deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-14 14:27:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'master' into seccon-framework

Browse Source
This commit is contained in:
Justin Hall 2019-04-10 09:40:09 -07:00
commit a28ba8450a
9 changed files with 64 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
devices/hololens/TOC.md
View File

@ -12,6 +12,6 @@
## [Configure HoloLens using a provisioning package](hololens-provisioning.md) ## [Configure HoloLens using a provisioning package](hololens-provisioning.md)
## [Install apps on HoloLens](hololens-install-apps.md) ## [Install apps on HoloLens](hololens-install-apps.md)
## [Enable Bitlocker device encryption for HoloLens](hololens-encryption.md) ## [Enable Bitlocker device encryption for HoloLens](hololens-encryption.md)
## [Restore HoloLens 2 using Advanced Recovery Companion](hololens-recovery.md) ## [Restart, reset, or recover HoloLens 2](hololens-recovery.md)
## [How HoloLens stores data for spaces](hololens-spaces.md) ## [How HoloLens stores data for spaces](hololens-spaces.md)
## [Change history for Microsoft HoloLens documentation](change-history-hololens.md) ## [Change history for Microsoft HoloLens documentation](change-history-hololens.md)

2
devices/hololens/change-history-hololens.md
View File

@ -19,7 +19,7 @@ This topic lists new and updated topics in the [Microsoft HoloLens documentation
New or changed topic | Description New or changed topic | Description
--- | --- --- | ---
[Restore HoloLens 2 using Advanced Recovery Companion](hololens-recovery.md) | New [Restart, reset, or recover HoloLens 2](hololens-recovery.md) | New
## November 2018 ## November 2018

4
devices/hololens/hololens-recovery.md
View File

@ -1,5 +1,5 @@
--- ---
title: Restore HoloLens 2 using Advanced Recovery Companion title: Restart, reset, or recover HoloLens 2
description: How to use Advanced Recovery Companion to flash an image to HoloLens 2. description: How to use Advanced Recovery Companion to flash an image to HoloLens 2.
ms.prod: hololens ms.prod: hololens
ms.sitesec: library ms.sitesec: library
@ -9,7 +9,7 @@ ms.topic: article
ms.localizationpriority: medium ms.localizationpriority: medium
--- ---
# Restore HoloLens 2 using Advanced Recovery Companion # Restart, reset, or recover HoloLens 2
>[!TIP] >[!TIP]
>If you're having issues with HoloLens (the first device released), see [Restart, reset, or recover HoloLens](https://support.microsoft.com/help/13452/hololens-restart-reset-or-recover-hololens). Advanced Recovery Companion is only supported for HoloLens 2. >If you're having issues with HoloLens (the first device released), see [Restart, reset, or recover HoloLens](https://support.microsoft.com/help/13452/hololens-restart-reset-or-recover-hololens). Advanced Recovery Companion is only supported for HoloLens 2.

7
windows/configuration/change-history-for-configure-windows-10.md
View File

@ -10,13 +10,18 @@ ms.localizationpriority: medium
author: jdeckerms author: jdeckerms
ms.author: jdecker ms.author: jdecker
ms.topic: article ms.topic: article
ms.date: 11/07/2018
--- ---
# Change history for Configure Windows 10 # Change history for Configure Windows 10
This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile. This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile.
## April 2019
New or changed topic | Description
--- | ---
[Prepare a device for kiosk configuration](kiosk-prepare.md) | Added new recommendations for policies to manage updates.
## February 2019 ## February 2019
New or changed topic | Description New or changed topic | Description

11
windows/configuration/kiosk-prepare.md
View File

@ -8,7 +8,6 @@ ms.mktglfcycl: manage
ms.sitesec: library ms.sitesec: library
author: jdeckerms author: jdeckerms
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 01/09/2019
ms.topic: article ms.topic: article
--- ---
@ -31,12 +30,14 @@ ms.topic: article
## Configuration recommendations ## Configuration recommendations
For a more secure kiosk experience, we recommend that you make the following configuration changes to the device before you configure it as a kiosk: For a more secure kiosk experience, we recommend that you make the following configuration changes to the device before you configure it as a kiosk:
Recommendation | How to Recommendation | How to
--- | --- --- | ---
Hide update notifications<br>(New in Windows 10, version 1809) | Go to **Group Policy Editor** &gt; **Computer Configuration** &gt; **Administrative Templates\\Windows Components\\Windows Update\\Display options for update notifications**<br>-or-<br>Use the MDM setting **Update/UpdateNotificationLevel** from the [**Policy/Update** configuration service provider](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel)<br>-or-<br>Add the following registry keys as DWORD (32-bit) type:</br>`HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\SetUpdateNotificationLevel` with a value of `1`, and `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\UpdateNotificationLevel` with a value of `1` to hide all notifications except restart warnings, or value of `2` to hide all notifications, including restart warnings. Hide update notifications<br>(New in Windows 10, version 1809) | Go to **Group Policy Editor** &gt; **Computer Configuration** &gt; **Administrative Templates\\Windows Components\\Windows Update\\Display options for update notifications**<br>-or-<br>Use the MDM setting **Update/UpdateNotificationLevel** from the [**Policy/Update** configuration service provider](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel)<br>-or-<br>Add the following registry keys as type DWORD (32-bit) in the path of **HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate**:<br>**\SetUpdateNotificationLevel** with a value of `1`, and **\UpdateNotificationLevel** with a value of `1` to hide all notifications except restart warnings, or value of `2` to hide all notifications, including restart warnings.
Replace "blue screen" with blank screen for OS errors | Add the following registry key as DWORD (32-bit) type with a value of `1`:</br></br>`HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\DisplayDisabled` Enable and schedule automatic updates | Go to **Group Policy Editor** &gt; **Computer Configuration** &gt; **Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates**, and select `option 4 (Auto download and schedule the install)`<br>-or-<br>Use the MDM setting **Update/AllowAutoUpdate** from the [**Policy/Update** configuration service provider](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate), and select `option 3 (Auto install and restart at a specified time)`<br><br>**Note:** Installations can take from between 30 minutes and 2 hours, depending on the device, so you should schedule updates to occur when a block of 3-4 hours is available.<br><br>To schedule the automatic update, configure **Schedule Install Day**, **Schedule Install Time**, and **Schedule Install Week**.
Enable automatic restart at the scheduled time | Go to **Group Policy Editor** &gt; **Computer Configuration** &gt; **Administrative Templates\\Windows Components\\Windows Update\\Always automatically restart at the scheduled time**
Replace "blue screen" with blank screen for OS errors | Add the following registry key as DWORD (32-bit) type with a value of `1`:</br></br>**HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\DisplayDisabled**
Put device in **Tablet mode**. | If you want users to be able to use the touch (on screen) keyboard, go to **Settings** &gt; **System** &gt; **Tablet mode** and choose **On.** Do not turn on this setting if users will not interact with the kiosk, such as for a digital sign. Put device in **Tablet mode**. | If you want users to be able to use the touch (on screen) keyboard, go to **Settings** &gt; **System** &gt; **Tablet mode** and choose **On.** Do not turn on this setting if users will not interact with the kiosk, such as for a digital sign.
Hide **Ease of access** feature on the sign-in screen. | See [how to disable the Ease of Access button in the registry.](https://docs.microsoft.com/windows-hardware/customize/enterprise/complementary-features-to-custom-logon#welcome-screen) Hide **Ease of access** feature on the sign-in screen. | See [how to disable the Ease of Access button in the registry.](https://docs.microsoft.com/windows-hardware/customize/enterprise/complementary-features-to-custom-logon#welcome-screen)
Disable the hardware power button. | Go to **Power Options** &gt; **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**. Disable the hardware power button. | Go to **Power Options** &gt; **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**.
@ -67,7 +68,7 @@ In addition to the settings in the table, you may want to set up **automatic log
>[!NOTE]   >[!NOTE]  
>If you are not familiar with Registry Editor, [learn how to modify the Windows registry](https://go.microsoft.com/fwlink/p/?LinkId=615002). >If you are not familiar with Registry Editor, [learn how to modify the Windows registry](https://go.microsoft.com/fwlink/p/?LinkId=615002).
   
2. Go to 2. Go to
**HKEY\_LOCAL\_MACHINE\SOFTWARE\\Microsoft\WindowsNT\CurrentVersion\Winlogon** **HKEY\_LOCAL\_MACHINE\SOFTWARE\\Microsoft\WindowsNT\CurrentVersion\Winlogon**

2
windows/configuration/kiosk-single-app.md
View File

@ -42,6 +42,8 @@ Method | Description
>[!TIP] >[!TIP]
>You can also configure a kiosk account and app for single-app kiosk within [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) by using a [kiosk profile](lock-down-windows-10-to-specific-apps.md#profile). >You can also configure a kiosk account and app for single-app kiosk within [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) by using a [kiosk profile](lock-down-windows-10-to-specific-apps.md#profile).
>
>Be sure to check the [configuration recommendations](kiosk-prepare.md) before you set up your kiosk.

3
windows/configuration/lock-down-windows-10-to-specific-apps.md
View File

@ -39,7 +39,8 @@ New features and improvements | In update
You can configure multi-app kiosks using [Microsoft Intune](#intune) or a [provisioning package](#provision). You can configure multi-app kiosks using [Microsoft Intune](#intune) or a [provisioning package](#provision).
>[!TIP]
>Be sure to check the [configuration recommendations](kiosk-prepare.md) before you set up your kiosk.
<span id="intune"/> <span id="intune"/>

2
windows/configuration/setup-digital-signage.md
View File

@ -25,6 +25,8 @@ For digital signage, simply select a digital sign player as your kiosk app. You
>[!TIP] >[!TIP]
>Kiosk Browser can also be used in [single-app kiosks](kiosk-single-app.md) and [multi-app kiosk](lock-down-windows-10-to-specific-apps.md) as a web browser. For more information, see [Guidelines for web browsers](guidelines-for-assigned-access-app.md#guidelines-for-web-browsers). >Kiosk Browser can also be used in [single-app kiosks](kiosk-single-app.md) and [multi-app kiosk](lock-down-windows-10-to-specific-apps.md) as a web browser. For more information, see [Guidelines for web browsers](guidelines-for-assigned-access-app.md#guidelines-for-web-browsers).
>
>Be sure to check the [configuration recommendations](kiosk-prepare.md) before you set up your kiosk.
Kiosk Browser must be downloaded for offline licensing using Microsoft Store for Business. You can deploy Kiosk Browser to devices running Windows 10, version 1803. Kiosk Browser must be downloaded for offline licensing using Microsoft Store for Business. You can deploy Kiosk Browser to devices running Windows 10, version 1803.

47
windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
View File

@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.localizationpriority: medium ms.localizationpriority: medium
author: jsuther1974 author: jsuther1974
ms.date: 08/31/2018 ms.date: 04/09/2019
--- ---
# Microsoft recommended block rules # Microsoft recommended block rules
@ -76,7 +76,13 @@ These modules cannot be blocked by name or version, and therefore must be blocke
For October 2017, we are announcing an update to system.management.automation.dll in which we are revoking older versions by hash values, instead of version rules. For October 2017, we are announcing an update to system.management.automation.dll in which we are revoking older versions by hash values, instead of version rules.
Microsoft recommends that you block the following Microsoft-signed applications and PowerShell files by merging the following policy into your existing policy to add these deny rules using the Merge-CIPolicy cmdlet: Microsoft recommends that you block the following Microsoft-signed applications and PowerShell files by merging the following policy into your existing policy to add these deny rules using the Merge-CIPolicy cmdlet. Beginning with the March 2019 quality update, each version of Windows requires blocking a specific version of the following files:
- msxml3.dll
- msxml6.dll
- jscript9.dll
Pick the correct version of each .dll for the Windows release you plan to support, and remove the other versions.
```xml ```xml
<?xml version="1.0" encoding="utf-8" ?> <?xml version="1.0" encoding="utf-8" ?>
@ -137,7 +143,35 @@ Microsoft recommends that you block the following Microsoft-signed applications
<Deny ID="ID_DENY_WMIC" FriendlyName="wmic.exe" FileName="wmic.exe" MinimumFileVersion="65535.65535.65535.65535"/> <Deny ID="ID_DENY_WMIC" FriendlyName="wmic.exe" FileName="wmic.exe" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_MWFC" FriendlyName="Microsoft.Workflow.Compiler.exe" FileName="Microsoft.Workflow.Compiler.exe" MinimumFileVersion="65535.65535.65535.65535" /> <Deny ID="ID_DENY_MWFC" FriendlyName="Microsoft.Workflow.Compiler.exe" FileName="Microsoft.Workflow.Compiler.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_WFC" FriendlyName="WFC.exe" FileName="wfc.exe" MinimumFileVersion="65535.65535.65535.65535" /> <Deny ID="ID_DENY_WFC" FriendlyName="WFC.exe" FileName="wfc.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_KILL" FriendlyName="kill.exe" FileName="kill.exe" MinimumFileVersion="65535.65535.65535.65535" /> <Deny ID="ID_DENY_KILL" FriendlyName="kill.exe" FileName="kill.exe" MinimumFileVersion="65535.65535.65535.65535" />
<! -- msxml3.dll pick correct version based on release you are supporting -->
<! -- msxml6.dll pick correct version based on release you are supporting -->
<! -- jscript9.dll pick correct version based on release you are supporting -->
<! -- RS1 Windows 1607
<Deny ID="ID_DENY_MSXML3" FriendlyName="msxml3.dll" FileName="msxml3.dll" MinimumFileVersion ="8.110.14393.2550"/>
<Deny ID="ID_DENY_MSXML6" FriendlyName="msxml6.dll" FileName="msxml6.dll" MinimumFileVersion ="6.30.14393.2550"/>
<Deny ID="ID_DENY_JSCRIPT9" FriendlyName="jscript9.dll" FileName="jscript9.dll" MinimumFileVersion ="11.0.14393.2607"/>
-->
<! -- RS2 Windows 1703
<Deny ID="ID_DENY_MSXML3" FriendlyName="msxml3.dll" FileName="msxml3.dll" MinimumFileVersion ="8.110.15063.1386"/>
<Deny ID="ID_DENY_MSXML6" FriendlyName="msxml6.dll" FileName="msxml6.dll" MinimumFileVersion ="6.30.15063.1386"/>
<Deny ID="ID_DENY_JSCRIPT9" FriendlyName="jscript9.dll" FileName="jscript9.dll" MinimumFileVersion ="11.0.15063.1445"/>
-->
<! -- RS3 Windows 1709
<Deny ID="ID_DENY_MSXML3" FriendlyName="msxml3.dll" FileName="msxml3.dll" MinimumFileVersion ="8.110.16299.725"/>
<Deny ID="ID_DENY_MSXML6" FriendlyName="msxml6.dll" FileName="msxml6.dll" MinimumFileVersion ="6.30.16299.725"/>
<Deny ID="ID_DENY_JSCRIPT9" FriendlyName="jscript9.dll" FileName="jscript9.dll" MinimumFileVersion ="11.0.16299.785"/>
-->
<! -- RS4 Windows 1803
<Deny ID="ID_DENY_MSXML3" FriendlyName="msxml3.dll" FileName="msxml3.dll" MinimumFileVersion ="8.110.17134.344"/>
<Deny ID="ID_DENY_MSXML6" FriendlyName="msxml6.dll" FileName="msxml6.dll" MinimumFileVersion ="6.30.17134.344"/>
<Deny ID="ID_DENY_JSCRIPT9" FriendlyName="jscript9.dll" FileName="jscript9.dll" MinimumFileVersion ="11.0.17134.406"/>
-->
<! -- RS5 Windows 1809
<Deny ID="ID_DENY_MSXML3" FriendlyName="msxml3.dll" FileName="msxml3.dll" MinimumFileVersion ="8.110.17763.54"/>
<Deny ID="ID_DENY_MSXML6" FriendlyName="msxml6.dll" FileName="msxml6.dll" MinimumFileVersion ="6.30.17763.54"/>
<Deny ID="ID_DENY_JSCRIPT9" FriendlyName="jscript9.dll" FileName="jscript9.dll" MinimumFileVersion ="11.0.17763.133"/>
-->
<Deny ID="ID_DENY_D_1" FriendlyName="Powershell 1" Hash="02BE82F63EE962BCD4B8303E60F806F6613759C6"/> <Deny ID="ID_DENY_D_1" FriendlyName="Powershell 1" Hash="02BE82F63EE962BCD4B8303E60F806F6613759C6"/>
<Deny ID="ID_DENY_D_2" FriendlyName="Powershell 2" Hash="13765D9A16CC46B2113766822627F026A68431DF"/> <Deny ID="ID_DENY_D_2" FriendlyName="Powershell 2" Hash="13765D9A16CC46B2113766822627F026A68431DF"/>
<Deny ID="ID_DENY_D_3" FriendlyName="Powershell 3" Hash="148972F670E18790D62D753E01ED8D22B351A57E45544D88ACE380FEDAF24A40"/> <Deny ID="ID_DENY_D_3" FriendlyName="Powershell 3" Hash="148972F670E18790D62D753E01ED8D22B351A57E45544D88ACE380FEDAF24A40"/>
@ -842,8 +876,11 @@ Microsoft recommends that you block the following Microsoft-signed applications
<FileRuleRef RuleID="ID_DENY_KILL"/> <FileRuleRef RuleID="ID_DENY_KILL"/>
<FileRuleRef RuleID="ID_DENY_WMIC"/> <FileRuleRef RuleID="ID_DENY_WMIC"/>
<FileRuleRef RuleID="ID_DENY_MWFC" /> <FileRuleRef RuleID="ID_DENY_MWFC" />
<FileRuleRef RuleID="ID_DENY_WFC" /> <FileRuleRef RuleID="ID_DENY_WFC" />
<FileRuleRef RuleID="ID_DENY_D_1"/> <FileRuleRef RuleID="ID_DENY_MSXML3" />
<FileRuleRef RuleID="ID_DENY_MSXML6" />
<FileRuleRef RuleID="ID_DENY_JSCRIPT9" />
<FileRuleRef RuleID="ID_DENY_D_1"/>
<FileRuleRef RuleID="ID_DENY_D_2"/> <FileRuleRef RuleID="ID_DENY_D_2"/>
<FileRuleRef RuleID="ID_DENY_D_3"/> <FileRuleRef RuleID="ID_DENY_D_3"/>
<FileRuleRef RuleID="ID_DENY_D_4"/> <FileRuleRef RuleID="ID_DENY_D_4"/>