Merge remote-tracking branch 'refs/remotes/origin/master' into edu-may

This commit is contained in:
jdeckerMS 2016-05-24 07:12:51 -07:00
commit 9f8f16eaba
155 changed files with 1781 additions and 1357 deletions

View File

@ -25,7 +25,7 @@ Using the GP configuration package ensures your endpoints will be correctly conf
> **Note**  To use GP updates to deploy the package, you must be on Windows Server 2008 R2 or later. The endpoints must be running Windows 10 Insider Preview Build 14332 or later.
1. Open the GP configuration package .zip file (*WindowsATPOnboardingPackage_GroupPolicy.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. Click **Client onboarding** on the **Navigation pane**.
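Review bot: the package is now named with the generic *WindowsDefenderATPOnboardingPackage.zip* instead of the method-specific *WindowsATPOnboardingPackage_GroupPolicy.zip*, so an administrator who has downloaded packages for more than one deployment method can no longer tell them apart by file name; suggest adding to step 1 that the file name is the same for every method and that this one is obtained by choosing the Group Policy deployment method in the portal's Client onboarding page. The Note's requirements ("Windows Server 2008 R2 or later", "Insider Preview Build 14332 or later") are unchanged and still read correctly against the new step.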
@ -52,13 +52,13 @@ For additional settings, see the [Additional configuration settings section](add
## Configure with System Center Configuration Manager
1. Open the SCCM configuration package .zip file (*WindowsATPOnboardingPackage_ConfigurationManager.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
1. Open the SCCM configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. Click **Client onboarding** on the **Navigation pane**.
b. Select **System Center Configuration Manager**, click **Download package**, and save the .zip file.
2. Copy the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file called *WindowsDefenderATPOnboardingScript.cmd*.
3. Import the configuration package by following the steps in the [How to Create Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682112.aspx#BKMK_Import) topic.
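Review bot: step 3 ("Import the configuration package by following the steps in the How to Create Packages and Programs in Configuration Manager topic") no longer lines up with the new step 2, which extracts the .zip and leaves *WindowsDefenderATPOnboardingScript.cmd* on the share; the reader cannot tell whether to import the .zip or to build a package whose program runs the extracted .cmd. Suggest rewording step 3 to name the extracted script as the program the Configuration Manager package executes. Keeping the share "read-only" and limited to "the network administrators who will deploy the package" is the right requirement, since that script is what every endpoint receiving the package will run, so nobody outside that group should be able to modify it.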
@ -76,12 +76,12 @@ You can also manually onboard individual endpoints to Windows Defender ATP. You
a. Click **Client onboarding** on the **Navigation pane**.
b. Select **Manually on-board local machine**, click **Download package** and save the .zip file.
b. Select **Local Script**, click **Download package** and save the .zip file.
2. Extract the contents of the configuration package to a location on the endpoint you want to onboard (for example, the Desktop). You should have a file called *WindowsDefenderATPOnboardingScript.cmd*.
2. Open an elevated command-line prompt on the endpoint and run the script:
3. Open an elevated command-line prompt on the endpoint and run the script:
a. Click **Start** and type **cmd**.
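Review bot: the new step 2 tells the reader to extract the package "to a location on the endpoint you want to onboard (for example, the Desktop)", and step 3 then runs the extracted *WindowsDefenderATPOnboardingScript.cmd* from an elevated prompt; suggest adding that the extracted script is deleted once onboarding has been validated, since a copy of a script that is run elevated should not be left in a user-writable folder on the workstation. Also, step 2 calls the download "the configuration package" while sub-step b calls it "the .zip file"; using one term keeps the sequence clear.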
@ -89,9 +89,9 @@ You can also manually onboard individual endpoints to Windows Defender ATP. You
![Window Start menu pointing to Run as administrator](images/run-as-admin.png)
3. Type the location of the script file. If you copied the file to the desktop, type: *`%userprofile%\Desktop\WindowsDefenderATPOnboardingScript.cmd`*
4. Type the location of the script file. If you copied the file to the desktop, type: *`%userprofile%\Desktop\WindowsDefenderATPOnboardingScript.cmd`*
4. Press the **Enter** key or click **OK**.
5. Press the **Enter** key or click **OK**.
See the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) topic for details on how you can manually validate that the endpoint is compliant and correctly reports telemetry.
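Review bot: steps 4 and 5 are a straight renumbering after the inserted extraction step, which is correct, but the example path is wrapped in both italics and a code span (*`%userprofile%\Desktop\WindowsDefenderATPOnboardingScript.cmd`*); Markdown renderers frequently print the asterisks literally around inline code, so suggest keeping only the backticks. Step 5, "Press the **Enter** key or click **OK**", reads as a Run-dialog instruction while step 3 says to open an elevated command-line prompt; say which of the two the reader is in so the "OK" option is not confusing.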

View File

@ -2,86 +2,91 @@
title: DCOM Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax (Windows 10)
description: Describes the best practices, location, values, and security considerations for the DCOM Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax policy setting.
ms.assetid: 0fe3521a-5252-44df-8a47-8d92cf936e7c
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax
**Applies to**
- Windows 10
Describes the best practices, location, values, and security considerations for the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** policy setting.
## Reference
This policy setting allows you to define additional computer-wide controls that govern access to all Distributed Component Object Model (DCOM)based applications on a device. These controls restrict call, activation, or launch requests on the device. A simple way to think about these access controls is as an additional access check that is performed against a device-wide access control list (ACL) on each call, activation, or launch of any COM-based server. If the access check fails, the call, activation, or launch request is denied. (This check is in addition to any access check that is run against the server-specific ACLs.) In effect, it provides a minimum authorization standard that must be passed to access any COM-based server. This policy setting controls access permissions to cover call rights.
These device-wide ACLs provide a way to override weak security settings that are specified by an application through the CoInitializeSecurity function or application-specific security settings. They provide a minimum security standard that must be passed, regardless of the settings of the specific server.
These ACLs also provide a centralized location for an administrator to set a general authorization policy that applies to all COM-based servers on the device.
This policy setting allows you to specify an ACL in two different ways. You can type the security descriptor in SDDL, or you can grant or deny Local Access and Remote Access permissions to users and groups. We recommend that you use the built-in user interface to specify the ACL contents that you want to apply with this setting. The default ACL settings vary, depending on the version of Windows you are running.
### Possible values
- *User-defined input* of the SDDL representation of the groups and privileges
When you specify the users or groups that are to be given permissions, the security descriptor field is populated with the Security Descriptor Definition Language representation of those groups and privileges. Users and groups can be given explicit Allow or Deny privileges for local access and remote access.
- Blank
This represents how the local security policy deletes the policy enforcement key. This value deletes the policy and then sets it as Not defined. The Blank value is set by using the ACL editor to empty the list, and then pressing OK.
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
### Default values
The following table lists the actual and effective default values for this policy. Default values are also listed on the policys property page.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Server type or GPO</th>
<th align="left">Default value</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Default Domain Policy</p></td>
<td align="left"><p>Blank</p></td>
</tr>
<tr class="even">
<td align="left"><p>Default Domain Controller Policy</p></td>
<td align="left"><p>Blank</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Stand-Alone Server Default Settings</p></td>
<td align="left"><p>Blank</p></td>
</tr>
<tr class="even">
<td align="left"><p>DC Effective Default Settings</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Member Server Effective Default Settings</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="even">
<td align="left"><p>Client Computer Effective Default Settings</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
</tbody>
</table>
| Server type or GPO | Default value
| - | - |
| Default Domain Policy | Blank |
| Default Domain Controller Policy | Blank |
| Stand-Alone Server Default Settings | Blank |
| DC Effective Default Settings | Not defined |
| Member Server Effective Default Settings | Not defined |
| Client Computer Effective Default Settings | Not defined |
 
## Policy management
This section describes features and tools that are available to help you manage this policy.
### Restart requirement
None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy.
### Group Policy
The registry settings that are created as a result of enabling the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** policy setting take precedence over the previous registry settings when this policy setting was configured. The Remote Procedure Call (RPC) service checks the new registry keys in the Policies section for the computer restrictions, and these registry entries take precedence over the existing registry keys under OLE. This means that previously existing registry settings are no longer effective, and if you make changes to the existing settings, device access permissions for users are not changed. Use care in configuring the list of users and groups.
If the administrator is denied permission to access DCOM applications due to the changes made to DCOM in the Windows operating system, the administrator can use the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** policy setting to manage DCOM access to the computer. The administrator can use this setting to specify which users and groups can access the DCOM application on the computer locally and remotely. This will restore control of the DCOM application to the administrator and users. To do this, open the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** setting, and click **Edit Security**. Specify the users or groups you want to include and the computer access permissions for those users or groups. This defines the setting and sets the appropriate SDDL value.
If the administrator is denied permission to access DCOM applications due to the changes made to DCOM in the Windows operating system, the administrator can use the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** policy setting to manage DCOM access to the computer. The administrator can use this setting to specify which users and groups can access the DCOM application on the computer locally and remotely. This will restore control of the DCOM application to the administrator and users. To do this, open the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** setting, and click
**Edit Security**. Specify the users or groups you want to include and the computer access permissions for those users or groups. This defines the setting and sets the appropriate SDDL value.
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
### Vulnerability
Many COM applications include some security-specific code (for example, to call CoInitializeSecurity), but they use weak settings that allow unauthenticated access to the process. Administrators cannot override these settings to force stronger security in earlier versions of Windows without modifying the application. An attacker could attempt to exploit weak security in an individual application by attacking it through COM calls.
Also, the COM infrastructure includes the Remote Procedure Call Services (RPCSS), a system service that runs during and after computer startup. This service manages activation of COM objects and the running object table and provides helper services to DCOM remoting. It exposes RPC interfaces that can be called remotely. Because some COM-based servers allow unauthenticated remote access, these interfaces can be called by anyone, including unauthenticated users. As a result, RPCSS can be attacked by malicious users who use remote, unauthenticated computers.
### Countermeasure
To protect individual COM-based applications or services, set the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** setting to an appropriate device-wide ACL.
### Potential impact
Windows implements default COM ACLs when they are installed. Modifying these ACLs from the default may cause some applications or components that communicate by using DCOM to fail. If you implement a COM-based server and you override the default security settings, confirm that the application-specific call permissions that ACL assigns are the correct permissions for appropriate users. If it does not, you must change your application-specific permission ACL to provide appropriate users with activation rights so that applications and Windows components that use DCOM do not fail.
## Related topics
[Security Options](security-options.md)
- [Security Options](security-options.md)
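Review bot: the header row of the new Markdown table is malformed: `| Server type or GPO | Default value` has no closing pipe while the separator row `| - | - |` does; most renderers still parse it, but it should be `| Server type or GPO | Default value |` to match the other converted pages in this commit. The six data rows match the HTML table row for row, and turning the "Related topics" link into a list item is consistent with the other pages. The two whitespace-only lines left at the end of the file can be dropped.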
 
 

View File

@ -2,86 +2,90 @@
title: DCOM Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax (Windows 10)
description: Describes the best practices, location, values, and security considerations for the DCOM Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax security policy setting.
ms.assetid: 4b95d45f-dd62-4c34-ba32-43954528dabe
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax
**Applies to**
- Windows 10
Describes the best practices, location, values, and security considerations for the **DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax** security policy setting.
## Reference
This policy setting is similar to the [DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax](dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md) setting in that it allows you to define additional computer-wide controls that govern access to all DCOMbased applications on a device. However, the ACLs that are specified in this policy setting control local and remote COM launch requests (not access requests) on the device. A simple way to think about this access control is as an additional access check that is performed against a device-wide ACL on each launch of any COM-based server. If the access check fails, the call, activation, or launch request is denied. (This check is in addition to any access check that is run against the server-specific ACLs.) In effect, it provides a minimum authorization standard that must be passed to launch any COM-based server. The DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax policy setting differs in that it provides a minimum access check that is applied to attempts to access an already launched COM-based server.
These device-wide ACLs provide a way to override weak security settings that are specified by an application through CoInitializeSecurity or application-specific security settings. They provide a minimum security standard that must be passed, regardless of the settings of the specific COM-based server. These ACLs provide a centralized location for an administrator to set a general authorization policy that applies to all COM-based servers.
The **DCOM: Machine Launch Restrictions in the Security Descriptor Definition Language (SDDL) syntax** setting allows you to specify an ACL in two ways. You can type the security descriptor in SDDL, or you can grant or deny Local Access and Remote Access permissions to users and groups. We recommend that you use the built-in user interface to specify the ACL contents that you want to apply with this setting. The default ACL settings vary, depending on the version of Windows you are running.
The **DCOM: Machine Launch Restrictions in the Security Descriptor Definition Language (SDDL) syntax** setting allows you to specify an ACL in two ways. You can type the security descriptor in SDDL, or you can grant or deny Local
Access and Remote Access permissions to users and groups. We recommend that you use the built-in user interface to specify the ACL contents that you want to apply with this setting. The default ACL settings vary, depending on the version of Windows you are running.
### Possible values
- Blank
This represents how the local security policy deletes the policy enforcement key. This value deletes the policy and then sets it to Not defined. The Blank value is set by using the ACL editor to empty the list, and then pressing OK.
- *User-defined input* of the SDDL representation of the groups and privileges
When you specify the users or groups that are to be given permission, the security descriptor field is populated with the Security Descriptor Definition Language representation of those groups and privileges. Users and groups can be given explicit Allow or Deny privileges on both local access and remote access.
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
### Default values
The following table lists the actual and effective default values for this policy. Default values are also listed on the policys property page.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Server type or GPO</th>
<th align="left">Default value</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Default Domain Policy</p></td>
<td align="left"><p>Blank</p></td>
</tr>
<tr class="even">
<td align="left"><p>Default Domain Controller Policy</p></td>
<td align="left"><p>Blank</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Stand-Alone Server Default Settings</p></td>
<td align="left"><p>Blank</p></td>
</tr>
<tr class="even">
<td align="left"><p>DC Effective Default Settings</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Member Server Effective Default Settings</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="even">
<td align="left"><p>Client Computer Effective Default Settings</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
</tbody>
</table>
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy | Blank |
| Default Domain Controller Policy | Blank|
| Stand-Alone Server Default Settings |Blank |
| DC Effective Default Settings | Not defined|
| Member Server Effective Default Settings | Not defined |
| Client Computer Effective Default Settings | Not defined|
 
## Policy management
This section describes features and tools that are available to help you manage this policy.
### Restart requirement
None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy.
### Group Policy
The registry settings that are created as a result of this policy take precedence over the previous registry settings in this area. The Remote Procedure Call (RPC) service (RpcSs) checks the new registry keys in the Policies section for the computer restrictions; these entries take precedence over the existing registry keys under OLE.
If you are denied access to activate and launch DCOM applications due to the changes made to DCOM in the Windows operating system, this policy setting can be used to control the DCOM activation and launch to the device.
You can specify which users and groups can launch and activate DCOM applications on the device locally and remotely by using the **DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax** policy setting. This restores control of the DCOM application to the administrator and specified users. To do this, open the **DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax** setting, and click **Edit Security**. Specify the groups that you want to include and the device launch permissions for those groups. This defines the setting and sets the appropriate SDDL value.
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
### Vulnerability
Many COM applications include some security-specific code (for example, to call CoInitializeSecurity), but they use weak settings that allow unauthenticated access to the process. You cannot override these settings to force stronger security in earlier versions of Windows without modifying the application. An attacker could attempt to exploit weak security in an individual application by attacking it through COM calls.
Also, the COM infrastructure includes the Remote Procedure Call Service (RPCSS), a system service that runs during computer startup and always runs after that. This service manages activation of COM objects and the running object table and provides helper services to DCOM remoting. It exposes RPC interfaces that can be called remotely. Because some COM-based servers allow unauthenticated remote component activation, these interfaces can be called by anyone, including unauthenticated users. As a result, RPCSS can be attacked by malicious users using remote, unauthenticated computers.
### Countermeasure
To protect individual COM-based applications or services, set this policy setting to an appropriate computer-wide ACL.
### Potential impact
Windows implements default COM ACLs when they are installed. Modifying these ACLs from the default may cause some applications or components that communicate by using DCOM to fail. If you implement a COM-based server and you override the default security settings, confirm that the application-specific launch permissions ACL assigns include activation permissions to appropriate users. If it does not, you must change your application-specific launch permission ACL to provide appropriate users with activation rights so that applications and Windows components that use DCOM do not fail.
## Related topics
[Security Options](security-options.md)
 
 
- [Security Options](security-options.md)
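Review bot: the converted table pads its cells inconsistently (`| Default Domain Controller Policy | Blank|`, `| Stand-Alone Server Default Settings |Blank |`, `| DC Effective Default Settings | Not defined|`); it renders, but normalizing to one space on each side of every pipe, as the `| Default Domain Policy | Blank |` row already does, keeps the two DCOM pages alike. Also, the new `- [Security Options](security-options.md)` item sits below the two whitespace-only lines that follow the old unbulleted link, so check the rendered page shows it directly under "## Related topics" rather than after a blank gap.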

View File

@ -2,88 +2,91 @@
title: Debug programs (Windows 10)
description: Describes the best practices, location, values, policy management, and security considerations for the Debug programs security policy setting.
ms.assetid: 594d9f2c-8ffc-444b-9522-75615ec87786
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Debug programs
**Applies to**
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Debug programs** security policy setting.
## Reference
This policy setting determines which users can attach to or open any process, even those they do not own. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components need this user right. This user right provides access to sensitive and critical operating-system components.
Constant: SeDebugPrivilege
### Possible values
- User-defined list of accounts
- Not defined
### Best practices
- Assign this user right only to trusted users to reduce security vulnerabilities.
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment
### Default values
By default, members of the Administrators group have this right.
The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policys property page.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Server type or GPO</th>
<th align="left">Default value</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Default Domain Policy</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="even">
<td align="left"><p>Default Domain Controller Policy</p></td>
<td align="left"><p>Administrators</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Stand-Alone Server Default Settings</p></td>
<td align="left"><p>Administrators</p></td>
</tr>
<tr class="even">
<td align="left"><p>Domain Controller Effective Default Settings</p></td>
<td align="left"><p>Administrators</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Member Server Effective Default Settings</p></td>
<td align="left"><p>Administrators</p></td>
</tr>
<tr class="even">
<td align="left"><p>Client Computer Effective Default Settings</p></td>
<td align="left"><p>Administrators</p></td>
</tr>
</tbody>
</table>
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy | Not defined|
| Default Domain Controller Policy | Administrators |
| Stand-Alone Server Default Settings | Administrators |
| Domain Controller Effective Default Settings | Administrators |
| Member Server Effective Default Settings | Administrators |
| Client Computer Effective Default Settings | Administrators |
 
## Policy management
This section describes features and tools that are available to help you manage this policy.
A restart of the device is not required for this policy setting to be effective.
Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
### Group Policy
Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update:
1. Local policy settings
2. Site policy settings
3. Domain policy settings
4. OU policy settings
When a local setting is greyed out, it indicates that a GPO currently controls that setting.
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
### Vulnerability
The **Debug programs** user right can be exploited to capture sensitive device information from system memory or to access and modify kernel or application structures. Some attack tools exploit this user right to extract hashed passwords and other private security information or to insert malware. By default, the **Debug programs** user right is assigned only to administrators, which helps mitigate risk from this vulnerability.
The **Debug programs** user right can be exploited to capture sensitive device information from system memory or to access and modify kernel or application structures. Some attack tools exploit this user right to extract hashed passwords and other private security information or to insert malware.
By default, the **Debug programs** user right is assigned only to administrators, which helps mitigate risk from this vulnerability.
### Countermeasure
Remove the accounts of all users and groups that do not require the **Debug programs** user right.
### Potential impact
If you revoke this user right, no one can debug programs. However, typical circumstances rarely require this capability on production devices. If an issue arises that requires an application to be debugged on a production server, you can move the server to a different organizational unit (OU) temporarily and assign the **Debug programs** user right to a separate Group Policy for that OU.
If you revoke this user right, no one can debug programs. However, typical circumstances rarely require this capability on production devices. If an issue arises that requires an application to be debugged on a production server, you can move the server to a different organizational unit (OU)
temporarily and assign the **Debug programs** user right to a separate Group Policy for that OU.
## Related topics
[User Rights Assignment](user-rights-assignment.md)
 
 
- [User Rights Assignment](user-rights-assignment.md)
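Review bot: the "Potential impact" paragraph is wrapped mid-sentence between "organizational unit (OU)" and "temporarily and assign", and the "Vulnerability" text is split so that "By default, the **Debug programs** user right is assigned only to administrators" stands as its own paragraph; both render, but whichever version is kept should stay on one line per paragraph like the rest of the file. The table cell `| Default Domain Policy | Not defined|` is missing the space before its closing pipe. On substance, the guidance holds (remove every account that does not need SeDebugPrivilege; grant it through a separate OU GPO only while a production server is being debugged); consider stating that the temporary GPO assignment is reverted when the debugging session ends, since the page itself notes this right reaches kernel and application memory.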

View File

@ -2,26 +2,33 @@
title: Delete an AppLocker rule (Windows 10)
description: This topic for IT professionals describes the steps to delete an AppLocker rule.
ms.assetid: 382b4be3-0df9-4308-89b2-dcf9df351eb5
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Delete an AppLocker rule
**Applies to**
- Windows 10
This topic for IT professionals describes the steps to delete an AppLocker rule.
As older apps are retired and new apps are deployed in your organization, it will be necessary to modify the application control policies. If an app becomes unsupported by the IT department or is no longer allowed due to the organization's security policy, then deleting the rule or rules associated with that app will prevent the app from running.
For info about testing an AppLocker policy to see what rules affect which files or applications, see [Test an AppLocker policy by Using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md).
You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins).
You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer
AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins).
**To delete a rule in an AppLocker policy**
1. Open the AppLocker console.
2. Click the appropriate rule collection for which you want to delete the rule.
3. In the details pane, right-click the rule to delete, click **Delete**, and then click **Yes**.
**Note**  
When using Group Policy, for the rule deletion to take effect on computers within the domain, the GPO must be distributed or refreshed.
>**Note:**  When using Group Policy, for the rule deletion to take effect on computers within the domain, the GPO must be distributed or refreshed.
When this procedure is performed on the local device, the AppLocker policy takes effect immediately.
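Review bot: the note has been converted to a blockquote (`>**Note:**  When using Group Policy, ...`) but the next line, "When this procedure is performed on the local device, the AppLocker policy takes effect immediately.", follows it with no blank line in between; Markdown lazy continuation will pull that sentence into the blockquote, so the contrast between the domain case (GPO must be distributed or refreshed) and the local case (immediate) is lost in the rendered note. Insert a blank line after the note, and add a space after `>` for readability. The old two-line form (`**Note**` followed by the sentence) should not survive beside the new one, and the whitespace-only lines at the end of the file can go.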
 
 
 

View File

@ -2,94 +2,99 @@
title: Deny access to this computer from the network (Windows 10)
description: Describes the best practices, location, values, policy management, and security considerations for the Deny access to this computer from the network security policy setting.
ms.assetid: 935e9f89-951b-4163-b186-fc325682bb0b
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Deny access to this computer from the network
**Applies to**
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Deny access to this computer from the network** security policy setting.
## Reference
This security setting determines which users are prevented from accessing a device over the network.
Constant: SeDenyNetworkLogonRight
### Possible values
- User-defined list of accounts
- Guest
### Best practices
- Because all Active Directory Domain Services programs use a network logon for access, use caution when you assign this user right on domain controllers.
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment
### Default values
By default, this setting is Guest on domain controllers and on stand-alone servers.
The following table lists the actual and effective default policy values. Default values are also listed on the policys property page.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Server type or GPO</th>
<th align="left">Default value</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Default Domain Policy</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="even">
<td align="left"><p>Default Domain Controller Policy</p></td>
<td align="left"><p>Guest</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Stand-Alone Server Default Settings</p></td>
<td align="left"><p>Guest</p></td>
</tr>
<tr class="even">
<td align="left"><p>Domain Controller Effective Default Settings</p></td>
<td align="left"><p>Guest</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Member Server Effective Default Settings</p></td>
<td align="left"><p>Guest</p></td>
</tr>
<tr class="even">
<td align="left"><p>Client Computer Effective Default Settings</p></td>
<td align="left"><p>Guest</p></td>
</tr>
</tbody>
</table>
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy | Not defined |
| Default Domain Controller Policy | Guest |
| Stand-Alone Server Default Settings | Guest |
| Domain Controller Effective Default Settings | Guest |
| Member Server Effective Default Settings | Guest |
| Client Computer Effective Default Settings | Guest |
 
## Policy management
This section describes features and tools available to help you manage this policy.
A restart of the device is not required for this policy setting to be effective.
This policy setting supersedes the **Access this computer from the network** policy setting if a user account is subject to both policies.
Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
### Group Policy
Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update:
1. Local policy settings
2. Site policy settings
3. Domain policy settings
4. OU policy settings
When a local setting is greyed out, it indicates that a GPO currently controls that setting.
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
### Vulnerability
Users who can log on to the device over the network can enumerate lists of account names, group names, and shared resources. Users with permission to access shared folders and files can connect over the network and possibly view or modify data.
### Countermeasure
Assign the **Deny access to this computer from the network** user right to the following accounts:
- Anonymous logon
- Built-in local Administrator account
- Local Guest account
- All service accounts
An important exception to this list is any service accounts that are used to start services that must connect to the device over the network. For example, lets say you have configured a shared folder for web servers to access, and you present content within that folder through a website. You may need to allow the account that runs IIS to log on to the server with the shared folder from the network. This user right is particularly effective when you must configure servers and workstations on which sensitive information is handled because of regulatory compliance concerns.
### Potential impact
If you configure the **Deny access to this computer from the network** user right for other accounts, you could limit the abilities of users who are assigned to specific administrative roles in your environment. You should verify that delegated tasks are not negatively affected.
## Related topics
[User Rights Assignment](user-rights-assignment.md)
 
 
- [User Rights Assignment](user-rights-assignment.md)

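Review bot: the sentence `By default, this setting is Guest on domain controllers and on stand-alone servers.` understates the table that follows it, which lists Guest as the effective default for member servers and client computers as well; either widen the sentence or drop it so the converted table is the single source of truth. While the table is being touched, `policys property page` is missing its apostrophe (`policy's`), and `lets say` under Countermeasure should be `let's say`.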

@ -2,92 +2,98 @@
title: Deny log on as a batch job (Windows 10)
description: Describes the best practices, location, values, policy management, and security considerations for the Deny log on as a batch job security policy setting.
ms.assetid: 0ac36ebd-5e28-4b6a-9b4e-8924c6ecf44b
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Deny log on as a batch job
**Applies to**
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Deny log on as a batch job** security policy setting.
## Reference
This policy setting determines which accounts are prevented from logging on by using a batch-queue tool to schedule and start jobs automatically in the future. The ability to log on by using a batch-queue tool is needed for any account that is used to start scheduled jobs by means of the Task Scheduler.
This policy setting determines which accounts are prevented from logging on by using a batch-queue tool to schedule and start jobs automatically in the future. The ability to log on by using a batch-queue tool is needed for any account that is used to start scheduled jobs by means of the Task
Scheduler.
Constant: SeDenyBatchLogonRight
### Possible values
- User-defined list of accounts
- Not defined
### Best practices
1. When you assign this user right, thoroughly test that the effect is what you intended.
2. Within a domain, modify this setting on the applicable Group Policy Object (GPO).
3. **Deny log on as a batch job** prevents administrators or operators from using their personal accounts to schedule tasks, which helps with business continuity when that person transitions to other positions or responsibilities.
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment
### Default values
The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policys property page.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Server type or GPO</th>
<th align="left">Default value</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Default Domain Policy</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="even">
<td align="left"><p>Default Domain Controller Policy</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Stand-Alone Server Default Settings</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="even">
<td align="left"><p>Domain Controller Effective Default Settings</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Member Server Effective Default Settings</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="even">
<td align="left"><p>Client Computer Effective Default Settings</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
</tbody>
</table>
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy | Not defined|
| Default Domain Controller Policy | Not defined |
| Stand-Alone Server Default Settings | Not defined |
| Domain Controller Effective Default Settings | Not defined |
| Member Server Effective Default Settings | Not defined |
| Client Computer Effective Default Settings | Not defined |
 
## Policy management
This section describes features and tools available to help you manage this policy.
A restart of the device is not required for this policy setting to be effective.
Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
This policy setting might conflict with and negate the **Log on as a batch job** setting.
### Group Policy
On a domain-joined device, including the domain controller, this policy can be overwritten by a domain policy, which will prevent you from modifying the local policy setting.
For example, if you are trying to configure Task Scheduler on your domain controller, check the Settings tab of your two domain controller policy and domain policy GPOs in the Group Policy Management Console (GPMC). Verify the targeted account is not present in the **Deny log on as a batch job** User Rights Assignment and also correctly configured in the **Log on as a batch job** setting.
For example, if you are trying to configure Task Scheduler on your domain controller, check the Settings tab of your two domain controller policy and domain policy GPOs in the Group Policy Management Console (GPMC). Verify the targeted account is not present in the **Deny log on as a batch job**
User Rights Assignment and also correctly configured in the **Log on as a batch job** setting.
Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update:
1. Local policy settings
2. Site policy settings
3. Domain policy settings
4. OU policy settings
When a local setting is greyed out, it indicates that a GPO currently controls that setting.
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
### Vulnerability
Accounts that have the **Deny log on as a batch job** user right could be used to schedule jobs that could consume excessive computer resources and cause a denial-of-service condition.
### Countermeasure
Assign the **Deny log on as a batch job** user right to the local Guest account.
### Potential impact
If you assign the **Deny log on as a batch job** user right to other accounts, you could deny the ability to perform required job activities to users who are assigned specific administrative roles. You should confirm that delegated tasks are not affected adversely.
## Related topics
[User Rights Assignment](user-rights-assignment.md)
 
 
- [User Rights Assignment](user-rights-assignment.md)

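Review bot: the Vulnerability sentence `Accounts that have the **Deny log on as a batch job** user right could be used to schedule jobs that could consume excessive computer resources` is inverted: accounts holding the Deny right are exactly the ones that cannot log on as a batch job, so the exposure comes from accounts that are not denied (those granted Log on as a batch job). Suggest `Accounts that are allowed to log on as a batch job could be used to schedule jobs that ...`. Minor: `| Default Domain Policy | Not defined|` lacks the space before the closing pipe that the other rows have, and `policys` needs its apostrophe.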

@ -2,91 +2,95 @@
title: Deny log on as a service (Windows 10)
description: Describes the best practices, location, values, policy management, and security considerations for the Deny log on as a service security policy setting.
ms.assetid: f1114964-df86-4278-9b11-e35c66949794
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Deny log on as a service
**Applies to**
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Deny log on as a service** security policy setting.
## Reference
This policy setting determines which users are prevented from logging on to the service applications on a device.
A service is an application type that runs in the system background without a user interface. It provides core operating system features, such as web serving, event logging, file serving, printing, cryptography, and error reporting.
Constant: SeDenyServiceLogonRight
### Possible values
- User-defined list of accounts
- Not defined
### Best practices
1. When you assign this user right, thoroughly test that the effect is what you intended.
2. Within a domain, modify this setting on the applicable Group Policy Object (GPO).
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment
### Default values
The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policys property page.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Server type or GPO</th>
<th align="left">Default value</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Default Domain Policy</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="even">
<td align="left"><p>Default Domain Controller Policy</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Stand-Alone Server Default Settings</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="even">
<td align="left"><p>Domain Controller Effective Default Settings</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Member Server Effective Default Settings</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="even">
<td align="left"><p>Client Computer Effective Default Settings</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
</tbody>
</table>
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy | Not defined|
| Default Domain Controller Policy | Not defined|
| Stand-Alone Server Default Settings | Not defined |
| Domain Controller Effective Default Settings | Not defined |
| Member Server Effective Default Settings | Not defined |
| Client Computer Effective Default Settings | Not defined |
 
## Policy management
This section describes features and tools available to help you manage this policy.
A restart of the computer is not required for this policy setting to be effective.
Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
### Group Policy
On a domain-joined device, including the domain controller, this policy can be overwritten by a domain policy, which will prevent you from modifying the local policy setting.
This policy setting might conflict with and negate the **Log on as a service** setting.
Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update:
1. Local policy settings
2. Site policy settings
3. Domain policy settings
4. OU policy settings
When a local setting is greyed out, it indicates that a GPO currently controls that setting.
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
### Vulnerability
Accounts that can log on to a service application could be used to configure and start new unauthorized services, such as a keylogger or other malware. The benefit of the specified countermeasure is somewhat reduced by the fact that only users with administrative rights can install and configure services, and an attacker who has already attained that level of access could configure the service to run by using the System account.
Accounts that can log on to a service application could be used to configure and start new unauthorized services, such as a keylogger or other malware. The benefit of the specified countermeasure is somewhat reduced by the fact that only users with administrative rights can install and configure
services, and an attacker who has already attained that level of access could configure the service to run by using the System account.
### Countermeasure
We recommend that you not assign the **Deny log on as a service** user right to any accounts. This is the default configuration. Organizations that are extremely concerned about security might assign this user right to groups and accounts when they are certain that they will never need to log on to a service application.
### Potential impact
If you assign the **Deny log on as a service** user right to specific accounts, services may not start and a denial-of-service condition could result.
## Related topics
[User Rights Assignment](user-rights-assignment.md)
 
 
- [User Rights Assignment](user-rights-assignment.md)

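Review bot: `A restart of the computer is not required for this policy setting to be effective.` uses `computer` where the sibling pages in this change say `device`; use `device` for consistency. The first two table rows, `| Default Domain Policy | Not defined|` and `| Default Domain Controller Policy | Not defined|`, are missing the space before the closing pipe, and `policys property page` needs its apostrophe. The rewrap at `...only users with administrative rights can install and configure` / `services, and an attacker...` is a pure line break and is fine.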

@ -2,90 +2,92 @@
title: Deny log on locally (Windows 10)
description: Describes the best practices, location, values, policy management, and security considerations for the Deny log on locally security policy setting.
ms.assetid: 00150e88-ec9c-43e1-a70d-33bfe10434db
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Deny log on locally
**Applies to**
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Deny log on locally** security policy setting.
## Reference
This policy setting determines which users are prevented from logging on directly at the device's console.
Constant: SeDenyInteractiveLogonRight
### Possible values
- User-defined list of accounts
- Not defined
### Best practices
1. Assign the **Deny log on locally** user right to the local guest account to restrict access by potentially unauthorized users.
2. Test your modifications to this policy setting in conjunction with the **Allow log on locally** policy setting to determine if the user account is subject to both policies.
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment
### Default values
The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policys property page.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Server type or GPO</th>
<th align="left">Default value</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Default Domain Policy</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="even">
<td align="left"><p>Default Domain Controller Policy</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Stand-Alone Server Default Settings</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="even">
<td align="left"><p>Domain Controller Effective Default Settings</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Member Server Effective Default Settings</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="even">
<td align="left"><p>Client Computer Effective Default Settings</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
</tbody>
</table>
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy | Not defined |
| Default Domain Controller Policy | Not defined|
| Stand-Alone Server Default Settings | Not defined|
| Domain Controller Effective Default Settings | Not defined|
| Member Server Effective Default Settings | Not defined|
| Client Computer Effective Default Settings | Not defined|
 
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
A restart of the device is not required for this policy setting to be effective.
Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
If you apply this policy setting to the Everyone group, no one will be able to log on locally.
### Group Policy
This policy setting supersedes the **Allow log on locally** policy setting if a user account is subject to both policies.
Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update:
1. Local policy settings
2. Site policy settings
3. Domain policy settings
4. OU policy settings
When a local setting is greyed out, it indicates that a GPO currently controls that setting.
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
### Vulnerability
Any account with the ability to log on locally could be used to log on at the console of the device. If this user right is not restricted to legitimate users who must log on to the console of the device, unauthorized users might download and run malicious software that elevates their user rights.
### Countermeasure
Assign the **Deny log on locally** user right to the local Guest account. If you have installed optional components such as ASP.NET, you may want to assign this user right to additional accounts that are required by those components.
### Potential impact
If you assign the **Deny log on locally** user right to additional accounts, you could limit the abilities of users who are assigned to specific roles in your environment. However, this user right should explicitly be assigned to the ASPNET account on device that are configured with the Web Server role. You should confirm that delegated activities are not adversely affected.
## Related topics
[User Rights Assignment](user-rights-assignment.md)
 
 
- [User Rights Assignment](user-rights-assignment.md)

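Review bot: `this user right should explicitly be assigned to the ASPNET account on device that are configured with the Web Server role` should read `on devices that are configured ...`. Best practices says `local guest account` while Countermeasure says `local Guest account`; pick one (the built-in account is named `Guest`). The caveat `If you apply this policy setting to the Everyone group, no one will be able to log on locally.` is the most consequential line on the page; consider repeating it under Potential impact, where a reader checking for lock-out risk will look. The rows from `| Default Domain Controller Policy | Not defined|` down are missing the space before the closing pipe.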

@ -2,89 +2,91 @@
title: Deny log on through Remote Desktop Services (Windows 10)
description: Describes the best practices, location, values, policy management, and security considerations for the Deny log on through Remote Desktop Services security policy setting.
ms.assetid: 84bbb807-287c-4acc-a094-cf0ffdcbca67
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Deny log on through Remote Desktop Services
**Applies to**
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Deny log on through Remote Desktop Services** security policy setting.
## Reference
This policy setting determines which users are prevented from logging on to the device through a Remote Desktop connection through Remote Desktop Services. It is possible for a user to establish a Remote Desktop connection to a particular server, but not be able to log on to the console of that server.
Constant: SeDenyRemoteInteractiveLogonRight
### Possible values
- User-defined list of accounts
- Not defined
### Best practices
- To control who can open a Remote Desktop connection and log on to the device, add the user account to or remove user accounts from the Remote Desktop Users group.
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment
### Default values
The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policys property page.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Server type or GPO</th>
<th align="left">Default value</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Default Domain Policy</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="even">
<td align="left"><p>Default Domain Controller Policy</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Stand-Alone Server Default Settings</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="even">
<td align="left"><p>Domain Controller Effective Default Settings</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Member Server Effective Default Settings</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="even">
<td align="left"><p>Client Computer Effective Default Settings</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
</tbody>
</table>
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy | Not defined |
| Default Domain Controller Policy | Not defined|
| Stand-Alone Server Default Settings | Not defined|
| Domain Controller Effective Default Settings | Not defined|
| Member Server Effective Default Settings | Not defined|
| Client Computer Effective Default Settings | Not defined|
 
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
A restart of the computer is not required for this policy setting to be effective.
Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
The **Remote System** property controls settings for Remote Desktop Services (**Allow or prevent remote connections to the computer**) and for Remote Assistance (**Allow Remote Assistance connections to this computer**).
### Group Policy
This policy setting supersedes the [Allow log on through Remote Desktop Services](allow-log-on-through-remote-desktop-services.md) policy setting if a user account is subject to both policies.
Group Policy settings are applied in the following order. They overwrite settings on the local device at the next Group Policy update.
1. Local policy settings
2. Site policy settings
3. Domain policy settings
4. Organizational unit policy settings
When a local setting is greyed out, it indicates that a GPO currently controls that setting.
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
### Vulnerability
Any account with the right to log on through Remote Desktop Services could be used to log on to the remote console of the device. If this user right is not restricted to legitimate users who need to log on to the console of the computer, malicious users might download and run software that elevates their user rights.
### Countermeasure
Assign the **Deny log on through Remote Desktop Services** user right to the built-in local guest account and all service accounts. If you have installed optional components, such as ASP.NET, you may want to assign this user right to additional accounts that are required by those components.
### Potential impact
If you assign the **Deny log on through Remote Desktop Services** user right to other groups, you could limit the abilities of users who are assigned to specific administrative roles in your environment. Accounts that have this user right cannot connect to the device through Remote Desktop Services or Remote Assistance. You should confirm that delegated tasks are not negatively affected.
## Related topics
[User Rights Assignment](user-rights-assignment.md)
 
 
- [User Rights Assignment](user-rights-assignment.md)

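Review bot: `4. Organizational unit policy settings` spells out what the other four user-rights pages in this change abbreviate as `OU policy settings`; either form is fine, but pick one across the set. `logging on to the device through a Remote Desktop connection through Remote Desktop Services` repeats `through`; suggest `logging on to the device through Remote Desktop Services`. `malicious users might download and run software` under Vulnerability should say `malicious software` to match the parallel sentence on the Deny log on locally page, and the rows from `| Default Domain Controller Policy | Not defined|` down are missing the space before the closing pipe.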

@ -2,31 +2,45 @@
title: Deploy the AppLocker policy into production (Windows 10)
description: This topic for the IT professional describes the tasks that should be completed before you deploy AppLocker application control settings.
ms.assetid: ebbb1907-92dc-499e-8cee-8e637483c9ae
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Deploy the AppLocker policy into production
**Applies to**
- Windows 10
This topic for the IT professional describes the tasks that should be completed before you deploy AppLocker application control settings.
After successfully testing and modifying the AppLocker policy for each Group Policy Object (GPO), you are ready to deploy the enforcement settings into production. For most organizations, this means switching the AppLocker enforcement setting from **Audit only** to **Enforce rules**. However, it is important to follow the deployment plan that you created earlier. For more info, see the [AppLocker Design Guide](applocker-policies-design-guide.md). Depending on the needs of different business groups in your organization, you might deploy different enforcement settings for linked GPOs.
### Understand your design decisions
Before you deploy an AppLocker policy, you should determine:
- For each business group, which applications will be controlled and in what manner. For more info, see [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md).
- How to handle requests for application access. For info about what to consider when developing your support policies, see [Plan for AppLocker policy management](plan-for-applocker-policy-management.md).
- How to manage events, including forwarding events. For info about event management in AppLocker, see [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md).
- Your GPO structure, including how to include policies generated by Software Restriction Policies and AppLocker policies. For more info, see [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md).
For info about how AppLocker deployment is dependent on design decisions, see [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md).
### AppLocker deployment methods
If you have configured a reference device, you can create and update your AppLocker policies on this device, test the policies, and then export the policies to the appropriate GPO for distribution. Another method is to create the policies and set the enforcement setting on **Audit only**, then observe the events that are generated.
If you have configured a reference device, you can create and update your AppLocker policies on this device, test the policies, and then export the policies to the appropriate GPO for distribution. Another method is to create the policies and set the enforcement setting on **Audit only**, then
observe the events that are generated.
- [Use a reference device to create and maintain AppLocker policies](use-a-reference-computer-to-create-and-maintain-applocker-policies.md)
This topic describes the steps to use an AppLocker reference computer to prepare application control policies for deployment by using Group Policy or other means.
- [Deploy AppLocker policies by using the enforce rules setting](deploy-applocker-policies-by-using-the-enforce-rules-setting.md)
This topic describes the steps to deploy the AppLocker policy by changing the enforcement setting to **Audit only** or to **Enforce rules**.
## See also
[AppLocker deployment guide](applocker-policies-deployment-guide.md)
 
 
- [AppLocker deployment guide](applocker-policies-deployment-guide.md)

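Review bot: the description lines under the two bullets, `This topic describes the steps to use an AppLocker reference computer to prepare application control policies ...` and `This topic describes the steps to deploy the AppLocker policy by changing the enforcement setting ...`, are not indented, so Markdown closes the list before each of them and renders them as stand-alone paragraphs between two one-item lists. Indent each description (four spaces, preceded by a blank line) so it stays attached to its link item. The rewrap at `... set the enforcement setting on **Audit only**, then` / `observe the events that are generated.` is fine.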

@ -2,51 +2,33 @@
title: Determine the Group Policy structure and rule enforcement (Windows 10)
description: This overview topic describes the process to follow when you are planning to deploy AppLocker rules.
ms.assetid: f435fcbe-c7ac-4ef0-9702-729aab64163f
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Determine the Group Policy structure and rule enforcement
**Applies to**
- Windows 10
This overview topic describes the process to follow when you are planning to deploy AppLocker rules.
## In this section
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Topic</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>[Understand AppLocker enforcement settings](understand-applocker-enforcement-settings.md)</p></td>
<td align="left"><p>This topic describes the AppLocker enforcement settings for rule collections.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Understand AppLocker rules and enforcement setting inheritance in Group Policy](understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md)</p></td>
<td align="left"><p>This topic for the IT professional describes how application control policies configured in AppLocker are applied through Group Policy.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Document the Group Policy structure and AppLocker rule enforcement](document-group-policy-structure-and-applocker-rule-enforcement.md)</p></td>
<td align="left"><p>This planning topic describes what you need to investigate, determine, and record in your application control policies plan when you use AppLocker.</p></td>
</tr>
</tbody>
</table>
| Topic | Description |
| - | - |
| [Understand AppLocker enforcement settings](understand-applocker-enforcement-settings.md) | This topic describes the AppLocker enforcement settings for rule collections. |
| [Understand AppLocker rules and enforcement setting inheritance in Group Policy](understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md) | This topic for the IT professional describes how application control policies configured in AppLocker are applied through Group Policy.|
| [Document the Group Policy structure and AppLocker rule enforcement](document-group-policy-structure-and-applocker-rule-enforcement.md) | This planning topic describes what you need to investigate, determine, and record in your application control policies plan when you use AppLocker. |
 
When you are determining how many Group Policy Objects (GPOs) to create when you apply an AppLocker policy in your organization, you should consider the following:
- Whether you are creating new GPOs or using existing GPOs
- Whether you are implementing Software Restriction Policies (SRP) policies and AppLocker policies in the same GPO
- GPO naming conventions
- GPO size limits
**Note**  
There is no default limit on the number of AppLocker rules that you can create. However, in Windows Server 2008 R2, GPOs have a 2 MB size limit for performance. In subsequent versions, that limit is raised to 100 MB.
 
 
 
>**Note:**  There is no default limit on the number of AppLocker rules that you can create. However, in Windows Server 2008 R2, GPOs have a 2 MB size limit for performance. In subsequent versions, that limit is raised to 100 MB.
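Review bot: the markdown table that replaces the HTML table (L999-L1003) is inconsistently padded; the last cell of the inheritance row ends with "Group Policy.|" while the other rows put a space before the closing pipe. Since the rendered output is identical, this is a style point only, but the same commit converts several tables and they should follow one convention (`| cell | cell |`). Note also that the 50%/50% column widths from the old `<colgroup>` are lost in the markdown form; that is expected, the topic/description layout does not depend on them.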

View File

@ -2,24 +2,35 @@
title: Determine which apps are digitally signed on a reference device (Windows 10)
description: This topic for the IT professional describes how to use AppLocker logs and tools to determine which applications are digitally signed.
ms.assetid: 24609a6b-fdcb-4083-b234-73e23ff8bcb8
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Determine which apps are digitally signed on a reference device
**Applies to**
- Windows 10
This topic for the IT professional describes how to use AppLocker logs and tools to determine which applications are digitally signed.
The Windows PowerShell cmdlet **Get-AppLockerFileInformation** can be used to determine which apps installed on your reference devices are digitally signed. Perform the following steps on each reference computer that you used to define the AppLocker policy. The device does not need to be joined to the domain.
Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure.
**To determine which apps are digitally signed on a reference device**
1. Run **Get-AppLockerFileInformation** with the appropriate parameters.
The **Get-AppLockerFileInformation** cmdlet retrieves the AppLocker file information from a list of files or from an event log. File information that is retrieved can include publisher information, file hash information, and file path information. File information from an event log may not contain all of these fields. Files that are not signed do not have any publisher information.
2. Analyze the publisher's name and digital signature status from the output of the command.
For command parameters, syntax, and examples, see [Get-AppLockerFileInformation](http://technet.microsoft.com/library/ee460961.aspx).
## Related topics
[Use a reference device to create and maintain AppLocker policies](use-a-reference-computer-to-create-and-maintain-applocker-policies.md)
- [Use a reference device to create and maintain AppLocker policies](use-a-reference-computer-to-create-and-maintain-applocker-policies.md)
 
 

View File

@ -2,19 +2,26 @@
title: Determine your application control objectives (Windows 10)
description: This topic helps you with the decisions you need to make to determine what applications to control and how to control them by comparing Software Restriction Policies (SRP) and AppLocker.
ms.assetid: 0e84003e-6095-46fb-8c4e-2065869bb53b
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Determine your application control objectives
**Applies to**
- Windows 10
This topic helps you with the decisions you need to make to determine what applications to control and how to control them by comparing Software Restriction Policies (SRP) and AppLocker.
AppLocker is very effective for organizations with app restriction requirements whose environments have a simple topography and the application control policy goals are straightforward. For example, AppLocker can benefit an environment where non-employees have access to computers connected to the organizational network, such as a school or library. Large organizations also benefit from AppLocker policy deployment when the goal is to achieve a detailed level of control on the PCs that they manage for a relatively small number of apps.
There are management and maintenance costs associated with a list of allowed apps. In addition, the purpose of application control policies is to allow or prevent employees from using apps that might actually be productivity tools. Keeping employees or users productive while implementing the policies can cost time and effort. Lastly, creating user support processes and network support processes to keep the organization productive are also concerns.
Use the following table to develop your own objectives and determine which application control feature best addresses those objectives.
<table>
<colgroup>
<col width="33%" />
@ -149,5 +156,3 @@ Use the following table to develop your own objectives and determine which appli
</table>
 
For more general info, see [AppLocker](applocker-overview.md).
 
 

View File

@ -2,84 +2,78 @@
title: Devices Allow undock without having to log on (Windows 10)
description: Describes the best practices, location, values, and security considerations for the Devices Allow undock without having to log on security policy setting.
ms.assetid: 1d403f5d-ad41-4bb4-9f4a-0779c1c14b8c
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Devices: Allow undock without having to log on
**Applies to**
- Windows 10
Describes the best practices, location, values, and security considerations for the **Devices: Allow undock without having to log on** security policy setting.
## Reference
This policy setting enables or disables the ability of a user to remove a portable device from a docking station without logging on. If you enable this policy setting, users can press a docked portable device's physical eject button to safely undock the device. If you disable this policy setting, the user must log on to receive permission to undock the device. Only users who have the **Remove Computer from Docking Station** privilege can obtain this permission.
**Note**  
Disabling this policy setting only reduces theft risk for portable devices that cannot be mechanically undocked. Devices that can be mechanically undocked can be physically removed by the user whether or not they use the Windows undocking functionality.
>**Note:**  Disabling this policy setting only reduces theft risk for portable devices that cannot be mechanically undocked. Devices that can be mechanically undocked can be physically removed by the user whether or not they use the Windows undocking functionality.
 
Enabling this policy setting means that anyone with physical access to a device that has been placed in its docking station can remove the computer and possibly tamper with it. For devices that do not have docking stations, this policy setting has no impact. However, for users with a mobile computer that is normally docked while they are in the office, this policy setting will help lower the risk of equipment theft or a malicious user gaining physical access to these devices
### Possible values
- Enabled
- Disabled
- Not defined
### Best practices
It is advisable to disable the **Devices: Allow undock without having to log on** policy setting. Users who have docked their devices will have to log on to the local console before they can undock their systems.
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
### Default values
The following table lists the actual and effective default values for this policy. Default values are also listed on the policys property page.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Server type or GPO</th>
<th align="left">Default value</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Default Domain Policy</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="even">
<td align="left"><p>Default Domain Controller Policy</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Stand-Alone Server Default Settings</p></td>
<td align="left"><p>Enabled</p></td>
</tr>
<tr class="even">
<td align="left"><p>DC Effective Default Settings</p></td>
<td align="left"><p>Enabled</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Member Server Effective Default Settings</p></td>
<td align="left"><p>Enabled</p></td>
</tr>
<tr class="even">
<td align="left"><p>Client Computer Effective Default Settings</p></td>
<td align="left"><p>Enabled</p></td>
</tr>
</tbody>
</table>
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy | Not defined|
| Default Domain Controller Policy | Not defined |
| Stand-Alone Server Default Settings | Enabled|
| DC Effective Default Settings | Enabled|
| Member Server Effective Default Settings | Enabled|
| Client Computer Effective Default Settings| Enabled|
 
## Policy management
This section describes features and tools that are available to help you manage this policy.
### Restart requirement
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
### Vulnerability
If this policy setting is enabled, anyone with physical access to portable computers in docking stations could remove them and possibly tamper with them.
### Countermeasure
Disable the **Devices: Allow undock without having to log on** setting.
### Potential impact
Users who have docked their device must log on to the local console before they can undock their computers. For devices that do not have docking stations, this policy setting has no impact.
## Related topics
[Security Options](security-options.md)
 
 
- [Security Options](security-options.md)
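Review bot: the unchanged context line directly below the converted note (L1100, ending "a malicious user gaining physical access to these devices") is missing its terminating period; since the hunk already rewrites the note immediately above it, fix the sentence end in the same change. Separately, the markdown table rows at L1151-L1156 mix "Not defined|" and "Not defined |" cell endings; pick one form for the whole commit.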

View File

@ -2,82 +2,79 @@
title: Devices Allowed to format and eject removable media (Windows 10)
description: Describes the best practices, location, values, and security considerations for the Devices Allowed to format and eject removable media security policy setting.
ms.assetid: d1b42425-7244-4ab1-9d46-d68de823459c
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Devices: Allowed to format and eject removable media
**Applies to**
- Windows 10
Describes the best practices, location, values, and security considerations for the **Devices: Allowed to format and eject removable media** security policy setting.
## Reference
This policy setting determines who is allowed to format and eject removable media.
Users can move removable disks to a different device where they have administrative user rights and then take ownership of any file, assign themselves full control, and view or modify any file. The advantage of configuring this policy setting is diminished by the fact that most removable storage devices will eject media with the press of a button.
### Possible values
- Administrators
- Administrators and Power Users
- Administrators and Interactive Users (not applicable to Windows Server 2008 R2 or Windows 7 and later)
- Not defined
### Best practices
- It is advisable to set **Allowed to format and eject removable media** to **Administrators**. Only administrators will be able to eject NTFS-formatted removable media.
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
### Default values
The following table lists the actual and effective default values for this policy. Default values are also listed on the policys property page.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Server type or GPO</th>
<th align="left">Default value</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Default Domain Policy</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="even">
<td align="left"><p>Default Domain Controller Policy</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Stand-Alone Server Default Settings</p></td>
<td align="left"><p>Administrators</p></td>
</tr>
<tr class="even">
<td align="left"><p>DC Effective Default Settings</p></td>
<td align="left"><p>Administrators</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Member Server Effective Default Settings</p></td>
<td align="left"><p>Administrators</p></td>
</tr>
<tr class="even">
<td align="left"><p>Client Computer Effective Default Settings</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
</tbody>
</table>
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy| Not defined|
| Default Domain Controller Policy | Not defined|
| Stand-Alone Server Default Settings | Administrators|
| DC Effective Default Settings | Administrators|
| Member Server Effective Default Settings | Administrators|
| Client Computer Effective Default Settings | Not defined|
 
## Policy management
This section describes features and tools that are available to help you manage this policy.
### Restart requirement
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
### Vulnerability
Users could move data on removable disks to a different computer where they have administrative privileges. The user could then take ownership of any file, grant themselves full control, and view or modify any file. The fact that most removable storage devices eject media when a mechanical button is pressed diminishes the advantage of this policy setting.
Users could move data on removable disks to a different computer where they have administrative privileges. The user could then take ownership of any file, grant themselves full control, and view or modify any file. The fact that most removable storage devices eject media when a mechanical button
is pressed diminishes the advantage of this policy setting.
### Countermeasure
Configure the **Devices: Allowed to format and eject removable media** setting to **Administrators**.
### Potential impact
Only administrators can format and eject removable media. If users are in the habit of using removable media for file transfers and storage, they must be informed of the change in policy.
## Related topics
[Security Options](security-options.md)
 
 
- [Security Options](security-options.md)
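Review bot: the Vulnerability paragraph is now hard-wrapped mid-sentence ("...when a mechanical button" / "is pressed diminishes...", L1262-L1263), whereas the line it replaces (L1261) kept the whole paragraph on one line like the rest of this file. Markdown renders both the same, but the wrap is inconsistent with the file's one-paragraph-per-line convention and makes future diffs noisier; rejoin it onto one line.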

View File

@ -2,82 +2,80 @@
title: Devices Prevent users from installing printer drivers (Windows 10)
description: Describes the best practices, location, values, and security considerations for the Devices Prevent users from installing printer drivers security policy setting.
ms.assetid: ab70a122-f7f9-47e0-ad8c-541f30a27ec3
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Devices: Prevent users from installing printer drivers
**Applies to**
- Windows 10
Describes the best practices, location, values, and security considerations for the **Devices: Prevent users from installing printer drivers** security policy setting.
## Reference
For a device to print to a network printer, the driver for that network printer must be installed locally. The **Devices: Prevent users from installing printer drivers** policy setting determines who can install a printer driver as part of adding a network printer. When you set the value to **Enabled**, only Administrators and Power Users can install a printer driver as part of adding a network printer. Setting the value to **Disabled** allows any user to install a printer driver as part of adding a network printer. This setting prevents unprivileged users from downloading and installing an untrusted printer driver.
This setting has no impact if you have configured a trusted path for downloading drivers. When using trusted paths, the print subsystem attempts to use the trusted path to download the driver. If the trusted path download succeeds, the driver is installed on behalf of any user. If the trusted path download fails, the driver is not installed and the network printer is not added.
Although it might be appropriate in some organizations to allow users to install printer drivers on their own workstations, this is not suitable for servers. Installing a printer driver on a server can cause the system to become less stable. Only administrators should have this user right on servers. A malicious user might deliberately try to damage the system by installing inappropriate printer drivers.
### Possible values
- Enabled
- Disabled
- Not defined
### Best practices
- It is advisable to set **Devices: Prevent users from installing printer drivers** to Enabled. Only users in the Administrative, Power User, or Server Operator groups will be able to install printers on servers. If this policy setting is enabled, but the driver for a network printer already exists on the local computer, users can still add the network printer. This policy setting does not affect a user's ability to add a local printer.
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
### Default values
The following table lists the actual and effective default values for this policy. Default values are also listed on the policys property page.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Server type or GPO</th>
<th align="left">Default value</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Default Domain Policy</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="even">
<td align="left"><p>Default Domain Controller Policy</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Stand-Alone Server Default Settings</p></td>
<td align="left"><p>Enabled</p></td>
</tr>
<tr class="even">
<td align="left"><p>DC Effective Default Settings</p></td>
<td align="left"><p>Enabled</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Member Server Effective Default Settings</p></td>
<td align="left"><p>Enabled</p></td>
</tr>
<tr class="even">
<td align="left"><p>Client Computer Effective Default Settings</p></td>
<td align="left"><p>Disabled</p></td>
</tr>
</tbody>
</table>
Server type or GPO | Default value |
| - | - |
| Default Domain Policy | Not defined|
| Default Domain Controller Policy | Not defined|
| Stand-Alone Server Default Settings | Enabled|
| DC Effective Default Settings | Enabled|
| Member Server Effective Default Settings | Enabled|
| Client Computer Effective Default Settings | Disabled|
 
## Policy management
This section describes features and tools that are available to help you manage this policy.
### Restart requirement
None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy.
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
### Vulnerability
It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. However, you should allow only administrators, not users, to do so on servers because printer driver installation on a server may unintentionally cause the computer to become less stable. A malicious user could install inappropriate printer drivers in a deliberate attempt to damage the computer, or a user might accidentally install malicious software that masquerades as a printer driver.
It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. However, you should allow only administrators, not users, to do so on servers because printer driver installation on a server may unintentionally cause the computer to become less
stable. A malicious user could install inappropriate printer drivers in a deliberate attempt to damage the computer, or a user might accidentally install malicious software that masquerades as a printer driver.
### Countermeasure
Enable the **Devices: Prevent users from installing printer drivers** setting.
### Potential impact
Only members of the Administrator, Power Users, or Server Operator groups can install printers on the servers. If this policy setting is enabled but the driver for a network printer already exists on the local computer, users can still add the network printer.
## Related topics
[Security Options](security-options.md)
 
 
- [Security Options](security-options.md)
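Review bot: the new table header row at L1343 ("Server type or GPO | Default value |") is missing the leading pipe that its own separator row and body rows have, and that every other converted table in this commit uses (compare L1245 and L1441); change it to `| Server type or GPO | Default value |` so the header is parsed as part of the table by every renderer. The Vulnerability paragraph also gets the same mid-sentence wrap seen in the sibling files ("become less" / "stable.", L1360-L1361) and should be rejoined onto one line as it was at L1359.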

View File

@ -2,82 +2,79 @@
title: Devices Restrict CD-ROM access to locally logged-on user only (Windows 10)
description: Describes the best practices, location, values, and security considerations for the Devices Restrict CD-ROM access to locally logged-on user only security policy setting.
ms.assetid: 8b8f44bb-84ce-4f18-af30-ab89910e234d
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Devices: Restrict CD-ROM access to locally logged-on user only
**Applies to**
- Windows 10
Describes the best practices, location, values, and security considerations for the **Devices: Restrict CD-ROM access to locally logged-on user only** security policy setting.
## Reference
This policy setting determines whether a CD is accessible to local and remote users simultaneously. If you enable this policy setting, only the interactively logged-on user is allowed to access removable CDs. If this policy setting is enabled and no one is logged on interactively, the CD can be accessed over the network.
The security benefit of enabling this policy setting is small because it only prevents network users from accessing the drive when someone is logged on to the local console of the system at the same time. Additionally, CD drives are not automatically made available as network shared drives; you must deliberately choose to share the drive. This is important when administrators are installing software or copying data from a CD-ROM, and they do not want network users to be able to execute the applications or view the data.
If this policy setting is enabled, users who connect to the server over the network will not be able to use any CD drives that are installed on the server when anyone is logged on to the local console of the server. Enabling this policy setting is not suitable for a system that serves as a CD jukebox for network users.
### Possible values
- Enabled
- Disabled
- Not defined
### Best practices
- Best practices are dependent on your security and user accessibility requirements for CD drives.
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
### Default values
The following table lists the actual and effective default values for this policy. Default values are also listed on the policys property page.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Server type or GPO</th>
<th align="left">Default value</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Default Domain Policy</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="even">
<td align="left"><p>Default Domain Controller Policy</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Stand-Alone Server Default Settings</p></td>
<td align="left"><p>Disabled</p></td>
</tr>
<tr class="even">
<td align="left"><p>DC Effective Default Settings</p></td>
<td align="left"><p>Disabled</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Member Server Effective Default Settings</p></td>
<td align="left"><p>Disabled</p></td>
</tr>
<tr class="even">
<td align="left"><p>Client Computer Effective Default Settings</p></td>
<td align="left"><p>Disabled</p></td>
</tr>
</tbody>
</table>
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy | Not defined |
| Default Domain Controller Policy | Not defined |
| Stand-Alone Server Default Settings | Disabled |
| DC Effective Default Settings | Disabled |
| Member Server Effective Default Settings | Disabled |
| Client Computer Effective Default Settings | Disabled |
 
## Policy management
This section describes features and tools that are available to help you manage this policy.
### Restart requirement
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
### Vulnerability
A remote user could potentially access a mounted CD that contains sensitive information. This risk is small because CD drives are not automatically made available as shared drives; you must deliberately choose to share the drive. However, you can deny network users the ability to view data or run applications from removable media on the server.
A remote user could potentially access a mounted CD that contains sensitive information. This risk is small because CD drives are not automatically made available as shared drives; you must deliberately choose to share the drive. However, you can deny network users the ability to view data or run
applications from removable media on the server.
### Countermeasure
Enable the **Devices: Restrict CD-ROM drive access to locally logged-on user only** setting.
### Potential impact
Users who connect to the server over the network cannot use any CD drives that are installed on the server when anyone is logged on to the local console of the server. System tools that require access to the CD drive will fail. For example, the Volume Shadow Copy service attempts to access all CD and floppy disk drives that are present on the computer when it initializes, and if the service cannot access one of these drives, it fails. This condition causes the Windows Backup tool to fail if volume shadow copies were specified for the backup job. Any non-Microsoft backup products that use volume shadow copies also fail. This policy setting would not be suitable for a computer that serves as a CD jukebox for network users.
## Related topics
[Security Options](security-options.md)
 
 
- [Security Options](security-options.md)
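Review bot: the Vulnerability paragraph is again split mid-sentence ("view data or run" / "applications from removable media", L1458-L1459) where the replaced line (L1457) was a single line; rejoin it. While this file is being touched, the Countermeasure line at L1461 names the setting "Devices: Restrict CD-ROM drive access to locally logged-on user only" but the title (L1385) and the intro (L1388) call it "Devices: Restrict CD-ROM access to locally logged-on user only"; the setting name should be spelled identically everywhere so readers can match it against the policy editor.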

View File

@ -2,82 +2,79 @@
title: Devices Restrict floppy access to locally logged-on user only (Windows 10)
description: Describes the best practices, location, values, and security considerations for the Devices Restrict floppy access to locally logged-on user only security policy setting.
ms.assetid: 92997910-da95-4c03-ae6f-832915423898
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Devices: Restrict floppy access to locally logged-on user only
**Applies to**
- Windows 10
Describes the best practices, location, values, and security considerations for the **Devices: Restrict floppy access to locally logged-on user only** security policy setting.
## Reference
This policy setting determines whether removable floppy disks are accessible to local and remote users simultaneously. Enabling this policy setting allows only the interactively logged-on user to access removable floppy disks. If this policy setting is enabled and no one is logged on interactively, the floppy disk can be accessed over the network.
The security benefit of enabling this policy setting is small because it only prevents network users from accessing the floppy disk drive when someone is logged on to the local console of the system at the same time. Additionally, floppy disk drives are not automatically made available as network shared drives; you must deliberately choose to share the drive. This becomes important when you are installing software or copying data from a floppy disk and they do not want network users to be able to execute the applications or view the data.
If this policy setting is enabled, users who connect to the server over the network will not be able to use any floppy disk drives that are installed on the server when anyone is logged on to the local console of the server.
### Possible values
- Enabled
- Disabled
- Not defined
### Best practices
- Best practices are dependent on your security and user accessibility requirements for CD drives.
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
### Default values
The following table lists the actual and effective default values for this policy. Default values are also listed on the policys property page.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Server type or GPO</th>
<th align="left">Default value</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Default Domain Policy</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="even">
<td align="left"><p>Default Domain Controller Policy</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Stand-Alone Server Default Settings</p></td>
<td align="left"><p>Disabled</p></td>
</tr>
<tr class="even">
<td align="left"><p>DC Effective Default Settings</p></td>
<td align="left"><p>Disabled</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Member Server Effective Default Settings</p></td>
<td align="left"><p>Disabled</p></td>
</tr>
<tr class="even">
<td align="left"><p>Client Computer Effective Default Settings</p></td>
<td align="left"><p>Disabled</p></td>
</tr>
</tbody>
</table>
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy | Not defined|
| Default Domain Controller Policy | Not defined|
| Stand-Alone Server Default Settings | Disabled|
| DC Effective Default Settings | Disabled|
| Member Server Effective Default Settings | Disabled|
| Client Computer Effective Default Settings | Disabled|
 
## Policy management
This section describes features and tools that are available to help you manage this policy.
### Restart requirement
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
### Vulnerability
A remote user could potentially access a mounted floppy disk that contains sensitive information. This risk is small because floppy disk drives are not automatically shared; administrators must deliberately choose to share the drive. However, you can deny network users the ability to view data or run applications from removable media on the server.
### Countermeasure
Enable the **Devices: Restrict floppy access to locally logged-on user only** setting.
### Potential impact
Users who connect to the server over the network cannot use any floppy disk drives that are installed on the device when anyone is logged on to the local console of the server. System tools that require access to floppy disk drives fail. For example, the Volume Shadow Copy service attempts to access all CD-ROM and floppy disk drives that are present on the computer when it initializes, and if the service cannot access one of these drives, it fails. This condition causes the Windows Backup tool to fail if volume shadow copies were specified for the backup job. Any non-Microsoft backup products that use volume shadow copies also fail.
## Related topics
[Security Options](security-options.md)
 
 
- [Security Options](security-options.md)
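Review bot: The Best practices bullet still reads "requirements for CD drives" although this topic covers the floppy access policy; it should say "floppy disk drives" so it matches the Vulnerability and Countermeasure sections of the same hunk. Also, in the Default values intro, "policys" has lost its apostrophe and should be "policy's". The converted markdown table itself matches the removed HTML table row for row.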

View File

@ -8,13 +8,20 @@ ms.mktglfcycl: deploy
ms.sitesec: library
author: brianlic-msft
---
# Display a custom URL message when users try to run a blocked app
**Applies to**
- Windows 10
This topic for IT professionals describes the steps for displaying a customized message to users when an AppLocker policy denies access to an app.
Using Group Policy, AppLocker can be configured to display a message with a custom URL. You can use this URL to redirect users to a support site that contains info about why the user received the error and which apps are allowed. If you do not display a custom message when an apps is blocked, the default access denied message is displayed.
To complete this procedure, you must have the **Edit Setting** permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission.
**To display a custom URL message when users try to run a blocked app**
1. On the **Start** screen, type **gpmc.msc** to open the Group Policy Management Console (GPMC).
2. Navigate to the Group Policy Object (GPO) that you want to edit.
3. Right-click the GPO, and then click **Edit**.
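Review bot: Typo in the second body paragraph: "when an apps is blocked" should be "when an app is blocked".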
@ -22,5 +29,3 @@ To complete this procedure, you must have the **Edit Setting** permission to ed
5. In the details pane, double-click **Set a support web page link**.
6. Click **Enabled**, and then type the URL of the custom Web page in the **Support Web page URL** box.
7. Click **OK** to apply the setting.
 
 

View File

@ -2,64 +2,40 @@
title: DLL rules in AppLocker (Windows 10)
description: This topic describes the file formats and available default rules for the DLL rule collection.
ms.assetid: a083fd08-c07e-4534-b0e7-1e15d932ce8f
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# DLL rules in AppLocker
**Applies to**
- Windows 10
This topic describes the file formats and available default rules for the DLL rule collection.
AppLocker defines DLL rules to include only the following file formats:
- .dll
- .ocx
The following table lists the default rules that are available for the DLL rule collection.
<table>
<colgroup>
<col width="25%" />
<col width="25%" />
<col width="25%" />
<col width="25%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Purpose</th>
<th align="left">Name</th>
<th align="left">User</th>
<th align="left">Rule condition type</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Allows members of the local Administrators group to run all DLLs</p></td>
<td align="left"><p>(Default Rule) All DLLs</p></td>
<td align="left"><p>BUILTIN\Administrators</p></td>
<td align="left"><p>Path: *</p></td>
</tr>
<tr class="even">
<td align="left"><p>Allow all users to run DLLs in the Windows folder</p></td>
<td align="left"><p>(Default Rule) Microsoft Windows DLLs</p></td>
<td align="left"><p>Everyone</p></td>
<td align="left"><p>Path: %windir%\*</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Allow all users to run DLLs in the Program Files folder</p></td>
<td align="left"><p>(Default Rule) All DLLs located in the Program Files folder</p></td>
<td align="left"><p>Everyone</p></td>
<td align="left"><p>Path: %programfiles%\*</p></td>
</tr>
</tbody>
</table>
| Purpose | Name | User | Rule condition type |
| - | - | - | - |
| Allows members of the local Administrators group to run all DLLs | (Default Rule) All DLLs|
| BUILTIN\Administrators | Path: *|
| Allow all users to run DLLs in the Windows folder| (Default Rule) Microsoft Windows DLLs |
| Everyone | Path: %windir%\*|
| Allow all users to run DLLs in the Program Files folder | (Default Rule) All DLLs located in the Program Files folder|
| Everyone | Path: %programfiles%\*|
 
**Important**  
If you use DLL rules, a DLL allow rule has to be created for each DLL that is used by all of the allowed apps
>**Important:**  If you use DLL rules, a DLL allow rule has to be created for each DLL that is used by all of the allowed apps
 
**Caution**  
When DLL rules are used, AppLocker must check each DLL that an app loads. Therefore, users may experience a reduction in performance if DLL rules are used.
>**Caution:**  When DLL rules are used, AppLocker must check each DLL that an app loads. Therefore, users may experience a reduction in performance if DLL rules are used.
 
## Related topics
[Understanding AppLocker default rules](understanding-applocker-default-rules.md)
 
 
- [Understanding AppLocker default rules](understanding-applocker-default-rules.md)
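Review bot: The replacement markdown table is broken: each four-column row has been split across two lines, so a line such as "| BUILTIN\Administrators | Path: *|" renders as a separate two-cell row instead of supplying the User and Rule condition type cells of the row above it. Each row must be a single line with four cells, for example: | Allows members of the local Administrators group to run all DLLs | (Default Rule) All DLLs | BUILTIN\Administrators | Path: * |. Separately, in markdown "\*" is an escaped asterisk, so the paths "%windir%\*" and "%programfiles%\*" will render without their backslash; escape it as "\\*" or put the path in backticks. The Important callout is also missing its terminating period after "allowed apps".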

View File

@ -2,23 +2,31 @@
title: Document the Group Policy structure and AppLocker rule enforcement (Windows 10)
description: This planning topic describes what you need to investigate, determine, and record in your application control policies plan when you use AppLocker.
ms.assetid: 389ffa8e-11fc-49ff-b0b1-89553e6fb6e5
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
author: brianlic-msft
ms.pagetype: security
---
# Document the Group Policy structure and AppLocker rule enforcement
**Applies to**
- Windows 10
This planning topic describes what you need to investigate, determine, and record in your application control policies plan when you use AppLocker.
## Record your findings
To complete this AppLocker planning document, you should first complete the following steps:
1. [Determine your application control objectives](determine-your-application-control-objectives.md)
2. [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md)
3. [Select the types of rules to create](select-types-of-rules-to-create.md)
4. [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)
After you determine how to structure your Group Policy Objects (GPOs) so that you can apply AppLocker policies, you should record your findings. You can use the following table to determine how many GPOs to create (or edit) and which objects they are linked to. If you decided to create custom rules to allow system files to run, note the high-level rule configuration in the **Use default rule or define new rule condition** column.
The following table includes the sample data that was collected when you determined your enforcement settings and the GPO structure for your AppLocker policies.
<table>
<colgroup>
@ -111,6 +119,7 @@ The following table includes the sample data that was collected when you determi
</table>
 
## Next steps
After you have determined the Group Policy structure and rule enforcement strategy for each business group's apps, the following tasks remain:
- [Plan for AppLocker policy management](plan-for-applocker-policy-management.md)
- [Create your AppLocker planning document](create-your-applocker-planning-document.md)

View File

@ -2,31 +2,46 @@
title: Document your application control management processes (Windows 10)
description: This planning topic describes the AppLocker policy maintenance information to record for your design document.
ms.assetid: 6397f789-0e36-4933-9f86-f3f6489cf1fb
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Document your application control management processes
**Applies to**
- Windows 10
This planning topic describes the AppLocker policy maintenance information to record for your design document.
## Record your findings
To complete this AppLocker planning document, you should first complete the following steps:
1. [Determine your application control objectives](determine-your-application-control-objectives.md)
2. [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md)
3. [Select the types of rules to create](select-types-of-rules-to-create.md)
4. [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)
5. [Plan for AppLocker policy management](plan-for-applocker-policy-management.md)
The three key areas to determine for AppLocker policy management are:
1. Support policy
Document the process that you will use for handling calls from users who have attempted to run a blocked app, and ensure that support personnel know recommended troubleshooting steps and escalation points for your policy.
2. Event processing
Document whether events will be collected in a central location, how that store will be archived, and whether the events will be processed for analysis.
3. Policy maintenance
Detail how rules will be added to the policy, in which Group Policy Object (GPO) the rules should be defined, and how to modify rules when apps are retired, updated, or added.
The following table contains the added sample data that was collected when determining how to maintain and manage AppLocker policies.
<table style="width:100%;">
<colgroup>
<col width="11%" />
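Review bot: In the numbered list of the three key areas, the description paragraphs ("Document the process that you will use...", "Document whether events will be collected...", "Detail how rules will be added...") are flush-left rather than indented under their items, so markdown will end the list after each item and render three separate lists instead of one. Indent each description by at least three spaces beneath its number.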
@ -125,9 +140,13 @@ The following table contains the added sample data that was collected when deter
</table>
 
The following two tables illustrate examples of documenting considerations to maintain and manage AppLocker policies.
**Event processing policy**
One discovery method for app usage is to set the AppLocker enforcement mode to **Audit only**. This will write events to the AppLocker logs, which can be managed and analyzed like other Windows logs. After apps have been identified, you can begin to develop policies regarding the processing and access to AppLocker events.
The following table is an example of what to consider and record.
<table>
<colgroup>
<col width="20%" />
@ -210,7 +229,6 @@ The following table is an example of what to consider and record.
</table>
 
## Next steps
After you have determined your application control management strategy for each of the business group's applications, the following task remains:
- [Create your AppLocker planning document](create-your-applocker-planning-document.md)
 
 

View File

@ -2,21 +2,30 @@
title: Document your app list (Windows 10)
description: This planning topic describes the app information that you should document when you create a list of apps for AppLocker policies.
ms.assetid: b155284b-f75d-4405-aecf-b74221622dc0
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Document your app list
**Applies to**
- Windows 10
This planning topic describes the app information that you should document when you create a list of apps for AppLocker policies.
## Record your findings
**Apps**
Record the name of the app, whether it is signed as indicated by the publisher's name, and whether it is a mission critical, business productivity, optional, or personal app. Later, as you manage your rules, AppLocker displays this information in the format shown in the following example: *MICROSOFT OFFICE INFOPATH signed by O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US*.
**Installation path**
Record the installation path of the apps. For example, Microsoft Office 2016 installs files to *%programfiles%\\Microsoft Office\\Office16\\*, which is *C:\\Program Files\\Microsoft Office\\Office16\\* on most devices.
The following table provides an example of how to list applications for each business group at the early stage of designing your application control policies. Eventually, as more planning information is added to the list, the information can be used to build AppLocker rules.
<table>
<colgroup>
@ -81,29 +90,36 @@ The following table provides an example of how to list applications for each bus
</tbody>
</table>
 
**Note**  
AppLocker only supports publisher rules for Universal Windows apps. Therefore, collecting the installation path information for Universal Windows apps is not necessary.
>**Note:**  AppLocker only supports publisher rules for Universal Windows apps. Therefore, collecting the installation path information for Universal Windows apps is not necessary.
 
**Event processing**
As you create your list of apps, you need to consider how to manage the events that are generated by user access, or you need to deny running those apps to make your users as productive as possible. The following list is an example of what to consider and what to record:
- Will event forwarding be implemented for AppLocker events?
- What is the location of the AppLocker event collection?
- Should an event archival policy be implemented?
- Will the events be analyzed and how often?
- Should a security policy be in place for event collection?
**Policy maintenance**
As you create your list of apps, you need to consider how to manage and maintain the policies that you will eventually create. The following list is an example of what to consider and what to record:
- How will rules be updated for emergency app access and permanent access?
- How will apps be removed?
- How many older versions of the same app will be maintained?
- How will new apps be introduced?
## Next steps
After you have created the list of applications, the next step is to identify the rule collections, which will become the application control policies. This information can be added to the table under the following columns:
- Use default rule or define new rule condition
- Allow or deny
- GPO name
To identify the rule collections, see the following topics:
- [Select the types of rules to create](select-types-of-rules-to-create.md)
- [Determine Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)
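Review bot: The first sentence under **Event processing** is hard to parse: "you need to consider how to manage the events that are generated by user access, or you need to deny running those apps to make your users as productive as possible". As written it suggests that denying apps is what keeps users productive; it presumably means the events generated when users run, or are denied, those apps. Suggest rewording so the sentence states plainly which events the list below refers to.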
 
 

View File

@ -2,25 +2,35 @@
title: Document your AppLocker rules (Windows 10)
description: This topic describes what rule conditions to associate with each file, how to associate the rule conditions with each file, the source of the rule, and whether the file should be included or excluded.
ms.assetid: 91a198ce-104a-45ff-b49b-487fb40cd2dd
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Document your AppLocker rules
**Applies to**
- Windows 10
This topic describes what rule conditions to associate with each file, how to associate the rule conditions with each file, the source of the rule, and whether the file should be included or excluded.
## Record your findings
To complete this AppLocker planning document, you should first complete the following steps:
1. [Determine your application control objectives](determine-your-application-control-objectives.md)
2. [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md)
3. [Select the types of rules to create](select-types-of-rules-to-create.md)
Document the following items for each business group or organizational unit:
- Whether your organization will use the built-in default AppLocker rules to allow system files to run.
- The types of rule conditions that you will use to create rules, stated in order of preference.
The following table details sample data for documenting rule type and rule condition findings. In addition, you should now consider whether to allow an app to run or deny permission for it to run. For info about these settings, see [Understanding AppLocker allow and deny actions on rules](understanding-applocker-allow-and-deny-actions-on-rules.md).
<table style="width:100%;">
<colgroup>
<col width="14%" />
@ -101,9 +111,9 @@ The following table details sample data for documenting rule type and rule condi
</table>
 
## Next steps
For each rule, determine whether to use the allow or deny option. Then, three tasks remain:
- [Determine Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)
- [Plan for AppLocker policy management](plan-for-applocker-policy-management.md)
- [Create your AppLocker planning document](create-your-applocker-planning-document.md)
 
 

View File

@ -2,87 +2,85 @@
title: Domain controller Allow server operators to schedule tasks (Windows 10)
description: Describes the best practices, location, values, and security considerations for the Domain controller Allow server operators to schedule tasks security policy setting.
ms.assetid: 198b12a4-8a5d-48e8-a752-2073b8a2cb0d
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Domain controller: Allow server operators to schedule tasks
**Applies to**
- Windows 10
Describes the best practices, location, values, and security considerations for the **Domain controller: Allow server operators to schedule tasks** security policy setting.
## Reference
This policy setting determines whether server operators can use the**at** command to submit jobs. If you enable this policy setting, jobs that are created by server operators by means of the **at** command run in the context of the account that runs the Task Scheduler service. By default, that is the Local System account.
**Note**  
This security option setting affects only the scheduler tool for the **at** command. It does not affect the Task Scheduler tool.
>**Note:**  This security option setting affects only the scheduler tool for the **at** command. It does not affect the Task Scheduler tool.
 
Enabling this policy setting means jobs that are created by server operators through the **at** command will be executed in the context of the account that is running that service—by default, that is the Local System account. This means that server operators can perform tasks that the Local System account is able to do, but server operators would normally not be able to do, such as add their account to the local Administrators group.
The impact of enabling this policy setting should be small for most organizations. Users, including those in the Server Operators group, will still be able to create jobs by using the Task Scheduler Wizard, but those jobs will run in the context of the account that the user authenticates with when setting up the job.
### Possible values
- Enabled
- Disabled
- Not defined
### Best practices
- Best practices for this policy are dependent on your security and operational requirements for task scheduling.
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
### Default values
The following table lists the actual and effective default values for this policy. Default values are also listed on the policys property page.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Server type or GPO</th>
<th align="left">Default value</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Default Domain Policy</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="even">
<td align="left"><p>Default Domain Controller Policy</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Stand-Alone Server Default Settings</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="even">
<td align="left"><p>DC Effective Default Settings</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Member Server Effective Default Settings</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="even">
<td align="left"><p>Client Computer Effective Default Settings</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
</tbody>
</table>
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy | Not defined|
| Default Domain Controller Policy | Not defined |
| Stand-Alone Server Default Settings | Not defined|
| DC Effective Default Settings | Not defined|
| Member Server Effective Default Settings | Not defined|
| Client Computer Effective Default Settings | Not defined|
 
## Policy management
This section describes features and tools that are available to help you manage this policy.
### Restart requirement
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
### Command-line tools
The **at** command schedules commands and programs to run on a computer at a specified time and date. The Schedule service must be running to use the **at** command.
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
### Vulnerability
Tasks that run under the context of the Local System account can affect resources that are at a higher privilege level than the user account that scheduled the task.
### Countermeasure
Disable the **Domain controller: Allow server operators to schedule tasks** setting.
### Potential impact
The impact should be small for most organizations. Users (including those in the Server Operators group) can still create jobs by means of the Task Scheduler snap-in. However, those jobs run in the context of the account that the user authenticates with when setting up the job.
## Related topics
[Security Options](security-options.md)
 
 
- [Security Options](security-options.md)
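Review bot: Missing space in the Reference paragraph: "can use the**at** command" should be "can use the **at** command"; without the space the bold markers will not render. Also "policys" in the Default values intro should be "policy's".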

View File

@ -2,86 +2,83 @@
title: Domain controller LDAP server signing requirements (Windows 10)
description: Describes the best practices, location, values, and security considerations for the Domain controller LDAP server signing requirements security policy setting.
ms.assetid: fe122179-7571-465b-98d0-b8ce0f224390
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Domain controller: LDAP server signing requirements
**Applies to**
- Windows 10
Describes the best practices, location, values, and security considerations for the **Domain controller: LDAP server signing requirements** security policy setting.
## Reference
This policy setting determines whether the Lightweight Directory Access Protocol (LDAP) server requires LDAP clients to negotiate data signing.
Unsigned network traffic is susceptible to man-in-the-middle attacks, where an intruder captures packets between the server and the client device and modifies them before forwarding them to the client device. In the case of an LDAP server, this means that a malicious user can cause a client device to make decisions based on false records from the LDAP directory. You can lower the risk of a malicious user accomplishing this in a corporate network by implementing strong physical security measures to protect the network infrastructure. Furthermore, implementing Internet Protocol security (IPsec) Authentication Header mode, which provides mutual authentication and packet integrity for IP traffic, can make all types of man-in-the-middle attacks extremely difficult.
This setting does not have any impact on LDAP simple bind or LDAP simple bind through SSL.
If signing is required, then LDAP simple bind and LDAP simple bind through SSL requests are rejected.
**Caution**  
If you set the server to Require signature, you must also set the client device. Not setting the client device results in loss of connection with the server.
>**Caution:**  If you set the server to Require signature, you must also set the client device. Not setting the client device results in loss of connection with the server.
 
### Possible values
- None. Data signatures are not required to bind with the server. If the client computer requests data signing, the server supports it.
- Require signature. The LDAP data-signing option must be negotiated unless Transport Layer Security/Secure Sockets Layer (TLS/SSL) is in use.
- Not defined.
### Best practices
- It is advisable to set **Domain controller: LDAP server signing requirements** to **Require signature**. Clients that do not support LDAP signing will be unable to execute LDAP queries against the domain controllers.
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
### Default values
The following table lists the actual and effective default values for this policy. Default values are also listed on the policys property page.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Server type or GPO</th>
<th align="left">Default value</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Default Domain Policy</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="even">
<td align="left"><p>Default Domain Controller Policy</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Stand-Alone Server Default Settings</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="even">
<td align="left"><p>DC Effective Default Settings</p></td>
<td align="left"><p>None</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Member Server Effective Default Settings</p></td>
<td align="left"><p>None</p></td>
</tr>
<tr class="even">
<td align="left"><p>Client Computer Effective Default Settings</p></td>
<td align="left"><p>None</p></td>
</tr>
</tbody>
</table>
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy | Not defined|
| Default Domain Controller Policy | Not defined|
| Stand-Alone Server Default Settings | Not defined|
| DC Effective Default Settings | None|
| Member Server Effective Default Settings | None|
| Client Computer Effective Default Settings | None|
 
## Policy management
This section describes features and tools that are available to help you manage this policy.
### Restart requirement
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
### Vulnerability
Unsigned network traffic is susceptible to man-in-the-middle attacks. In such attacks, an intruder captures packets between the server and the client device, modifies them, and then forwards them to the client device. Where LDAP servers are concerned, an attacker could cause a client device to make decisions that are based on false records from the LDAP directory. To lower the risk of such an intrusion in an organization's network, you can implement strong physical security measures to protect the network infrastructure. You could also implement Internet Protocol security (IPsec) Authentication Header mode, which performs mutual authentication and packet integrity for IP traffic to make all types of man-in-the-middle attacks extremely difficult.
### Countermeasure
Configure the **Domain controller: LDAP server signing requirements** setting to **Require signature**.
### Potential impact
Client device that do not support LDAP signing cannot run LDAP queries against the domain controllers.
## Related topics
[Security Options](security-options.md)
 
 
- [Security Options](security-options.md)
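Review bot: Two adjacent sentences in the Reference section contradict each other: "This setting does not have any impact on LDAP simple bind or LDAP simple bind through SSL." is immediately followed by "If signing is required, then LDAP simple bind and LDAP simple bind through SSL requests are rejected." One of them needs correcting, or the condition under which each applies must be stated. Also, under Potential impact, "Client device that do not support" should be "Client devices that do not support".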

View File

@ -2,83 +2,83 @@
title: Domain controller Refuse machine account password changes (Windows 10)
description: Describes the best practices, location, values, and security considerations for the Domain controller Refuse machine account password changes security policy setting.
ms.assetid: 5a7fa2e2-e1a8-4833-90f7-aa83e3b456a9
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Domain controller: Refuse machine account password changes
**Applies to**
- Windows 10
Describes the best practices, location, values, and security considerations for the **Domain controller: Refuse machine account password changes** security policy setting.
## Reference
This policy setting enables or disables blocking a domain controller from accepting password change requests for machine accounts. By default, devices joined to the domain change their machine account passwords every 30 days. If enabled, the domain controller will refuse machine account password change requests.
### Possible values
- Enabled
When enabled, this setting does not allow a domain controller to accept any changes to a machine account's password.
- Disabled
When disabled, this setting allows a domain controller to accept any changes to a machine account's password.
- Not defined
Same as Disabled.
### Best practices
- Enabling this policy setting on all domain controllers in a domain prevents domain members from changing their machine account passwords. This, in turn, leaves those passwords susceptible to attack. Make sure that this conforms to your overall security policy for the domain.
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
### Default values
The following table lists the actual and effective default values for this policy. Default values are also listed on the policys property page.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Server type or GPO</th>
<th align="left">Default value</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Default Domain Policy</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="even">
<td align="left"><p>Default Domain Controller Policy</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Stand-Alone Server Default Settings</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="even">
<td align="left"><p>DC Effective Default Settings</p></td>
<td align="left"><p>Disabled</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Member Server Effective Default Settings</p></td>
<td align="left"><p>Disabled</p></td>
</tr>
<tr class="even">
<td align="left"><p>Client Computer Effective Default Settings</p></td>
<td align="left"><p>Not applicable</p></td>
</tr>
</tbody>
</table>
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy | Not defined|
| Default Domain Controller Policy | Not defined|
| Stand-Alone Server Default Settings | Not defined|
| DC Effective Default Settings | Disabled|
| Member Server Effective Default Settings | Disabled|
| Client Computer Effective Default Settings | Not applicable|
 
## Policy management
This section describes features and tools that are available to help you manage this policy.
### Restart requirement
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
### Vulnerability
If you enable this policy setting on all domain controllers in a domain, domain members cannot change their machine account passwords, and those passwords are more susceptible to attack.
### Countermeasure
Disable the **Domain controller: Refuse machine account password changes** setting.
### Potential impact
None. This is the default configuration.
## Related topics
[Security Options](security-options.md)
 
 
- [Security Options](security-options.md)
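Review bot: the separator lines in this hunk that sit right after the new markdown table and just before `- [Security Options](security-options.md)` are not empty but carry a lone non-breaking space (U+00A0); some markdown renderers emit that as a paragraph of content, so replace them with genuinely empty lines. Also normalize cell padding in the new table: the body rows read `| Default Domain Policy | Not defined|` with no space before the closing pipe while the header row has one; `| Default Domain Policy | Not defined |` keeps the table consistent with the other pages converted in this commit.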

View File

@ -2,103 +2,114 @@
title: Domain member Digitally encrypt or sign secure channel data (always) (Windows 10)
description: Describes the best practices, location, values, and security considerations for the Domain member Digitally encrypt or sign secure channel data (always) security policy setting.
ms.assetid: 4480c7cb-adca-4f29-b4b8-06eb68d272bf
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Domain member: Digitally encrypt or sign secure channel data (always)
**Applies to**
- Windows 10
Describes the best practices, location, values, and security considerations for the **Domain member: Digitally encrypt or sign secure channel data (always)** security policy setting.
## Reference
This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. Logon information that is transmitted over the secure channel is always encrypted regardless of whether the encryption of all other secure channel traffic is negotiated.
This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. Logon information that is
transmitted over the secure channel is always encrypted regardless of whether the encryption of all other secure channel traffic is negotiated.
The following policy settings determine whether a secure channel can be established with a domain controller that is not capable of signing or encrypting secure channel traffic:
- Domain member: Digitally encrypt or sign secure channel data (always)
- [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md)
- [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md)
Setting **Domain member: Digitally encrypt or sign secure channel data (always)** to **Enabled** prevents establishing a secure channel with any domain controller that cannot sign or encrypt all secure channel data.
To protect authentication traffic from man-in-the-middle, replay, and other types of network attacks, Windows-based computers create a communication channel through NetLogon called secure channels. These channels authenticate machine accounts. They also authenticate user accounts when a remote user connects to a network resource and the user account exists in a trusted domain. This is called pass-through authentication, and it allows a device running Windows othat has joined a domain to have access to the user account database in its domain and in any trusted domains.
To enable the **Domain member: Digitally encrypt or sign secure channel data (always)** policy setting on a member workstation or server, all domain controllers in the domain that the member belongs to must be capable of signing or encrypting all secure-channel data.
Enabling the **Domain member: Digitally encrypt or sign secure channel data (always)** policy setting automatically enables the [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) policy setting.
When a device joins a domain, a machine account is created. After joining the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. This secure channel is used to perform operations such as NTLM pass-through authentication and LSA SID/name Lookup. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the integrity of the channel is not checked, and not all information is encrypted. If a system is set to always encrypt or sign secure channel data, a secure channel cannot be established with a domain controller that is not capable of signing or encrypting all secure channel traffic. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated.
### Possible values
- Enabled
The policy [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic.
The policy [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure
channel traffic.
- Disabled
The encryption and signing of all secure channel traffic is negotiated with the domain controller, in which case the level of signing and encryption depends on the version of the domain controller and the settings of the following policies:
1. [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md)
2. [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md)
- Not defined
### Best practices
- Set **Domain member: Digitally encrypt or sign secure channel data (always)** to **Enabled**.
- Set [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) to **Enabled**.
- Set [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) to **Enabled**.
**Note**  
You can enable the policy settings [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) and [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) on all devices in the domain that support these policy settings without affecting earlier-version clients and applications.
>**Note:**  You can enable the policy settings [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) and [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) on all devices in the domain that support these policy settings without affecting earlier-version clients and applications.
 
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
### Default values
The following table lists the actual and effective default values for this policy. Default values are also listed on the policys property page.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Server type or GPO</th>
<th align="left">Default value</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Default Domain Policy</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="even">
<td align="left"><p>Default Domain Controller Policy</p></td>
<td align="left"><p>Enabled</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Stand-Alone Server Default Settings</p></td>
<td align="left"><p>Enabled</p></td>
</tr>
<tr class="even">
<td align="left"><p>DC Effective Default Settings</p></td>
<td align="left"><p>Enabled</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Member Server Effective Default Settings</p></td>
<td align="left"><p>Enabled</p></td>
</tr>
<tr class="even">
<td align="left"><p>Client Computer Effective Default Settings</p></td>
<td align="left"><p>Enabled</p></td>
</tr>
</tbody>
</table>
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy | Not defined|
| Default Domain Controller Policy | Enabled |
| Stand-Alone Server Default Settings | Enabled|
| DC Effective Default Settings | Enabled|
| Member Server Effective Default Settings | Enabled|
| Client Computer Effective Default Settings | Enabled|
 
## Policy management
This section describes features and tools that are available to help you manage this policy.
### Restart requirement
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
### Group Policy
Distribution of this policy through Group Policy overrides the Local Security Policy setting.
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
### Vulnerability
When a device joins a domain, a machine account is created. After it joins the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. If a device is configured to always encrypt or sign secure channel data but the domain controller cannot sign or encrypt any portion of the secure channel data, the computer and domain controller cannot establish a secure channel. If the device is configured to encrypt or sign secure channel data, when possible, a secure channel can be established, but the level of encryption and signing is negotiated.
When a device joins a domain, a machine account is created. After it joins the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. Requests that are sent on the secure channel are authenticated—and
sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. If a device is configured to always encrypt or sign secure channel data but the domain controller cannot sign or encrypt any portion of the secure channel data, the computer and domain controller cannot establish a secure channel. If the device is configured to encrypt or sign secure channel data, when possible, a secure channel can be established, but the level of encryption and signing is negotiated.
### Countermeasure
Select one of the following settings as appropriate for your environment to configure the computers in your domain to encrypt or sign secure channel data.
- **Domain member: Digitally encrypt or sign secure channel data (always)**
- [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md)
- [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md)
### Potential impact
Digital encryption and signing of the secure channel is a good idea because the secure channel protects domain credentials as they are sent to the domain controller.
## Related topics
[Security Options](security-options.md)
 
 
- [Security Options](security-options.md)
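Review bot: typo carried over in the pass-through authentication paragraph of this hunk: "a device running Windows othat has joined a domain" should read "a device running Windows that has joined a domain"; fix it here while the paragraph is being touched. Two more points in the same hunk: the Reference paragraph ("This setting determines whether all secure channel traffic...") and the Vulnerability paragraph ("When a device joins a domain...") each appear once as a single line and once with a hard line break mid-sentence ("Logon information that is / transmitted", "authenticated—and / sensitive information"); keep one line per paragraph so later diffs stay readable. And under Group Policy this page states "Distribution of this policy through Group Policy overrides the Local Security Policy setting", while the two sibling "(when possible)" pages in this commit state that it "does not override" it; please confirm which behaviour is correct for the (always) setting and make the three pages agree, since this is the sentence administrators rely on when a local setting and a GPO conflict.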

View File

@ -2,99 +2,107 @@
title: Domain member Digitally encrypt secure channel data (when possible) (Windows 10)
description: Describes the best practices, location, values, and security considerations for the Domain member Digitally encrypt secure channel data (when possible) security policy setting.
ms.assetid: 73e6023e-0af3-4531-8238-82f0f0e4965b
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Domain member: Digitally encrypt secure channel data (when possible)
**Applies to**
- Windows 10
Describes the best practices, location, values, and security considerations for the **Domain member: Digitally encrypt secure channel data (when possible)** security policy setting.
## Reference
This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be encrypted. Logon information that is transmitted over the secure channel is always encrypted regardless of whether the encryption of all other secure channel traffic is negotiated.
This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be encrypted. Logon information that is transmitted over
the secure channel is always encrypted regardless of whether the encryption of all other secure channel traffic is negotiated.
In addition to this policy setting, the following policy settings determine whether a secure channel can be established with a domain controller that is not capable of signing or encrypting secure channel traffic:
- [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md)
- [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md)
Setting **Domain member: Digitally encrypt or sign secure channel data (always)** to **Enabled** prevents establishing a secure channel with any domain controller that cannot sign or encrypt all secure channel data.
To protect authentication traffic from man-in-the-middle, replay, and other types of network attacks, Windows-based computers create a communication channel through NetLogon called secure channels. These channels authenticate machine accounts. They also authenticate user accounts when a remote user connects to a network resource and the user account exists in a trusted domain. This is called pass-through authentication, and it allows a computer running the Windows operating system that has joined a domain to have access to the user account database in its domain and in any trusted domains.
Enabling the [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) policy setting automatically enables the **Domain member: Digitally sign secure channel data (when possible)** policy setting.
When a device joins a domain, a machine account is created. After joining the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. This secure channel is used to perform operations such as NTLM pass through authentication and LSA SID/name Lookup. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the integrity of the channel is not checked, and not all information is encrypted. If a system is set to always encrypt or sign secure channel data, a secure channel cannot be established with a domain controller that is not capable of signing or encrypting all secure channel traffic. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated.
### Possible values
- Enabled
The domain member will request encryption of all secure channel traffic. If the domain controller supports encryption of all secure channel traffic, then all secure channel traffic will be encrypted. Otherwise, only logon information that is transmitted over the secure channel will be encrypted.
- Disabled
The domain member will not attempt to negotiate secure channel encryption.
**Note**  
If the security policy setting [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) is enabled, this setting will be overwritten.
>**Note:**  If the security policy setting [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) is enabled, this setting will be overwritten.
 
- Not defined
### Best practices
- Set [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) to **Enabled**.
- Set **Domain member: Digitally encrypt secure channel data (when possible)** to **Enabled**.
- Set [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) to **Enabled**.
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
### Default values
The following table lists the actual and effective default values for this policy. Default values are also listed on the policys property page.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Server type or GPO</th>
<th align="left">Default value</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Default Domain Policy</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="even">
<td align="left"><p>Default Domain Controller Policy</p></td>
<td align="left"><p>Enabled</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Stand-Alone Server Default Settings</p></td>
<td align="left"><p>Enabled</p></td>
</tr>
<tr class="even">
<td align="left"><p>DC Effective Default Settings</p></td>
<td align="left"><p>Enabled</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Member Server Effective Default Settings</p></td>
<td align="left"><p>Enabled</p></td>
</tr>
<tr class="even">
<td align="left"><p>Client Computer Effective Default Settings</p></td>
<td align="left"><p>Enabled</p></td>
</tr>
</tbody>
</table>
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy | Not defined|
| Default Domain Controller Policy | Enabled|
| Stand-Alone Server Default Settings | Enabled|
| DC Effective Default Settings | Enabled|
| Member Server Effective Default Settings| Enabled|
| Client Computer Effective Default Settings | Enabled|
 
## Policy management
This section describes features and tools that are available to help you manage this policy.
### Restart requirement
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
### Group Policy
Distribution of this policy through Group Policy does not override the Local Security Policy setting.
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
### Vulnerability
When a device joins a domain, a machine account is created. After it joins the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. If a device is configured to always encrypt or sign secure channel data but the domain controller cannot sign or encrypt any portion of the secure channel data, the computer and domain controller cannot establish a secure channel. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated.
### Countermeasure
Select one of the following settings as appropriate for your environment to configure the computers in your domain to encrypt or sign secure channel data:
- [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md)
- **Domain member: Digitally encrypt secure channel data (when possible)**
- [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md)
### Potential impact
Digital signing of the secure channel is a good idea because it protects domain credentials as they are sent to the domain controller.
## Related topics
[Security Options](security-options.md)
 
 
- [Security Options](security-options.md)
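Review bot: the Potential impact section of this hunk reads "Digital signing of the secure channel is a good idea because it protects domain credentials", but this page documents the encrypt (when possible) setting; the (always) page uses "Digital encryption and signing of the secure channel", and that wording is the accurate one here. Smaller points in the same hunk: "NTLM pass through authentication" is missing its hyphen (the (always) page spells it "pass-through"); in the Possible values note, "this setting will be overwritten" reads as if the stored value is changed, whereas the text elsewhere describes the (always) policy taking precedence, so "overridden" is the better word; and the new table row `| Member Server Effective Default Settings| Enabled|` lacks the space before the pipe that the other rows have.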

View File

@ -2,100 +2,105 @@
title: Domain member Digitally sign secure channel data (when possible) (Windows 10)
description: Describes the best practices, location, values, and security considerations for the Domain member Digitally sign secure channel data (when possible) security policy setting.
ms.assetid: a643e491-4f45-40ea-b12c-4dbe47e54f34
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Domain member: Digitally sign secure channel data (when possible)
**Applies to**
- Windows 10
Describes the best practices, location, values, and security considerations for the **Domain member: Digitally sign secure channel data (when possible)** security policy setting.
## Reference
This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be signed. Logon information that is transmitted over the secure channel is always encrypted regardless of whether the encryption of all other secure channel traffic is negotiated.
This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be signed. Logon information that is transmitted over the
secure channel is always encrypted regardless of whether the encryption of all other secure channel traffic is negotiated.
The following policy settings determine whether a secure channel can be established with a domain controller that is not capable of signing or encrypting secure channel traffic:
- [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md)
- [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md)
- Domain member: Digitally sign secure channel data (when possible)
Setting [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) to **Enabled** prevents establishing a secure channel with any domain controller that cannot sign or encrypt all secure channel data.
To protect authentication traffic from man-in-the-middle, replay, and other types of network attacks, Windows-based computers create a communication channel through NetLogon called secure channels. These channels authenticate computer accounts. They also authenticate user accounts when a remote user connects to a network resource and the user account exists in a trusted domain. This is called pass-through authentication, and it allows a computer running the Windows operating system that has joined a domain to have access to the user account database in its domain and in any trusted domains.
Enabling the [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) policy setting automatically enables the **Domain member: Digitally sign secure channel data (when possible)** policy setting.
When a device joins a domain, a machine account is created. After joining the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. This secure channel is used to perform operations such as NTLM pass through authentication and LSA SID/name Lookup. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the integrity of the channel is not checked, and not all information is encrypted. If a system is set to always encrypt or sign secure channel data, a secure channel cannot be established with a domain controller that is not capable of signing or encrypting all secure channel traffic. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated.
### Possible values
- Enabled
The domain member will request signing of all secure channel traffic. If the domain controller supports signing of all secure channel traffic, then all secure channel traffic will be signed which ensures that it cannot be tampered with in transit.
- Disabled
Signing will not be negotiated unless the policy [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) is enabled.
- Not defined
### Best practices
- Set [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) to **Enabled**.
- Set [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) to **Enabled**.
- Set **Domain member: Digitally sign secure channel data (when possible)** to **Enabled**.
**Note**  
You can enable the other two policy settings, Domain member: [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) and **Domain member: Digitally sign secure channel data (when possible)**, on all devices joined to the domain that support these policy settings without affecting earlier-version clients and applications.
>**Note:**  You can enable the other two policy settings, Domain member: [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) and **Domain member: Digitally sign secure channel data (when possible)**, on all devices joined to the domain that support these policy settings without affecting earlier-version clients and applications.
 
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
### Default values
The following table lists the actual and effective default values for this policy. Default values are also listed on the policys property page.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Server type or GPO</th>
<th align="left">Default value</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Default Domain Policy</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="even">
<td align="left"><p>Default Domain Controller Policy</p></td>
<td align="left"><p>Enabled</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Stand-Alone Server Default Settings</p></td>
<td align="left"><p>Enabled</p></td>
</tr>
<tr class="even">
<td align="left"><p>DC Effective Default Settings</p></td>
<td align="left"><p>Enabled</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Member Server Effective Default Settings</p></td>
<td align="left"><p>Enabled</p></td>
</tr>
<tr class="even">
<td align="left"><p>Client Computer Effective Default Settings</p></td>
<td align="left"><p>Enabled</p></td>
</tr>
</tbody>
</table>
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy | Not defined|
| Default Domain Controller Policy | Enabled |
| Stand-Alone Server Default Settings | Enabled|
| DC Effective Default Settings | Enabled|
| Member Server Effective Default Settings| Enabled|
| Client Computer Effective Default Settings | Enabled|
 
## Policy management
This section describes features and tools that are available to help you manage this policy.
### Restart requirement
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
### Group Policy
Distribution of this policy through Group Policy does not override the Local Security Policy setting.
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
### Vulnerability
When a device joins a domain, a machine account is created. After it joins the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. If a device is configured to always encrypt or sign secure channel data but the domain controller cannot sign or encrypt any portion of the secure channel data, the computer and domain controller cannot establish a secure channel. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated.
### Countermeasure
Because these policies are closely related and useful depending on your environment, select one of the following settings as appropriate to configure the devices in your domain to encrypt or sign secure channel data when possible.
- [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md)
- [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md)
- **Domain member: Digitally sign secure channel data (when possible)**
### Potential impact
Digital signing of the secure channel is a good idea because the secure channel protects domain credentials as they are sent to the domain controller.
## Related topics
[Security Options](security-options.md)
 
 
- [Security Options](security-options.md)
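Review bot: the Best practices note in this hunk has a stray "Domain member:" before the first link ("the other two policy settings, Domain member: [Domain member: Digitally encrypt secure channel data (when possible)](...)"), and "the other two" is ambiguous on a page whose own setting is one of the two named; the equivalent note on the (always) page simply names "the policy settings [encrypt (when possible)] and [sign (when possible)]" without the prefix, and that wording fits here as well. Minor items in the same hunk: in Possible values, "all secure channel traffic will be signed which ensures that it cannot be tampered with" wants a comma before "which"; "NTLM pass through authentication" is missing its hyphen; and the table row `| Member Server Effective Default Settings| Enabled|` lacks the space before the pipe.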

View File

@ -2,82 +2,79 @@
title: Domain member Disable machine account password changes (Windows 10)
description: Describes the best practices, location, values, and security considerations for the Domain member Disable machine account password changes security policy setting.
ms.assetid: 1f660300-a07a-4243-a09f-140aa1ab8867
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Domain member: Disable machine account password changes
**Applies to**
- Windows 10
Describes the best practices, location, values, and security considerations for the **Domain member: Disable machine account password changes** security policy setting.
## Reference
The **Domain member: Disable machine account password changes** policy setting determines whether a domain member periodically changes its machine account password. Setting its value to **Enabled** prevents the domain member from changing the machine account password. Setting it to **Disabled** allows the domain member to change the machine account password as specified by the value of the [Domain member: Maximum machine account password age](domain-member-maximum-machine-account-password-age.md) policy setting, which is every 30 days by default.
By default, devices that belong to a domain are automatically required to change the passwords for their accounts every 30 days. Devices that are no longer able to automatically change their machine password are at risk of a malicious user determining the password for the system's domain account.
Verify that the **Domain member: Disable machine account password changes** option is set to **Disabled**.
### Possible values
- Enabled
- Disabled
### Best practices
1. Do not enable this policy setting. Machine account passwords are used to establish secure channel communications between members and domain controllers and between the domain controllers within the domain. After it is established, the secure channel transmits sensitive information that is necessary for making authentication and authorization decisions.
2. Do not use this policy setting in an attempt to support dual-boot scenarios that use the same machine account. If you want to dual-boot installations that are joined to the same domain, give the two installations different computer names. This policy setting was added to the Windows operating system to make it easier for organizations that stockpile pre-built computers that are put into production months later; those devices do not have to be rejoined to the domain.
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
### Default values
The following table lists the actual and effective default values for this policy. Default values are also listed on the policys property page.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Server type or GPO</th>
<th align="left">Default value</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Default Domain Policy</p></td>
<td align="left"><p>Disabled</p></td>
</tr>
<tr class="even">
<td align="left"><p>Default Domain Controller Policy</p></td>
<td align="left"><p>Disabled</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Stand-Alone Server Default Settings</p></td>
<td align="left"><p>Disabled</p></td>
</tr>
<tr class="even">
<td align="left"><p>DC Effective Default Settings</p></td>
<td align="left"><p>Disabled</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Member Server Effective Default Settings</p></td>
<td align="left"><p>Disabled</p></td>
</tr>
<tr class="even">
<td align="left"><p>Client Computer Effective Default Settings</p></td>
<td align="left"><p>Disabled</p></td>
</tr>
</tbody>
</table>
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy | Disabled |
| Default Domain Controller Policy | Disabled|
| Stand-Alone Server Default Settings | Disabled|
| DC Effective Default Settings | Disabled|
| Member Server Effective Default Settings | Disabled|
| Client Computer Effective Default Settings | Disabled|
 
## Policy management
This section describes features and tools that are available to help you manage this policy.
### Restart requirement
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
### Vulnerability
By default, devices running Windows Server that belong to a domain automatically change their passwords for their accounts every certain number of days, typically 30. If you disable this policy setting, devices that run Windows Server retain the same passwords as their machine accounts. Devices that cannot automatically change their account password are at risk from an attacker who could determine the password for the machine's domain account.
By default, devices running Windows Server that belong to a domain automatically change their passwords for their accounts every certain number of days, typically 30. If you disable this policy setting, devices that run Windows Server retain the same passwords as their machine accounts. Devices
that cannot automatically change their account password are at risk from an attacker who could determine the password for the machine's domain account.
### Countermeasure
Verify that the **Domain member: Disable machine account password changes** setting is configured to **Disabled**.
### Potential impact
None. This is the default configuration.
## Related topics
[Security Options](security-options.md)
 
 
- [Security Options](security-options.md)
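Review bot: The Vulnerability paragraph in this hunk inverts the meaning of the policy: "If you disable this policy setting, devices that run Windows Server retain the same passwords" contradicts the Reference section above, which says Enabled prevents the domain member from changing the machine account password and Disabled allows it, and the Countermeasure, which tells the reader to verify the setting is Disabled. It should read "If you enable this policy setting". The same paragraph also says "devices running Windows Server" on a page whose Applies to list is Windows 10, and its reflowed copy breaks a sentence across two lines ("Devices" / "that cannot automatically change their account password") while every other paragraph in the file is a single line.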

View File

@ -2,81 +2,77 @@
title: Domain member Maximum machine account password age (Windows 10)
description: Describes the best practices, location, values, and security considerations for the Domain member Maximum machine account password age security policy setting.
ms.assetid: 0ec6f7c1-4d82-4339-94c0-debb2d1ac109
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Domain member: Maximum machine account password age
**Applies to**
- Windows 10
Describes the best practices, location, values, and security considerations for the **Domain member: Maximum machine account password age** security policy setting.
## Reference
The **Domain member: Maximum machine account password age** policy setting determines the maximum allowable age for a machine account password.
In Active Directorybased domains, each device has an account and password, just like every user. By default, the domain members automatically change their domain password every 30 days. Increasing this interval significantly, or setting it to **0** so that the device no longer change their passwords, gives a malicious user more time to undertake a brute-force password-guessing attack against one of the machine accounts.
### Possible values
- User-defined number of days between 0 and 999
- Not defined.
### Best practices
1. It is often advisable to set **Domain member: Maximum machine account password age** to about 30 days.
2. Some organizations pre-build devices and then store them for later use or ship them to remote locations. If the machine's account has expired, it will no longer be able to authenticate with the domain. Devices that cannot authenticate with the domain must be removed from the domain and rejoined to it. For this reason, some organizations might want to create a special organizational unit (OU) for computers that are prebuilt, and configure the value for this policy setting to a larger number of days.
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
### Default values
The following table lists the actual and effective default values for this policy. Default values are also listed on the policys property page.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Server type or GPO</th>
<th align="left">Default value</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Default Domain Policy</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="even">
<td align="left"><p>Default Domain Controller Policy</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Stand-Alone Server Default Settings</p></td>
<td align="left"><p>30 days</p></td>
</tr>
<tr class="even">
<td align="left"><p>DC Effective Default Settings</p></td>
<td align="left"><p>30 days</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Member Server Effective Default Settings</p></td>
<td align="left"><p>30 days</p></td>
</tr>
<tr class="even">
<td align="left"><p>Client Computer Effective Default Settings</p></td>
<td align="left"><p>30 days</p></td>
</tr>
</tbody>
</table>
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy | Not defined |
| Default Domain Controller Policy | Not defined|
| Stand-Alone Server Default Settings | 30 days|
| DC Effective Default Settings | 30 days|
| Member Server Effective Default Settings|30 days|
| Client Computer Effective Default Settings | 30 days|
 
## Policy management
This section describes features and tools that are available to help you manage this policy.
### Restart requirement
None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy.
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
### Vulnerability
In Active Directorybased domains, each device has an account and password, just as every user does. By default, the domain members automatically change their domain password every 30 days. If you increase this interval significantly, or set it to 0 so that the computers no longer change their passwords, an attacker has more time to undertake a brute-force attack to guess the password of one or more computer accounts.
In Active Directorybased domains, each device has an account and password, just as every user does. By default, the domain members automatically change their domain password every 30 days. If you increase this interval significantly, or set it to 0 so that the computers no longer change their
passwords, an attacker has more time to undertake a brute-force attack to guess the password of one or more computer accounts.
### Countermeasure
Configure the **Domain member: Maximum machine account password age** setting to 30 days.
### Potential impact
None. This is the default configuration.
## Related topics
[Security Options](security-options.md)
 
 
- [Security Options](security-options.md)
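Review bot: Grammar in the Reference paragraph of this hunk: "setting it to 0 so that the device no longer change their passwords" mixes singular and plural; suggest "so that devices no longer change their passwords". The Vulnerability paragraph repeats the Reference paragraph almost verbatim, and its reflowed copy breaks mid-sentence ("the computers no longer change their" / "passwords, an attacker has more time"), unlike the rest of the file where each paragraph is one line; keep it on one line or trim it to the point that a longer interval gives an attacker more time to brute-force the machine account password.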

View File

@ -2,88 +2,95 @@
title: Domain member Require strong (Windows 2000 or later) session key (Windows 10)
description: Describes the best practices, location, values, and security considerations for the Domain member Require strong (Windows 2000 or later) session key security policy setting.
ms.assetid: 5ab8993c-5086-4f09-bc88-1b27454526bd
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Domain member: Require strong (Windows 2000 or later) session key
**Applies to**
- Windows 10
Describes the best practices, location, values, and security considerations for the **Domain member: Require strong (Windows 2000 or later) session key** security policy setting.
## Reference
The **Domain member: Require strong (Windows 2000 or later) session key** policy setting determines whether a secure channel can be established with a domain controller that is not capable of encrypting secure channel traffic with a strong, 128-bit session key. Enabling this policy setting prevents establishing a secure channel with any domain controller that cannot encrypt secure channel data with a strong key. Disabling this policy setting allows 64-bit session keys.
Whenever possible, you should take advantage of these stronger session keys to help protect secure channel communications from eavesdropping and session-hijacking network attacks. Eavesdropping is a form of hacking in which network data is read or altered in transit. The data can be modified to hide or change the name of the sender, or it can be redirected.
### Possible values
- Enabled
When enabled on a member workstation or server, all domain controllers in the domain that the member belongs to must be capable of encrypting secure channel data with a strong, 128-bit key. This means that all such domain controllers must be running at least Windows 2000 Server.
- Disabled
Allows 64-bit session keys to be used.
- Not defined.
### Best practices
- It is advisable to set **Domain member: Require strong (Windows 2000 or later) session key** to Enabled. Enabling this policy setting ensures that all outgoing secure channel traffic will require a strong encryption key. Disabling this policy setting requires that key strength be negotiated. Only enable this option if the domain controllers in all trusted domains support strong keys. By default, this value is disabled.
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
### Default values
The following table lists the actual and effective default values for this policy. Default values are also listed on the policys property page.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Server type or GPO</th>
<th align="left">Default value</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Default Domain Policy</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="even">
<td align="left"><p>Default Domain Controller Policy</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Stand-Alone Server Default Settings</p></td>
<td align="left"><p>Disabled</p></td>
</tr>
<tr class="even">
<td align="left"><p>DC Effective Default Settings</p></td>
<td align="left"><p>Disabled</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Member Server Effective Default Settings</p></td>
<td align="left"><p>Disabled</p></td>
</tr>
<tr class="even">
<td align="left"><p>Client Computer Effective Default Settings</p></td>
<td align="left"><p>Disabled</p></td>
</tr>
</tbody>
</table>
| Server type or GPO
| Default value
| - | - |
| Default Domain Policy | Not defined |
| Default Domain Controller Policy | Not defined|
| Stand-Alone Server Default Settings | Disabled|
| DC Effective Default Settings | Disabled|
| Member Server Effective Default Settings | Disabled|
| Client Computer Effective Default Settings | Disabled|
 
## Policy management
This section describes features and tools that are available to help you manage this policy.
### Restart requirement
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
### Group Policy
Misuse of this policy setting is a common error that can cause data loss or problems with data access or security.
You will you be able to join devices that do not support this policy setting to domains where the domain controllers have this policy setting enabled.
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
### Vulnerability
Session keys that are used to establish secure channel communications between domain controllers and member computers are much stronger starting with Windows 2000.
Whenever possible, you should take advantage of these stronger session keys to help protect secure channel communications from attacks that attempt to hijack network sessions and eavesdrop. (Eavesdropping is a form of hacking in which network data is read or altered in transit. The data can be modified to hide or change the sender, or be redirected.)
### Countermeasure
Enable the **Domain member: Require strong (Windows 2000 or later) session key** setting.
If you enable this policy setting, all outgoing secure channel traffic requires a strong encryption key. If you disable this policy setting, the key strength is negotiated. You should enable this policy setting only if the domain controllers in all trusted domains support strong keys. By default, this policy setting is disabled.
### Potential impact
Devices that do not support this policy setting cannot join domains in which the domain controllers have this policy setting enabled.
## Related topics
[Security Options](security-options.md)
 
 
- [Security Options](security-options.md)
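Review bot: The replacement Markdown table in this hunk is broken: the header is split across two lines ("| Server type or GPO" then "| Default value"), so the separator row "| - | - |" does not follow a single header line and the table will not render; join them into "| Server type or GPO | Default value |" as the other three policy files in this commit do. Separately, the sentence in the Group Policy section, "You will you be able to join devices that do not support this policy setting to domains where the domain controllers have this policy setting enabled", is garbled and states the opposite of the Potential impact section ("Devices that do not support this policy setting cannot join domains in which the domain controllers have this policy setting enabled"); it should read "You will not be able to join".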

View File

@ -2,48 +2,73 @@
title: Manage TPM lockout (Windows 10)
description: This topic for the IT professional describes how to manage the lockout feature for the Trusted Platform Module (TPM) in Windows.
ms.assetid: bf27adbe-404c-4691-a644-29ec722a3f7b
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Manage TPM lockout
**Applies to**
- Windows 10
This topic for the IT professional describes how to manage the lockout feature for the Trusted Platform Module (TPM) in Windows.
## <a href="" id="bkmk-lockout1"></a>About TPM lockout
The TPM will lock itself to prevent tampering or malicious attacks. TPM lockout often lasts for a variable amount of time or until the computer is turned off. While the TPM is in lockout mode, it generally returns an error message when it receives commands that require an authorization value. One exception is that the TPM always allows the owner at least one attempt to reset the TPM lockout when it is in lockout mode.
TPM ownership is commonly taken the first time BitLocker Drive Encryption is turned on for the computer. In this case, the TPM owner authorization password is saved with the BitLocker recovery key. When the BitLocker recovery key is saved to a file, BitLocker also saves a TPM owner password file (.tpm) with the TPM owner password hash value. When the BitLocker recovery key is printed, the TPM owner password is printed at the same time. You can also save your TPM owner password hash value to Active Directory Domain Services (AD DS) if your organization's Group Policy settings are configured to do so.
In some cases, encryption keys are protected by a TPM by requiring a valid authorization value to access the key. A common example is configuring BitLocker Drive Encryption to use the TPM plus PIN key protector. In this scenario, the user must type the correct PIN during the boot process to access the volume encryption key protected by the TPM. To prevent malicious users or software from discovering authorization values, TPMs implement protection logic. The protection logic is designed to slow or stop responses from the TPM if it detects that an entity might be trying to guess authorization values.
The industry standards from the Trusted Computing Group (TCG) specify that TPM manufacturers must implement some form of protection logic in TPM 1.2 and TPM 2.0 chips. TPM manufacturers implement different protection mechanisms and behavior. The general guidance is for the TPM chip to take exponentially longer to respond if incorrect authorization values are sent to the TPM. Some TPM chips may not store failed attempts over time. Other TPM chips may store every failed attempt indefinitely. Therefore, some users may experience increasingly longer delays when they mistype an authorization value that is sent to the TPM. This can prevent them from using the TPM for a period of time.
If your TPM has entered lockout mode or is responding slowly to commands, you can reset the lockout value by using the following procedures. Resetting the TPM lockout requires the TPM owners authorization.
## Reset the TPM lockout by using the TPM MMC
The following procedure explains the steps to reset the TPM lockout by using the TPM MMC.
**To reset the TPM lockout**
1. Open the TPM MMC (tpm.msc).
2. In the **Action** pane, click **Reset TPM Lockout** to start the Reset TPM Lockout Wizard.
3. Choose one of the following methods to enter the TPM owner password:
- If you saved your TPM owner password to a .tpm file, click **I have the owner password file**, and then type the path to the file, or click **Browse** to navigate to the file location.
- If you want to manually enter your TPM owner password, click **I want to enter the owner password**, and then type the password in the text box provided.
**Note**  
If you enabled BitLocker and your TPM at the same time, and you printed your BitLocker recovery password when you turned on BitLocker, your TPM owner password may have printed with it.
>**Note:**  If you enabled BitLocker and your TPM at the same time, and you printed your BitLocker recovery password when you turned on BitLocker, your TPM owner password may have printed with it.
 
## Use Group Policy to manage TPM lockout settings
The TPM Group Policy settings in the following list are located at:
**Computer Configuration\\Administrative Templates\\System\\Trusted Platform Module Services\\**
- [Standard User Lockout Duration](trusted-platform-module-services-group-policy-settings.md#bkmk-individual)
This policy setting allows you to manage the duration in minutes for counting standard user authorization failures for TPM commands that require authorization. An authorization failure occurs each time a user sends a command to the TPM and receives an error message that indicates an authorization failure occurred. Authorization failures that are older than the duration you set are ignored. If the number of TPM commands with an authorization failure within the lockout duration equals a threshold, the user is prevented from sending commands to the TPM that require authorization.
- [Standard User Individual Lockout Threshold](trusted-platform-module-services-group-policy-settings.md#bkmk-tpmgp-suld)
This policy setting allows you to manage the maximum number of authorization failures for the TPM for each user. This value is the maximum number of authorization failures that each user can have before the user is not allowed to send commands to the TPM that require authorization. If the number of authorization failures equals the duration that is set for the policy setting, the user is prevented from sending commands to the TPM that require authorization.
- [Standard User Total Lockout Threshold](trusted-platform-module-services-group-policy-settings.md#bkmk-total)
This policy setting allows you to manage the maximum number of authorization failures for the TPM for all standard users. If the total number of authorization failures for all users equals the duration that is set for the policy, all users are prevented from sending commands to the TPM that require authorization.
For information about mitigating dictionary attacks that use the lockout settings, see [TPM fundamentals](tpm-fundamentals.md#bkmk-howtpmmitigates).
## <a href="" id="bkmk-tpmcmdlets"></a>Use the TPM cmdlets
If you are using Windows PowerShell to manage your computers, you can also manage the TPM by using Windows PowerShell. To install the TPM cmdlets, type the following command:
**dism /online /enable-feature /FeatureName:tpm-psh-cmdlets**
For details about the individual cmdlets, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx).
## Additional resources
For more info about TPM, see [TPM technology overview](trusted-platform-module-overview.md#bkmk-additionalresources).
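Review bot: The two threshold descriptions in the Group Policy list compare a count against "the duration": "If the number of authorization failures equals the duration that is set for the policy setting" (Standard User Individual Lockout Threshold) and "If the total number of authorization failures for all users equals the duration that is set for the policy" (Standard User Total Lockout Threshold). Both policies set a number of failures, as their names say; the duration in minutes belongs to the separate Standard User Lockout Duration described just above them. Suggest "equals the threshold that is set for the policy setting" in both. Minor: the "dism /online /enable-feature /FeatureName:tpm-psh-cmdlets" command is bold text rather than a code block, unlike the fenced commands elsewhere in this commit, and the sentence introducing it says "using Windows PowerShell" twice.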
 
 

View File

@ -0,0 +1,53 @@
---
title: Run a scan from the command line in Windows Defender in Windows 10 (Windows 10)
description: IT professionals can run a scan using the command line in Windows Defender in Windows 10.
keywords: scan, command line, mpcmdrun, defender
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: manage
ms.sitesec: library
author: mjcaparas
---
# Run a Windows Defender scan from the command line
**Applies to:**
- Windows 10
IT professionals can use a command-line utility to run a Windows Defender scan.
The utility is available in _%Program Files%\Windows Defender\MpCmdRun.exe_
This utility can be handy when you want to automate the use of Windows Defender.
**To run a full system scan from the command line**
1. Click **Start**, type **cmd**, and press **Enter**.
2. Navigate to _%ProgramFiles%\Windows Defender_ and enter the following command, and press **Enter**:
```
C:\Program Files\Windows Defender\mpcmdrun.exe -scan -scantype 2
```
The full scan will start. When the scan completes, you'll see a message indicating that the scan is finished.
The utility also provides other commands that you can run:
```
MpCmdRun.exe [command] [-options]
```
Command | Description
:---|:---
\- ? / -h | Displays all available options for the tool
\-Scan [-ScanType #] [-File <path> [-DisableRemediation] [-BootSectorScan]][-Timeout <days>] | Scans for malicious softare
\-Trace [-Grouping #] [-Level #]| Starts diagnostic tracing
\-GetFiles | Collects support information
\-RemoveDefinitions [-All] | Restores the installed signature definitions to a previous backup copy or to the original default set of signatures
\-AddDynamicSignature [-Path] | Loads a dyanmic signature
\-ListAllDynamicSignature [-Path] | Lists the loaded dynamic signatures
\-RemoveDynamicSignature [-SignatureSetID] | Removes a dynamic signature
\-EnableIntegrityServices | Enables integrity services
\-SubmitSamples | Submit all sample requests
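Review bot: The fenced command in step 2, "C:\Program Files\Windows Defender\mpcmdrun.exe -scan -scantype 2", is an unquoted path containing a space, so cmd.exe will try to run "C:\Program"; since step 2 already navigates to %ProgramFiles%\Windows Defender, the command should be just "MpCmdRun.exe -Scan -ScanType 2" (or the full path in double quotes). Also in this hunk: the utility location is written as "_%Program Files%\Windows Defender\MpCmdRun.exe_" while step 2 uses %ProgramFiles%, and only the latter is the environment variable name; the fence has no language tag; "softare" and "dyanmic" are typos in the command table; the table lists "-ScanType #" without saying what the values mean even though the page relies on 2 meaning a full scan; and the "<path>" and "<days>" placeholders in table cells should be escaped or put in backticks so Markdown does not treat them as HTML tags.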

View File

@ -38,7 +38,7 @@ If the endpoints aren't reporting correctly, you might need to check that the Wi
**Check the onboarding state in Registry**:
1. Click **Start**, type **Run**, and press **Enter**
1. Click **Start**, type **Run**, and press **Enter**.
2. From the **Run** dialog box, type **regedit** and press **Enter**.

View File

@ -4,6 +4,7 @@
## [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md)
## [Manage corporate devices](manage-corporate-devices.md)
### [New policies for Windows 10](new-policies-for-windows-10.md)
### [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md)
### [Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md)
### [Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md)
### [Introduction to configuration service providers (CSPs)](how-it-pros-can-use-configuration-service-providers.md)
@ -25,7 +26,6 @@
#### [Settings and quick actions that can be locked down in Windows 10 Mobile](settings-that-can-be-locked-down.md)
#### [Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md)
### [Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md)
### [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md)
## [Join Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md)
## [Configure devices without MDM](configure-devices-without-mdm.md)
## [Windows 10 servicing options for updates and upgrades](introduction-to-windows-10-servicing.md)

View File

@ -16,4 +16,7 @@ In Windows 10, version 1511, the following Group Policies apply only to Windows
| Policy name | Policy path | Comments |
| - | - | - |
| Turn off the Store application | Computer Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application<br><br>User Configuration > Administrative Templates > Windows Components > Store > Turn off the Store | For more info, see [Knowledge Base article# 3135657](https://support.microsoft.com/en-us/kb/3135657).
| Turn off the Store application | Computer Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application<br><br>User Configuration > Administrative Templates > Windows Components > Store > Turn off the Store | For more info, see [Knowledge Base article# 3135657](https://support.microsoft.com/en-us/kb/3135657). |
| Start layout | User Configuration\Administrative Templates\Start Menu and Taskbar | For more info, see [Manage Windows 10 Start layout options and policies](windows-10-start-layout-options-and-policies.md) |
| Force a specific default lock screen image | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](https://technet.microsoft.com/en-us/itpro/windows/whats-new/windows-spotlight) |
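Review bot: The new "Start layout" row writes its policy path with backslashes ("User Configuration\Administrative Templates\Start Menu and Taskbar") while the other rows in this table use " > " separators; and unlike the "Turn off the Store application" row, neither new row ends the path with the policy name, so a reader cannot tell which setting under Start Menu and Taskbar or under Control Panel > Personalization is meant. Suggest matching the " > " style and naming the setting at the end of each path.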

View File

@ -67,10 +67,7 @@ Enterprises often need to manage how people use corporate devices. Windows 10 p
<td align="left"><p>[Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md)</p></td>
<td align="left"><p>There are two methods for resetting a Windows 10 Mobile device: factory reset and &quot;wipe and persist&quot; reset.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md)</p></td>
<td align="left"><p>New</p></td>
</tr>
</tbody>
</table>

View File

@ -117,6 +117,8 @@ Microsoft Virtual Academy course: [System Center 2012 R2 Configuration Manager &
[New policies for Windows 10](new-policies-for-windows-10.md)
[Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md)
[Changes to Group Policy settings for Start in Windows 10](changes-to-start-policies-in-windows-10.md)
[Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md)

View File

@ -2,48 +2,74 @@
title: Windows 10 Mobile and mobile device management (Windows 10)
description: This guide provides an overview of the mobile device and app management technologies in the Windows 10 Mobile operating system.
ms.assetid: 6CAA1004-CB65-4FEC-9B84-61AAD2125E5E
ms.pagetype: mobile; devices
keywords: ["telemetry", "BYOD", "MDM"]
keywords: telemetry, BYOD, MDM
ms.prod: W10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: mobile; devices
author: AMeeus
---
# Windows 10 Mobile and mobile device management
**Applies to**
- Windows 10 Mobile
This guide provides an overview of the mobile device and app management technologies in the Windows 10 Mobile operating system. It describes how mobile device management (MDM) systems use the built-in device management client to deploy, configure, maintain, and support phones and small tablets running Windows 10 Mobile.
Bring Your Own Device (BYOD—that is, personal devices) and corporate devices are key scenarios that Windows 10 Mobile MDM capabilities support. The operating system offers a flexible approach to registering devices with directory services and MDM systems, and IT organizations can provision comprehensive device-configuration profiles based on their companys need to control and secure mobile business data.
Windows 10 Mobile not only delivers more comprehensive, restrictive configuration settings than Windows Phone 8.1 did but also provides capabilities to deploy and manage apps built on the Universal Windows Platform (UWP). Companies can distribute apps directly from Windows Store or by using their MDM system. They can control and distribute custom line-of-business (LOB) apps the same way.
## Overview
Organizations users increasingly depend on their mobile devices, but phones and tablets bring new and unfamiliar challenges for IT departments. IT must be able to deploy and manage mobile devices and apps quickly to support the business while balancing the growing need to protect corporate data because of evolving laws, regulations, and cybercrime. IT must ensure that the apps and data on those mobile devices are safe, especially on personal devices. Windows 10 Mobile helps organizations address these challenges by providing a robust, flexible, built-in MDM client. IT departments can use the MDM system of their choice to manage this client.
### <a href="" id="built-in-mdm-client--"></a>Built-in MDM client
The built-in MDM client is common to all editions of the Windows 10 operating system, including desktop, mobile, and Internet of Things (IoT). The client provides a single interface through which you can manage any device that runs Windows 10. The client has two important roles: device enrollment in an MDM system and device management.
- **Device enrollment.** Users can enroll in the MDM system. On Windows 10, a user can register a device with Microsoft Azure Active Directory (Azure AD) and enroll in an MDM system at the same time so that the system can manage the device, the apps running on it, and the confidential data it holds. Enrollment establishes the management authority for the device. Only one management authority (or MDM enrollment) is possible at a time, which helps prevent unauthorized access to devices and ensures their stability and reliability.
- **Device management.** The MDM client allows the MDM system to configure policy settings; deploy apps and updates; and perform other management tasks, such as remotely wiping the device. The MDM system sends configuration requests and collects inventory through the MDM client. The client uses [configuration service providers (CSPs)](http://go.microsoft.com/fwlink/p/?LinkId=734049) to configure and inventory settings. A CSP is an interface to read, set, modify, or delete configuration settings on the device. These settings map to registry keys or files. (The security architecture of Windows 10 Mobile prevents direct access to registry settings and operating system files. For more information, see the [Windows 10 Mobile security guide](../keep-secure/windows-10-mobile-security-guide.md).)
The MDM client is an integral part of Windows 10 Mobile. As a result, there is no need for an additional, custom MDM app to enroll the device or to allow an MDM system to manage it. All MDM systems have equal access to Windows 10 Mobile MDM application programming interfaces (APIs), so you can choose Microsoft Intune or a third-party MDM product to manage Windows 10 Mobile devices. For more information about Windows 10 Mobile device management APIs, see [Mobile device management](http://go.microsoft.com/fwlink/p/?LinkId=734050).
### <a href="" id="mobile-edition"></a>Windows 10 Mobile editions
Every device that runs Windows 10 Mobile includes all the enterprise mobile device security and management capabilities the MDM client provides. Microsoft also offers an Enterprise edition of Windows 10 Mobile, which includes three additional capabilities. To enable these capabilities, you can provision a license file without reinstalling the operating system:
- **Ability to postpone software updates.**Windows 10 Mobile gets software updates directly from Windows Update, and you cannot curate updates prior to deployment. Windows 10 Mobile Enterprise, however, allows you to curate and validate updates prior to deploying them.
- **No limit on the number of self-signed LOB apps that you can deploy to a single device.** To use an MDM system to deploy LOB apps directly to devices, you must cryptographically sign the software packages with a code signing certificate that your organizations certificate authority (CA) generates. You can deploy a maximum of 20 self-signed LOB apps to a Windows 10 Mobile device, more than 20 if your organizations devices run Windows 10 Mobile Enterprise.
- **Set telemetry to security level.** The telemetry security level configures the operating system to gather only the telemetry information required to keep devices secured.
**Note**  
Your organization can opt to purchase a code signing certificate from Verisign to sign LOB apps or use [Windows Store for Business](windows-store-for-business.md) to obtain apps. With either method, you can distribute more than 20 apps to a single device without activating Windows 10 Mobile Enterprise on that device by using your MDM system.
>**Note:**  Your organization can opt to purchase a code signing certificate from Verisign to sign LOB apps or use [Windows Store for Business](windows-store-for-business.md) to obtain apps. With either method, you can distribute more than 20 apps to a single device without activating Windows 10 Mobile Enterprise on that device by using your MDM system.
 
To activate Windows 10 Mobile Enterprise on any Windows 10 Mobile device, use your companys MDM system or a provisioning package to inject a license onto the device. You can download a Windows 10 Mobile Enterprise license from the Business Support Portal.
### <a href="" id="lifecycle-management--"></a>Lifecycle management
Windows 10 Mobile supports end-to-end lifecycle device management to give companies control of their devices, data, and apps. Comprehensive MDM systems use the built-in MDM client to manage devices throughout their lifecycle, as Figure 1 illustrates. The remainder of this guide describes the operating systems mobile device and app management capabilities through each phase of the lifecycle, showing how MDM systems use specific features.
![figure 1](images/win10-mobile-mdm-fig1.png)
Figure 1. Device management lifecycle
## <a href="" id="device-deployment--"></a>Device deployment
Device deployment includes the initial registration and configuration of the device, including its enrollment with an MDM system. Sometimes, companies preinstall apps. The major factors in how you deploy devices and which controls you put in place are device ownership and how the user will use the device. This guide covers two scenarios:
1. Companies allow users to personalize their devices because the users own the devices or because company policy doesnt require tight controls (defined as *personal devices* in this guide).
2. Companies dont allow users to personalize their devices or they limit personalization, usually because the organization owns the devices and security considerations are high (defined as *corporate devices* in this guide).
Often, employees can choose devices from a list of supported models, or companies provide devices that they preconfigure, or bootstrap, with a baseline configuration.
Microsoft recommends Azure AD Join and MDM enrollment and management for corporate devices and Azure AD Registration and MDM enrollment and management for personal devices.
### <a href="" id="deployment-scenarios--"></a>Deployment scenarios
Most organizations support both personal and corporate device scenarios. The infrastructure for these scenarios is similar, but the deployment process and configuration policies differ. Table 1 describes characteristics of the personal and corporate device scenarios. Activation of a device with an organizational identity is unique to Windows 10 Mobile.
Table 1. Characteristics of personal and corporate device scenarios
<table>
<colgroup>
<col width="33%" />
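Review bot: the bolded lead-in on the bullet "**Ability to postpone software updates.**Windows 10 Mobile ..." will not render as bold, because the closing `**` is followed directly by "Windows" with no space; CommonMark does not accept `**` as a closing delimiter when it is preceded by punctuation and followed by a letter, so the raw asterisks appear in the output. Add a space after `**` as the other two bullets in that list do. Also, the converted `>**Note:**  Your organization can opt to purchase ...` line is still followed by the old note format's non-breaking-space line and then "To activate Windows 10 Mobile Enterprise ..." with no real blank line; a line containing only U+00A0 is not a blank line for Markdown, so both lines become lazy continuations of the blockquote and the next paragraph is pulled into the note. Replace the nbsp line with an empty line.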
@ -75,10 +101,14 @@ Table 1. Characteristics of personal and corporate device scenarios
</table>
 
### <a href="" id="identity-management--"></a>Identity management
People can use only one account to activate a device, so its imperative that your organization control which account you enable first. The account you choose will determine who controls the device and influence your management capabilities. The following list describes the impact that users identities have on management (Table 2 summarizes these considerations):
- **Personal identity.** In this scenario, employees use their Microsoft account to activate the device. Then, they use their Azure AD account (organizational identity) to register the device in Azure AD and enroll it with the companys MDM solution. You can apply policies to help protect and contain corporate apps and data on the devices, designed to prevent intellectual property leaks, but users keep full control over personal activities, such as downloading and installing apps and games.
- **Organizational identity.** In this scenario, employees use their Azure AD account to register the device to Azure AD and automatically enroll it with the organizations MDM solution. In this case, companies can block personal use of devices. Using organizational Identities to initialize devices gives organizations complete control over devices and allows them to prevent personalization.
Table 2. Personal vs. organizational identity
<table>
<colgroup>
<col width="33%" />
@ -127,33 +157,45 @@ Table 2. Personal vs. organizational identity
</table>
 
### <a href="" id="infrastructure-requirements--"></a>Infrastructure requirements
For both device scenarios, the essential infrastructure and tools required to deploy and manage Windows 10 Mobile devices include an Azure AD subscription and an MDM system.
Azure AD is a cloud-based directory service that provides identity and access management. You can integrate it with existing on-premises directories to create a hybrid solution. Azure AD has three editions: Free, Basic, and Premium (see [Azure Active Directory editions](http://go.microsoft.com/fwlink/p/?LinkId=723980)). All editions support Azure AD device registration, but the Premium edition is required to enable MDM auto-enrollment and conditional access based on device state. Organizations that use Microsoft Office 365 or Intune are already using Azure AD.
**Note**  
Most industry-leading MDM vendors already support integration with Azure AD or are working on integration. You can find the MDM vendors that support Azure AD in [Azure Marketplace](http://go.microsoft.com/fwlink/p/?LinkId=723981).
>**Note:**  Most industry-leading MDM vendors already support integration with Azure AD or are working on integration. You can find the MDM vendors that support Azure AD in [Azure Marketplace](http://go.microsoft.com/fwlink/p/?LinkId=723981).
 
Users can enroll Windows 10 Mobile devices in third-party MDM systems without using an Azure AD organizational account. (By default, Intune uses Azure AD and includes a license). If your organization doesnt use Azure AD, you must use a personal identity to activate devices and enable common scenarios, such as downloading apps from Windows Store.
Multiple MDM systems that support Windows 10 Mobile are available. Most support personal and corporate device deployment scenarios. Microsoft offers [Intune](http://go.microsoft.com/fwlink/p/?LinkId=723983), which is part of the [Enterprise Mobility Suite](http://go.microsoft.com/fwlink/p/?LinkId=723984) and a cloud-based MDM system that manages devices off premises. Like Office 365, Intune uses Azure AD for identity management, so employees use the same credentials to enroll devices in Intune or sign in to Office 365. Intune supports devices that run other operating systems, as well, such as iOS and Android, to provide a complete MDM solution.
You can also integrate Intune with System Center Configuration Manager to gain a single console in which to manage all devices—in the cloud and on premises. For more information, see [Manage Mobile Devices with Configuration Manager and Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkId=734051). For guidance on choosing between a stand-alone Intune installation and Intune integrated with Configuration Manager, see [Choose between Intune by itself or integrating Intune with System Center Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=723985).
In addition to Intune, other MDM providers support Windows 10 Mobile. Currently, the following MDM systems claim to support Windows 10 and Windows 10 Mobile: [AirWatch](http://go.microsoft.com/fwlink/p/?LinkId=723986), [Citrix](http://go.microsoft.com/fwlink/p/?LinkId=723987), [Lightspeed Systems](http://go.microsoft.com/fwlink/p/?LinkId=723988), [Matrix42](http://go.microsoft.com/fwlink/p/?LinkId=723989), [MobileIron](http://go.microsoft.com/fwlink/p/?LinkId=723990), [SAP](http://go.microsoft.com/fwlink/p/?LinkId=723991), [SOTI](http://go.microsoft.com/fwlink/p/?LinkId=723992), and [Symantec](http://go.microsoft.com/fwlink/p/?LinkId=723993).
All MDM vendors have equal access to the [Windows 10 MDM APIs](http://go.microsoft.com/fwlink/p/?LinkId=734050). The extent to which they implement these APIs depends on the vendor. Contact your preferred MDM vendor to determine its level of support.
**Note**  
Although not covered in this guide, you can use Exchange ActiveSync (EAS) to manage mobile devices instead of using a full-featured MDM system. EAS is available in Microsoft Exchange Server 2010 or later and Office 365.
>**Note:**  Although not covered in this guide, you can use Exchange ActiveSync (EAS) to manage mobile devices instead of using a full-featured MDM system. EAS is available in Microsoft Exchange Server 2010 or later and Office 365.
In addition, Microsoft recently added MDM capabilities powered by Intune to Office 365. MDM for Office 365 supports mobile devices only, such as those running Windows 10 Mobile, iOS, and Android. MDM for Office 365 offers a subset of the management capabilities found in Intune, including the ability to remotely wipe a device, block a device from accessing Exchange Server email, and configure device policies (for example, passcode requirements). For more information about MDM for Office 365 capabilities, see [Overview of Mobile Device Management for Office 365](http://go.microsoft.com/fwlink/p/?LinkId=734052).
 
### <a href="" id="provisioning--"></a>Provisioning
Provisioning is new to Windows 10 and uses the MDM client in Windows 10 Mobile. You can create a runtime provisioning package to apply settings, profiles, and file assets to a device running Windows 10.
To assist users with MDM system enrollment, use a provisioning package. To do so, use the [Windows Imaging and Configuration Designer](http://go.microsoft.com/fwlink/p/?LinkId=733911) to create a provisioning package, and then install that package on the device.
Users can perform self-service MDM enrollment based on the following deployment scenarios:
- **Corporate device.** During the out-of-the-box experience (OOBE), you can instruct the user to select **This device is owned by my organization** and join the device to Azure AD and the MDM system.
- **Personal device.** The user activates the device with a Microsoft account, but you can instruct him or her to register the device with Azure AD and enroll in Intune. To do so in Windows 10 Mobile, the user clicks, **Settings**, clicks **Accounts**, and then clicks **Work access**.
To automate MDM enrollment, use provisioning packages as follows:
- **Corporate device.** You can create a provisioning package and apply it to a corporate device before delivery to the user, or instruct the user to apply the package during OOBE. After application of the provisioning package, the OOBE process automatically chooses the enterprise path and requires the user to register the device with Azure AD and enroll it in the MDM system.
- **Personal device.** You can create a provisioning package and make it available to users who want to enroll their personal device in the enterprise. The user enrolls the device in the corporate MDM for further configuration by applying the provisioning package. To do so in Windows 10 Mobile, the user clicks **Settings**, clicks **Accounts**, and then clicks **Provisioning**).
Distribute provisioning packages to devices by publishing them in an easily accessible location (e.g., an email attachment or a web page). You can cryptographically sign or encrypt provisioning packages and require that the user enter a password to apply them.
See [Build and apply a provisioning package](http://go.microsoft.com/fwlink/p/?LinkId=734054) for more information on creating provisioning packages.
## Device configuration
The following sections describe the device configuration capabilities of the built-in Windows 10 Mobile MDM client. This client exposes the capabilities to any MDM system compatible with Windows 10. Configurable settings include:
- [Email accounts](#email)
- [Account restrictions](#restrictions)
- [Device lock restrictions](#device-lock)
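Review bot: after the converted note `>**Note:**  Although not covered in this guide, you can use Exchange ActiveSync (EAS) ...`, the paragraph "In addition, Microsoft recently added MDM capabilities ..." follows with no blank line, so Markdown treats it as lazy continuation and runs it into the note's paragraph. If it belongs to the note, prefix it with `> ` and separate it with a bare `>` line; otherwise insert a blank line before it. The nbsp-only line after the Azure Marketplace note (before "Users can enroll Windows 10 Mobile devices ...") has the same effect and should be an empty line.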
@ -165,13 +207,17 @@ The following sections describe the device configuration capabilities of the bui
- [Access point name (APN) profiles](#apn)
- [Data leak prevention](#data)
- [Storage management](#storage)
**Note**  
Although all the MDM settings this section describes are available in Windows 10 Mobile, not all MDM systems may show them in their user interface. In addition, naming may vary among MDM systems. Consult your MDM systems documentation for more information.
>**Note:**  Although all the MDM settings this section describes are available in Windows 10 Mobile, not all MDM systems may show them in their user interface. In addition, naming may vary among MDM systems. Consult your MDM systems documentation for more information.
 
### <a href="" id="email"></a>Email accounts
You can use your corporate MDM system to manage corporate email accounts. Define email account profiles in the MDM system, and then deploy them to devices. You would usually deploy these settings immediately after enrollment, regardless of scenario.
This capability extends to email systems that use EAS. Table 3 lists settings that you can configure in EAS email profiles.
Table 3. Windows 10 Mobile settings for EAS email profiles
| Setting | Description |
|----------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Email Address | The email address associated with the EAS account |
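Review bot: the line following `>**Note:**  Although all the MDM settings this section describes ...` contains only a non-breaking space, which Markdown does not treat as blank, so it renders as continuation text inside the blockquote instead of closing it; make it an empty line so the note ends before the "### Email accounts" heading.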
@ -191,7 +237,9 @@ Table 3. Windows 10 Mobile settings for EAS email profiles
| Content Types | The content type that is synchronized (e.g., email, contacts, calendar, task items) |
 
Table 4 lists settings that you can configure in other email profiles.
Table 4. Windows 10 Mobile settings for other email profiles
| Setting | Description |
|-------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------|
| User logon name | The user logon name for the email account |
@ -224,21 +272,26 @@ Table 4. Windows 10 Mobile settings for other email profiles
| Incoming and outgoing servers require SSL | A group of properties that specify whether the incoming and outgoing email servers use SSL |
 
### <a href="" id="restrictions"></a>Account restrictions
On a corporate device registered with Azure AD and enrolled in the MDM system, you can control whether users can use a Microsoft account or add other consumer email accounts. Table 5 lists the settings that you can use to manage accounts on Windows 10 Mobile devices.
Table 5. Windows 10 Mobile account management settings
| Setting | Description |
|-------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| - | -|
| Allow Microsoft Account | Specifies whether users are allowed to add a Microsoft account to the device after MDM enrollment and use this account for connection authentication and services, such as purchasing apps in Windows Store, or cloud-based consumer services, such as Xbox or Groove. If a device was activated with a Microsoft account, the MDM system would not be able to block that account from being used. |
| Allow Adding Non Microsoft Accounts | Specifies whether users are allowed to add email accounts other than Microsoft accounts after MDM enrollment. If **Allow Microsoft Account** is applied, user can also not use a Microsoft account. |
| Allow “Your Account” | Specifies whether users are able to change account configuration in the **Your Email and Accounts** panel in Settings.|
 
### <a href="" id="device-lock"></a>Device lock restrictions
Its common sense to lock a device when it is not in use. Microsoft recommends that you secure Windows 10 Mobile devices and implement a device lock policy. A device password or PIN lock is a best practice for securing apps and data on devices. [Windows Hello](http://go.microsoft.com/fwlink/p/?LinkId=723994) is the name given to the new biometric sign-in option that allows users to use their face, iris, or fingerprints to unlock their compatible device, all of which Windows 10 supports.
**Note**  
In addition to the device lock restrictions discussed in this section, Windows 10 supports Microsoft Passport for Work, which lets you access apps and services without a password.
>**Note:**  In addition to the device lock restrictions discussed in this section, Windows 10 supports Microsoft Passport for Work, which lets you access apps and services without a password.
 
Table 6 lists the MDM settings in Windows 10 Mobile that you can use to configure device lock restrictions.
Table 6. Windows 10 Mobile device lock restrictions
<table>
<colgroup>
<col width="50%" />
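Review bot: Table 5 has two delimiter rows: the real `|----|----|` line is immediately followed by `| - | -|`, which Markdown renders as a data row with a dash in each cell. Drop that line. The "Allow Adding Non Microsoft Accounts" row also reads "If **Allow Microsoft Account** is applied, user can also not use a Microsoft account", which contradicts the setting's name; state which value of Allow Microsoft Account produces the restriction. Finally, the nbsp-only line after the Passport for Work note means "Table 6 lists the MDM settings ..." is lazily pulled into the blockquote; use an empty line there.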
@ -314,9 +367,10 @@ Table 6. Windows 10 Mobile device lock restrictions
</table>
 
### <a href="" id="hardware"></a>Hardware restrictions
Windows 10 Mobile devices use state-of-the-art technology that includes popular hardware features such as cameras, global positioning system (GPS) sensors, microphones, speakers, near-field communication (NFC) radios, storage card slots, USB interfaces, Bluetooth interfaces, cellular radios, and Wi-Fi. You can also use hardware restrictions to control the availability of these features. Table 7 lists the MDM settings that Windows 10 Mobile supports to configure hardware restrictions.
**Note**  
Some of these hardware restrictions provide connectivity and assist in data protection. Enterprise data protection is currently being tested in select customer evaluation programs.
>**Note:**  Some of these hardware restrictions provide connectivity and assist in data protection. Enterprise data protection is currently being tested in select customer evaluation programs.
 
Table 7. Windows 10 Mobile hardware restrictions
| Setting | Description |
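Review bot: the nbsp-only line after `>**Note:**  Some of these hardware restrictions provide connectivity ...` is not a blank line for Markdown, so the caption "Table 7. Windows 10 Mobile hardware restrictions" becomes lazy continuation text inside the note's blockquote. Replace that line with an empty line so the caption sits above the table.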
@ -338,8 +392,11 @@ Table 7. Windows 10 Mobile hardware restrictions
| Allow Location | Whether the device can use the GPS sensor or other methods to determine location so applications can use location information |
 
### <a href="" id="certificate"></a>Certificate management
Managing certificates can be difficult for users, but certificates are pervasive for a variety of uses, including, account authentication, Wi-Fi authentication, VPN encryption, and SSL encryption of web content. Although users could manage certificates on devices manually, its a best practice to use your MDM system to manage those certificates for their entire life cycle, from enrollment through renewal to revocation. You can use the Simple Certificate Enrollment Protocol (SCEP) and Personal Information Exchange (PFX) certificates files to install certificates on Windows 10 Mobile. Certificate management through SCEP and MDM systems is fully transparent to users and requires no user intervention, so it helps improve user productivity and reduce support calls. Your MDM system can automatically deploy these certificates to the devices certificate stores after you enroll the device. Table 8 lists the SCEP settings that the MDM client in Windows 10 Mobile provides.
Table 8. Windows 10 Mobile SCEP certificate enrollment settings
| Setting | Description |
|------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Certificate enrollment server URLs | The certificate enrollment servers (to specify multiple server URLs, separate the URLs with semicolons \[;\]) |
@ -361,7 +418,9 @@ Table 8. Windows 10 Mobile SCEP certificate enrollment settings
| Thumbprint | The current certificate thumbprint, if certificate enrollment succeeds |
 
In addition to SCEP certificate management, Windows 10 Mobile supports deployment of PFX certificates. Table 9 lists the Windows 10 Mobile PFX certificate deployment settings.
Table 9. Windows 10 Mobile PFX certificate deployment settings
| Setting | Description |
|-----------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Private key storage | Where to store the private key (in other words, the TPM, a software KSP, or the Microsoft Passport KSP) |
@ -373,8 +432,9 @@ Table 9. Windows 10 Mobile PFX certificate deployment settings
| Thumbprint | The thumbprint of the installed PFX certificate |
 
Use the **Allow Manual Root Certificate Installation** setting to prevent users from manually installing root and intermediate CA certificates intentionally or accidently.
**Note**  
To diagnose certificate-related issues on Windows 10 Mobile devices, use the free [Certificates app](http://go.microsoft.com/fwlink/p/?LinkId=723996) in Windows Store. This Windows 10 Mobile app can help you:
>**Note:**  To diagnose certificate-related issues on Windows 10 Mobile devices, use the free [Certificates app](http://go.microsoft.com/fwlink/p/?LinkId=723996) in Windows Store. This Windows 10 Mobile app can help you:
- View a summary of all personal certificates.
- View the details of individual certificates.
- View the certificates used for VPN, Wi-Fi, and email authentication.
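Review bot: the converted note `>**Note:**  To diagnose certificate-related issues ... This Windows 10 Mobile app can help you:` ends with a colon introducing a list, but the list items ("View a summary of all personal certificates." and the following bullets) carry no `> ` prefix, so they fall outside the blockquote and the note box closes before its own list. Prefix each item with `> ` so the list stays inside the note.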
@ -383,9 +443,13 @@ To diagnose certificate-related issues on Windows 10 Mobile devices, use the fr
- View the certificate keys stored in the device TPM.
 
### <a href="" id="wifi"></a>Wi-Fi
People use Wi-Fi on their mobile devices as much as or more than cellular data. Most corporate Wi-Fi networks require certificates and other complex information to restrict and secure user access. This advanced Wi-Fi information is difficult for typical users to configure, but you can use your MDM system to fully configure Wi-Fi settings without user intervention.
Table 10 lists the Windows 10 Mobile Wi-Fi connection profile settings. Use the information in this table to help you create Wi-Fi connection profiles in your MDM system.
Table 10. Windows 10 Mobile Wi-Fi connection profile settings
<table>
<colgroup>
<col width="50%" />
@ -456,7 +520,9 @@ Table 10. Windows 10 Mobile Wi-Fi connection profile settings
</table>
 
Table 11 lists the Windows 10 Mobile settings for managing Wi-Fi connectivity.
Table 11. Windows 10 Mobile Wi-Fi connectivity settings
| Setting | Configuration |
|--------------------------------------------|----------------------------------------------------------------------------|
| Allow Auto Connect To Wi-Fi Sense Hotspots | Whether the device will automatically detect and connect to Wi-Fi networks |
@ -465,12 +531,15 @@ Table 11. Windows 10 Mobile Wi-Fi connectivity settings
| WLAN Scan Mode | How actively the device scans for Wi-Fi networks |
 
### Proxy
Apps running on Windows 10 Mobile (for example, Microsoft Edge) can use proxy connections to access Internet content, but Wi-Fi connections on the corporate intranet most typically use proxy connections, instead. You can define multiple proxies in Windows 10 Mobile.
**Note**  
Windows 10 Mobile also supports proxy auto-configuration (PAC) files, which can automatically configure proxy settings. The Web Proxy Auto-Discovery Protocol (WPAD) lets apps use Dynamic Host Configuration Protocol and Domain Name System (DNS) lookups to locate the PAC file.
>**Note:**  Windows 10 Mobile also supports proxy auto-configuration (PAC) files, which can automatically configure proxy settings. The Web Proxy Auto-Discovery Protocol (WPAD) lets apps use Dynamic Host Configuration Protocol and Domain Name System (DNS) lookups to locate the PAC file.
 
Table 12 lists the Windows 10 Mobile settings for proxy connections.
Table 12. Windows 10 Mobile proxy connection settings
<table>
<colgroup>
<col width="50%" />
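Review bot: the nbsp-only line after `>**Note:**  Windows 10 Mobile also supports proxy auto-configuration (PAC) files ...` does not end the blockquote, so "Table 12 lists the Windows 10 Mobile settings for proxy connections." is lazily continued into the note. Replace it with an empty line.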
@ -538,14 +607,21 @@ Table 12. Windows 10 Mobile proxy connection settings
</table>
 
### VPN
In addition to Wi-Fi, users often use a VPN to securely access apps and resources on their companys intranet behind a firewall. Windows 10 Mobile supports several VPN vendors in addition to native Microsoft VPNs (such as Point to Point Tunneling Protocol \[PPTP\], Layer 2 Tunneling Protocol \[L2TP\], and Internet Key Exchange Protocol version 2 \[IKEv2\]), including:
In addition to Wi-Fi, users often use a VPN to securely access apps and resources on their companys intranet behind a firewall. Windows 10 Mobile supports several VPN vendors in addition to native Microsoft VPNs (such as Point to Point Tunneling Protocol \[PPTP\], Layer 2 Tunneling Protocol \
[L2TP\], and Internet Key Exchange Protocol version 2 \[IKEv2\]), including:
- IKEv2
- IP security
- SSL VPN connections (which require a downloadable plug-in from the VPN server vendor)
You can configure Windows 10 Mobile to use auto-triggered VPN connections, as well. You define a VPN connection for each app that requires intranet connectivity. When users switch between apps, the operating system automatically establishes the VPN connection for that app. In the event the device drops the VPN connection, Windows 10 Mobile automatically reconnects to the VPN without user intervention.
With always-on VPN, Windows 10 Mobile can automatically start a VPN connection when a user signs-in, as well. The VPN stays connected until the user manually disconnects it.
MDM support for VPN connections in Windows 10 Mobile includes provisioning and updating VPN connection profiles and associating VPN connections with apps. You can create and provision VPN connection profiles, and then deploy them to managed devices that run Windows 10 Mobile. Table 13 lists the Windows 10 Mobile fields for VPN connection profiles.
Table 13. Windows 10 Mobile VPN connection profile settings
<table>
<colgroup>
<col width="50%" />
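Review bot: the VPN paragraph has been split mid-escape: the line ends with `Layer 2 Tunneling Protocol \` and the next line starts with `[L2TP\]`. A trailing backslash is a Markdown hard line break and the `\[` escape no longer pairs, so the rendered text gets a line break inside the parenthetical plus a stray bracket. Rejoin the two lines into the single line shown in the removed version of the paragraph.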
@ -680,7 +756,9 @@ Table 13. Windows 10 Mobile VPN connection profile settings
</table>
 
Table 14 lists the Windows 10 Mobile settings for managing VPN connections. These settings help you manage VPNs over cellular data connections, which in turn help reduce costs associated with roaming or data plan charges.
Table 14. Windows 10 Mobile VPN management settings
| Setting | Description |
|--------------------------------------|---------------------------------------------------------------------------------|
| Allow VPN | Whether users can change VPN settings |
@ -688,10 +766,15 @@ Table 14. Windows 10 Mobile VPN management settings
| Allow VPN Over Cellular when Roaming | Whether users can establish VPN connections over cellular networks when roaming |
 
### <a href="" id="apn"></a>APN profiles
An APN defines network paths for cellular data connectivity. Typically, you define just one APN for a device in collaboration with a mobile operator, but you can define multiple APNs if your company uses multiple mobile operators.
An APN provides a private connection to the corporate network that is unavailable to other companies on the mobile operator network. Corporations in Europe and the Asia-Pacific use APNs, but they are not common in the United States.
You can define and deploy APN profiles in MDM systems that configure cellular data connectivity for Windows 10 Mobile. Devices running Windows 10 Mobile can have only one APN profile. Table 15 lists the MDM settings that Windows 10 Mobile supports for APN profiles.
Table 15. Windows 10 Mobile APN profile settings
<table>
<colgroup>
<col width="50%" />
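Review bot: the APN text contradicts itself within this hunk: "you can define multiple APNs if your company uses multiple mobile operators" versus "Devices running Windows 10 Mobile can have only one APN profile." If the intent is that the MDM system can hold several profiles while each device receives only one, say so explicitly; otherwise drop one of the two statements.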
@ -753,8 +836,12 @@ Table 15. Windows 10 Mobile APN profile settings
</table>
 
### <a href="" id="data"></a>Data leak protection
Some user experiences can risk corporate data stored on corporate devices. For example, allowing users to copy and paste information out of the organizations LOB app can put data at risk. To mitigate the risk, you can restrict the Windows 10 Mobile user experience to help protect corporate data and prevent data leaks. For example, you can prevent settings synchronization, copy-and-paste operations, and screen captures. Table 16 lists the MDM settings in Windows 10 Mobile that you can use to help prevent data leaks.
Some user experiences can risk corporate data stored on corporate devices. For example, allowing users to copy and paste information out of the organizations LOB app can put data at risk. To mitigate the risk, you can restrict the Windows 10 Mobile user experience to help protect corporate data
and prevent data leaks. For example, you can prevent settings synchronization, copy-and-paste operations, and screen captures. Table 16 lists the MDM settings in Windows 10 Mobile that you can use to help prevent data leaks.
Table 16. Windows 10 Mobile data leak protection settings
| Setting | Description |
|----------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Allow copy and paste | Whether users can copy and paste content |
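Review bot: The opening paragraph of the Data leak protection section is wrapped mid-sentence in one of the two forms in this hunk ("...help protect corporate data" on one line, "and prevent data leaks." on the next), while every other paragraph in this file is kept on a single line; keep it on one line so the two versions of the paragraph do not diverge only in line breaks. In the same sentence, "out of the organizations LOB app" needs the possessive ("the organization's LOB app").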
@ -769,13 +856,19 @@ Table 16. Windows 10 Mobile data leak protection settings
| Allow voice recording | Whether users are allowed to perform voice recordings. |
 
### <a href="" id="storage"></a>Storage management
Protecting the apps and data stored on a device is critical to device security. One method for helping protect your apps and data is to encrypt internal device storage by using the device encryption in Windows 10 Mobile. This encryption helps protect corporate data against unauthorized access, even when an unauthorized user has physical possession of the device.
A feature in Windows 10 Mobile is the ability to install apps on a secure digital (SD) card. The operating system stores apps on a partition specifically designated for that purpose. This feature is always on, so you dont need to set a policy explicitly to enable it.
The SD card is uniquely paired with a device. No other devices can see the apps or data on the encrypted partition, but they can access the data stored on the unencrypted partition of the SD card, such as music or photos.
You can disable the **Allow Storage Card** setting to prevent users from using SD cards altogether, but the primary advantage of the SD card app partitionencryption feature is that organizations can give users the flexibility to use an SD card while still protecting the confidential apps and data on it.
If you dont encrypt storage, you can help protect your corporate apps and data by using the **Restrict app data to the system volume** and **Restrict apps to the system volume** settings. They help ensure that users cannot copy your apps and data to SD cards.
Table 17 lists the MDM storage-management settings that Windows 10 Mobile provides.
Table 17. Windows 10 Mobile storage management settings
<table>
<colgroup>
<col width="50%" />
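Review bot: In the Storage management paragraph on the **Allow Storage Card** setting, "SD card app partitionencryption feature" has lost the separator between "partition" and "encryption" as rendered here; write "SD card app partition-encryption feature". In the same group of paragraphs, "you dont need to set a policy" and "If you dont encrypt storage" are missing the apostrophe in "don't".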
@ -826,33 +919,52 @@ Table 17. Windows 10 Mobile storage management settings
</table>
 
## <a href="" id="--app-management"></a> App management
Apps help improve user productivity on mobile devices. New to Windows 10 is the ability for organizations purchase apps from Windows Store for their employees and deploy those apps from Windows Store or an MDM system. App management is becoming a key capability of MDM systems, helping reduce the effort required to perform common app-related tasks, such as distributing apps, and protecting data through app policies. This section describes the app management features in Windows 10 Mobile and includes the following topics:
- [Universal Windows Platform (UWP)](#uwp)
- [Sourcing the right app](#sourcing)
- [Windows Store for Business](#store)
- [Mobile application management (MAM) policies](#mam)
- [Microsoft Edge](#edge)
### <a href="" id="uwp"></a>Universal Windows Platform
Windows 10 introduces UWP, converging the application platform for all devices running some edition of Windows 10. UWP apps run without modification on all editions of Windows 10, and Windows Store now has apps that you can license and purchased for all your Windows 10 devices. Windows Phone 8.1 and Windows 8.1 apps still run on Windows 10 devices, but the MAM improvements in Windows 10 work only with UWP apps. See the [Guide to Universal Windows Platform (UWP) apps](http://go.microsoft.com/fwlink/p/?LinkId=734056) for additional information.
### <a href="" id="sourcing"></a>Sourcing the right app
The first step in app management is to obtain the apps your users need, and you can now acquire apps from Windows Store. Developers can also create apps specific to an organization, known as *line-of-business (LOB) apps* (the developers of these apps are *LOB publishers*). An LOB developer (internal or external) can now publish these apps to Windows Store at your request, or you can obtain the app packages offline and distribute them through your MDM system.
To install Windows Store or LOB apps, use the Windows Store cloud service or your MDM system to distribute the app packages. Your MDM system can deploy apps online by redirecting the user to a licensed app in Windows Store or offline by distributing a package that you downloaded from Windows Store (also called *sideloading*) on Windows 10 Mobile devices. You can fully automate the app deployment process so that no user intervention is required.
IT administrators can obtain apps through Store for Business. Most apps can be distributed online, meaning that the user must be logged in to the device with an Azure AD account and have Internet access at the time of installation. To distribute an app offline, the developer must opt in. If the app developer doesnt allow download of the app from Windows Store, then you must obtain the files directly from the developer or use the online method. See [Windows Store for Business](windows-store-for-business.md) for additional information about apps obtained through Store for Business.
Windows Store apps are automatically trusted. For custom LOB apps developed internally or by a trusted software vendor, ensure that the device trusts the app signing certificate. There are two ways to establish this trust: use a signing certificate from a trusted source, or generate your own signing certificate and add your chain of trust to the trusted certificates on the device. You can install up to 20 self-signed apps on a Windows 10 Mobile device. When you purchase a signing certificate from a public CA, you can install more than 20 apps on a device, although you can install more than 20 self-signed apps per device with [Windows 10 Mobile Enterprise](#mobile-edition).
Users can install apps from Windows Store that the organization purchases through the Store app on their device. If you allow your users to log in with a Microsoft account, the Store app on the device provides a unified method for installing personal and corporate apps.
### <a href="" id="store"></a>Store for Business
[Windows Store for Business](http://go.microsoft.com/fwlink/p/?LinkId=722910) is a web portal that IT pros and purchasers use to find, acquire, manage, and distribute apps to Windows 10 devices. This online portal gives Azure AD authenticated managers access to Store for Business functionality and settings. Store managers can create a private section of Windows Store in which organizations can manage apps specific and private to them. Store for Business allows organizations to make apps available to their users and purchase app licenses for them. They can also integrate their Store for Business subscriptions with their MDM systems, so the MDM system can deploy apps from their free Store for Business subscription.
The process for using Store for Business is as follows:
1. Create a Store for Business subscription for your organization.
2. In the Store for Business portal, acquire apps from Windows Store (only free apps are available at this time).
3. In Store for Business, distribute apps to users, and manage the app licenses for the apps acquired in the previous step.
4. Integrate your MDM system with your organizations Store for Business subscription.
5. Use your MDM system to deploy the apps.
For more information about Store for Business, see [Windows Store for Business](windows-store-for-business.md).
### <a href="" id="mam"></a>Mobile application management (MAM) policies
With MDM, you can manage Device Guard on Windows 10 Mobile and create an allow (whitelist) or deny (blacklist) list of apps. This capability extends to built-in apps, as well, such as phone, text messaging, email, and calendar. The ability to allow or deny apps helps to ensure that people use their mobile devices for their intended purposes.
You can also control users access to Windows Store and whether the Store service updates apps automatically. You can manage all these capabilities through your MDM system. Table 18 lists the Windows 10 Mobile app management settings.
Table 18. Windows 10 Mobile app management settings
| Setting | Description |
|------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Allow All Trusted Apps | Whether users can sideload apps on the device |
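Review bot: The signing-certificate sentence in Sourcing the right app contradicts itself: "When you purchase a signing certificate from a public CA, you can install more than 20 apps on a device, although you can install more than 20 self-signed apps per device with Windows 10 Mobile Enterprise." The "although" sets up a contrast where the text is actually listing a second way past the 20-app limit; suggest "...you can install more than 20 apps on a device; with Windows 10 Mobile Enterprise you can also install more than 20 self-signed apps per device." Two grammar fixes in the same hunk: "the ability for organizations purchase apps" needs "to purchase", and "apps that you can license and purchased" should read "license and purchase". Also, the topic list at the top of the section says "Windows Store for Business" while the matching heading reads "Store for Business"; align the two.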
@ -868,9 +980,13 @@ Table 18. Windows 10 Mobile app management settings
| Start screen layout | An XML blob used to configure the Start screen (See [Start layout for Windows 10 Mobile editions](http://go.microsoft.com/fwlink/p/?LinkId=734057) for more information.) |
 
One potential security issue is that users can register as Windows 10 Mobile app developers and turn on developer features on their device, potentially installing apps from unknown sources and opening the device to malware threats. To prevent users from turning on developer features on their devices, set the **Disable development unlock (side loading)** policy, which you can configure through your MDM system.
### <a href="" id="edge"></a>Microsoft Edge
MDM systems give you the ability to manage Microsoft Edge on mobile devices. Table 19 lists the Microsoft Edge settings for Windows 10 Mobile.
Table 19. Microsoft Edge settings for Windows 10 Mobile
| Setting | Description |
|-------------------------------------------------|-------------------------------------------------------------------------------------------------------|
| Allow Active Scripting | Whether active scripting is allowed |
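Review bot: The developer-unlock paragraph warns that sideloading from unknown sources opens the device to malware and points the admin at the **Disable development unlock (side loading)** policy, but Table 18 directly above lists **Allow All Trusted Apps** as "Whether users can sideload apps on the device". From this hunk a reader cannot tell how the two settings relate (sideloading of signed enterprise apps versus enabling developer mode); add one sentence saying which setting governs which case, so an admin who blocks developer unlock does not assume signed-app sideloading is blocked too, or the reverse.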
@ -886,16 +1002,24 @@ Table 19. Microsoft Edge settings for Windows 10 Mobile
| Prevent Smart Screen Prompt Override For Files | Whether users can override the SmartScreen Filter warnings about downloading unverified files |
 
## Device operations
In this section, you learn how MDM settings in Windows 10 Mobile enable the following scenarios:
- [Device update](#device-update)
- [Device compliance monitoring](#device-comp)
- [Device inventory](#data-inv)
- [Remote assistance](#remote-assist)
- [Cloud services](#cloud-serv)
### Device update
To help protect mobile devices and their data, you must keep those devices updated. Windows Update automatically installs updates and upgrades when they become available.
The device update features described in this section are available only in [Windows 10 Mobile Enterprise](#mobile-edition). You can use your MDM system to postpone system upgrades when you activate an Enterprise license on managed Windows 10 Mobile devices and control how updates and upgrades are applied. For example, you can disable updates altogether, defer updates and upgrades, and schedule the day and time to install updates, as you would with Windows Server Update Services (WSUS) on Windows 10 desktops running the [Current Branch for Business](introduction-to-windows-10-servicing.md). Table 20 lists the Windows 10 Mobile Enterprise settings that you can use to configure updates and upgrades.
The device update features described in this section are available only in [Windows 10 Mobile Enterprise](#mobile-edition). You can use your MDM system to postpone system upgrades when you activate an Enterprise license on managed Windows 10 Mobile devices and control how updates and upgrades are applied. For example, you can disable updates altogether, defer updates and upgrades, and schedule the day and time to install updates, as you would with Windows Server Update Services (WSUS) on Windows 10 desktops running the [Current Branch for Business](introduction-to-windows-10-servicing.md).
Table 20 lists the Windows 10 Mobile Enterprise settings that you can use to configure updates and upgrades.
Table 20. Windows 10 Mobile Enterprise update management settings
<table>
<colgroup>
<col width="50%" />
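Review bot: The Device operations list links to `#device-update`, but the "### Device update" heading below it carries no `<a href="" id="device-update"></a>` anchor, unlike the other headings in this section (`device-comp`, `data-inv`, `remote-assist`, `cloud-serv`), so the in-page link will not resolve; add the anchor. The "## Device operations" heading likewise lacks an id where "## App management" has `id="--app-management"`. Separately, the update paragraph opens by saying devices must be kept updated and then lists "you can disable updates altogether" among the options without comment; a short caveat that disabling updates removes the protection the first paragraph calls essential, and that deferring and scheduling are the intended use of these settings, would keep the guidance consistent.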
@ -968,7 +1092,9 @@ Table 20. Windows 10 Mobile Enterprise update management settings
</table>
 
In addition to configuring how Windows 10 Mobile Enterprise obtains updates, you can manage individual Windows 10 Mobile updates. Table 21 provides information about approved updates to help you control the rollout of new updates to Windows 10 Mobile Enterprise devices.
Table 21. Windows 10 Mobile Enterprise approved update information
<table>
<colgroup>
<col width="50%" />
@ -1025,25 +1151,36 @@ Table 21. Windows 10 Mobile Enterprise approved update information
</tbody>
</table>
 
### <a href="" id="device-comp"></a>Device compliance monitoring
You can use your MDM system to monitor compliance. Windows 10 Mobile provides audit information to track issues or perform remedial actions. This information helps you ensure that devices are configured to comply with organizational standards.
You can also assess the health of devices that run Windows 10 Mobile and take enterprise policy actions. The process that the health attestation feature in Windows 10 Mobile uses is as follows:
1. The health attestation client collects data used to verify device health.
2. The client forwards the data to the Health Attestation Service (HAS).
3. The HAS generates a Health Attestation Certificate.
4. The client forwards the Health Attestation Certificate and related information to the MDM system for verification.
For more information about health attestation in Windows 10 Mobile, see the [Windows 10 Mobile security guide](../keep-secure/windows-10-mobile-security-guide.md).
Depending on the results of the health state validation, an MDM system can take one of the following actions:
- Allow the device to access resources.
- Allow the device to access resources but identify the device for further investigation.
- Prevent the device from accessing resources.
Table 21 lists data points that the HAS collects and evaluates from devices that run Windows 10 Mobile to determine the action to perform. For most of these data points, the MDM system can take one of the following actions:
- Disallow all access.
- Disallow access to high-business-impact assets.
- Allow conditional access based on other data points that are present at evaluation time—for example, other attributes on the health certificate or a devices past activities and trust history.
- Take one of the previous actions, and also place the device on a watch list to monitor it more closely for potential risks.
- Take corrective action, such as informing IT administrators to contact the owner and investigate the issue.
Table 21. Windows 10 Mobile HAS data points
| Data point | Description |
|----------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Attestation Identity Key (AIK) present | Indicates that an AIK is present (in other words, the device can be trusted more than a device without an AIK). |
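Review bot: Table numbering collides in this section: the HAS data points table is captioned "Table 21. Windows 10 Mobile HAS data points" and referenced as "Table 21 lists data points", but "Table 21. Windows 10 Mobile Enterprise approved update information" already exists in the Device update section, and the next table in the file is "Table 22". Renumber the HAS table and the tables after it, and update the in-text references to match. Also "a devices past activities" needs the possessive ("a device's").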
@ -1062,11 +1199,15 @@ Table 21. Windows 10 Mobile HAS data points
| Boot cycle whitelist | The view of the host platform between boot cycles as defined by the manufacturer compared to a published whitelist. A device that complies with the whitelist is more trustworthy (secure) than a device that is noncompliant. |
 
### <a href="" id="data-inv"></a>Device inventory
Device inventory helps organizations better manage devices because it provides in-depth information about those devices. MDM systems collect inventory information remotely, and you can use the systems reporting capabilities to analyze device resources and information. With this information, you can determine the current hardware and software resources of the device (for example, installed updates).
Table 22 lists examples of the Windows 10 Mobile software and hardware information that a device inventory provides. In addition to this information, the MDM system can read any of the configuration settings described in this guide.
Table 22. Windows 10 Mobile software and hardware inventory examples
| Setting | Description |
|----------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| - | - |
| Installed enterprise apps | List of the enterprise apps installed on the device |
| Device name | The device name configured for the device |
| Firmware version | Version of firmware installed on the device |
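Review bot: Table 22 has a stray row `| - | - |` directly under the header separator; it renders as an empty data row with a dash in each cell. Remove it (the same stray row appears further down under the Table 24 header as `|- | - |`).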
@ -1079,21 +1220,25 @@ Table 22. Windows 10 Mobile software and hardware inventory examples
| Device language | Language in use on the device |
| Phone number | Phone number assigned to the device |
| Roaming status | Indicates whether the device has a roaming cellular connection |
| International mobile equipment identity (IMEI) and international mobile subscriber identity (IMSI) | Unique identifiers for the cellular connection for the phone; Global System for Mobile Communications networks identify valid devices by using the IMEI, and all cellular networks use the IMSI to identify the device and user |
| Wi-Fi IP address | IPv4 and IPv6 addresses currently assigned to the Wi-Fi adapter in the device |
| International mobile equipment identity (IMEI) and international mobile subscriber identity (IMSI) | Unique identifiers for the cellular connection for the phone; Global System for Mobile Communications networks identify valid devices by using the IMEI, and all cellular networks use the IMSI to identify the device and user | | IPv4 and IPv6 addresses currently assigned to the Wi-Fi adapter in the device |
| Wi-Fi media access control (MAC) address | MAC address assigned to the Wi-Fi adapter in the device |
| Wi-Fi DNS suffix and subnet mask | DNS suffix and IP subnet mask assigned to the Wi-Fi adapter in the device |
| Secure Boot state | Indicates whether Secure Boot is enabled |
| Enterprise encryption policy compliance | Indicates whether the device is encrypted |
 
### <a href="" id="remote-assist"></a>Remote assistance
The remote assistance features in Windows 10 Mobile help resolve issues that users might encounter even when the help desk does not have physical access to the device. These features include:
- **Remote lock.** Support personnel can remotely lock a device. This ability can help when a user loses his or her mobile device and can retrieve it but not immediately (for example, leaving the device at a customer site).
- **Remote PIN reset.** Support personnel can remotely reset the PIN, which helps when users forget their PIN and are unable to access their device. No corporate or user data is lost, and users are able to gain access to their devices quickly.
- **Remote ring.** Support personnel can remotely make devices ring. This ability can help users locate misplaced devices and, in conjunction with the Remote Lock feature, help ensure that unauthorized users are unable to access the device if they find it.
- **Remote find.** Support personnel can remotely locate a device on a map, which helps identify the geographic location of the device. To configure Windows 10 Mobile remote find, use the settings in Table 23. The remote find feature returns the most current latitude, longitude, and altitude of the device.
These remote management features help organizations reduce the IT effort required to manage devices. They also help users quickly regain use of their device should they misplace it or forget the device password.
Table 23. Windows 10 Mobile remote find settings
| Setting | Description |
|---------------------------|---------------------------------------------------------------------------------------------------------------------------------|
| Desired location accuracy | The desired accuracy as a radius value in meters; has a value between 1 and 1,000 meters |
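Review bot: The inventory row that appears on a single line in this hunk, `| International mobile equipment identity (IMEI) ... | Unique identifiers ... | | IPv4 and IPv6 addresses currently assigned to the Wi-Fi adapter in the device |`, runs the IMEI/IMSI row and the Wi-Fi IP address description together into one row with an empty cell, so the "Wi-Fi IP address" setting name is lost and the row has four cells against a two-column header. The two-row form on the adjacent lines, with `| Wi-Fi IP address | IPv4 and IPv6 addresses currently assigned to the Wi-Fi adapter in the device |` as its own row, is the correct one; make sure that is the version that lands in the file.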
@ -1101,37 +1246,49 @@ Table 23. Windows 10 Mobile remote find settings
| Remote find timeout | The number of seconds devices should wait for a remote find to finish; has a value between 0 and 1,800 seconds |
 
### <a href="" id="cloud-serv"></a>Cloud services
On mobile devices that run Windows 10 Mobile, users can easily connect to apps and data. As a result, they frequently connect to cloud services that provide user notifications and collect telemetry (usage data). Windows 10 Mobile enables organizations to manage how devices consume these cloud services.
**Manage push notifications**
The Windows Push Notification Services enable software developers to send toast, tile, badge, and raw updates from their cloud services. It provides a mechanism to deliver updates to users in a power-efficient and dependable way.
Push notifications can affect battery life, however, so the battery saver in Windows 10 Mobile limits background activity on the devices to extend battery life. Users can configure battery saver to turn on automatically when the battery drops below a set threshold. When battery saver is on, Windows 10 Mobile disables the receipt of push notifications to save energy.
There is an exception to this behavior, however. In Windows 10 Mobile, the **Always allowed** battery saver settings (found in the Settings app) allow apps to receive push notifications even when battery saver is on. Users can manually configure this list, or you can use the MDM system to configure it—that is, you can use the battery saver settings URI scheme in Windows 10 Mobile (**ms-settings:batterysaver-settings**) to configure these settings.
For more information about push notifications, see [Windows Push Notification Services (WNS) overview](http://go.microsoft.com/fwlink/p/?LinkId=734060).
**Manage telemetry**
As people use Windows 10 Mobile, it can collect performance and usage telemetry that helps Microsoft identify and troubleshoot problems as well as improve its products and services. Microsoft recommends that you select **Full** for this setting.
Microsoft employees, contractors, vendors, and partners might have access to relevant portions of the information that Windows 10 Mobile collects, but they are permitted to use the information only to repair or improve Microsoft products and services or third-party software and hardware designed for use with Microsoft products and services.
You can control the level of data that MDM systems collect. Table 24 lists the data levels that Windows 10 Mobile collects and provides a brief description of each. To configure devices, specify one of these levels in the **Allow Telemetry** setting.
Table 24. Windows 10 Mobile data collection levels
| Level of data | Description |
|---------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|- | - |
| Security | Collects only the information required to keep Windows 10 Mobile enterprise-grade secure, including information about telemetry client settings, the Malicious Software Removal Tool, and Windows Defender. This level is available only on Windows 10 Enterprise, Windows 10 Education, and Windows 10 IoT Core. For Windows 10 Mobile, this setting disables Windows 10 Mobile telemetry. |
| Basic | Provides only the data vital to the operation of Windows 10 Mobile. This data level helps keep Windows 10 Mobile and apps running properly by letting Microsoft know the devices capabilities, whats installed, and whether Windows is operating correctly. This option also turns on basic error reporting back to Microsoft. By selecting this option, you allow Microsoft to provide updates through Windows Update, including malicious software protection through the Malicious Software Removal Tool. |
| Enhanced | Includes all Basic data plus data about how users use Windows 10 Mobile, such as how frequently or how long they use certain features or apps and which apps they use most often. This option also lets operating system collect enhanced diagnostic information, such as the memory state of a device when a system or app crash occurs, and measure reliability of devices, the operating system, and apps. |
| Full | Includes all Basic and Enhanced data and also turns on advanced diagnostic features that collect additional data from devices, such as system files or memory snapshots, which may unintentionally include parts of documents user are working on when a problem occurred. This information helps Microsoft further troubleshoot and fix problems. If an error report contains personal data, Microsoft does not use that information to identify, contact, or target advertising to users. |
 
## Device retirement
Device retirement (unenrollment) is the last phase of the device life cycle. Historically, mobile device retirement has been a complex and difficult process for organizations. When the organization no longer needs devices, it must remove (wipe) corporate data from them. BYOD scenarios make retirement even more complex because users expect their personal apps and data to remain untouched. Therefore, organizations must remove their data without affecting users data.
You can remotely remove all corporate data from devices that run Windows 10 Mobile without affecting existing user data (partial or enterprise wipe). The help desk or the devices users can initiate device retirement. When retirement is complete, Windows 10 Mobile returns the devices to a consumer state, as they were before enrollment. The following list summarizes the corporate data removed from a device when its retired:
- Email accounts
- Enterprise-issued certificates
- Network profiles
- Enterprise-deployed apps
- Any data associated with the enterprise-deployed apps
**Note**  
All these features are in addition to the devices software and hardware factory reset features, which users can use to restore devices to their factory configuration.
>**Note:**  All these features are in addition to the devices software and hardware factory reset features, which users can use to restore devices to their factory configuration.
 
To specify whether users can delete the workplace account in Control Panel and unenroll from the MDM system, enable the **Allow Manual MDM Unenrollment** setting. Table 25 lists additional Windows 10 remote wipe settings that you can use the MDM system to configure.
Table 25. Windows 10 Mobile remote wipe settings
| Setting | Description |
|-------------------------------|----------------------------------------------------------------------------------------------------------------------|
| Wipe | Specifies that a remote wipe of the device should be performed |
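Review bot: The **Security** row of Table 24 contradicts itself for this document's platform: it states the level "is available only on Windows 10 Enterprise, Windows 10 Education, and Windows 10 IoT Core" and in the next sentence that "For Windows 10 Mobile, this setting disables Windows 10 Mobile telemetry". State plainly what happens when an admin selects this level on Windows 10 Mobile (unsupported, or behaves as telemetry off). In the same hunk, "You can control the level of data that MDM systems collect" conflates the MDM inventory with the telemetry that Windows 10 Mobile sends to Microsoft, which is what the surrounding sentences say **Allow Telemetry** governs; reword to "the level of telemetry that Windows 10 Mobile collects". Table 24 also carries the stray `|- | - |` row under the header separator; remove it.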
@ -1139,9 +1296,8 @@ Table 25. Windows 10 Mobile remote wipe settings
| Allow user to reset phone | Whether users are allowed to use Control Panel or hardware key combinations to return the device to factory defaults |
 
## Related topics
[Mobile device management](http://go.microsoft.com/fwlink/p/?LinkId=734050)
[Enterprise Mobility Suite](http://go.microsoft.com/fwlink/p/?LinkId=723984)
[Overview of Mobile Device Management for Office 365](http://go.microsoft.com/fwlink/p/?LinkId=734052)
[Windows Store for Business](http://go.microsoft.com/fwlink/p/?LinkId=722910)
 
 
- [Mobile device management](http://go.microsoft.com/fwlink/p/?LinkId=734050)
- [Enterprise Mobility Suite](http://go.microsoft.com/fwlink/p/?LinkId=723984)
- [Overview of Mobile Device Management for Office 365](http://go.microsoft.com/fwlink/p/?LinkId=734052)
- [Windows Store for Business](http://go.microsoft.com/fwlink/p/?LinkId=722910)

View File

@ -2,9 +2,10 @@
title: ACT Community Ratings and Process (Windows 10)
description: The Application Compatibility Toolkit (ACT) Community uses the Microsoft® Compatibility Exchange to share compatibility ratings between all registered ACT Community members.
ms.assetid: be6c8c71-785b-4adf-a375-64ca7d24e26c
ms.prod: W10
ms.mktglfcycl: operate
ms.prod: w10
ms.mktglfcycl: plan
ms.sitesec: library
ms.pagetype: appcompat
author: TrudyHa
---

View File

@ -2,8 +2,9 @@
title: ACT Database Configuration (Windows 10)
description: The Application Compatibility Toolkit (ACT) uses a Microsoft® SQL Server® database for storing and sharing compatibility issue data.
ms.assetid: 032bbfe0-86fa-48ff-b638-b9d6a908c45e
ms.prod: W10
ms.mktglfcycl: operate
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
author: TrudyHa
---

View File

@ -2,8 +2,9 @@
title: ACT Database Migration (Windows 10)
description: The schema for an ACT database can change when ACT is updated or when a new version of ACT is released.
ms.assetid: b13369b4-1fb7-4889-b0b8-6d0ab61aac3d
ms.prod: W10
ms.mktglfcycl: operate
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
author: TrudyHa
---

View File

@ -2,8 +2,9 @@
title: ACT Deployment Options (Windows 10)
description: While planning your deployment of the Application Compatibility Toolkit (ACT), consider which computers you want running the various tools, packages, and services for ACT.
ms.assetid: 90d56dd8-8d57-44e8-bf7a-29aabede45ba
ms.prod: W10
ms.mktglfcycl: operate
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
author: TrudyHa
---

View File

@ -2,8 +2,9 @@
title: ACT Glossary (Windows 10)
description: The following table lists terms and definitions used by the Application Compatibility Toolkit (ACT).
ms.assetid: 984d1cce-c1ac-4aa8-839a-a23e15da6f32
ms.prod: W10
ms.mktglfcycl: operate
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
author: TrudyHa
---

View File

@ -2,8 +2,9 @@
title: ACT LPS Share Permissions (Windows 10)
description: To upload log files to the ACT Log Processing Service (LPS) share, certain permissions must be set at the share level and folder level.
ms.assetid: 51f6ddf7-f424-4abe-a0e0-71fe616f9e84
ms.prod: W10
ms.mktglfcycl: operate
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
author: TrudyHa
---

View File

@ -2,8 +2,9 @@
title: OperatingSystem - Application Report (Windows 10)
description: This section describes the compatibility reports in Application Compatibility Manager (ACM) and how you can work with the reports.
ms.assetid: 9721485b-6092-4974-8cfe-c84472237a57
ms.prod: W10
ms.mktglfcycl: operate
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
author: TrudyHa
---

View File

@ -2,8 +2,9 @@
title: OperatingSystem - Computer Report (Windows 10)
ms.assetid: ed0a56fc-9f2a-4df0-8cef-3a09d6616de8
description:
ms.prod: W10
ms.mktglfcycl: operate
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
author: TrudyHa
---
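Review bot: `description:` is left empty in this front matter (the OperatingSystem - Computer Report topic) while the other ACT topics touched in this commit each carry a one-sentence description; fill it in so the page has search and preview metadata.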

View File

@ -2,8 +2,9 @@
title: OperatingSystem - Device Report (Windows 10)
ms.assetid: 8b5a936f-a92e-46a7-ac44-6edace262355
description:
ms.prod: W10
ms.mktglfcycl: operate
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
author: TrudyHa
---
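Review bot: same missing documentation as the Computer Report hunk: `description:` is empty. Fill it in while this file's metadata is being touched.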

View File

@ -2,8 +2,9 @@
title: ACT Product and Documentation Resources (Windows 10)
description: The following sections provide links to resources and reference material for the Application Compatibility Toolkit (ACT).
ms.assetid: c7954b5a-164d-4548-af58-cd3a1de5cc43
ms.prod: W10
ms.mktglfcycl: operate
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
author: TrudyHa
---

View File

@ -2,8 +2,9 @@
title: Settings Dialog Box - Preferences Tab (Windows 10)
description: To display the Settings dialog box, in Application Compatibility Manager (ACM), on the Tools menu, click Settings.
ms.assetid: deae2100-4110-4d72-b5ee-7c167f80bfa4
ms.prod: W10
ms.mktglfcycl: operate
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
author: TrudyHa
---

View File

@ -2,8 +2,9 @@
title: Settings Dialog Box - Settings Tab (Windows 10)
description: To display the Settings dialog box, in Application Compatibility Manager (ACM), on the Tools menu, click Settings.
ms.assetid: aeec1647-cf91-4f8b-9f6d-dbf4b898d901
ms.prod: W10
ms.mktglfcycl: operate
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
author: TrudyHa
---

View File

@ -2,8 +2,9 @@
title: Application Compatibility Toolkit (ACT) Technical Reference (Windows 10)
description: The Microsoft® Application Compatibility Toolkit (ACT) helps you determine whether the applications, devices, and computers in your organization are compatible with versions of the Windows® operating system.
ms.assetid: d90d38b2-2718-4481-90eb-4480719627ba
ms.prod: W10
ms.mktglfcycl: operate
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
author: TrudyHa
---

View File

@ -2,8 +2,9 @@
title: Toolbar Icons in ACM (Windows 10)
description: The following table shows icons that appear on toolbars and navigational elements in Application Compatibility Manager (ACM).
ms.assetid: 44872da1-c7ad-41b9-8323-d3c3f49b2706
ms.prod: W10
ms.mktglfcycl: operate
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
author: TrudyHa
---

View File

@ -2,8 +2,9 @@
title: ACT Tools, Packages, and Services (Windows 10)
description: The Application Compatibility Toolkit is included with the Windows ADK. Download the Windows ADK.
ms.assetid: f5a16548-7d7b-4be9-835e-c06158dd0b89
ms.prod: W10
ms.mktglfcycl: operate
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
author: TrudyHa
---

View File

@ -2,8 +2,9 @@
title: ACT User Interface Reference (Windows 10)
description: This section contains information about the user interface for Application Compatibility Manager (ACM), which is a tool in the Application Compatibility Toolkit (ACT).
ms.assetid: 303d3dd7-2cc1-4f5f-b032-b7e288b04893
ms.prod: W10
ms.mktglfcycl: operate
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
author: TrudyHa
---

View File

@ -2,8 +2,9 @@
title: Activating and Closing Windows in ACM (Windows 10)
description: The Windows dialog box shows the windows that are open in Application Compatibility Manager (ACM).
ms.assetid: 747bf356-d861-4ce7-933e-fa4ecfac7be5
ms.prod: W10
ms.mktglfcycl: operate
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
author: TrudyHa
---

View File

@ -2,8 +2,9 @@
title: Adding or Editing a Solution (Windows 10)
description: If you find your own solutions to compatibility issues, you can enter the solutions in Application Compatibility Manager (ACM). You can use the Microsoft Compatibility Exchange to upload solutions to Microsoft Corporation.
ms.assetid: 86cb8804-d577-4af6-b96f-5e0409784a23
ms.prod: W10
ms.mktglfcycl: operate
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
author: TrudyHa
---

View File

@ -2,8 +2,9 @@
title: Adding or Editing an Issue (Windows 10)
description: In Application Compatibility Manager (ACM), you can enter information about the compatibility issues that you discover.
ms.assetid: 8a9fff79-9f88-4ce2-a4e6-b9382f28143d
ms.prod: W10
ms.mktglfcycl: operate
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
author: TrudyHa
---

View File

@ -2,8 +2,9 @@
title: Analyzing Your Compatibility Data (Windows 10)
description: This section provides information about viewing and working with your compatibility data in Application Compatibility Manager (ACM).
ms.assetid: b98f3d74-fe22-41a2-afe8-2eb2799933a1
ms.prod: W10
ms.mktglfcycl: operate
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
author: TrudyHa
---

View File

@ -2,8 +2,9 @@
title: Application Dialog Box (Windows 10)
description: In Application Compatibility Manager (ACM), the Application dialog box shows information about the selected application.
ms.assetid: a43e85a6-3cd4-4235-bc4d-01e4d097db7e
ms.prod: W10
ms.mktglfcycl: operate
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
author: TrudyHa
---

View File

@ -2,8 +2,9 @@
title: Applying Filters to Data in the SUA Tool (Windows 10)
description: On the user interface for the Standard User Analyzer (SUA) tool, you can apply filters to the issues that the tool has found so that you can view only the information that interests you.
ms.assetid: 48c39919-3501-405d-bcf5-d2784cbb011f
ms.prod: W10
ms.mktglfcycl: operate
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
author: TrudyHa
---

View File

@ -2,8 +2,9 @@
title: Available Data Types and Operators in Compatibility Administrator (Windows 10)
description: The Compatibility Administrator tool provides a way to query your custom-compatibility databases.
ms.assetid: 67d9c03e-ab9d-4fda-8a55-8c5b90266d3b
ms.prod: W10
ms.mktglfcycl: operate
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
author: TrudyHa
---

View File

@ -2,9 +2,10 @@
title: Best practice recommendations for Windows To Go (Windows 10)
description: Best practice recommendations for Windows To Go
ms.assetid: 05e6e0ab-94ed-4c0c-a195-0abd006f0a86
keywords: ["best practices, USB, device, boot"]
keywords: best practices, USB, device, boot
ms.prod: w10
ms.mktglfcycl: deploy
ms.mktglfcycl: plan
pagetype: mobility
ms.sitesec: library
author: mtniehaus
---
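Review bot: the `pagetype: mobility` line is missing the `ms.` prefix; the "Deployment considerations for Windows To Go" hunk uses `ms.pagetype: mobility` and every appcompat hunk uses `ms.pagetype: appcompat`. Change it to `ms.pagetype: mobility` so this topic carries the same metadata field as the rest of the set.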

View File

@ -2,8 +2,9 @@
title: Categorizing Your Compatibility Data (Windows 10)
ms.assetid: 6420f012-316f-4ef0-bfbb-14baaa664e6e
description:
ms.prod: W10
ms.mktglfcycl: operate
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
author: TrudyHa
---
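Review bot: `description:` is empty in this hunk. Add a one-line description alongside the `ms.prod` and `ms.mktglfcycl` changes so the page is not published without one.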

View File

@ -2,8 +2,8 @@
title: Change history for Plan for Windows 10 deployment (Windows 10)
description: This topic lists new and updated topics in the Plan for Windows 10 deployment documentation for Windows 10 and Windows 10 Mobile.
ms.assetid: 70D9F4F8-F2A4-4FB4-9459-5B2BE7BCAC66
ms.prod: W10
ms.mktglfcycl: deploy
ms.prod: w10
ms.mktglfcycl: plan
ms.sitesec: library
author: TrudyHa
---

View File

@ -3,7 +3,7 @@ title: Chromebook migration guide (Windows 10)
description: In this guide you will learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment.
ms.assetid: 7A1FA48A-C44A-4F59-B895-86D4D77F8BEA
keywords: migrate, automate, device
ms.prod: W10
ms.prod: w10
ms.mktglfcycl: plan
ms.sitesec: library
ms.pagetype: edu; devices

View File

@ -2,8 +2,9 @@
title: Common Compatibility Issues (Windows 10)
ms.assetid: f5ad621d-bda2-45b5-ae85-bc92970f602f
description:
ms.prod: W10
ms.mktglfcycl: operate
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
author: TrudyHa
---
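Review bot: empty `description:` again. Please populate it in the same change.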

View File

@ -2,8 +2,9 @@
title: Compatibility Administrator User's Guide (Windows 10)
ms.assetid: 0ce05f66-9009-4739-a789-60f3ce380e76
description:
ms.prod: W10
ms.mktglfcycl: operate
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
author: TrudyHa
---
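Review bot: `description:` is empty for the Compatibility Administrator User's Guide topic; add one while the front matter is being edited.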

View File

@ -2,8 +2,9 @@
title: Compatibility Fix Database Management Strategies and Deployment (Windows 10)
ms.assetid: fdfbf02f-c4c4-4739-a400-782204fd3c6c
description:
ms.prod: W10
ms.mktglfcycl: operate
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
author: TrudyHa
---
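Review bot: `description:` is empty here as well; the other compatibility-fix topics in this commit all have one, so this file should too.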

View File

@ -2,8 +2,9 @@
title: Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista (Windows 10)
description: You can fix some compatibility issues that are due to the changes made between Windows operating system versions. These issues can include User Account Control (UAC) restrictions.
ms.assetid: cd51c824-557f-462a-83bb-54b0771b7dff
ms.prod: W10
ms.mktglfcycl: operate
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
author: TrudyHa
---

View File

@ -2,8 +2,9 @@
title: Compatibility Monitor User's Guide (Windows 10)
description: Compatibility Monitor is a tool in the runtime analysis package that you can use to monitor applications for compatibility issues. You can also use the Compatibility Monitor tool to submit compatibility feedback.
ms.assetid: 67d6eff0-1576-44bd-99b4-a3ffa5e205ac
ms.prod: W10
ms.mktglfcycl: operate
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
author: TrudyHa
---

View File

@ -2,8 +2,9 @@
title: Computer Dialog Box (Windows 10)
description: In Application Compatibility Manager (ACM), the Computer dialog box shows information about the selected computer.
ms.assetid: f89cbb28-adcd-41cd-9a54-402bc4aaffd9
ms.prod: W10
ms.mktglfcycl: operate
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
author: TrudyHa
---

View File

@ -2,8 +2,9 @@
title: Configuring ACT (Windows 10)
description: This section provides information about setting up the Application Compatibility Toolkit (ACT) in your organization.
ms.assetid: aacbe35e-ea40-47ac-bebf-ed2660c8fd86
ms.prod: W10
ms.mktglfcycl: operate
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
author: TrudyHa
---

View File

@ -2,8 +2,9 @@
title: Creating a Custom Compatibility Fix in Compatibility Administrator (Windows 10)
description: The Compatibility Administrator tool uses the term fix to describe the combination of compatibility information added to a customized database for a specific application.
ms.assetid: e4f2853a-0e46-49c5-afd7-0ed12f1fe0c2
ms.prod: W10
ms.mktglfcycl: operate
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
author: TrudyHa
---

View File

@ -2,8 +2,9 @@
title: Creating a Custom Compatibility Mode in Compatibility Administrator (Windows 10)
description: Windows® provides several compatibility modes, groups of compatibility fixes found to resolve many common application-compatibility issues.
ms.assetid: 661a1c0d-267f-4a79-8445-62a9a98d09b0
ms.prod: W10
ms.mktglfcycl: operate
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
author: TrudyHa
---

View File

@ -2,8 +2,9 @@
title: Creating a Runtime-Analysis Package (Windows 10)
description: In Application Compatibility Manager (ACM), you can create runtime-analysis packages, which you can then deploy to computers for compatibility testing in your test environment.
ms.assetid: 3c703ebe-46b3-4dcd-b355-b28344bc159b
ms.prod: W10
ms.mktglfcycl: operate
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
author: TrudyHa
---

View File

@ -2,8 +2,9 @@
title: Creating an AppHelp Message in Compatibility Administrator (Windows 10)
description: The Compatibility Administrator tool enables you to create an AppHelp text message. This is a blocking or non-blocking message that appears when a user starts an application that you know has major functionality issues on the Windows® operating system.
ms.assetid: 5c6e89f5-1942-4aa4-8439-ccf0ecd02848
ms.prod: W10
ms.mktglfcycl: operate
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
author: TrudyHa
---

View File

@ -2,8 +2,9 @@
title: Creating an Enterprise Environment for Compatibility Testing (Windows 10)
description: The goal of the test environment is to model the operating system that you want to deploy and assess compatibility before deploying the operating system to your production environment.
ms.assetid: cbf6d8b6-7ebc-4faa-bbbd-e02653ed4adb
ms.prod: W10
ms.mktglfcycl: operate
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
author: TrudyHa
---

View File

@ -2,8 +2,9 @@
title: Creating an Inventory-Collector Package (Windows 10)
description: You can use Application Compatibility Manager (ACM) to create an inventory-collector package.
ms.assetid: 61d041d6-e308-47b3-921b-709d72926d6d
ms.prod: W10
ms.mktglfcycl: operate
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
author: TrudyHa
---

View File

@ -2,8 +2,9 @@
title: Creating and Editing Issues and Solutions (Windows 10)
description: This section provides step-by-step instructions for adding and editing application compatibility issues and solutions. Your issue and solution data can be uploaded to Microsoft through the Microsoft® Compatibility Exchange.
ms.assetid: b64fe4e0-24bd-4bbd-9645-80ae5644e774
ms.prod: W10
ms.mktglfcycl: operate
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
author: TrudyHa
---

View File

@ -2,8 +2,9 @@
title: Customizing Your Report Views (Windows 10)
description: You can customize how you view your report data in Application Compatibility Manager (ACM).
ms.assetid: ba8da888-6749-43b4-8efb-4f26c7954721
ms.prod: W10
ms.mktglfcycl: operate
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
author: TrudyHa
---

View File

@ -2,8 +2,9 @@
title: Data Sent Through the Microsoft Compatibility Exchange (Windows 10)
description: The Microsoft Compatibility Exchange propagates data of various types between Microsoft Corporation, independent software vendors (ISVs) and the Application Compatibility Toolkit (ACT) Community.
ms.assetid: 3ec61e33-9db8-4367-99d5-e05c2f50e144
ms.prod: W10
ms.mktglfcycl: operate
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
author: TrudyHa
---

View File

@ -2,8 +2,9 @@
title: Deciding Whether to Fix an Application or Deploy a Workaround (Windows 10)
description: You can fix a compatibility issue by changing the code for the application or by deploying a workaround.
ms.assetid: e495d0c8-bfba-4537-bccd-64c4b52206f1
ms.prod: W10
ms.mktglfcycl: operate
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
author: TrudyHa
---

View File

@ -2,8 +2,9 @@
title: Deciding Which Applications to Test (Windows 10)
description: Before starting your compatibility testing on the version of Windows that you want to deploy, you can use the Application Compatibility Toolkit (ACT) to identify which applications should be the focus of your testing.
ms.assetid: d7c1c28f-b7b4-43ac-bf87-2910a2b603bf
ms.prod: W10
ms.mktglfcycl: operate
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
author: TrudyHa
---

View File

@ -2,8 +2,9 @@
title: Deleting a Data-Collection Package (Windows 10)
description: In Application Compatibility Manager (ACM), you can delete any of your existing data-collection packages from the database.
ms.assetid: 1b397d7a-7216-4078-93d9-47c7becbf73e
ms.prod: W10
ms.mktglfcycl: operate
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
author: TrudyHa
---

View File

@ -2,8 +2,9 @@
title: Deploying a Runtime-Analysis Package (Windows 10)
description: When you deploy a runtime-analysis package, you are deploying it to your test environment for compatibility testing.
ms.assetid: 304bf0be-0e7c-4c5f-baac-bed7f8bef509
ms.prod: W10
ms.mktglfcycl: operate
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
author: TrudyHa
---

View File

@ -2,8 +2,8 @@
title: Deploying an Inventory-Collector Package (Windows 10)
ms.assetid: 8726ff71-0d17-4449-bdb7-66957ae51c62
description:
ms.prod: W10
ms.mktglfcycl: operate
ms.prod: w10
ms.mktglfcycl: plan
ms.sitesec: library
author: TrudyHa
---
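Review bot: this hunk only swaps `ms.prod` and `ms.mktglfcycl` (8 lines to 8 lines) and, unlike the neighbouring ACT hunks such as "Deploying a Runtime-Analysis Package", does not add `ms.pagetype: appcompat`; the `description:` context line is also empty. Add `ms.pagetype: appcompat` after `ms.mktglfcycl: plan` and fill in the description so this topic is tagged like the rest of the appcompat set.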

View File

@ -2,9 +2,10 @@
title: Deployment considerations for Windows To Go (Windows 10)
description: Deployment considerations for Windows To Go
ms.assetid: dcfc5d96-b96b-44cd-ab65-416b5611c65e
keywords: ["deploy, mobile, device, USB, boot, image, workspace, driver"]
keywords: deploy, mobile, device, USB, boot, image, workspace, driver
ms.prod: W10
ms.mktglfcycl: deploy
ms.mktglfcycl: plan
ms.pagetype: mobility
ms.sitesec: library
author: mtniehaus
---
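Review bot: `ms.prod: W10` is left as unchanged context here while every other hunk in this commit normalizes the value to `ms.prod: w10`. Lowercase it in this file as well so the product tag is consistent across the set.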

View File

@ -2,8 +2,9 @@
title: Device Dialog Box (Windows 10)
description: In Application Compatibility Manager (ACM), the Device dialog box shows information about the selected device.
ms.assetid: 5bd7cfda-31ea-4967-8b64-6c0425092f4e
ms.prod: W10
ms.mktglfcycl: operate
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
author: TrudyHa
---

View File

@ -2,8 +2,9 @@
title: Enabling and Disabling Compatibility Fixes in Compatibility Administrator (Windows 10)
description: You can disable and enable individual compatibility fixes in your customized databases for testing and troubleshooting purposes.
ms.assetid: 6bd4a7c5-0ed9-4a35-948c-c438aa4d6cb6
ms.prod: W10
ms.mktglfcycl: operate
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
author: TrudyHa
---

View File

@ -2,8 +2,9 @@
title: Example Filter Queries (Windows 10)
description: You can filter your compatibility-issue data or reports by selecting specific restriction criteria.
ms.assetid: eae59380-56cc-4d57-bd2c-11a0e3c689c9
ms.prod: W10
ms.mktglfcycl: operate
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
author: TrudyHa
---

View File

@ -2,8 +2,9 @@
title: Exporting a Data-Collection Package (Windows 10)
description: In Application Compatibility Manager (ACM), you can export a data-collection package as a Windows installer (.msi) file. You can then use the .msi file to install the data-collection package on the computers from which you want to gather data.
ms.assetid: 98fe19e4-9533-4ffc-a275-8b3776ee93ed
ms.prod: W10
ms.mktglfcycl: operate
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
author: TrudyHa
---

View File

@ -2,8 +2,9 @@
title: Filtering Your Compatibility Data (Windows 10)
description: You can use Query Builder to filter your compatibility-issue data or reports by selecting specific restriction criteria.
ms.assetid: b64267b5-83c0-4b4d-a075-0975d3a359c8
ms.prod: W10
ms.mktglfcycl: operate
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
author: TrudyHa
---

View File

@ -2,8 +2,9 @@
title: Fixing Applications by Using the SUA Tool (Windows 10)
description: On the user interface for the Standard User Analyzer (SUA) tool, you can apply fixes to an application.
ms.assetid: 7f5947b1-977b-4d7e-bb52-fbe8e76f6b8b
ms.prod: W10
ms.mktglfcycl: operate
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
author: TrudyHa
---

View File

@ -2,8 +2,9 @@
title: Fixing Compatibility Issues (Windows 10)
description: This section provides step-by-step instructions and describes development tools that you can use to help fix your compatibility issues.
ms.assetid: 30ba8d14-a41a-41b3-9019-e8658d6974de
ms.prod: W10
ms.mktglfcycl: operate
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
author: TrudyHa
---

View File

@ -2,8 +2,8 @@
title: Identifying Computers for Inventory Collection (Windows 10)
ms.assetid: f5bf2d89-fff2-4960-a153-dc1146b442fb
description:
ms.prod: W10
ms.mktglfcycl: operate
ms.prod: w10
ms.mktglfcycl: plan
ms.sitesec: library
author: TrudyHa
---
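Review bot: as with the "Deploying an Inventory-Collector Package" hunk, this 8-to-8 hunk omits the `ms.pagetype: appcompat` line that the other ACT topics gain, and `description:` is empty. Add both so the topic is classified and described like its siblings.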

View File

@ -2,8 +2,8 @@
title: Plan for Windows 10 deployment (Windows 10)
description: Windows 10 provides new deployment capabilities, scenarios, and tools by building on technologies introduced in Windows 7, and Windows 8.1, while at the same time introducing new Windows as a service concepts to keep the operating system up to date.
ms.assetid: 002F9B79-B50F-40C5-A7A5-0B4770E6EC15
keywords: ["deploy", "upgrade", "update", "configure"]
ms.prod: W10
keywords: deploy, upgrade, update, configure
ms.prod: w10
ms.mktglfcycl: plan
ms.sitesec: library
author: TrudyHa

Some files were not shown because too many files have changed in this diff.