. You would usually deploy these settings immediately after enrollment, regardless of scenario. + This capability extends to email systems that use EAS. Table 3 lists settings that you can configure in EAS email profiles. + Table 3. Windows 10 Mobile settings for EAS email profiles + | Setting | Description | |----------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | Email Address | The email address associated with the EAS account | 
@@ -191,7 +237,9 @@ Table 3. Windows 10 Mobile settings for EAS email profiles | Content Types | The content type that is synchronized (e.g., email, contacts, calendar, task items) |   Table 4 lists settings that you can configure in other email profiles. + Table 4. Windows 10 Mobile settings for other email profiles + | Setting | Description | |-------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------| | User logon name | The user logon name for the email account | 
@@ -224,21 +272,26 @@ Table 4. Windows 10 Mobile settings for other email profiles | Incoming and outgoing servers require SSL | A group of properties that specify whether the incoming and outgoing email servers use SSL |   ### Account restrictions + On a corporate device registered with Azure AD and enrolled in the MDM system, you can control whether users can use a Microsoft account or add other consumer email accounts. Table 5 lists the settings that you can use to manage accounts on Windows 10 Mobile devices. + Table 5. Windows 10 Mobile account management settings -| Setting | Description | -|-------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Allow Microsoft Account | Specifies whether users are allowed to add a Microsoft account to the device after MDM enrollment and use this account for connection authentication and services, such as purchasing apps in Windows Store, or cloud-based consumer services, such as Xbox or Groove. If a device was activated with a Microsoft account, the MDM system would not be able to block that account from being used. | -| Allow Adding Non Microsoft Accounts | Specifies whether users are allowed to add email accounts other than Microsoft accounts after MDM enrollment. If **Allow Microsoft Account** is applied, user can also not use a Microsoft account. | -| Allow “Your Account” | Specifies whether users are able to change account configuration in the **Your Email and Accounts** panel in Settings. 
| +| Setting | Description | +| - | -| +| Allow Microsoft Account | Specifies whether users are allowed to add a Microsoft account to the device after MDM enrollment and use this account for connection authentication and services, such as purchasing apps in Windows Store, or cloud-based consumer services, such as Xbox or Groove. If a device was activated with a Microsoft account, the MDM system would not be able to block that account from being used. | +| Allow Adding Non Microsoft Accounts | Specifies whether users are allowed to add email accounts other than Microsoft accounts after MDM enrollment. If **Allow Microsoft Account** is applied, user can also not use a Microsoft account. | +| Allow “Your Account” | Specifies whether users are able to change account configuration in the **Your Email and Accounts** panel in Settings.|   ### Device lock restrictions + It’s common sense to lock a device when it is not in use. Microsoft recommends that you secure Windows 10 Mobile devices and implement a device lock policy. A device password or PIN lock is a best practice for securing apps and data on devices. [Windows Hello](http://go.microsoft.com/fwlink/p/?LinkId=723994) is the name given to the new biometric sign-in option that allows users to use their face, iris, or fingerprints to unlock their compatible device, all of which Windows 10 supports. -**Note**   -In addition to the device lock restrictions discussed in this section, Windows 10 supports Microsoft Passport for Work, which lets you access apps and services without a password. + +>**Note:**  In addition to the device lock restrictions discussed in this section, Windows 10 supports Microsoft Passport for Work, which lets you access apps and services without a password.   Table 6 lists the MDM settings in Windows 10 Mobile that you can use to configure device lock restrictions. + Table 6. Windows 10 Mobile device lock restrictions + @@ -314,9 +367,10 @@ Table 6. Windows 10 Mobile device lock restrictions
  ### Hardware restrictions + Windows 10 Mobile devices use state-of-the-art technology that includes popular hardware features such as cameras, global positioning system (GPS) sensors, microphones, speakers, near-field communication (NFC) radios, storage card slots, USB interfaces, Bluetooth interfaces, cellular radios, and Wi-Fi. You can also use hardware restrictions to control the availability of these features. Table 7 lists the MDM settings that Windows 10 Mobile supports to configure hardware restrictions. -**Note**   -Some of these hardware restrictions provide connectivity and assist in data protection. Enterprise data protection is currently being tested in select customer evaluation programs. + +>**Note:**  Some of these hardware restrictions provide connectivity and assist in data protection. Enterprise data protection is currently being tested in select customer evaluation programs.   Table 7. Windows 10 Mobile hardware restrictions | Setting | Description | 
@@ -338,8 +392,11 @@ Table 7. Windows 10 Mobile hardware restrictions | Allow Location | Whether the device can use the GPS sensor or other methods to determine location so applications can use location information |   ### Certificate management + Managing certificates can be difficult for users, but certificates are pervasive for a variety of uses, including, account authentication, Wi-Fi authentication, VPN encryption, and SSL encryption of web content. Although users could manage certificates on devices manually, it’s a best practice to use your MDM system to manage those certificates for their entire life cycle, from enrollment through renewal to revocation. You can use the Simple Certificate Enrollment Protocol (SCEP) and Personal Information Exchange (PFX) certificates files to install certificates on Windows 10 Mobile. Certificate management through SCEP and MDM systems is fully transparent to users and requires no user intervention, so it helps improve user productivity and reduce support calls. Your MDM system can automatically deploy these certificates to the devices’ certificate stores after you enroll the device. Table 8 lists the SCEP settings that the MDM client in Windows 10 Mobile provides. + Table 8. Windows 10 Mobile SCEP certificate enrollment settings + | Setting | Description | |------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | Certificate enrollment server URLs | The certificate enrollment servers (to specify multiple server URLs, separate the URLs with semicolons \[;\]) | 
@@ -361,7 +418,9 @@ Table 8. Windows 10 Mobile SCEP certificate enrollment settings | Thumbprint | The current certificate thumbprint, if certificate enrollment succeeds |   In addition to SCEP certificate management, Windows 10 Mobile supports deployment of PFX certificates. Table 9 lists the Windows 10 Mobile PFX certificate deployment settings. + Table 9. Windows 10 Mobile PFX certificate deployment settings + | Setting | Description | |-----------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | Private key storage | Where to store the private key (in other words, the TPM, a software KSP, or the Microsoft Passport KSP) | @@ -373,8 +432,9 @@ Table 9. Windows 10 Mobile PFX certificate deployment settings | Thumbprint | The thumbprint of the installed PFX certificate |   Use the **Allow Manual Root Certificate Installation** setting to prevent users from manually installing root and intermediate CA certificates intentionally or accidently. -**Note**   -To diagnose certificate-related issues on Windows 10 Mobile devices, use the free [Certificates app](http://go.microsoft.com/fwlink/p/?LinkId=723996) in Windows Store. This Windows 10 Mobile app can help you: + +>**Note:**  To diagnose certificate-related issues on Windows 10 Mobile devices, use the free [Certificates app](http://go.microsoft.com/fwlink/p/?LinkId=723996) in Windows Store. This Windows 10 Mobile app can help you: + - View a summary of all personal certificates. - View the details of individual certificates. - View the certificates used for VPN, Wi-Fi, and email authentication. 
@@ -383,9 +443,13 @@ To diagnose certificate-related issues on Windows 10 Mobile devices, use the fr - View the certificate keys stored in the device TPM.   ### Wi-Fi + People use Wi-Fi on their mobile devices as much as or more than cellular data. Most corporate Wi-Fi networks require certificates and other complex information to restrict and secure user access. This advanced Wi-Fi information is difficult for typical users to configure, but you can use your MDM system to fully configure Wi-Fi settings without user intervention. + Table 10 lists the Windows 10 Mobile Wi-Fi connection profile settings. Use the information in this table to help you create Wi-Fi connection profiles in your MDM system. + Table 10. Windows 10 Mobile Wi-Fi connection profile settings + @@ -456,7 +520,9 @@ Table 10. Windows 10 Mobile Wi-Fi connection profile settings
  Table 11 lists the Windows 10 Mobile settings for managing Wi-Fi connectivity. + Table 11. Windows 10 Mobile Wi-Fi connectivity settings + | Setting | Configuration | |--------------------------------------------|----------------------------------------------------------------------------| | Allow Auto Connect To Wi-Fi Sense Hotspots | Whether the device will automatically detect and connect to Wi-Fi networks | @@ -465,12 +531,15 @@ Table 11. Windows 10 Mobile Wi-Fi connectivity settings | WLAN Scan Mode | How actively the device scans for Wi-Fi networks |   ### Proxy + Apps running on Windows 10 Mobile (for example, Microsoft Edge) can use proxy connections to access Internet content, but Wi-Fi connections on the corporate intranet most typically use proxy connections, instead. You can define multiple proxies in Windows 10 Mobile. -**Note**   -Windows 10 Mobile also supports proxy auto-configuration (PAC) files, which can automatically configure proxy settings. The Web Proxy Auto-Discovery Protocol (WPAD) lets apps use Dynamic Host Configuration Protocol and Domain Name System (DNS) lookups to locate the PAC file. + +>**Note:**  Windows 10 Mobile also supports proxy auto-configuration (PAC) files, which can automatically configure proxy settings. The Web Proxy Auto-Discovery Protocol (WPAD) lets apps use Dynamic Host Configuration Protocol and Domain Name System (DNS) lookups to locate the PAC file.   Table 12 lists the Windows 10 Mobile settings for proxy connections. + Table 12. Windows 10 Mobile proxy connection settings + @@ -538,14 +607,21 @@ Table 12. Windows 10 Mobile proxy connection settings
  ### VPN -In addition to Wi-Fi, users often use a VPN to securely access apps and resources on their company’s intranet behind a firewall. Windows 10 Mobile supports several VPN vendors in addition to native Microsoft VPNs (such as Point to Point Tunneling Protocol \[PPTP\], Layer 2 Tunneling Protocol \[L2TP\], and Internet Key Exchange Protocol version 2 \[IKEv2\]), including: + +In addition to Wi-Fi, users often use a VPN to securely access apps and resources on their company’s intranet behind a firewall. Windows 10 Mobile supports several VPN vendors in addition to native Microsoft VPNs (such as Point to Point Tunneling Protocol \[PPTP\], Layer 2 Tunneling Protocol \ +[L2TP\], and Internet Key Exchange Protocol version 2 \[IKEv2\]), including: + - IKEv2 - IP security - SSL VPN connections (which require a downloadable plug-in from the VPN server vendor) + You can configure Windows 10 Mobile to use auto-triggered VPN connections, as well. You define a VPN connection for each app that requires intranet connectivity. When users switch between apps, the operating system automatically establishes the VPN connection for that app. In the event the device drops the VPN connection, Windows 10 Mobile automatically reconnects to the VPN without user intervention. + With always-on VPN, Windows 10 Mobile can automatically start a VPN connection when a user signs-in, as well. The VPN stays connected until the user manually disconnects it. MDM support for VPN connections in Windows 10 Mobile includes provisioning and updating VPN connection profiles and associating VPN connections with apps. You can create and provision VPN connection profiles, and then deploy them to managed devices that run Windows 10 Mobile. Table 13 lists the Windows 10 Mobile fields for VPN connection profiles. + Table 13. Windows 10 Mobile VPN connection profile settings + @@ -680,7 +756,9 @@ Table 13. Windows 10 Mobile VPN connection profile settings
  Table 14 lists the Windows 10 Mobile settings for managing VPN connections. These settings help you manage VPNs over cellular data connections, which in turn help reduce costs associated with roaming or data plan charges. + Table 14. Windows 10 Mobile VPN management settings + | Setting | Description | |--------------------------------------|---------------------------------------------------------------------------------| | Allow VPN | Whether users can change VPN settings | @@ -688,10 +766,15 @@ Table 14. Windows 10 Mobile VPN management settings | Allow VPN Over Cellular when Roaming | Whether users can establish VPN connections over cellular networks when roaming |   ### APN profiles + An APN defines network paths for cellular data connectivity. Typically, you define just one APN for a device in collaboration with a mobile operator, but you can define multiple APNs if your company uses multiple mobile operators. + An APN provides a private connection to the corporate network that is unavailable to other companies on the mobile operator network. Corporations in Europe and the Asia-Pacific use APNs, but they are not common in the United States. + You can define and deploy APN profiles in MDM systems that configure cellular data connectivity for Windows 10 Mobile. Devices running Windows 10 Mobile can have only one APN profile. Table 15 lists the MDM settings that Windows 10 Mobile supports for APN profiles. + Table 15. Windows 10 Mobile APN profile settings + @@ -753,8 +836,12 @@ Table 15. Windows 10 Mobile APN profile settings
  ### Data leak protection -Some user experiences can risk corporate data stored on corporate devices. For example, allowing users to copy and paste information out of the organization’s LOB app can put data at risk. To mitigate the risk, you can restrict the Windows 10 Mobile user experience to help protect corporate data and prevent data leaks. For example, you can prevent settings synchronization, copy-and-paste operations, and screen captures. Table 16 lists the MDM settings in Windows 10 Mobile that you can use to help prevent data leaks. + +Some user experiences can risk corporate data stored on corporate devices. For example, allowing users to copy and paste information out of the organization’s LOB app can put data at risk. To mitigate the risk, you can restrict the Windows 10 Mobile user experience to help protect corporate data +and prevent data leaks. For example, you can prevent settings synchronization, copy-and-paste operations, and screen captures. Table 16 lists the MDM settings in Windows 10 Mobile that you can use to help prevent data leaks. + Table 16. Windows 10 Mobile data leak protection settings + | Setting | Description | |----------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | Allow copy and paste | Whether users can copy and paste content | 
@@ -769,13 +856,19 @@ Table 16. Windows 10 Mobile data leak protection settings | Allow voice recording | Whether users are allowed to perform voice recordings. |   ### Storage management + Protecting the apps and data stored on a device is critical to device security. One method for helping protect your apps and data is to encrypt internal device storage by using the device encryption in Windows 10 Mobile. This encryption helps protect corporate data against unauthorized access, even when an unauthorized user has physical possession of the device. + A feature in Windows 10 Mobile is the ability to install apps on a secure digital (SD) card. The operating system stores apps on a partition specifically designated for that purpose. This feature is always on, so you don’t need to set a policy explicitly to enable it. The SD card is uniquely paired with a device. No other devices can see the apps or data on the encrypted partition, but they can access the data stored on the unencrypted partition of the SD card, such as music or photos. You can disable the **Allow Storage Card** setting to prevent users from using SD cards altogether, but the primary advantage of the SD card app partition–encryption feature is that organizations can give users the flexibility to use an SD card while still protecting the confidential apps and data on it. + If you don’t encrypt storage, you can help protect your corporate apps and data by using the **Restrict app data to the system volume** and **Restrict apps to the system volume** settings. They help ensure that users cannot copy your apps and data to SD cards. + Table 17 lists the MDM storage-management settings that Windows 10 Mobile provides. + Table 17. Windows 10 Mobile storage management settings + @@ -826,33 +919,52 @@ Table 17. Windows 10 Mobile storage management settings
  ## App management + Apps help improve user productivity on mobile devices. New to Windows 10 is the ability for organizations purchase apps from Windows Store for their employees and deploy those apps from Windows Store or an MDM system. App management is becoming a key capability of MDM systems, helping reduce the effort required to perform common app-related tasks, such as distributing apps, and protecting data through app policies. This section describes the app management features in Windows 10 Mobile and includes the following topics: + - [Universal Windows Platform (UWP)](#uwp) - [Sourcing the right app](#sourcing) - [Windows Store for Business](#store) - [Mobile application management (MAM) policies](#mam) - [Microsoft Edge](#edge) + ### Universal Windows Platform + Windows 10 introduces UWP, converging the application platform for all devices running some edition of Windows 10. UWP apps run without modification on all editions of Windows 10, and Windows Store now has apps that you can license and purchased for all your Windows 10 devices. Windows Phone 8.1 and Windows 8.1 apps still run on Windows 10 devices, but the MAM improvements in Windows 10 work only with UWP apps. See the [Guide to Universal Windows Platform (UWP) apps](http://go.microsoft.com/fwlink/p/?LinkId=734056) for additional information. + ### Sourcing the right app + The first step in app management is to obtain the apps your users need, and you can now acquire apps from Windows Store. Developers can also create apps specific to an organization, known as *line-of-business (LOB) apps* (the developers of these apps are *LOB publishers*). An LOB developer (internal or external) can now publish these apps to Windows Store at your request, or you can obtain the app packages offline and distribute them through your MDM system. + To install Windows Store or LOB apps, use the Windows Store cloud service or your MDM system to distribute the app packages. 
Your MDM system can deploy apps online by redirecting the user to a licensed app in Windows Store or offline by distributing a package that you downloaded from Windows Store (also called *sideloading*) on Windows 10 Mobile devices. You can fully automate the app deployment process so that no user intervention is required. + IT administrators can obtain apps through Store for Business. Most apps can be distributed online, meaning that the user must be logged in to the device with an Azure AD account and have Internet access at the time of installation. To distribute an app offline, the developer must opt in. If the app developer doesn’t allow download of the app from Windows Store, then you must obtain the files directly from the developer or use the online method. See [Windows Store for Business](windows-store-for-business.md) for additional information about apps obtained through Store for Business. Windows Store apps are automatically trusted. For custom LOB apps developed internally or by a trusted software vendor, ensure that the device trusts the app signing certificate. There are two ways to establish this trust: use a signing certificate from a trusted source, or generate your own signing certificate and add your chain of trust to the trusted certificates on the device. You can install up to 20 self-signed apps on a Windows 10 Mobile device. When you purchase a signing certificate from a public CA, you can install more than 20 apps on a device, although you can install more than 20 self-signed apps per device with [Windows 10 Mobile Enterprise](#mobile-edition). + Users can install apps from Windows Store that the organization purchases through the Store app on their device. If you allow your users to log in with a Microsoft account, the Store app on the device provides a unified method for installing personal and corporate apps. 
+ ### Store for Business + [Windows Store for Business](http://go.microsoft.com/fwlink/p/?LinkId=722910) is a web portal that IT pros and purchasers use to find, acquire, manage, and distribute apps to Windows 10 devices. This online portal gives Azure AD authenticated managers access to Store for Business functionality and settings. Store managers can create a private section of Windows Store in which organizations can manage apps specific and private to them. Store for Business allows organizations to make apps available to their users and purchase app licenses for them. They can also integrate their Store for Business subscriptions with their MDM systems, so the MDM system can deploy apps from their free Store for Business subscription. + The process for using Store for Business is as follows: + 1. Create a Store for Business subscription for your organization. 2. In the Store for Business portal, acquire apps from Windows Store (only free apps are available at this time). 3. In Store for Business, distribute apps to users, and manage the app licenses for the apps acquired in the previous step. 4. Integrate your MDM system with your organization’s Store for Business subscription. 5. Use your MDM system to deploy the apps. + For more information about Store for Business, see [Windows Store for Business](windows-store-for-business.md). + ### Mobile application management (MAM) policies + With MDM, you can manage Device Guard on Windows 10 Mobile and create an allow (whitelist) or deny (blacklist) list of apps. This capability extends to built-in apps, as well, such as phone, text messaging, email, and calendar. The ability to allow or deny apps helps to ensure that people use their mobile devices for their intended purposes. + You can also control users’ access to Windows Store and whether the Store service updates apps automatically. You can manage all these capabilities through your MDM system. Table 18 lists the Windows 10 Mobile app management settings. 
+ Table 18. Windows 10 Mobile app management settings + | Setting | Description | |------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | Allow All Trusted Apps | Whether users can sideload apps on the device | @@ -868,9 +980,13 @@ Table 18. Windows 10 Mobile app management settings | Start screen layout | An XML blob used to configure the Start screen (See [Start layout for Windows 10 Mobile editions](http://go.microsoft.com/fwlink/p/?LinkId=734057) for more information.) |   One potential security issue is that users can register as Windows 10 Mobile app developers and turn on developer features on their device, potentially installing apps from unknown sources and opening the device to malware threats. To prevent users from turning on developer features on their devices, set the **Disable development unlock (side loading)** policy, which you can configure through your MDM system. + ### Microsoft Edge + MDM systems give you the ability to manage Microsoft Edge on mobile devices. Table 19 lists the Microsoft Edge settings for Windows 10 Mobile. + Table 19. Microsoft Edge settings for Windows 10 Mobile + | Setting | Description | |-------------------------------------------------|-------------------------------------------------------------------------------------------------------| | Allow Active Scripting | Whether active scripting is allowed | 
@@ -886,16 +1002,24 @@ Table 19. Microsoft Edge settings for Windows 10 Mobile | Prevent Smart Screen Prompt Override For Files | Whether users can override the SmartScreen Filter warnings about downloading unverified files |   ## Device operations + In this section, you learn how MDM settings in Windows 10 Mobile enable the following scenarios: + - [Device update](#device-update) - [Device compliance monitoring](#device-comp) - [Device inventory](#data-inv) - [Remote assistance](#remote-assist) - [Cloud services](#cloud-serv) + ### Device update + To help protect mobile devices and their data, you must keep those devices updated. Windows Update automatically installs updates and upgrades when they become available. -The device update features described in this section are available only in [Windows 10 Mobile Enterprise](#mobile-edition). You can use your MDM system to postpone system upgrades when you activate an Enterprise license on managed Windows 10 Mobile devices and control how updates and upgrades are applied. For example, you can disable updates altogether, defer updates and upgrades, and schedule the day and time to install updates, as you would with Windows Server Update Services (WSUS) on Windows 10 desktops running the [Current Branch for Business](introduction-to-windows-10-servicing.md). Table 20 lists the Windows 10 Mobile Enterprise settings that you can use to configure updates and upgrades. + +The device update features described in this section are available only in [Windows 10 Mobile Enterprise](#mobile-edition). You can use your MDM system to postpone system upgrades when you activate an Enterprise license on managed Windows 10 Mobile devices and control how updates and upgrades are applied. 
For example, you can disable updates altogether, defer updates and upgrades, and schedule the day and time to install updates, as you would with Windows Server Update Services (WSUS) on Windows 10 desktops running the [Current Branch for Business](introduction-to-windows-10-servicing.md). +Table 20 lists the Windows 10 Mobile Enterprise settings that you can use to configure updates and upgrades. + Table 20. Windows 10 Mobile Enterprise update management settings + @@ -968,7 +1092,9 @@ Table 20. Windows 10 Mobile Enterprise update management settings
  In addition to configuring how Windows 10 Mobile Enterprise obtains updates, you can manage individual Windows 10 Mobile updates. Table 21 provides information about approved updates to help you control the rollout of new updates to Windows 10 Mobile Enterprise devices. + Table 21. Windows 10 Mobile Enterprise approved update information + @@ -1025,25 +1151,36 @@ Table 21. Windows 10 Mobile Enterprise approved update information
  + ### Device compliance monitoring + You can use your MDM system to monitor compliance. Windows 10 Mobile provides audit information to track issues or perform remedial actions. This information helps you ensure that devices are configured to comply with organizational standards. + You can also assess the health of devices that run Windows 10 Mobile and take enterprise policy actions. The process that the health attestation feature in Windows 10 Mobile uses is as follows: + 1. The health attestation client collects data used to verify device health. 2. The client forwards the data to the Health Attestation Service (HAS). 3. The HAS generates a Health Attestation Certificate. 4. The client forwards the Health Attestation Certificate and related information to the MDM system for verification. + For more information about health attestation in Windows 10 Mobile, see the [Windows 10 Mobile security guide](../keep-secure/windows-10-mobile-security-guide.md). + Depending on the results of the health state validation, an MDM system can take one of the following actions: + - Allow the device to access resources. - Allow the device to access resources but identify the device for further investigation. - Prevent the device from accessing resources. + Table 21 lists data points that the HAS collects and evaluates from devices that run Windows 10 Mobile to determine the action to perform. For most of these data points, the MDM system can take one of the following actions: + - Disallow all access. - Disallow access to high-business-impact assets. - Allow conditional access based on other data points that are present at evaluation time—for example, other attributes on the health certificate or a device’s past activities and trust history. - Take one of the previous actions, and also place the device on a watch list to monitor it more closely for potential risks. - Take corrective action, such as informing IT administrators to contact the owner and investigate the issue. 
+ Table 21. Windows 10 Mobile HAS data points + | Data point | Description | |----------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | Attestation Identity Key (AIK) present | Indicates that an AIK is present (in other words, the device can be trusted more than a device without an AIK). | 
@@ -1062,38 +1199,46 @@ Table 21. Windows 10 Mobile HAS data points | Boot cycle whitelist | The view of the host platform between boot cycles as defined by the manufacturer compared to a published whitelist. A device that complies with the whitelist is more trustworthy (secure) than a device that is noncompliant. |   ### Device inventory + Device inventory helps organizations better manage devices because it provides in-depth information about those devices. MDM systems collect inventory information remotely, and you can use the system’s reporting capabilities to analyze device resources and information. With this information, you can determine the current hardware and software resources of the device (for example, installed updates). + Table 22 lists examples of the Windows 10 Mobile software and hardware information that a device inventory provides. In addition to this information, the MDM system can read any of the configuration settings described in this guide. + Table 22. Windows 10 Mobile software and hardware inventory examples -| Setting | Description | -|----------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Installed enterprise apps | List of the enterprise apps installed on the device | -| Device name | The device name configured for the device | -| Firmware version | Version of firmware installed on the device | -| Operating system version | Version of the operating system installed on the device | -| Device local time | Local time on the device | -| Processor type | Processor type for the device | -| Device model | Model of the device as defined by the manufacturer | -| Device manufacturer | Manufacturer of the device | -| Device processor architecture | Processor architecture for 
the device | -| Device language | Language in use on the device | -| Phone number | Phone number assigned to the device | -| Roaming status | Indicates whether the device has a roaming cellular connection | -| International mobile equipment identity (IMEI) and international mobile subscriber identity (IMSI) | Unique identifiers for the cellular connection for the phone; Global System for Mobile Communications networks identify valid devices by using the IMEI, and all cellular networks use the IMSI to identify the device and user | -| Wi-Fi IP address | IPv4 and IPv6 addresses currently assigned to the Wi-Fi adapter in the device | -| Wi-Fi media access control (MAC) address | MAC address assigned to the Wi-Fi adapter in the device | -| Wi-Fi DNS suffix and subnet mask | DNS suffix and IP subnet mask assigned to the Wi-Fi adapter in the device | -| Secure Boot state | Indicates whether Secure Boot is enabled | -| Enterprise encryption policy compliance | Indicates whether the device is encrypted | + +| Setting | Description | +| - | - | +| Installed enterprise apps | List of the enterprise apps installed on the device | +| Device name | The device name configured for the device | +| Firmware version | Version of firmware installed on the device | +| Operating system version | Version of the operating system installed on the device | +| Device local time | Local time on the device | +| Processor type | Processor type for the device | +| Device model | Model of the device as defined by the manufacturer | +| Device manufacturer | Manufacturer of the device | +| Device processor architecture | Processor architecture for the device | +| Device language | Language in use on the device | +| Phone number | Phone number assigned to the device | +| Roaming status | Indicates whether the device has a roaming cellular connection | +| International mobile equipment identity (IMEI) and international mobile subscriber identity (IMSI) | Unique identifiers for the cellular 
connection for the phone; Global System for Mobile Communications networks identify valid devices by using the IMEI, and all cellular networks use the IMSI to identify the device and user | | IPv4 and IPv6 addresses currently assigned to the Wi-Fi adapter in the device | +| Wi-Fi media access control (MAC) address | MAC address assigned to the Wi-Fi adapter in the device | +| Wi-Fi DNS suffix and subnet mask | DNS suffix and IP subnet mask assigned to the Wi-Fi adapter in the device | +| Secure Boot state | Indicates whether Secure Boot is enabled | +| Enterprise encryption policy compliance | Indicates whether the device is encrypted |   ### Remote assistance + The remote assistance features in Windows 10 Mobile help resolve issues that users might encounter even when the help desk does not have physical access to the device. These features include: + - **Remote lock.** Support personnel can remotely lock a device. This ability can help when a user loses his or her mobile device and can retrieve it but not immediately (for example, leaving the device at a customer site). - **Remote PIN reset.** Support personnel can remotely reset the PIN, which helps when users forget their PIN and are unable to access their device. No corporate or user data is lost, and users are able to gain access to their devices quickly. - **Remote ring.** Support personnel can remotely make devices ring. This ability can help users locate misplaced devices and, in conjunction with the Remote Lock feature, help ensure that unauthorized users are unable to access the device if they find it. - **Remote find.** Support personnel can remotely locate a device on a map, which helps identify the geographic location of the device. To configure Windows 10 Mobile remote find, use the settings in Table 23. The remote find feature returns the most current latitude, longitude, and altitude of the device. 
+ These remote management features help organizations reduce the IT effort required to manage devices. They also help users quickly regain use of their device should they misplace it or forget the device password. + Table 23. Windows 10 Mobile remote find settings + | Setting | Description | |---------------------------|---------------------------------------------------------------------------------------------------------------------------------| | Desired location accuracy | The desired accuracy as a radius value in meters; has a value between 1 and 1,000 meters | 
@@ -1101,37 +1246,49 @@ Table 23. Windows 10 Mobile remote find settings | Remote find timeout | The number of seconds devices should wait for a remote find to finish; has a value between 0 and 1,800 seconds |   ### Cloud services + On mobile devices that run Windows 10 Mobile, users can easily connect to apps and data. As a result, they frequently connect to cloud services that provide user notifications and collect telemetry (usage data). Windows 10 Mobile enables organizations to manage how devices consume these cloud services. + **Manage push notifications** + The Windows Push Notification Services enable software developers to send toast, tile, badge, and raw updates from their cloud services. It provides a mechanism to deliver updates to users in a power-efficient and dependable way. Push notifications can affect battery life, however, so the battery saver in Windows 10 Mobile limits background activity on the devices to extend battery life. Users can configure battery saver to turn on automatically when the battery drops below a set threshold. When battery saver is on, Windows 10 Mobile disables the receipt of push notifications to save energy. + There is an exception to this behavior, however. In Windows 10 Mobile, the **Always allowed** battery saver settings (found in the Settings app) allow apps to receive push notifications even when battery saver is on. Users can manually configure this list, or you can use the MDM system to configure it—that is, you can use the battery saver settings URI scheme in Windows 10 Mobile (**ms-settings:batterysaver-settings**) to configure these settings. For more information about push notifications, see [Windows Push Notification Services (WNS) overview](http://go.microsoft.com/fwlink/p/?LinkId=734060). + **Manage telemetry** + As people use Windows 10 Mobile, it can collect performance and usage telemetry that helps Microsoft identify and troubleshoot problems as well as improve its products and services. 
Microsoft recommends that you select **Full** for this setting. Microsoft employees, contractors, vendors, and partners might have access to relevant portions of the information that Windows 10 Mobile collects, but they are permitted to use the information only to repair or improve Microsoft products and services or third-party software and hardware designed for use with Microsoft products and services. + You can control the level of data that MDM systems collect. Table 24 lists the data levels that Windows 10 Mobile collects and provides a brief description of each. To configure devices, specify one of these levels in the **Allow Telemetry** setting. Table 24. Windows 10 Mobile data collection levels -| Level of data | Description | -|---------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Security | Collects only the information required to keep Windows 10 Mobile enterprise-grade secure, including information about telemetry client settings, the Malicious Software Removal Tool, and Windows Defender. This level is available only on Windows 10 Enterprise, Windows 10 Education, and Windows 10 IoT Core. For Windows 10 Mobile, this setting disables Windows 10 Mobile telemetry. | +| Level of data | Description | +|- | - | +| Security | Collects only the information required to keep Windows 10 Mobile enterprise-grade secure, including information about telemetry client settings, the Malicious Software Removal Tool, and Windows Defender. 
This level is available only on Windows 10 Enterprise, Windows 10 Education, and Windows 10 IoT Core. For Windows 10 Mobile, this setting disables Windows 10 Mobile telemetry. | | Basic | Provides only the data vital to the operation of Windows 10 Mobile. This data level helps keep Windows 10 Mobile and apps running properly by letting Microsoft know the device’s capabilities, what’s installed, and whether Windows is operating correctly. This option also turns on basic error reporting back to Microsoft. By selecting this option, you allow Microsoft to provide updates through Windows Update, including malicious software protection through the Malicious Software Removal Tool. | | Enhanced | Includes all Basic data plus data about how users use Windows 10 Mobile, such as how frequently or how long they use certain features or apps and which apps they use most often. This option also lets operating system collect enhanced diagnostic information, such as the memory state of a device when a system or app crash occurs, and measure reliability of devices, the operating system, and apps. | | Full | Includes all Basic and Enhanced data and also turns on advanced diagnostic features that collect additional data from devices, such as system files or memory snapshots, which may unintentionally include parts of documents user are working on when a problem occurred. This information helps Microsoft further troubleshoot and fix problems. If an error report contains personal data, Microsoft does not use that information to identify, contact, or target advertising to users. |   ## Device retirement + Device retirement (unenrollment) is the last phase of the device life cycle. Historically, mobile device retirement has been a complex and difficult process for organizations. When the organization no longer needs devices, it must remove (wipe) corporate data from them. 
BYOD scenarios make retirement even more complex because users expect their personal apps and data to remain untouched. Therefore, organizations must remove their data without affecting users’ data. + You can remotely remove all corporate data from devices that run Windows 10 Mobile without affecting existing user data (partial or enterprise wipe). The help desk or the devices’ users can initiate device retirement. When retirement is complete, Windows 10 Mobile returns the devices to a consumer state, as they were before enrollment. The following list summarizes the corporate data removed from a device when it’s retired: + - Email accounts - Enterprise-issued certificates - Network profiles - Enterprise-deployed apps - Any data associated with the enterprise-deployed apps -**Note**   -All these features are in addition to the device’s software and hardware factory reset features, which users can use to restore devices to their factory configuration. + +>**Note:**  All these features are in addition to the device’s software and hardware factory reset features, which users can use to restore devices to their factory configuration.   To specify whether users can delete the workplace account in Control Panel and unenroll from the MDM system, enable the **Allow Manual MDM Unenrollment** setting. Table 25 lists additional Windows 10 remote wipe settings that you can use the MDM system to configure. + Table 25. Windows 10 Mobile remote wipe settings + | Setting | Description | |-------------------------------|----------------------------------------------------------------------------------------------------------------------| | Wipe | Specifies that a remote wipe of the device should be performed | 
@@ -1139,9 +1296,8 @@ Table 25. Windows 10 Mobile remote wipe settings | Allow user to reset phone | Whether users are allowed to use Control Panel or hardware key combinations to return the device to factory defaults |   ## Related topics -[Mobile device management](http://go.microsoft.com/fwlink/p/?LinkId=734050) -[Enterprise Mobility Suite](http://go.microsoft.com/fwlink/p/?LinkId=723984) -[Overview of Mobile Device Management for Office 365](http://go.microsoft.com/fwlink/p/?LinkId=734052) -[Windows Store for Business](http://go.microsoft.com/fwlink/p/?LinkId=722910) -  -  + +- [Mobile device management](http://go.microsoft.com/fwlink/p/?LinkId=734050) +- [Enterprise Mobility Suite](http://go.microsoft.com/fwlink/p/?LinkId=723984) +- [Overview of Mobile Device Management for Office 365](http://go.microsoft.com/fwlink/p/?LinkId=734052) +- [Windows Store for Business](http://go.microsoft.com/fwlink/p/?LinkId=722910) diff --git a/windows/plan/act-community-ratings-and-process.md b/windows/plan/act-community-ratings-and-process.md index 90c94ca481..6d28ac6493 100644 --- a/windows/plan/act-community-ratings-and-process.md +++ b/windows/plan/act-community-ratings-and-process.md @@ -2,9 +2,10 @@ title: ACT Community Ratings and Process (Windows 10) description: The Application Compatibility Toolkit (ACT) Community uses the Microsoft® Compatibility Exchange to share compatibility ratings between all registered ACT Community members. ms.assetid: be6c8c71-785b-4adf-a375-64ca7d24e26c -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan ms.sitesec: library +ms.pagetype: appcompat author: TrudyHa --- diff --git a/windows/plan/act-database-configuration.md b/windows/plan/act-database-configuration.md index 528cd9a8e2..dc8103e03e 100644 --- a/windows/plan/act-database-configuration.md +++ b/windows/plan/act-database-configuration.md 
@@ -2,8 +2,9 @@ title: ACT Database Configuration (Windows 10) description: The Application Compatibility Toolkit (ACT) uses a Microsoft® SQL Server® database for storing and sharing compatibility issue data. ms.assetid: 032bbfe0-86fa-48ff-b638-b9d6a908c45e -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/act-database-migration.md b/windows/plan/act-database-migration.md index 38d1886347..4b4009c05e 100644 --- a/windows/plan/act-database-migration.md +++ b/windows/plan/act-database-migration.md @@ -2,8 +2,9 @@ title: ACT Database Migration (Windows 10) description: The schema for an ACT database can change when ACT is updated or when a new version of ACT is released. ms.assetid: b13369b4-1fb7-4889-b0b8-6d0ab61aac3d -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/act-deployment-options.md b/windows/plan/act-deployment-options.md index bf817c11b1..32bb1e10f0 100644 --- a/windows/plan/act-deployment-options.md +++ b/windows/plan/act-deployment-options.md @@ -2,8 +2,9 @@ title: ACT Deployment Options (Windows 10) description: While planning your deployment of the Application Compatibility Toolkit (ACT), consider which computers you want running the various tools, packages, and services for ACT. ms.assetid: 90d56dd8-8d57-44e8-bf7a-29aabede45ba -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/act-glossary.md b/windows/plan/act-glossary.md index ed5fb09904..87b42aab6e 100644 --- a/windows/plan/act-glossary.md +++ b/windows/plan/act-glossary.md 
@@ -2,8 +2,9 @@ title: ACT Glossary (Windows 10) description: The following table lists terms and definitions used by the Application Compatibility Toolkit (ACT). ms.assetid: 984d1cce-c1ac-4aa8-839a-a23e15da6f32 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/act-lps-share-permissions.md b/windows/plan/act-lps-share-permissions.md index f9299c2fed..f2496dc915 100644 --- a/windows/plan/act-lps-share-permissions.md +++ b/windows/plan/act-lps-share-permissions.md @@ -2,8 +2,9 @@ title: ACT LPS Share Permissions (Windows 10) description: To upload log files to the ACT Log Processing Service (LPS) share, certain permissions must be set at the share level and folder level. ms.assetid: 51f6ddf7-f424-4abe-a0e0-71fe616f9e84 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/act-operatingsystem-application-report.md b/windows/plan/act-operatingsystem-application-report.md index ef3cee87c4..3c0f49d348 100644 --- a/windows/plan/act-operatingsystem-application-report.md +++ b/windows/plan/act-operatingsystem-application-report.md @@ -2,8 +2,9 @@ title: OperatingSystem - Application Report (Windows 10) description: This section describes the compatibility reports in Application Compatibility Manager (ACM) and how you can work with the reports. ms.assetid: 9721485b-6092-4974-8cfe-c84472237a57 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/act-operatingsystem-computer-report.md b/windows/plan/act-operatingsystem-computer-report.md index 4a49ff56db..3547b28c17 100644 --- a/windows/plan/act-operatingsystem-computer-report.md +++ b/windows/plan/act-operatingsystem-computer-report.md 
@@ -2,8 +2,9 @@ title: OperatingSystem - Computer Report (Windows 10) ms.assetid: ed0a56fc-9f2a-4df0-8cef-3a09d6616de8 description: -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/act-operatingsystem-device-report.md b/windows/plan/act-operatingsystem-device-report.md index e4be3521b9..67e74536c6 100644 --- a/windows/plan/act-operatingsystem-device-report.md +++ b/windows/plan/act-operatingsystem-device-report.md @@ -2,8 +2,9 @@ title: OperatingSystem - Device Report (Windows 10) ms.assetid: 8b5a936f-a92e-46a7-ac44-6edace262355 description: -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/act-product-and-documentation-resources.md b/windows/plan/act-product-and-documentation-resources.md index 54cb4635de..02677af71d 100644 --- a/windows/plan/act-product-and-documentation-resources.md +++ b/windows/plan/act-product-and-documentation-resources.md @@ -2,8 +2,9 @@ title: ACT Product and Documentation Resources (Windows 10) description: The following sections provide links to resources and reference material for the Application Compatibility Toolkit (ACT). ms.assetid: c7954b5a-164d-4548-af58-cd3a1de5cc43 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/act-settings-dialog-box-preferences-tab.md b/windows/plan/act-settings-dialog-box-preferences-tab.md index bfaea35f75..6af88e476e 100644 --- a/windows/plan/act-settings-dialog-box-preferences-tab.md +++ b/windows/plan/act-settings-dialog-box-preferences-tab.md 
@@ -2,8 +2,9 @@ title: Settings Dialog Box - Preferences Tab (Windows 10) description: To display the Settings dialog box, in Application Compatibility Manager (ACM), on the Tools menu, click Settings. ms.assetid: deae2100-4110-4d72-b5ee-7c167f80bfa4 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/act-settings-dialog-box-settings-tab.md b/windows/plan/act-settings-dialog-box-settings-tab.md index 411450f21f..0f1b179b3c 100644 --- a/windows/plan/act-settings-dialog-box-settings-tab.md +++ b/windows/plan/act-settings-dialog-box-settings-tab.md @@ -2,8 +2,9 @@ title: Settings Dialog Box - Settings Tab (Windows 10) description: To display the Settings dialog box, in Application Compatibility Manager (ACM), on the Tools menu, click Settings. ms.assetid: aeec1647-cf91-4f8b-9f6d-dbf4b898d901 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/act-technical-reference.md b/windows/plan/act-technical-reference.md index 6544f9dc8e..c05f03fc92 100644 --- a/windows/plan/act-technical-reference.md +++ b/windows/plan/act-technical-reference.md @@ -2,8 +2,9 @@ title: Application Compatibility Toolkit (ACT) Technical Reference (Windows 10) description: The Microsoft® Application Compatibility Toolkit (ACT) helps you determine whether the applications, devices, and computers in your organization are compatible with versions of the Windows® operating system. ms.assetid: d90d38b2-2718-4481-90eb-4480719627ba -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/act-toolbar-icons-in-acm.md b/windows/plan/act-toolbar-icons-in-acm.md index 1620557d16..9a0d2b3e79 100644 --- a/windows/plan/act-toolbar-icons-in-acm.md 
+++ b/windows/plan/act-toolbar-icons-in-acm.md @@ -2,8 +2,9 @@ title: Toolbar Icons in ACM (Windows 10) description: The following table shows icons that appear on toolbars and navigational elements in Application Compatibility Manager (ACM). ms.assetid: 44872da1-c7ad-41b9-8323-d3c3f49b2706 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/act-tools-packages-and-services.md b/windows/plan/act-tools-packages-and-services.md index 5d3ef9ba47..bf9c2bf728 100644 --- a/windows/plan/act-tools-packages-and-services.md +++ b/windows/plan/act-tools-packages-and-services.md @@ -2,8 +2,9 @@ title: ACT Tools, Packages, and Services (Windows 10) description: The Application Compatibility Toolkit is included with the Windows ADK. Download the Windows ADK. ms.assetid: f5a16548-7d7b-4be9-835e-c06158dd0b89 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/act-user-interface-reference.md b/windows/plan/act-user-interface-reference.md index 80687eea7c..ff28470715 100644 --- a/windows/plan/act-user-interface-reference.md +++ b/windows/plan/act-user-interface-reference.md @@ -2,8 +2,9 @@ title: ACT User Interface Reference (Windows 10) description: This section contains information about the user interface for Application Compatibility Manager (ACM), which is a tool in the Application Compatibility Toolkit (ACT). ms.assetid: 303d3dd7-2cc1-4f5f-b032-b7e288b04893 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/activating-and-closing-windows-in-acm.md b/windows/plan/activating-and-closing-windows-in-acm.md index 3e7eaaef87..dfa085659e 100644 --- a/windows/plan/activating-and-closing-windows-in-acm.md 
+++ b/windows/plan/activating-and-closing-windows-in-acm.md @@ -2,8 +2,9 @@ title: Activating and Closing Windows in ACM (Windows 10) description: The Windows dialog box shows the windows that are open in Application Compatibility Manager (ACM). ms.assetid: 747bf356-d861-4ce7-933e-fa4ecfac7be5 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/adding-or-editing-a-solution.md b/windows/plan/adding-or-editing-a-solution.md index a3ebf8c8ff..f16e5237b2 100644 --- a/windows/plan/adding-or-editing-a-solution.md +++ b/windows/plan/adding-or-editing-a-solution.md @@ -2,8 +2,9 @@ title: Adding or Editing a Solution (Windows 10) description: If you find your own solutions to compatibility issues, you can enter the solutions in Application Compatibility Manager (ACM). You can use the Microsoft Compatibility Exchange to upload solutions to Microsoft Corporation. ms.assetid: 86cb8804-d577-4af6-b96f-5e0409784a23 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/adding-or-editing-an-issue.md b/windows/plan/adding-or-editing-an-issue.md index 51a8522a05..75e4e67390 100644 --- a/windows/plan/adding-or-editing-an-issue.md +++ b/windows/plan/adding-or-editing-an-issue.md @@ -2,8 +2,9 @@ title: Adding or Editing an Issue (Windows 10) description: In Application Compatibility Manager (ACM), you can enter information about the compatibility issues that you discover. ms.assetid: 8a9fff79-9f88-4ce2-a4e6-b9382f28143d -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/analyzing-your-compatibility-data.md b/windows/plan/analyzing-your-compatibility-data.md index 4b145ad92f..30f6a43c24 100644 --- a/windows/plan/analyzing-your-compatibility-data.md 
+++ b/windows/plan/analyzing-your-compatibility-data.md @@ -2,8 +2,9 @@ title: Analyzing Your Compatibility Data (Windows 10) description: This section provides information about viewing and working with your compatibility data in Application Compatibility Manager (ACM). ms.assetid: b98f3d74-fe22-41a2-afe8-2eb2799933a1 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/application-dialog-box.md b/windows/plan/application-dialog-box.md index 1700305f86..c8d9515fa6 100644 --- a/windows/plan/application-dialog-box.md +++ b/windows/plan/application-dialog-box.md @@ -2,8 +2,9 @@ title: Application Dialog Box (Windows 10) description: In Application Compatibility Manager (ACM), the Application dialog box shows information about the selected application. ms.assetid: a43e85a6-3cd4-4235-bc4d-01e4d097db7e -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/applying-filters-to-data-in-the-sua-tool.md b/windows/plan/applying-filters-to-data-in-the-sua-tool.md index 7f960b8cf6..7b716d119a 100644 --- a/windows/plan/applying-filters-to-data-in-the-sua-tool.md +++ b/windows/plan/applying-filters-to-data-in-the-sua-tool.md @@ -2,8 +2,9 @@ title: Applying Filters to Data in the SUA Tool (Windows 10) description: On the user interface for the Standard User Analyzer (SUA) tool, you can apply filters to the issues that the tool has found so that you can view only the information that interests you. ms.assetid: 48c39919-3501-405d-bcf5-d2784cbb011f -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- 
diff --git a/windows/plan/available-data-types-and-operators-in-compatibility-administrator.md b/windows/plan/available-data-types-and-operators-in-compatibility-administrator.md index bc5e40d571..8076d0787c 100644 --- a/windows/plan/available-data-types-and-operators-in-compatibility-administrator.md +++ b/windows/plan/available-data-types-and-operators-in-compatibility-administrator.md @@ -2,8 +2,9 @@ title: Available Data Types and Operators in Compatibility Administrator (Windows 10) description: The Compatibility Administrator tool provides a way to query your custom-compatibility databases. ms.assetid: 67d9c03e-ab9d-4fda-8a55-8c5b90266d3b -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/best-practice-recommendations-for-windows-to-go.md b/windows/plan/best-practice-recommendations-for-windows-to-go.md index 4ef9e9177e..c9cc2ac741 100644 --- a/windows/plan/best-practice-recommendations-for-windows-to-go.md +++ b/windows/plan/best-practice-recommendations-for-windows-to-go.md @@ -2,9 +2,10 @@ title: Best practice recommendations for Windows To Go (Windows 10) description: Best practice recommendations for Windows To Go ms.assetid: 05e6e0ab-94ed-4c0c-a195-0abd006f0a86 -keywords: ["best practices, USB, device, boot"] +keywords: best practices, USB, device, boot ms.prod: w10 -ms.mktglfcycl: deploy +ms.mktglfcycl: plan +pagetype: mobility ms.sitesec: library author: mtniehaus --- diff --git a/windows/plan/categorizing-your-compatibility-data.md b/windows/plan/categorizing-your-compatibility-data.md index 637af36069..f00d576eee 100644 --- a/windows/plan/categorizing-your-compatibility-data.md +++ b/windows/plan/categorizing-your-compatibility-data.md 
@@ -2,8 +2,9 @@ title: Categorizing Your Compatibility Data (Windows 10) ms.assetid: 6420f012-316f-4ef0-bfbb-14baaa664e6e description: -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/change-history-for-plan-for-windows-10-deployment.md b/windows/plan/change-history-for-plan-for-windows-10-deployment.md index 7d8965c6d6..4f0b96a684 100644 --- a/windows/plan/change-history-for-plan-for-windows-10-deployment.md +++ b/windows/plan/change-history-for-plan-for-windows-10-deployment.md @@ -2,8 +2,8 @@ title: Change history for Plan for Windows 10 deployment (Windows 10) description: This topic lists new and updated topics in the Plan for Windows 10 deployment documentation for Windows 10 and Windows 10 Mobile. ms.assetid: 70D9F4F8-F2A4-4FB4-9459-5B2BE7BCAC66 -ms.prod: W10 -ms.mktglfcycl: deploy +ms.prod: w10 +ms.mktglfcycl: plan ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/chromebook-migration-guide.md b/windows/plan/chromebook-migration-guide.md index 5f6f426691..9504345b46 100644 --- a/windows/plan/chromebook-migration-guide.md +++ b/windows/plan/chromebook-migration-guide.md @@ -3,7 +3,7 @@ title: Chromebook migration guide (Windows 10) description: In this guide you will learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. ms.assetid: 7A1FA48A-C44A-4F59-B895-86D4D77F8BEA keywords: migrate, automate, device -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu; devices diff --git a/windows/plan/common-compatibility-issues.md b/windows/plan/common-compatibility-issues.md index e9feba9487..4e96594b85 100644 --- a/windows/plan/common-compatibility-issues.md +++ b/windows/plan/common-compatibility-issues.md 
@@ -2,8 +2,9 @@ title: Common Compatibility Issues (Windows 10) ms.assetid: f5ad621d-bda2-45b5-ae85-bc92970f602f description: -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/compatibility-administrator-users-guide.md b/windows/plan/compatibility-administrator-users-guide.md index 06246f50b6..8625f9e210 100644 --- a/windows/plan/compatibility-administrator-users-guide.md +++ b/windows/plan/compatibility-administrator-users-guide.md @@ -2,8 +2,9 @@ title: Compatibility Administrator User's Guide (Windows 10) ms.assetid: 0ce05f66-9009-4739-a789-60f3ce380e76 description: -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/compatibility-fix-database-management-strategies-and-deployment.md b/windows/plan/compatibility-fix-database-management-strategies-and-deployment.md index 9abe28e94d..f608310bd6 100644 --- a/windows/plan/compatibility-fix-database-management-strategies-and-deployment.md +++ b/windows/plan/compatibility-fix-database-management-strategies-and-deployment.md @@ -2,8 +2,9 @@ title: Compatibility Fix Database Management Strategies and Deployment (Windows 10) ms.assetid: fdfbf02f-c4c4-4739-a400-782204fd3c6c description: -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md b/windows/plan/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md index 1efec32cb1..688cf0a0d5 100644 --- a/windows/plan/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md +++ b/windows/plan/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md 
@@ -2,8 +2,9 @@ title: Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista (Windows 10) description: You can fix some compatibility issues that are due to the changes made between Windows operating system versions. These issues can include User Account Control (UAC) restrictions. ms.assetid: cd51c824-557f-462a-83bb-54b0771b7dff -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/compatibility-monitor-users-guide.md b/windows/plan/compatibility-monitor-users-guide.md index f5b56c4858..9a72ed30d3 100644 --- a/windows/plan/compatibility-monitor-users-guide.md +++ b/windows/plan/compatibility-monitor-users-guide.md @@ -2,8 +2,9 @@ title: Compatibility Monitor User's Guide (Windows 10) description: Compatibility Monitor is a tool in the runtime analysis package that you can use to monitor applications for compatibility issues. You can also use the Compatibility Monitor tool to submit compatibility feedback. ms.assetid: 67d6eff0-1576-44bd-99b4-a3ffa5e205ac -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/computer-dialog-box.md b/windows/plan/computer-dialog-box.md index 498f20d93c..b191d79a79 100644 --- a/windows/plan/computer-dialog-box.md +++ b/windows/plan/computer-dialog-box.md @@ -2,8 +2,9 @@ title: Computer Dialog Box (Windows 10) description: In Application Compatibility Manager (ACM), the Computer dialog box shows information about the selected computer. ms.assetid: f89cbb28-adcd-41cd-9a54-402bc4aaffd9 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/configuring-act.md b/windows/plan/configuring-act.md index ef72f68d43..f5803ddd81 100644 --- a/windows/plan/configuring-act.md 
+++ b/windows/plan/configuring-act.md @@ -2,8 +2,9 @@ title: Configuring ACT (Windows 10) description: This section provides information about setting up the Application Compatibility Toolkit (ACT) in your organization. ms.assetid: aacbe35e-ea40-47ac-bebf-ed2660c8fd86 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/creating-a-custom-compatibility-fix-in-compatibility-administrator.md b/windows/plan/creating-a-custom-compatibility-fix-in-compatibility-administrator.md index 26d4a51ca0..a88189a7a2 100644 --- a/windows/plan/creating-a-custom-compatibility-fix-in-compatibility-administrator.md +++ b/windows/plan/creating-a-custom-compatibility-fix-in-compatibility-administrator.md @@ -2,8 +2,9 @@ title: Creating a Custom Compatibility Fix in Compatibility Administrator (Windows 10) description: The Compatibility Administrator tool uses the term fix to describe the combination of compatibility information added to a customized database for a specific application. ms.assetid: e4f2853a-0e46-49c5-afd7-0ed12f1fe0c2 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/creating-a-custom-compatibility-mode-in-compatibility-administrator.md b/windows/plan/creating-a-custom-compatibility-mode-in-compatibility-administrator.md index 75f3706089..ac5091d0bb 100644 --- a/windows/plan/creating-a-custom-compatibility-mode-in-compatibility-administrator.md +++ b/windows/plan/creating-a-custom-compatibility-mode-in-compatibility-administrator.md 
@@ -2,8 +2,9 @@ title: Creating a Custom Compatibility Mode in Compatibility Administrator (Windows 10) description: Windows® provides several compatibility modes, groups of compatibility fixes found to resolve many common application-compatibility issues. ms.assetid: 661a1c0d-267f-4a79-8445-62a9a98d09b0 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/creating-a-runtime-analysis-package.md b/windows/plan/creating-a-runtime-analysis-package.md index 8246a9de4a..04411a5fa7 100644 --- a/windows/plan/creating-a-runtime-analysis-package.md +++ b/windows/plan/creating-a-runtime-analysis-package.md @@ -2,8 +2,9 @@ title: Creating a Runtime-Analysis Package (Windows 10) description: In Application Compatibility Manager (ACM), you can create runtime-analysis packages, which you can then deploy to computers for compatibility testing in your test environment. ms.assetid: 3c703ebe-46b3-4dcd-b355-b28344bc159b -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/creating-an-apphelp-message-in-compatibility-administrator.md b/windows/plan/creating-an-apphelp-message-in-compatibility-administrator.md index 4fc5707012..5b48ebdbb8 100644 --- a/windows/plan/creating-an-apphelp-message-in-compatibility-administrator.md +++ b/windows/plan/creating-an-apphelp-message-in-compatibility-administrator.md 
@@ -2,8 +2,9 @@ title: Creating an AppHelp Message in Compatibility Administrator (Windows 10) description: The Compatibility Administrator tool enables you to create an AppHelp text message. This is a blocking or non-blocking message that appears when a user starts an application that you know has major functionality issues on the Windows® operating system. ms.assetid: 5c6e89f5-1942-4aa4-8439-ccf0ecd02848 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/creating-an-enterprise-environment-for-compatibility-testing.md b/windows/plan/creating-an-enterprise-environment-for-compatibility-testing.md index 339ef48aaf..840fa87695 100644 --- a/windows/plan/creating-an-enterprise-environment-for-compatibility-testing.md +++ b/windows/plan/creating-an-enterprise-environment-for-compatibility-testing.md @@ -2,8 +2,9 @@ title: Creating an Enterprise Environment for Compatibility Testing (Windows 10) description: The goal of the test environment is to model the operating system that you want to deploy and assess compatibility before deploying the operating system to your production environment. ms.assetid: cbf6d8b6-7ebc-4faa-bbbd-e02653ed4adb -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/creating-an-inventory-collector-package.md b/windows/plan/creating-an-inventory-collector-package.md index 01d9dcf89c..c174e746e0 100644 --- a/windows/plan/creating-an-inventory-collector-package.md +++ b/windows/plan/creating-an-inventory-collector-package.md 
@@ -2,8 +2,9 @@ title: Creating an Inventory-Collector Package (Windows 10) description: You can use Application Compatibility Manager (ACM) to create an inventory-collector package. ms.assetid: 61d041d6-e308-47b3-921b-709d72926d6d -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/creating-and-editing-issues-and-solutions.md b/windows/plan/creating-and-editing-issues-and-solutions.md index d4e183c235..0ce76a3f2f 100644 --- a/windows/plan/creating-and-editing-issues-and-solutions.md +++ b/windows/plan/creating-and-editing-issues-and-solutions.md @@ -2,8 +2,9 @@ title: Creating and Editing Issues and Solutions (Windows 10) description: This section provides step-by-step instructions for adding and editing application compatibility issues and solutions. Your issue and solution data can be uploaded to Microsoft through the Microsoft® Compatibility Exchange. ms.assetid: b64fe4e0-24bd-4bbd-9645-80ae5644e774 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/customizing-your-report-views.md b/windows/plan/customizing-your-report-views.md index 97566482eb..a68961a2e6 100644 --- a/windows/plan/customizing-your-report-views.md +++ b/windows/plan/customizing-your-report-views.md @@ -2,8 +2,9 @@ title: Customizing Your Report Views (Windows 10) description: You can customize how you view your report data in Application Compatibility Manager (ACM). ms.assetid: ba8da888-6749-43b4-8efb-4f26c7954721 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/data-sent-through-the-microsoft-compatibility-exchange.md b/windows/plan/data-sent-through-the-microsoft-compatibility-exchange.md index 4f5456aa5d..8bb30d37a8 100644 
--- a/windows/plan/data-sent-through-the-microsoft-compatibility-exchange.md +++ b/windows/plan/data-sent-through-the-microsoft-compatibility-exchange.md @@ -2,8 +2,9 @@ title: Data Sent Through the Microsoft Compatibility Exchange (Windows 10) description: The Microsoft Compatibility Exchange propagates data of various types between Microsoft Corporation, independent software vendors (ISVs) and the Application Compatibility Toolkit (ACT) Community. ms.assetid: 3ec61e33-9db8-4367-99d5-e05c2f50e144 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/deciding-whether-to-fix-an-application-or-deploy-a-workaround.md b/windows/plan/deciding-whether-to-fix-an-application-or-deploy-a-workaround.md index ed48afa8a9..0bf24136b1 100644 --- a/windows/plan/deciding-whether-to-fix-an-application-or-deploy-a-workaround.md +++ b/windows/plan/deciding-whether-to-fix-an-application-or-deploy-a-workaround.md @@ -2,8 +2,9 @@ title: Deciding Whether to Fix an Application or Deploy a Workaround (Windows 10) description: You can fix a compatibility issue by changing the code for the application or by deploying a workaround. ms.assetid: e495d0c8-bfba-4537-bccd-64c4b52206f1 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/deciding-which-applications-to-test.md b/windows/plan/deciding-which-applications-to-test.md index f5719dbdb7..a0d4d06986 100644 --- a/windows/plan/deciding-which-applications-to-test.md +++ b/windows/plan/deciding-which-applications-to-test.md 
@@ -2,8 +2,9 @@ title: Deciding Which Applications to Test (Windows 10) description: Before starting your compatibility testing on the version of Windows that you want to deploy, you can use the Application Compatibility Toolkit (ACT) to identify which applications should be the focus of your testing. ms.assetid: d7c1c28f-b7b4-43ac-bf87-2910a2b603bf -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/deleting-a-data-collection-package.md b/windows/plan/deleting-a-data-collection-package.md index ade04833e1..002a431377 100644 --- a/windows/plan/deleting-a-data-collection-package.md +++ b/windows/plan/deleting-a-data-collection-package.md @@ -2,8 +2,9 @@ title: Deleting a Data-Collection Package (Windows 10) description: In Application Compatibility Manager (ACM), you can delete any of your existing data-collection packages from the database. ms.assetid: 1b397d7a-7216-4078-93d9-47c7becbf73e -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/deploying-a-runtime-analysis-package.md b/windows/plan/deploying-a-runtime-analysis-package.md index 09c49b1cc9..bf01c5258c 100644 --- a/windows/plan/deploying-a-runtime-analysis-package.md +++ b/windows/plan/deploying-a-runtime-analysis-package.md @@ -2,8 +2,9 @@ title: Deploying a Runtime-Analysis Package (Windows 10) description: When you deploy a runtime-analysis package, you are deploying it to your test environment for compatibility testing. ms.assetid: 304bf0be-0e7c-4c5f-baac-bed7f8bef509 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/deploying-an-inventory-collector-package.md b/windows/plan/deploying-an-inventory-collector-package.md index a3d471a410..406a2823fd 100644 
--- a/windows/plan/deploying-an-inventory-collector-package.md +++ b/windows/plan/deploying-an-inventory-collector-package.md @@ -2,8 +2,8 @@ title: Deploying an Inventory-Collector Package (Windows 10) ms.assetid: 8726ff71-0d17-4449-bdb7-66957ae51c62 description: -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/deployment-considerations-for-windows-to-go.md b/windows/plan/deployment-considerations-for-windows-to-go.md index 8d512f6395..da2f4412e7 100644 --- a/windows/plan/deployment-considerations-for-windows-to-go.md +++ b/windows/plan/deployment-considerations-for-windows-to-go.md @@ -2,9 +2,10 @@ title: Deployment considerations for Windows To Go (Windows 10) description: Deployment considerations for Windows To Go ms.assetid: dcfc5d96-b96b-44cd-ab65-416b5611c65e -keywords: ["deploy, mobile, device, USB, boot, image, workspace, driver"] +keywords: deploy, mobile, device, USB, boot, image, workspace, driver ms.prod: W10 -ms.mktglfcycl: deploy +ms.mktglfcycl: plan +ms.pagetype: mobility ms.sitesec: library author: mtniehaus --- diff --git a/windows/plan/device-dialog-box.md b/windows/plan/device-dialog-box.md index ae65f7330b..7cd1c0d3ec 100644 --- a/windows/plan/device-dialog-box.md +++ b/windows/plan/device-dialog-box.md @@ -2,8 +2,9 @@ title: Device Dialog Box (Windows 10) description: In Application Compatibility Manager (ACM), the Device dialog box shows information about the selected device. ms.assetid: 5bd7cfda-31ea-4967-8b64-6c0425092f4e -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md b/windows/plan/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md index 0f3ad7aa3d..85c5e0ba27 100644 
--- a/windows/plan/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md +++ b/windows/plan/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md @@ -2,8 +2,9 @@ title: Enabling and Disabling Compatibility Fixes in Compatibility Administrator (Windows 10) description: You can disable and enable individual compatibility fixes in your customized databases for testing and troubleshooting purposes. ms.assetid: 6bd4a7c5-0ed9-4a35-948c-c438aa4d6cb6 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/example-filter-queries.md b/windows/plan/example-filter-queries.md index a128516e95..7b7732863d 100644 --- a/windows/plan/example-filter-queries.md +++ b/windows/plan/example-filter-queries.md @@ -2,8 +2,9 @@ title: Example Filter Queries (Windows 10) description: You can filter your compatibility-issue data or reports by selecting specific restriction criteria. ms.assetid: eae59380-56cc-4d57-bd2c-11a0e3c689c9 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/exporting-a-data-collection-package.md b/windows/plan/exporting-a-data-collection-package.md index c1eef9d0ad..5baee693f6 100644 --- a/windows/plan/exporting-a-data-collection-package.md +++ b/windows/plan/exporting-a-data-collection-package.md @@ -2,8 +2,9 @@ title: Exporting a Data-Collection Package (Windows 10) description: In Application Compatibility Manager (ACM), you can export a data-collection package as a Windows installer (.msi) file. You can then use the .msi file to install the data-collection package on the computers from which you want to gather data. ms.assetid: 98fe19e4-9533-4ffc-a275-8b3776ee93ed -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- 
diff --git a/windows/plan/filtering-your-compatibility-data.md b/windows/plan/filtering-your-compatibility-data.md index 36776e764a..fcc724c2d5 100644 --- a/windows/plan/filtering-your-compatibility-data.md +++ b/windows/plan/filtering-your-compatibility-data.md @@ -2,8 +2,9 @@ title: Filtering Your Compatibility Data (Windows 10) description: You can use Query Builder to filter your compatibility-issue data or reports by selecting specific restriction criteria. ms.assetid: b64267b5-83c0-4b4d-a075-0975d3a359c8 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/fixing-applications-by-using-the-sua-tool.md b/windows/plan/fixing-applications-by-using-the-sua-tool.md index 99bd4deb6e..bdfe9b9c63 100644 --- a/windows/plan/fixing-applications-by-using-the-sua-tool.md +++ b/windows/plan/fixing-applications-by-using-the-sua-tool.md @@ -2,8 +2,9 @@ title: Fixing Applications by Using the SUA Tool (Windows 10) description: On the user interface for the Standard User Analyzer (SUA) tool, you can apply fixes to an application. ms.assetid: 7f5947b1-977b-4d7e-bb52-fbe8e76f6b8b -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/fixing-compatibility-issues.md b/windows/plan/fixing-compatibility-issues.md index dc3e884415..b7f338d5ac 100644 --- a/windows/plan/fixing-compatibility-issues.md +++ b/windows/plan/fixing-compatibility-issues.md @@ -2,8 +2,9 @@ title: Fixing Compatibility Issues (Windows 10) description: This section provides step-by-step instructions and describes development tools that you can use to help fix your compatibility issues. ms.assetid: 30ba8d14-a41a-41b3-9019-e8658d6974de -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- 
diff --git a/windows/plan/identifying-computers-for-inventory-collection.md b/windows/plan/identifying-computers-for-inventory-collection.md index 638addad76..a7378b9820 100644 --- a/windows/plan/identifying-computers-for-inventory-collection.md +++ b/windows/plan/identifying-computers-for-inventory-collection.md @@ -2,8 +2,8 @@ title: Identifying Computers for Inventory Collection (Windows 10) ms.assetid: f5bf2d89-fff2-4960-a153-dc1146b442fb description: -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/index.md b/windows/plan/index.md index 3c830e97d4..a82ad27fb5 100644 --- a/windows/plan/index.md +++ b/windows/plan/index.md @@ -2,8 +2,8 @@ title: Plan for Windows 10 deployment (Windows 10) description: Windows 10 provides new deployment capabilities, scenarios, and tools by building on technologies introduced in Windows 7, and Windows 8.1, while at the same time introducing new Windows as a service concepts to keep the operating system up to date. ms.assetid: 002F9B79-B50F-40C5-A7A5-0B4770E6EC15 -keywords: ["deploy", "upgrade", "update", "configure"] -ms.prod: W10 +keywords: deploy, upgrade, update, configure +ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library author: TrudyHa diff --git a/windows/plan/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md b/windows/plan/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md index 2d040ed0be..c55deebb84 100644 --- a/windows/plan/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md +++ b/windows/plan/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md 
@@ -2,8 +2,9 @@ title: Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator (Windows 10) description: The Compatibility Administrator tool enables the creation and the use of custom-compatibility and standard-compatibility databases. ms.assetid: 659c9d62-5f32-433d-94aa-12141c01368f -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/integration-with-management-solutions-.md b/windows/plan/integration-with-management-solutions-.md index 788d1ad4e8..83dcaee001 100644 --- a/windows/plan/integration-with-management-solutions-.md +++ b/windows/plan/integration-with-management-solutions-.md @@ -6,7 +6,7 @@ keywords: update, upgrade, deployment, manage, tools ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library -ms.pagetype: servicing; devices +ms.pagetype: servicing, devices author: TrudyHa --- diff --git a/windows/plan/internet-explorer-web-site-report.md b/windows/plan/internet-explorer-web-site-report.md index fdcd6ef921..da0098b6c3 100644 --- a/windows/plan/internet-explorer-web-site-report.md +++ b/windows/plan/internet-explorer-web-site-report.md @@ -2,8 +2,9 @@ title: Internet Explorer - Web Site Report (Windows 10) ms.assetid: f072033d-9d42-47ed-8fb0-dbdc28442910 description: -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/labeling-data-in-acm.md b/windows/plan/labeling-data-in-acm.md index d9fe6d9da7..1e0ae71639 100644 --- a/windows/plan/labeling-data-in-acm.md +++ b/windows/plan/labeling-data-in-acm.md 
@@ -2,8 +2,9 @@ title: Labeling Data in ACM (Windows 10) description: Application data and its associated compatibility issues can vary within an organization. ms.assetid: d099c747-e68a-4cad-a639-9f33efab35b3 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/log-file-locations-for-data-collection-packages.md b/windows/plan/log-file-locations-for-data-collection-packages.md index 6483bf1b49..99ea5bc63f 100644 --- a/windows/plan/log-file-locations-for-data-collection-packages.md +++ b/windows/plan/log-file-locations-for-data-collection-packages.md @@ -2,8 +2,9 @@ title: Log File Locations for Data-Collection Packages (Windows 10) ms.assetid: dcc395e7-2d9c-4935-abab-33c5934ce24a description: -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/managing-application-compatibility-fixes-and-custom-fix-databases.md b/windows/plan/managing-application-compatibility-fixes-and-custom-fix-databases.md index d85029f97f..7c8a961d1d 100644 --- a/windows/plan/managing-application-compatibility-fixes-and-custom-fix-databases.md +++ b/windows/plan/managing-application-compatibility-fixes-and-custom-fix-databases.md @@ -2,8 +2,9 @@ title: Managing Application-Compatibility Fixes and Custom Fix Databases (Windows 10) description: This section provides information about managing your application-compatibility fixes and custom-compatibility fix databases. This section explains the reasons for using compatibility fixes and how to deploy custom-compatibility fix databases. ms.assetid: 9c2e9396-908e-4a36-ad67-2e40452ce017 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- 
diff --git a/windows/plan/managing-your-data-collection-packages.md b/windows/plan/managing-your-data-collection-packages.md index eb9af845ad..46eaa26130 100644 --- a/windows/plan/managing-your-data-collection-packages.md +++ b/windows/plan/managing-your-data-collection-packages.md @@ -2,8 +2,9 @@ title: Managing Your Data-Collection Packages (Windows 10) description: This section provides information about using Application Compatibility Manager (ACM) to manage your data-collection packages. ms.assetid: 369ae82f-c8ca-42ec-85df-1b760a74e70a -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/organizational-tasks-for-each-report-type.md b/windows/plan/organizational-tasks-for-each-report-type.md index e49ccba8f8..e572f3b042 100644 --- a/windows/plan/organizational-tasks-for-each-report-type.md +++ b/windows/plan/organizational-tasks-for-each-report-type.md @@ -2,8 +2,9 @@ title: Organizational Tasks for Each Report Type (Windows 10) description: The following table shows which tasks can be performed for each report type. ms.assetid: 7463fab1-ba6e-4a9a-9112-0b69a18fe353 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/organizing-your-compatibility-data.md b/windows/plan/organizing-your-compatibility-data.md index 15d1d152b6..54bc38d151 100644 --- a/windows/plan/organizing-your-compatibility-data.md +++ b/windows/plan/organizing-your-compatibility-data.md 
@@ -2,8 +2,9 @@ title: Organizing Your Compatibility Data (Windows 10) description: This section provides step-by-step instructions for organizing your compatibility data in Application Compatibility Manager (ACM). ms.assetid: e91ae444-5d85-4b5f-b655-a765ecc78b1e -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/prepare-your-organization-for-windows-to-go.md b/windows/plan/prepare-your-organization-for-windows-to-go.md index f66acaff2b..fabf25bc73 100644 --- a/windows/plan/prepare-your-organization-for-windows-to-go.md +++ b/windows/plan/prepare-your-organization-for-windows-to-go.md @@ -3,8 +3,9 @@ title: Prepare your organization for Windows To Go (Windows 10) description: Prepare your organization for Windows To Go ms.assetid: f3f3c160-90ad-40a8-aeba-2aedee18f7ff keywords: ["mobile, device, USB, deploy"] -ms.prod: W10 -ms.mktglfcycl: deploy +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: mobility ms.sitesec: library author: mtniehaus --- diff --git a/windows/plan/prioritizing-your-compatibility-data.md b/windows/plan/prioritizing-your-compatibility-data.md index b597b63fc8..3d55e9d1f3 100644 --- a/windows/plan/prioritizing-your-compatibility-data.md +++ b/windows/plan/prioritizing-your-compatibility-data.md @@ -2,8 +2,9 @@ title: Prioritizing Your Compatibility Data (Windows 10) ms.assetid: 103e125a-bd2b-4019-9d6a-2e1d50c380b1 description: -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/ratings-icons-in-acm.md b/windows/plan/ratings-icons-in-acm.md index ab8a3a47ec..e8f095c0ac 100644 --- a/windows/plan/ratings-icons-in-acm.md +++ b/windows/plan/ratings-icons-in-acm.md 
@@ -2,8 +2,9 @@ title: Ratings Icons in ACM (Windows 10) description: Compatibility ratings can originate from Microsoft, the application vendor, your organization, and from the Application Compatibility Toolkit (ACT) community. ms.assetid: 0165499e-cb47-4d76-98a6-b871d23e4e83 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/resolving-an-issue.md b/windows/plan/resolving-an-issue.md index 74ffe1f620..4d5557c944 100644 --- a/windows/plan/resolving-an-issue.md +++ b/windows/plan/resolving-an-issue.md @@ -2,8 +2,9 @@ title: Resolving an Issue (Windows 10) description: You can use Application Compatibility Manager (ACM) to flag issues as resolved. Resolving an issue changes the status of the issue from a red x to a green check mark on your report and report detail screens. ms.assetid: 96195122-185d-4f6a-8e84-79c3d069e933 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/saving-opening-and-exporting-reports.md b/windows/plan/saving-opening-and-exporting-reports.md index 2f947a935e..67d940bd0d 100644 --- a/windows/plan/saving-opening-and-exporting-reports.md +++ b/windows/plan/saving-opening-and-exporting-reports.md @@ -2,8 +2,9 @@ title: Saving, Opening, and Exporting Reports (Windows 10) description: You can perform several common reporting tasks from the Analyze screen, including saving a compatibility report, opening a saved compatibility report (.adq) file, and exporting your report data to a spreadsheet (.xls) file. ms.assetid: 8be72a6c-63ab-4451-ad79-815e2ac18aa2 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- 
diff --git a/windows/plan/searching-for-fixed-applications-in-compatibility-administrator.md b/windows/plan/searching-for-fixed-applications-in-compatibility-administrator.md index 6c83a990ee..99b2f4a61f 100644 --- a/windows/plan/searching-for-fixed-applications-in-compatibility-administrator.md +++ b/windows/plan/searching-for-fixed-applications-in-compatibility-administrator.md @@ -2,8 +2,9 @@ title: Searching for Fixed Applications in Compatibility Administrator (Windows 10) description: With the search functionality in Compatibility Administrator, you can locate specific executable (.exe) files with previously applied compatibility fixes, compatibility modes, or AppHelp messages. ms.assetid: 1051a2dc-0362-43a4-8ae8-07dae39b1cb8 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md b/windows/plan/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md index bdc0043f6b..25906a1746 100644 --- a/windows/plan/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md +++ b/windows/plan/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md @@ -2,8 +2,9 @@ title: Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator (Windows 10) description: You can access the Query tool from within Compatibility Administrator. The Query tool provides the same functionality as using the Search feature. ms.assetid: dd213b55-c71c-407a-ad49-33db54f82f22 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- 
diff --git a/windows/plan/security-and-data-protection-considerations-for-windows-to-go.md b/windows/plan/security-and-data-protection-considerations-for-windows-to-go.md index 7343863528..999d2e6956 100644 --- a/windows/plan/security-and-data-protection-considerations-for-windows-to-go.md +++ b/windows/plan/security-and-data-protection-considerations-for-windows-to-go.md @@ -2,9 +2,10 @@ title: Security and data protection considerations for Windows To Go (Windows 10) description: One of the most important requirements to consider when you plan your Windows To Go deployment is to ensure that the data, content, and resources you work with in the Windows To Go workspace is protected and secure. ms.assetid: 5f27339f-6761-44f4-8c29-9a25cf8e75fe -keywords: ["mobile, device, USB, secure, BitLocker"] -ms.prod: W10 -ms.mktglfcycl: deploy +keywords: mobile, device, USB, secure, BitLocker +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: mobility, security ms.sitesec: library author: mtniehaus --- diff --git a/windows/plan/selecting-the-send-and-receive-status-for-an-application.md b/windows/plan/selecting-the-send-and-receive-status-for-an-application.md index 0a8f1c3450..782d3c1651 100644 --- a/windows/plan/selecting-the-send-and-receive-status-for-an-application.md +++ b/windows/plan/selecting-the-send-and-receive-status-for-an-application.md @@ -2,8 +2,9 @@ title: Selecting the Send and Receive Status for an Application (Windows 10) description: For each application listed in Application Compatibility Manager (ACM), you can select whether to send and receive specific application data through the Microsoft Compatibility Exchange. ms.assetid: ae139093-27cf-4ad8-882d-e0509e78d33a -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/selecting-your-compatibility-rating.md b/windows/plan/selecting-your-compatibility-rating.md index 3b64974c1d..b7042d456d 100644 
--- a/windows/plan/selecting-your-compatibility-rating.md +++ b/windows/plan/selecting-your-compatibility-rating.md @@ -2,8 +2,9 @@ title: Selecting Your Compatibility Rating (Windows 10) description: You can rate the compatibility of your applications, installation packages, or websites, based on whether they run successfully on a 32-bit or 64-bit operating system. ms.assetid: 959da499-8fd6-4f32-8771-a0580dd8e0d3 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/selecting-your-deployment-status.md b/windows/plan/selecting-your-deployment-status.md index 4d47ec35fb..8cc4a070bc 100644 --- a/windows/plan/selecting-your-deployment-status.md +++ b/windows/plan/selecting-your-deployment-status.md @@ -2,8 +2,9 @@ title: Selecting Your Deployment Status (Windows 10) description: In Application Compatibility Manager (ACM), you can track the deployment status of your applications and websites. ms.assetid: 7735d256-77eb-4498-93aa-c838ee6e00fc -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/sending-and-receiving-compatibility-data.md b/windows/plan/sending-and-receiving-compatibility-data.md index e2165cb7e6..5a694085b2 100644 --- a/windows/plan/sending-and-receiving-compatibility-data.md +++ b/windows/plan/sending-and-receiving-compatibility-data.md @@ -2,8 +2,9 @@ title: Sending and Receiving Compatibility Data (Windows 10) description: The Microsoft® Compatibility Exchange is a web service that propagates application compatibility issues between various data sources, for example Microsoft Corporation, independent software vendors (ISVs) and the ACT Community. ms.assetid: b86d2431-1caa-4f95-baf9-52ff6af546cd -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- 
diff --git a/windows/plan/settings-for-acm.md b/windows/plan/settings-for-acm.md index b548b8f403..6abb406ec3 100644 --- a/windows/plan/settings-for-acm.md +++ b/windows/plan/settings-for-acm.md @@ -2,8 +2,9 @@ title: Settings for ACM (Windows 10) description: This section provides information about settings that you can configure in Application Compatibility Manager (ACM). ms.assetid: e0126284-4348-4708-8976-a1e404f35971 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/setup-and-deployment.md b/windows/plan/setup-and-deployment.md index 590be310dd..618c4b80a0 100644 --- a/windows/plan/setup-and-deployment.md +++ b/windows/plan/setup-and-deployment.md @@ -6,7 +6,7 @@ keywords: update, upgrade, deployment ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library -ms.pagetype: servicing; devices +ms.pagetype: servicing, devices author: TrudyHa --- diff --git a/windows/plan/showing-messages-generated-by-the-sua-tool.md b/windows/plan/showing-messages-generated-by-the-sua-tool.md index 1b34533117..03651875c5 100644 --- a/windows/plan/showing-messages-generated-by-the-sua-tool.md +++ b/windows/plan/showing-messages-generated-by-the-sua-tool.md @@ -2,8 +2,9 @@ title: Showing Messages Generated by the SUA Tool (Windows 10) description: On the user interface for the Standard User Analyzer (SUA) tool, you can show the messages that the tool has generated. ms.assetid: 767eb7f2-d6c4-414c-a7b3-a997337d904a -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/software-requirements-for-act.md b/windows/plan/software-requirements-for-act.md index 5b3047ffaf..3564e2d753 100644 --- a/windows/plan/software-requirements-for-act.md +++ b/windows/plan/software-requirements-for-act.md 
@@ -2,8 +2,9 @@ title: Software Requirements for ACT (Windows 10) description: The Application Compatibility Toolkit (ACT) has the following software requirements. ms.assetid: 9bbc21d4-f2ac-4a91-8add-017b1eacdeee -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/software-requirements-for-rap.md b/windows/plan/software-requirements-for-rap.md index 18462f9bd7..07311438e4 100644 --- a/windows/plan/software-requirements-for-rap.md +++ b/windows/plan/software-requirements-for-rap.md @@ -2,8 +2,9 @@ title: Software Requirements for RAP (Windows 10) description: The runtime-analysis package (RAP) has the following software requirements. ms.assetid: 0163ce70-f5ba-400c-bdd5-a25511aac91f -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/sua-users-guide.md b/windows/plan/sua-users-guide.md index d907f4229d..e0f2921b80 100644 --- a/windows/plan/sua-users-guide.md +++ b/windows/plan/sua-users-guide.md @@ -2,8 +2,9 @@ title: SUA User's Guide (Windows 10) description: You can use Standard User Analyzer (SUA) to test your applications and monitor API calls to detect compatibility issues related to the User Account Control (UAC) feature in Windows. ms.assetid: ea525c25-b557-4ed4-b042-3e4d0e543e10 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/tabs-on-the-sua-tool-interface.md b/windows/plan/tabs-on-the-sua-tool-interface.md index 70a9ac7535..721e32bca7 100644 --- a/windows/plan/tabs-on-the-sua-tool-interface.md +++ b/windows/plan/tabs-on-the-sua-tool-interface.md 
@@ -2,8 +2,9 @@ title: Tabs on the SUA Tool Interface (Windows 10) description: The tabs in the Standard User Analyzer (SUA) tool show the User Account Control (UAC) issues for the applications that you analyze. ms.assetid: 0d705321-1d85-4217-bf2c-0ca231ca303b -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/taking-inventory-of-your-organization.md b/windows/plan/taking-inventory-of-your-organization.md index d42fc430b2..07b40d240a 100644 --- a/windows/plan/taking-inventory-of-your-organization.md +++ b/windows/plan/taking-inventory-of-your-organization.md @@ -2,8 +2,9 @@ title: Taking Inventory of Your Organization (Windows 10) description: This section provides information about how to use the Application Compatibility Toolkit (ACT) to identify applications and devices that are installed in your organization. ms.assetid: d52f138d-c6b2-4ab1-bb38-5b036311a51d -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/testing-compatibility-on-the-target-platform.md b/windows/plan/testing-compatibility-on-the-target-platform.md index 10111af439..621a8bfeb2 100644 --- a/windows/plan/testing-compatibility-on-the-target-platform.md +++ b/windows/plan/testing-compatibility-on-the-target-platform.md @@ -2,8 +2,9 @@ title: Testing Compatibility on the Target Platform (Windows 10) description: This section provides information about setting up a test environment for compatibility testing, and about creating and deploying runtime-analysis packages to the test environment. ms.assetid: 8f3e9d58-37c2-41ea-a216-32712baf6cf4 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- 
diff --git a/windows/plan/testing-your-application-mitigation-packages.md b/windows/plan/testing-your-application-mitigation-packages.md index df727951fd..669904c1e6 100644 --- a/windows/plan/testing-your-application-mitigation-packages.md +++ b/windows/plan/testing-your-application-mitigation-packages.md @@ -2,8 +2,9 @@ title: Testing Your Application Mitigation Packages (Windows 10) description: This topic provides details about testing your application-mitigation packages, including recommendations about how to report your information and how to resolve any outstanding issues. ms.assetid: ae946f27-d377-4db9-b179-e8875d454ccf -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/troubleshooting-act-database-issues.md b/windows/plan/troubleshooting-act-database-issues.md index 758df1a050..ba1e7c4f7a 100644 --- a/windows/plan/troubleshooting-act-database-issues.md +++ b/windows/plan/troubleshooting-act-database-issues.md @@ -2,8 +2,9 @@ title: Troubleshooting ACT Database Issues (Windows 10) description: The following solutions may help you resolve issues that are related to your Microsoft® SQL Server® database for the Application Compatibility Toolkit (ACT). ms.assetid: c36ab5d8-cc82-4681-808d-3d491551b75e -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/troubleshooting-act.md b/windows/plan/troubleshooting-act.md index 1dbfeee130..3de62348a2 100644 --- a/windows/plan/troubleshooting-act.md +++ b/windows/plan/troubleshooting-act.md 
@@ -2,8 +2,9 @@ title: Troubleshooting ACT (Windows 10) description: This section provides troubleshooting information for the Application Compatibility Toolkit (ACT). ms.assetid: 5696b0c0-5db5-4111-a1e1-825129e683d8 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/troubleshooting-the-act-configuration-wizard.md b/windows/plan/troubleshooting-the-act-configuration-wizard.md index 058b39db72..709b60fb6d 100644 --- a/windows/plan/troubleshooting-the-act-configuration-wizard.md +++ b/windows/plan/troubleshooting-the-act-configuration-wizard.md @@ -2,8 +2,9 @@ title: Troubleshooting the ACT Configuration Wizard (Windows 10) description: When you start Application Compatibility Manager (ACM) for the first time, the Application Compatibility Toolkit (ACT) Configuration Wizard appears. ms.assetid: f4f489c7-50b7-4b07-8b03-79777e1aaefd -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/troubleshooting-the-act-log-processing-service.md b/windows/plan/troubleshooting-the-act-log-processing-service.md index 8fef3bc4b5..0fff19e588 100644 --- a/windows/plan/troubleshooting-the-act-log-processing-service.md +++ b/windows/plan/troubleshooting-the-act-log-processing-service.md @@ -2,8 +2,9 @@ title: Troubleshooting the ACT Log Processing Service (Windows 10) description: The following solutions may help you resolve issues that are related to the Application Compatibility Toolkit (ACT) Log Processing Service. ms.assetid: cb6f90c2-9f7d-4a34-a91e-8ed55b8c256d -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/understanding-and-using-compatibility-fixes.md b/windows/plan/understanding-and-using-compatibility-fixes.md index bde6db5bc2..6c73a5645b 100644 
--- a/windows/plan/understanding-and-using-compatibility-fixes.md +++ b/windows/plan/understanding-and-using-compatibility-fixes.md @@ -2,8 +2,9 @@ title: Understanding and Using Compatibility Fixes (Windows 10) description: As the Windows operating system evolves to support new technology and functionality, the implementations of some functions may change. ms.assetid: 84bf663d-3e0b-4168-99d6-a26e054821b7 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/using-act.md b/windows/plan/using-act.md index a091159a76..3793af0dd1 100644 --- a/windows/plan/using-act.md +++ b/windows/plan/using-act.md @@ -2,8 +2,9 @@ title: Using ACT (Windows 10) description: This section describes how to use the Application Compatibility Toolkit (ACT) in your organization. ms.assetid: e6a68f44-7503-450d-a000-a04fbb93a146 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/using-compatibility-monitor-to-send-feedback.md b/windows/plan/using-compatibility-monitor-to-send-feedback.md index 4bf3abf7e8..9a86a64d25 100644 --- a/windows/plan/using-compatibility-monitor-to-send-feedback.md +++ b/windows/plan/using-compatibility-monitor-to-send-feedback.md @@ -2,8 +2,9 @@ title: Using Compatibility Monitor to Send Feedback (Windows 10) description: The Microsoft Compatibility Monitor tool is installed as part of the runtime-analysis package. ms.assetid: dc59193e-7ff4-4950-8c20-e90c246e469d -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/using-the-compatibility-administrator-tool.md b/windows/plan/using-the-compatibility-administrator-tool.md index 09f3b30d05..26bd9c4a90 100644 --- a/windows/plan/using-the-compatibility-administrator-tool.md 
+++ b/windows/plan/using-the-compatibility-administrator-tool.md @@ -2,8 +2,9 @@ title: Using the Compatibility Administrator Tool (Windows 10) description: This section provides information about using the Compatibility Administrator tool. ms.assetid: 57271e47-b9b9-4018-a0b5-7115a533166d -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/using-the-sdbinstexe-command-line-tool.md b/windows/plan/using-the-sdbinstexe-command-line-tool.md index 26fdc888d1..fdd93bf2f3 100644 --- a/windows/plan/using-the-sdbinstexe-command-line-tool.md +++ b/windows/plan/using-the-sdbinstexe-command-line-tool.md @@ -2,8 +2,9 @@ title: Using the Sdbinst.exe Command-Line Tool (Windows 10) description: You must deploy your customized database (.sdb) files to other computers in your organization before your compatibility fixes, compatibility modes, and AppHelp messages are applied. ms.assetid: c1945425-3f8d-4de8-9d2d-59f801f07034 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/using-the-sua-tool.md b/windows/plan/using-the-sua-tool.md index 978389cd95..c758d2f32d 100644 --- a/windows/plan/using-the-sua-tool.md +++ b/windows/plan/using-the-sua-tool.md @@ -2,8 +2,9 @@ title: Using the SUA Tool (Windows 10) description: By using the Standard User Analyzer (SUA) tool, you can test your applications and monitor API calls to detect compatibility issues with the User Account Control (UAC) feature. ms.assetid: ebe52061-3816-47f7-a865-07bc5f405f03 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/using-the-sua-wizard.md b/windows/plan/using-the-sua-wizard.md index 7571be582c..a8f3b3ce03 100644 --- a/windows/plan/using-the-sua-wizard.md 
+++ b/windows/plan/using-the-sua-wizard.md @@ -2,8 +2,9 @@ title: Using the SUA Wizard (Windows 10) description: The Standard User Analyzer (SUA) Wizard works much like the SUA tool to evaluate User Account Control (UAC) issues. However, the SUA Wizard does not offer detailed analysis, and it cannot disable virtualization or elevate your permissions. ms.assetid: 29d07074-3de7-4ace-9a54-678af7255d6c -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/viewing-the-events-screen-in-compatibility-administrator.md b/windows/plan/viewing-the-events-screen-in-compatibility-administrator.md index 29d76d517d..8c89db2a64 100644 --- a/windows/plan/viewing-the-events-screen-in-compatibility-administrator.md +++ b/windows/plan/viewing-the-events-screen-in-compatibility-administrator.md @@ -2,8 +2,9 @@ title: Viewing the Events Screen in Compatibility Administrator (Windows 10) description: The Events screen enables you to record and to view your activities in the Compatibility Administrator tool, provided that the screen is open while you perform the activities. ms.assetid: f2b2ada4-1b7b-4558-989d-5b52b40454b3 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/viewing-your-compatibility-reports.md b/windows/plan/viewing-your-compatibility-reports.md index b1a40653dc..c0f5ffaae9 100644 --- a/windows/plan/viewing-your-compatibility-reports.md +++ b/windows/plan/viewing-your-compatibility-reports.md 
@@ -2,8 +2,9 @@ title: Viewing Your Compatibility Reports (Windows 10) description: This section describes the compatibility reports in Application Compatibility Manager (ACM) and how you can work with the reports. ms.assetid: a28bbfbe-5f05-4a1e-9397-0a3ceb585871 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/websiteurl-dialog-box.md b/windows/plan/websiteurl-dialog-box.md index 10f108276b..f9f44433db 100644 --- a/windows/plan/websiteurl-dialog-box.md +++ b/windows/plan/websiteurl-dialog-box.md @@ -2,8 +2,9 @@ title: WebsiteURL Dialog Box (Windows 10) description: In Application Compatibility Manager (ACM), the websiteURL dialog box shows information about the selected website. ms.assetid: 0dad26e1-4bba-4fef-b160-3fa1f4325da8 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/welcome-to-act.md b/windows/plan/welcome-to-act.md index fdbbc6ad7d..c6755be21e 100644 --- a/windows/plan/welcome-to-act.md +++ b/windows/plan/welcome-to-act.md @@ -2,8 +2,9 @@ title: Welcome to ACT (Windows 10) description: The Application Compatibility Toolkit (ACT) helps you determine whether the applications, devices, and computers in your organization are compatible with versions of the Windows® operating system. ms.assetid: 3963db88-83d2-4b9a-872e-31c275d1a321 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/whats-new-in-act-60.md b/windows/plan/whats-new-in-act-60.md index c765ca62eb..b516ef3eae 100644 --- a/windows/plan/whats-new-in-act-60.md +++ b/windows/plan/whats-new-in-act-60.md 
@@ -2,8 +2,9 @@ title: What's New in ACT 6.1 (Windows 10) description: Two major updates have been released since ACT 6.1. ms.assetid: f12e137d-0b55-4f7d-88e0-149302655d9b -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/windows-10-compatibility.md b/windows/plan/windows-10-compatibility.md index 7823fc3961..7466117367 100644 --- a/windows/plan/windows-10-compatibility.md +++ b/windows/plan/windows-10-compatibility.md @@ -2,9 +2,10 @@ title: Windows 10 compatibility (Windows 10) description: Windows 10 will be compatible with most existing PC hardware; most devices running Windows 7, Windows 8, or Windows 8.1 will meet the requirements for Windows 10. ms.assetid: 829BE5B5-330A-4702-807A-8908B4FC94E8 -keywords: ["deploy", "upgrade", "update", "appcompat"] -ms.prod: W10 +keywords: deploy, upgrade, update, appcompat +ms.prod: w10 ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: mtniehaus --- diff --git a/windows/plan/windows-10-deployment-considerations.md b/windows/plan/windows-10-deployment-considerations.md index 51d122fa2b..cefe2e8c90 100644 --- a/windows/plan/windows-10-deployment-considerations.md +++ b/windows/plan/windows-10-deployment-considerations.md @@ -2,8 +2,8 @@ title: Windows 10 deployment considerations (Windows 10) description: There are new deployment options in Windows 10 that help you simplify the deployment process and automate migration of existing settings and applications. ms.assetid: A8DD6B37-1E11-4CD6-B588-92C2404219FE -keywords: ["deploy", "upgrade", "update", "in-place"] -ms.prod: W10 +keywords: deploy, upgrade, update, in-place +ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library author: mtniehaus diff --git a/windows/plan/windows-10-guidance-for-education-environments.md b/windows/plan/windows-10-guidance-for-education-environments.md index c40e7da07e..599ac55e24 100644 
--- a/windows/plan/windows-10-guidance-for-education-environments.md +++ b/windows/plan/windows-10-guidance-for-education-environments.md @@ -2,10 +2,10 @@ title: Guidance for education environments (Windows 10) description: Find resources to help you plan your deployment of Windows 10 to desktops, laptops, tablets, and other devices in educational institutions. ms.assetid: 225C9D6F-9329-4DDF-B447-6CE7804E314E -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library -ms.pagetype: security +ms.pagetype: edu, security author: craigash --- diff --git a/windows/plan/windows-10-infrastructure-requirements.md b/windows/plan/windows-10-infrastructure-requirements.md index bfa40b1eca..f8a5b10095 100644 --- a/windows/plan/windows-10-infrastructure-requirements.md +++ b/windows/plan/windows-10-infrastructure-requirements.md @@ -2,8 +2,8 @@ title: Windows 10 infrastructure requirements (Windows 10) description: There are specific infrastructure requirements to deploy and manage Windows 10 that should be in place prior to significant Windows 10 deployments within your organization. ms.assetid: B0FA27D9-A206-4E35-9AE6-74E70748BE64 -keywords: ["deploy", "upgrade", "update", "hardware"] -ms.prod: W10 +keywords: deploy, upgrade, update, hardware +ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library author: mtniehaus diff --git a/windows/plan/windows-10-servicing-options.md b/windows/plan/windows-10-servicing-options.md index 0cf0cd63eb..2e67c97c04 100644 --- a/windows/plan/windows-10-servicing-options.md +++ b/windows/plan/windows-10-servicing-options.md 
@@ -2,9 +2,10 @@ title: Windows 10 servicing options (Windows 10) description: Windows 10 provides a new model for organizations to deploy and upgrade Windows by providing updates to features and capabilities through a continual process. ms.assetid: 6EF0792C-B587-497D-8489-4A7F5848D92A -keywords: ["deploy", "upgrade", "update", "servicing"] -ms.prod: W10 +keywords: deploy, upgrade, update, servicing +ms.prod: w10 ms.mktglfcycl: plan +ms.pagetype: servicing ms.sitesec: library author: mtniehaus --- diff --git a/windows/plan/windows-to-go-frequently-asked-questions.md b/windows/plan/windows-to-go-frequently-asked-questions.md index 0eaa4178e6..a9f0dfee6c 100644 --- a/windows/plan/windows-to-go-frequently-asked-questions.md +++ b/windows/plan/windows-to-go-frequently-asked-questions.md @@ -2,9 +2,10 @@ title: Windows To Go frequently asked questions (Windows 10) description: Windows To Go frequently asked questions ms.assetid: bfdfb824-4a19-4401-b369-22c5e6ca9d6e -keywords: ["FAQ, mobile, device, USB"] -ms.prod: W10 +keywords: FAQ, mobile, device, USB +ms.prod: w10 ms.mktglfcycl: deploy +ms.pagetype: mobility ms.sitesec: library author: mtniehaus --- diff --git a/windows/plan/windows-to-go-overview.md b/windows/plan/windows-to-go-overview.md index c473ab949b..f00dfb55ea 100644 --- a/windows/plan/windows-to-go-overview.md +++ b/windows/plan/windows-to-go-overview.md @@ -2,9 +2,10 @@ title: Windows To Go feature overview (Windows 10) description: Windows To Go is a feature in Windows 10 Enterprise and Windows 10 Education that enables the creation of a Windows To Go workspace that can be booted from a USB-connected external drive on PCs. ms.assetid: 9df82b03-acba-442c-801d-56db241f8d42 -keywords: ["workspace, mobile, installation, image, USB, device, image"] +keywords: workspace, mobile, installation, image, USB, device, image, edu ms.prod: w10 ms.mktglfcycl: deploy +ms.pagetype: mobility, edu ms.sitesec: library author: mtniehaus --- 
diff --git a/windows/plan/windows-update-for-business.md b/windows/plan/windows-update-for-business.md index 7371c01825..67c4200203 100644 --- a/windows/plan/windows-update-for-business.md +++ b/windows/plan/windows-update-for-business.md @@ -2,7 +2,7 @@ title: Windows Update for Business (Windows 10) description: Get an overview of how you can implement and deploy a Windows Update for Business solution and how to maintain enrolled systems. ms.assetid: DF61F8C9-A8A6-4E83-973C-8ABE090DB8C6 -keywords: [update, upgrade, deployment, WSUS +keywords: update, upgrade, deployment, WSUS ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library
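Review bot: the windows-update-for-business.md hunk is more than a style change: the removed line `keywords: [update, upgrade, deployment, WSUS` has no closing bracket, so the old front matter was malformed YAML and the new `keywords: update, upgrade, deployment, WSUS` form fixes a parse problem. Worth stating that in the commit message, and worth grepping the rest of windows/plan for any other `keywords: [` line that never closes before merging, since the same flattened-list conversion is applied by hand file by file here.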
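Review bot: ms.pagetype coverage is inconsistent across the windows-10-*.md hunks: windows-10-compatibility.md gains `ms.pagetype: appcompat` and windows-10-servicing-options.md gains `ms.pagetype: servicing`, but windows-10-deployment-considerations.md and windows-10-infrastructure-requirements.md get no ms.pagetype at all. If that is deliberate, fine; if every topic under windows/plan is meant to carry a page type, those two are missing one. Also, the guidance-for-education-environments.md hunk (`ms.pagetype: edu, security`) and the windows-to-go-overview.md hunk (`ms.pagetype: mobility, edu`) are the first places this patch uses a comma-separated value for ms.pagetype; confirm the build accepts a list there rather than a single token, otherwise both files will be tagged with a literal "edu, security" string.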
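Review bot: in the whats-new-in-act-60.md hunk the unchanged context lines disagree with each other: the file is named `whats-new-in-act-60.md`, the title is `What's New in ACT 6.1 (Windows 10)`, and the description reads `Two major updates have been released since ACT 6.1.`, which describes what came after 6.1 rather than what is new in it. Since this change already touches that front matter block, it is a good moment to make the description say what the page covers (or rename the file to match the title), rather than shipping a corrected ms.prod/ms.pagetype alongside a contradictory title/description pair.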