From 1e7c9a3ddc01731249a17f1079f3e8b13a613e7a Mon Sep 17 00:00:00 2001 From: LizRoss Date: Mon, 18 Jul 2016 07:06:31 -0700 Subject: [PATCH 01/27] Added text back in --- ...ate-and-verify-an-efs-dra-certificate.1.md | 90 +++++++++++++++++++ 1 file changed, 90 insertions(+) create mode 100644 windows/keep-secure/create-and-verify-an-efs-dra-certificate.1.md diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.1.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.1.md new file mode 100644 index 0000000000..03d72f1d40 --- /dev/null +++ b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.1.md @@ -0,0 +1,90 @@ + +--- +title: Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate (Windows 10) +description: Follow these steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +--- + +# Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate +**Applies to:** + +- Windows 10 Insider Preview +- Windows 10 Mobile Preview + +[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] + +If you don’t already have an EFS DRA certificate, you’ll need to create and extract one from your system before you can use EDP in your organization. For the purposes of this section, we’ll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you. + +The recovery process included in this topic only works for desktop devices. EDP deletes the data on Windows 10 Mobile devices. + +>**Important**
+If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. + +**To manually create an EFS DRA certificate** + +1. On a computer without an EFS DRA certificate installed, open a command prompt with elevated rights, and then navigate to where you want to store the certificate. + +2. Run this command: + + `cipher /r:` + + Where *<EFSRA>* is the name of the .cer and .pfx files that you want to create. + +3. When prompted, type and confirm a password to help protect your new Personal Information Exchange (.pfx) file. + + The EFSDRA.cer and EFSDRA.pfx files are created in the location you specified in Step 1. + + >**Important**
+ Because these files can be used to decrypt any EDP file, you must protect them accordingly. We highly recommend storing them as a public key (PKI) on a smart card with strong protection, stored in a secured physical location. + +4. Add your EFS DRA certificate to your EDP policy by using either Microsoft Intune or System Center Configuration Manager. + + >**Note**
+ To add your EFS DRA certificate to your policy by using Microsoft Intune, see the [Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) topic. To add your EFS DRA certificate to your policy by using System Center Configuration Manager, see the [Create an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) topic. + +**To verify your data recovery certificate is correctly set up on an EDP client computer** + +1. Open an app on your protected app list, and then create and save a file so that it’s encrypted by EDP. + +2. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command: + + `cipher /c ` + + Where *<filename>* is the name of the file you created in Step 1. + +3. Make sure that your data recovery certificate is listed in the **Recovery Certificates** list. + +**To recover your data using the EFS DRA certificate in a test environment** + +1. Copy your EDP-encrypted file to a location where you have admin access. + +2. Install the EFSDRA.pfx file, using your password. + +3. Open a command prompt with elevated rights, navigate to the encrypted file, and then run this command: + + `cipher /d ` + + Where *<encryptedfile.extension>* is the name of your encrypted file. For example, corporatedata.docx. + +**To recover your EDP-protected desktop data after unenrollment** + +1. Have your employee sign in to the unenrolled device, open a command prompt, and type: + + `Robocopy “%localappdata%\Microsoft\EDP\Recovery” <“new_location”> /EFSRAW` + + Where *<”new_location”>* is a different location from where you store your recovery data. This location can be on the employee’s device or on a Windows 8 or Windows Server 2012 or newer server file share that you can reach while logged in as a data recovery agent. + +2. Sign in to a different device with administrator credentials that have access to your organization's Data Recovery Agent (DRA) certificate, and perform the file decryption and recovery by typing: + + `cipher.exe /D <“new_location”>` + +3. Sign in to the unenrolled device as the employee, and type: + + `Robocopy <”new_location”> “%localappdata%\Microsoft\EDP\Recovery\Input”` + +4. Ask the employee to log back in to the device or to lock and unlock the device. + + The Windows Credential service automatically recovers the protected data from the `Recovery\Input` location. From 472827a8dd58583098ee0355bbe611e3daefc57c Mon Sep 17 00:00:00 2001 From: LizRoss Date: Mon, 18 Jul 2016 07:10:34 -0700 Subject: [PATCH 02/27] Fixing topic issue --- ...ate-and-verify-an-efs-dra-certificate.1.md | 90 ------------------- 1 file changed, 90 deletions(-) delete mode 100644 windows/keep-secure/create-and-verify-an-efs-dra-certificate.1.md diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.1.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.1.md deleted file mode 100644 index 03d72f1d40..0000000000 --- a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.1.md +++ /dev/null @@ -1,90 +0,0 @@ - ---- -title: Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate (Windows 10) -description: Follow these steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security ---- - -# Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate -**Applies to:** - -- Windows 10 Insider Preview -- Windows 10 Mobile Preview - -[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] - -If you don’t already have an EFS DRA certificate, you’ll need to create and extract one from your system before you can use EDP in your organization. For the purposes of this section, we’ll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you. - -The recovery process included in this topic only works for desktop devices. EDP deletes the data on Windows 10 Mobile devices. - ->**Important**
-If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. - -**To manually create an EFS DRA certificate** - -1. On a computer without an EFS DRA certificate installed, open a command prompt with elevated rights, and then navigate to where you want to store the certificate. - -2. Run this command: - - `cipher /r:` - - Where *<EFSRA>* is the name of the .cer and .pfx files that you want to create. - -3. When prompted, type and confirm a password to help protect your new Personal Information Exchange (.pfx) file. - - The EFSDRA.cer and EFSDRA.pfx files are created in the location you specified in Step 1. - - >**Important**
- Because these files can be used to decrypt any EDP file, you must protect them accordingly. We highly recommend storing them as a public key (PKI) on a smart card with strong protection, stored in a secured physical location. - -4. Add your EFS DRA certificate to your EDP policy by using either Microsoft Intune or System Center Configuration Manager. - - >**Note**
- To add your EFS DRA certificate to your policy by using Microsoft Intune, see the [Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) topic. To add your EFS DRA certificate to your policy by using System Center Configuration Manager, see the [Create an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) topic. - -**To verify your data recovery certificate is correctly set up on an EDP client computer** - -1. Open an app on your protected app list, and then create and save a file so that it’s encrypted by EDP. - -2. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command: - - `cipher /c ` - - Where *<filename>* is the name of the file you created in Step 1. - -3. Make sure that your data recovery certificate is listed in the **Recovery Certificates** list. - -**To recover your data using the EFS DRA certificate in a test environment** - -1. Copy your EDP-encrypted file to a location where you have admin access. - -2. Install the EFSDRA.pfx file, using your password. - -3. Open a command prompt with elevated rights, navigate to the encrypted file, and then run this command: - - `cipher /d ` - - Where *<encryptedfile.extension>* is the name of your encrypted file. For example, corporatedata.docx. - -**To recover your EDP-protected desktop data after unenrollment** - -1. Have your employee sign in to the unenrolled device, open a command prompt, and type: - - `Robocopy “%localappdata%\Microsoft\EDP\Recovery” <“new_location”> /EFSRAW` - - Where *<”new_location”>* is a different location from where you store your recovery data. This location can be on the employee’s device or on a Windows 8 or Windows Server 2012 or newer server file share that you can reach while logged in as a data recovery agent. - -2. Sign in to a different device with administrator credentials that have access to your organization's Data Recovery Agent (DRA) certificate, and perform the file decryption and recovery by typing: - - `cipher.exe /D <“new_location”>` - -3. Sign in to the unenrolled device as the employee, and type: - - `Robocopy <”new_location”> “%localappdata%\Microsoft\EDP\Recovery\Input”` - -4. Ask the employee to log back in to the device or to lock and unlock the device. - - The Windows Credential service automatically recovers the protected data from the `Recovery\Input` location. From 1c25b6c8ab4bce0b9a4222d0722be7d35e82a3e4 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Mon, 18 Jul 2016 07:13:08 -0700 Subject: [PATCH 03/27] Fixing broken topics --- ...ange-history-for-keep-windows-10-secure.md | 1 + ...reate-and-verify-an-efs-dra-certificate.md | 89 +++++++++++++++++++ 2 files changed, 90 insertions(+) create mode 100644 windows/keep-secure/create-and-verify-an-efs-dra-certificate.md diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index 4b25f1edc5..1fe970c712 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md @@ -16,6 +16,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md |New or changed topic | Description | |----------------------|-------------| +|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md)] |[Mandatory settings for Windows Information Protection (WIP)](mandatory-settings-for-wip.md) |New | |[Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) |New | |[Create an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) |New | diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md new file mode 100644 index 0000000000..84de2b4519 --- /dev/null +++ b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md @@ -0,0 +1,89 @@ +--- +title: Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate (Windows 10) +description: Follow these steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +--- + +# Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate +**Applies to:** + +- Windows 10 Insider Preview +- Windows 10 Mobile Preview + +[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] + +If you don’t already have an EFS DRA certificate, you’ll need to create and extract one from your system before you can use EDP in your organization. For the purposes of this section, we’ll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you. + +The recovery process included in this topic only works for desktop devices. EDP deletes the data on Windows 10 Mobile devices. + +>**Important**
+If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. + +**To manually create an EFS DRA certificate** + +1. On a computer without an EFS DRA certificate installed, open a command prompt with elevated rights, and then navigate to where you want to store the certificate. + +2. Run this command: + + `cipher /r:` + + Where *<EFSRA>* is the name of the .cer and .pfx files that you want to create. + +3. When prompted, type and confirm a password to help protect your new Personal Information Exchange (.pfx) file. + + The EFSDRA.cer and EFSDRA.pfx files are created in the location you specified in Step 1. + + >**Important**
+ Because these files can be used to decrypt any EDP file, you must protect them accordingly. We highly recommend storing them as a public key (PKI) on a smart card with strong protection, stored in a secured physical location. + +4. Add your EFS DRA certificate to your EDP policy by using either Microsoft Intune or System Center Configuration Manager. + + >**Note**
+ To add your EFS DRA certificate to your policy by using Microsoft Intune, see the [Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) topic. To add your EFS DRA certificate to your policy by using System Center Configuration Manager, see the [Create an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) topic. + +**To verify your data recovery certificate is correctly set up on an EDP client computer** + +1. Open an app on your protected app list, and then create and save a file so that it’s encrypted by EDP. + +2. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command: + + `cipher /c ` + + Where *<filename>* is the name of the file you created in Step 1. + +3. Make sure that your data recovery certificate is listed in the **Recovery Certificates** list. + +**To recover your data using the EFS DRA certificate in a test environment** + +1. Copy your EDP-encrypted file to a location where you have admin access. + +2. Install the EFSDRA.pfx file, using your password. + +3. Open a command prompt with elevated rights, navigate to the encrypted file, and then run this command: + + `cipher /d ` + + Where *<encryptedfile.extension>* is the name of your encrypted file. For example, corporatedata.docx. + +**To recover your EDP-protected desktop data after unenrollment** + +1. Have your employee sign in to the unenrolled device, open a command prompt, and type: + + `Robocopy “%localappdata%\Microsoft\EDP\Recovery” <“new_location”> /EFSRAW` + + Where *<”new_location”>* is a different location from where you store your recovery data. This location can be on the employee’s device or on a Windows 8 or Windows Server 2012 or newer server file share that you can reach while logged in as a data recovery agent. + +2. Sign in to a different device with administrator credentials that have access to your organization's Data Recovery Agent (DRA) certificate, and perform the file decryption and recovery by typing: + + `cipher.exe /D <“new_location”>` + +3. Sign in to the unenrolled device as the employee, and type: + + `Robocopy <”new_location”> “%localappdata%\Microsoft\EDP\Recovery\Input”` + +4. Ask the employee to log back in to the device or to lock and unlock the device. + + The Windows Credential service automatically recovers the protected data from the `Recovery\Input` location. From 7df7f72ddd510af164c35612f20beb5d8e8eb400 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Mon, 18 Jul 2016 07:22:50 -0700 Subject: [PATCH 04/27] Added DRA topic to TOC --- windows/keep-secure/TOC.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index e2590ac099..027a9f1fa0 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -30,6 +30,7 @@ ##### [Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune](create-vpn-and-edp-policy-using-intune.md) #### [Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) ### [General guidance and best practices for enterprise data protection (EDP)](guidance-and-best-practices-edp.md) +#### [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md)] #### [Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](mandatory-settings-for-wip.md) #### [Enlightened apps for use with enterprise data protection (EDP)](enlightened-microsoft-apps-and-edp.md) #### [Testing scenarios for enterprise data protection (EDP)](testing-scenarios-for-edp.md) From 401cb6a038cd9ef26bd009665be9ebe35d38657c Mon Sep 17 00:00:00 2001 From: LizRoss Date: Mon, 18 Jul 2016 07:32:56 -0700 Subject: [PATCH 05/27] Moved topic in TOC --- windows/keep-secure/TOC.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index 027a9f1fa0..59d9b683d8 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -29,8 +29,8 @@ ##### [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md) ##### [Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune](create-vpn-and-edp-policy-using-intune.md) #### [Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) -### [General guidance and best practices for enterprise data protection (EDP)](guidance-and-best-practices-edp.md) #### [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md)] +### [General guidance and best practices for enterprise data protection (EDP)](guidance-and-best-practices-edp.md) #### [Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](mandatory-settings-for-wip.md) #### [Enlightened apps for use with enterprise data protection (EDP)](enlightened-microsoft-apps-and-edp.md) #### [Testing scenarios for enterprise data protection (EDP)](testing-scenarios-for-edp.md) From 4fe90bda85afbb122143c490c251614cb2f8568e Mon Sep 17 00:00:00 2001 From: LizRoss Date: Mon, 18 Jul 2016 07:36:20 -0700 Subject: [PATCH 06/27] Updated to include DRA topic --- windows/keep-secure/overview-create-edp-policy.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/keep-secure/overview-create-edp-policy.md b/windows/keep-secure/overview-create-edp-policy.md index 02e9e28ec7..abd098560f 100644 --- a/windows/keep-secure/overview-create-edp-policy.md +++ b/windows/keep-secure/overview-create-edp-policy.md @@ -24,6 +24,7 @@ Microsoft Intune and System Center Configuration Manager Technical Preview versi |------|------------| |[Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) |Intune helps you create and deploy your EDP policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. | |[Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) |System Center Configuration Manager Technical Preview version 1605 or later helps you create and deploy your EDP policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. | +|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md)] |Steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. |     From 6bc10261524a6452cd066afe5b69d4915154665a Mon Sep 17 00:00:00 2001 From: LizRoss Date: Mon, 18 Jul 2016 08:13:40 -0700 Subject: [PATCH 07/27] changed description slightly --- windows/keep-secure/create-and-verify-an-efs-dra-certificate.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md index 84de2b4519..1d26215059 100644 --- a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md +++ b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md @@ -1,6 +1,6 @@ --- title: Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate (Windows 10) -description: Follow these steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. +description: Follow these steps to create, verify, and perform a quick recovery by using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library From dc9ef4ea5ac9d88a783743ffd38583999858f344 Mon Sep 17 00:00:00 2001 From: Nicola Dolci Date: Tue, 19 Jul 2016 19:03:47 -0700 Subject: [PATCH 08/27] Updated for production Updated to handle lang set, transformer options, metadata --- .localization-config | 25 +++++++++++++++++++------ 1 file changed, 19 insertions(+), 6 deletions(-) diff --git a/.localization-config b/.localization-config index c24369eb99..d363f9d920 100644 --- a/.localization-config +++ b/.localization-config @@ -1,8 +1,21 @@ -{ - "locales": [ "zh-cn" ], +{ + + "filters": [ + + { + "metadata": { + "localizationpriority": [ "high", "medium" ] + } + } +], + + "locales": [ "ja-jp", "de-de", "fr-fr", "zh-cn", "zh-tw", "ko-kr", "es-es", "it-it", "ru-ru", "pt-br" ], "files": ["!/*.md", "**/**/*.md", "**/*.md"], - "includeDependencies": true, - "autoPush": true, + "includeDependencies": true, + "autoPush": true, "xliffVersion": "2.0", - "useJavascriptMarkdownTransformer": true -} + "useJavascriptMarkdownTransformer": true, + "markdownTransformerOptions": { + "lockBackslashEscapeChars": false + } +} From 88dac127272220950247f6ec62dbee11b82f064f Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Wed, 20 Jul 2016 10:00:24 -0700 Subject: [PATCH 09/27] merge conflict --- windows/keep-secure/index.md | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/windows/keep-secure/index.md b/windows/keep-secure/index.md index f10f0d6cfe..3260fe7596 100644 --- a/windows/keep-secure/index.md +++ b/windows/keep-secure/index.md @@ -28,12 +28,9 @@ Learn about keeping Windows 10 and Windows 10 Mobile secure. | [VPN profile options](vpn-profile-options.md) | Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect. | | [Windows security baselines](windows-security-baselines.md) | Learn why you should use security baselines in your organization. | | [Security technologies](security-technologies.md) | Learn more about the different security technologies that are available in Windows 10 and Windows 10 Mobile. | -<<<<<<< HEAD | [Enterprise security guides](windows-10-enterprise-security-guides.md) | Get proven guidance to help you better secure and protect your enterprise by using technologies such as Credential Guard, Device Guard, Microsoft Passport, and Windows Hello. This section offers technology overviews and step-by-step guides. | | [Change history for Keep Windows 10 secure](change-history-for-keep-windows-10-secure.md) | This topic lists new and updated topics in the Keep Windows 10 secure documentation for [Windows 10 and Windows 10 Mobile](../index.md). | -======= -| [Enterprise security guides](windows-10-enterprise-security-guides.md) | Get proven guidance to help you better secure and protect your enterprise by using technologies such as Credential Guard, Microsoft Passport, and Windows Hello. This section offers technology overviews and step-by-step guides. | ->>>>>>> refs/remotes/origin/master +   ## Related topics From 6f8c6384e7a6e4695aa7480730f1d508eb0a5b44 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Wed, 20 Jul 2016 10:32:35 -0700 Subject: [PATCH 10/27] add topic to index --- windows/manage/index.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/manage/index.md b/windows/manage/index.md index 28f9aa851f..4d01c0d616 100644 --- a/windows/manage/index.md +++ b/windows/manage/index.md @@ -37,6 +37,10 @@ Learn about managing and updating Windows 10.

You can use the same management tools to manage all device types running Windows 10 : desktops, laptops, tablets, and phones. And your current management tools, such as Group Policy, Windows Management Instrumentation (WMI), PowerShell scripts, Orchestrator runbooks, System Center tools, and so on, will continue to work for Windows 10 on desktop editions.

+

[Windows Spotlight on the lock screen](windows-spotlight.md)

+

Windows Spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen.

+ +

[Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md)

Organizations might want to deploy a customized Start screen and menu to devices running Windows 10 Enterprise or Windows 10 Education. A standard Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes.

From 97c40f1136179bdbeab5460fcfa4517cfad045f3 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 20 Jul 2016 11:45:31 -0700 Subject: [PATCH 11/27] task# 6907269 --- windows/keep-secure/TOC.md | 3 --- ...g-a-device-guard-policy-for-signed-apps.md | 2 +- windows/keep-secure/credential-guard.md | 19 ++++++++++--------- ...vice-guard-certification-and-compliance.md | 2 +- ...o-run-on-device-guard-protected-devices.md | 2 +- .../whats-new-windows-10-version-1607.md | 5 ++++- 6 files changed, 17 insertions(+), 16 deletions(-) diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index a0f4c9ecd3..eabba964c1 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -1,8 +1,5 @@ # [Keep Windows 10 secure](index.md) ## [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) -## [Device Guard certification and compliance](device-guard-certification-and-compliance.md) -### [Get apps to run on Device Guard-protected devices](getting-apps-to-run-on-device-guard-protected-devices.md) -### [Create a Device Guard code integrity policy based on a reference device](creating-a-device-guard-policy-for-signed-apps.md) ## [Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) ### [Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) ### [Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md) diff --git a/windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md b/windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md index fdf497e545..6d70cbad2b 100644 --- a/windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md +++ b/windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md @@ -1,5 +1,5 @@ --- title: Create a Device Guard code integrity policy based on a reference device (Windows 10) -redirect_url: device-guard-deployment-guide.md +redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/device-guard-deployment-guide --- diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 3974a748e2..ec7cb18cf2 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -144,9 +144,8 @@ First, you must add the virtualization-based security features. You can do this **Add the virtualization-based security features by using Programs and Features** 1. Open the Programs and Features control panel. 2. Click **Turn Windows feature on or off**. -3. Select the **Isolated User Mode** check box. -4. Go to **Hyper-V** -> **Hyper-V Platform**, and then select the **Hyper-V Hypervisor** check box. -5. Click **OK**. +3. Go to **Hyper-V** -> **Hyper-V Platform**, and then select the **Hyper-V Hypervisor** check box. +4. Click **OK**. **Add the virtualization-based security features to an offline image by using DISM** 1. Open an elevated command prompt. @@ -154,12 +153,14 @@ First, you must add the virtualization-based security features. You can do this ``` syntax dism /image: /Enable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /all ``` -3. Add Isolated User Mode by running the following command: - ``` syntax - dism /image: /Enable-Feature /FeatureName:IsolatedUserMode - ``` > **Note:**  You can also add these features to an online image by using either DISM or Configuration Manager. -  + + +In Windows 10, version 1607, Isolated User Mode is included with Hyper-V and does not need to be installed separately. If you're running a version of Windows 10 that's earlier than Windows 10, version 1607, you can run the following command to install Isolated User Mode: + +``` syntax +dism /image: /Enable-Feature /FeatureName:IsolatedUserMode +``` ### Turn on Credential Guard If you don't use Group Policy, you can enable Credential Guard by using the registry. @@ -203,7 +204,7 @@ If you have to remove Credential Guard on a PC, you need to do the following: 3. Accept the prompt to disable Credential Guard. 4. Alternatively, you can disable the virtualization-based security features to turn off Credential Guard. -> **Note: ** The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. If you want to turn off both Credential Guard and virtualization-based security, run the following bcdedit command after turning off all virtualization-based security Group Policy and registry settings: bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS +> **Note:** The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. If you want to turn off both Credential Guard and virtualization-based security, run the following bcdedit command after turning off all virtualization-based security Group Policy and registry settings: bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS For more info on virtualization-based security and Device Guard, see [Device Guard deployment guide](device-guard-deployment-guide.md).   diff --git a/windows/keep-secure/device-guard-certification-and-compliance.md b/windows/keep-secure/device-guard-certification-and-compliance.md index 5e60c5e980..566a6df4da 100644 --- a/windows/keep-secure/device-guard-certification-and-compliance.md +++ b/windows/keep-secure/device-guard-certification-and-compliance.md @@ -1,4 +1,4 @@ --- title: Device Guard certification and compliance (Windows 10) -redirect_url: device-guard-deployment-guide.md +redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/device-guard-deployment-guide --- diff --git a/windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md b/windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md index 542e85c56f..88a3f076b6 100644 --- a/windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md +++ b/windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md @@ -1,4 +1,4 @@ --- title: Get apps to run on Device Guard-protected devices (Windows 10) -redirect_url: device-guard-deployment-guide.md +redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/device-guard-deployment-guide --- diff --git a/windows/whats-new/whats-new-windows-10-version-1607.md b/windows/whats-new/whats-new-windows-10-version-1607.md index a92065f467..e93467c542 100644 --- a/windows/whats-new/whats-new-windows-10-version-1607.md +++ b/windows/whats-new/whats-new-windows-10-version-1607.md @@ -31,6 +31,10 @@ Windows ICD now includes simplified workflows for creating provisioning packages ## Security +### Credential Guard and Device Guard + +Isolated User Mode is now included with Hyper-V so you don't have to install it separately. + ### Windows Hello for Business When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name in Windows 10, version 1607. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. @@ -50,7 +54,6 @@ Additional changes for Windows Hello in Windows 10, version 1607: - New VPNv2 configuration service provider (CSP) adds configuration settings. For details, see [What's new in MDM enrollment and management](https://msdn.microsoft.com/en-us/library/windows/hardware/mt299056%28v=vs.85%29.aspx#whatsnew_1607) - Microsoft Intune: *VPN Profile (Windows 10 Desktop and Mobile and later)* policy template includes support for native VPN plug-ins. -   ## Management From d84da1c2ef7ae786fbdd905f0654a64a0f4849ce Mon Sep 17 00:00:00 2001 From: Nicola Dolci Date: Wed, 20 Jul 2016 11:54:47 -0700 Subject: [PATCH 12/27] Removing medium, just high for now --- .localization-config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.localization-config b/.localization-config index d363f9d920..148efa2f39 100644 --- a/.localization-config +++ b/.localization-config @@ -4,7 +4,7 @@ { "metadata": { - "localizationpriority": [ "high", "medium" ] + "localizationpriority": [ "high" ] } } ], From 649923b82f23a733167b223b21601fb5acb18f7f Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 20 Jul 2016 12:01:02 -0700 Subject: [PATCH 13/27] task# 7619482 --- windows/keep-secure/security-considerations-for-applocker.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/keep-secure/security-considerations-for-applocker.md b/windows/keep-secure/security-considerations-for-applocker.md index f7c0df0eab..0fc2aa0bc5 100644 --- a/windows/keep-secure/security-considerations-for-applocker.md +++ b/windows/keep-secure/security-considerations-for-applocker.md @@ -40,6 +40,8 @@ AppLocker can only control VBScript, JScript, .bat files, .cmd files, and Window AppLocker rules either allow or prevent an application from launching. AppLocker does not control the behavior of applications after they are launched. Applications could contain flags passed to functions that signal AppLocker to circumvent the rules and allow another .exe or .dll to be loaded. In practice, an application that is allowed by AppLocker could use these flags to bypass AppLocker rules and launch child processes. You must thoroughly examine each application before allowing them to run by using AppLocker rules. >**Note:**  Two flags that illustrate this condition are `SANDBOX_INERT`, which can be passed to `CreateRestrictedToken`, and `LOAD_IGNORE_CODE_AUTHZ_LEVEL`, which can be passed to `LoadLibraryEx`. Both of these flags signal AppLocker to circumvent the rules and allow a child .exe or .dll to be loaded. + +You can block the Windows Subsystem for Linux by blocking LxssManager.dll   ## Related topics From a9d909df346a2b406773fbc8e77d3540efd7c971 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Wed, 20 Jul 2016 12:06:09 -0700 Subject: [PATCH 14/27] tweaks --- .../manage/change-history-for-manage-and-update-windows-10.md | 3 +-- .../group-policies-for-enterprise-and-education-editions.md | 1 + windows/manage/lockdown-features-windows-10.md | 2 +- .../manage/windows-10-start-layout-options-and-policies.md | 4 +++- 4 files changed, 6 insertions(+), 4 deletions(-) diff --git a/windows/manage/change-history-for-manage-and-update-windows-10.md b/windows/manage/change-history-for-manage-and-update-windows-10.md index e2ae8bfc55..bef09aaf87 100644 --- a/windows/manage/change-history-for-manage-and-update-windows-10.md +++ b/windows/manage/change-history-for-manage-and-update-windows-10.md @@ -18,10 +18,9 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). The following new topics have been added: - [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md) -- [Diagnostics for devices managed by MDM](diagnostics-for-mdm-devices.md) - [Configure Windows 10 taskbar](configure-windows-10-taskbar.md) - [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md) -- [Guidelines for choosing an app for assigned access (kisok mode)](guidelines-for-assigned-access-app.md) +- [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) ## July 2016 diff --git a/windows/manage/group-policies-for-enterprise-and-education-editions.md b/windows/manage/group-policies-for-enterprise-and-education-editions.md index 748d4c7b86..c08ee29373 100644 --- a/windows/manage/group-policies-for-enterprise-and-education-editions.md +++ b/windows/manage/group-policies-for-enterprise-and-education-editions.md @@ -26,6 +26,7 @@ In Windows 10, version 1607, the following Group Policies apply only to Windows | **Force a specific default lock screen image** | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](https://technet.microsoft.com/en-us/itpro/windows/whats-new/windows-spotlight) | | **Start layout** | User Configuration\Administrative Templates\Start Menu and Taskbar | For more info, see [Manage Windows 10 Start layout options and policies](windows-10-start-layout-options-and-policies.md) | | **Turn off the Store application** | Computer Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application

User Configuration > Administrative Templates > Windows Components > Store > Turn off the Store | For more info, see [Knowledge Base article# 3135657](https://support.microsoft.com/en-us/kb/3135657). | +| **Don't search the web or display web results** | Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results | For more info, see [Cortana integration in your enterprise](manage-cortana-in-enterprise.md) | diff --git a/windows/manage/lockdown-features-windows-10.md b/windows/manage/lockdown-features-windows-10.md index b0d0851d25..0c82b6da7c 100644 --- a/windows/manage/lockdown-features-windows-10.md +++ b/windows/manage/lockdown-features-windows-10.md @@ -14,7 +14,7 @@ author: jdeckerMS **Applies to** - Windows 10 -- Windows 10 Mobile + Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10. This table maps Windows Embedded Industry 8.1 features to Windows 10 Enterprise features, along with links to documentation. diff --git a/windows/manage/windows-10-start-layout-options-and-policies.md b/windows/manage/windows-10-start-layout-options-and-policies.md index 3b744fbf9e..69c34458d1 100644 --- a/windows/manage/windows-10-start-layout-options-and-policies.md +++ b/windows/manage/windows-10-start-layout-options-and-policies.md @@ -16,10 +16,12 @@ author: jdeckerMS - Windows 10 -> **Looking for consumer information?** See [Customize the Start menu](http://windows.microsoft.com/en-us/windows-10/getstarted-see-whats-on-the-menu) and topic-to-be-added-for-taskbars +> **Looking for consumer information?** See [Customize the Start menu](http://windows.microsoft.com/en-us/windows-10/getstarted-see-whats-on-the-menu) Organizations might want to deploy a customized Start and taskbar configuration to devices running Windows 10 Enterprise or Windows 10 Education. A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. Configuring the taskbar allows the organization to pin useful apps for their employees and to remove apps that are pinned by default. +> **Note:** Taskbar configuration is available starting in Windows 10, version 1607. + ## Start options ![start layout sections](images/startannotated.png) From fbf779b03cf5974156ff8de66892f4d744382c30 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 20 Jul 2016 12:24:31 -0700 Subject: [PATCH 15/27] task# 7619482 --- windows/keep-secure/security-considerations-for-applocker.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/security-considerations-for-applocker.md b/windows/keep-secure/security-considerations-for-applocker.md index 0fc2aa0bc5..c959f1bfd0 100644 --- a/windows/keep-secure/security-considerations-for-applocker.md +++ b/windows/keep-secure/security-considerations-for-applocker.md @@ -41,7 +41,7 @@ AppLocker rules either allow or prevent an application from launching. AppLocker >**Note:**  Two flags that illustrate this condition are `SANDBOX_INERT`, which can be passed to `CreateRestrictedToken`, and `LOAD_IGNORE_CODE_AUTHZ_LEVEL`, which can be passed to `LoadLibraryEx`. Both of these flags signal AppLocker to circumvent the rules and allow a child .exe or .dll to be loaded. -You can block the Windows Subsystem for Linux by blocking LxssManager.dll +You can block the Windows Subsystem for Linux by blocking LxssManager.dll.   ## Related topics From f17ae00769b95472428be2f86ceee37b259daa41 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 20 Jul 2016 13:40:45 -0700 Subject: [PATCH 16/27] task# 8121779 --- ...devices-to-the-membership-group-for-a-zone.md | 2 +- ...devices-to-the-membership-group-for-a-zone.md | 2 +- ...late-files-for-settings-used-in-this-guide.md | 2 +- .../assign-security-group-filters-to-the-gpo.md | 2 +- .../keep-secure/basic-firewall-policy-design.md | 2 +- windows/keep-secure/boundary-zone-gpos.md | 2 +- windows/keep-secure/boundary-zone.md | 4 ++-- ...cate-based-isolation-policy-design-example.md | 2 +- .../certificate-based-isolation-policy-design.md | 2 +- .../change-history-for-keep-windows-10-secure.md | 2 +- .../change-rules-from-request-to-require-mode.md | 2 +- ...cklist-configuring-basic-firewall-settings.md | 2 +- ...figuring-rules-for-an-isolated-server-zone.md | 2 +- ...rvers-in-a-standalone-isolated-server-zone.md | 2 +- ...st-configuring-rules-for-the-boundary-zone.md | 2 +- ...-configuring-rules-for-the-encryption-zone.md | 2 +- ...-configuring-rules-for-the-isolated-domain.md | 2 +- .../checklist-creating-group-policy-objects.md | 2 +- .../checklist-creating-inbound-firewall-rules.md | 2 +- ...checklist-creating-outbound-firewall-rules.md | 2 +- ...ients-of-a-standalone-isolated-server-zone.md | 2 +- ...mplementing-a-basic-firewall-policy-design.md | 4 ++-- ...-certificate-based-isolation-policy-design.md | 2 +- ...lementing-a-domain-isolation-policy-design.md | 2 +- ...-standalone-server-isolation-policy-design.md | 2 +- .../configure-authentication-methods.md | 2 +- ...figure-data-protection-quick-mode-settings.md | 2 +- ...licy-to-autoenroll-and-deploy-certificates.md | 2 +- .../configure-key-exchange-main-mode-settings.md | 2 +- .../configure-the-windows-firewall-log.md | 2 +- ...tation-authentication-certificate-template.md | 2 +- ...ss-notifications-when-a-program-is-blocked.md | 2 +- ...m-that-certificates-are-deployed-correctly.md | 2 +- .../copy-a-gpo-to-create-a-new-gpo.md | 4 ++-- ...create-a-group-account-in-active-directory.md | 2 +- .../keep-secure/create-a-group-policy-object.md | 2 +- ...eate-an-authentication-exemption-list-rule.md | 2 +- .../create-an-authentication-request-rule.md | 2 +- .../keep-secure/create-an-inbound-icmp-rule.md | 2 +- .../keep-secure/create-an-inbound-port-rule.md | 2 +- .../create-an-inbound-program-or-service-rule.md | 2 +- .../keep-secure/create-an-outbound-port-rule.md | 2 +- ...create-an-outbound-program-or-service-rule.md | 2 +- .../create-inbound-rules-to-support-rpc.md | 2 +- .../create-wmi-filters-for-the-gpo.md | 2 +- ...s-firewall-with-advanced-security-strategy.md | 2 +- ...ermining-the-trusted-state-of-your-devices.md | 2 +- windows/keep-secure/documenting-the-zones.md | 2 +- .../domain-isolation-policy-design-example.md | 2 +- .../domain-isolation-policy-design.md | 2 +- .../enable-predefined-inbound-rules.md | 2 +- .../enable-predefined-outbound-rules.md | 2 +- windows/keep-secure/encryption-zone-gpos.md | 2 +- windows/keep-secure/encryption-zone.md | 2 +- ...all-with-advanced-security-design-examples.md | 2 +- windows/keep-secure/event-4706.md | 12 ++++++------ windows/keep-secure/event-4716.md | 12 ++++++------ windows/keep-secure/event-4739.md | 16 ++++++++-------- .../exempt-icmp-from-authentication.md | 2 +- windows/keep-secure/exemption-list.md | 2 +- windows/keep-secure/firewall-gpos.md | 2 +- .../firewall-policy-design-example.md | 6 +++--- ...ion-about-your-active-directory-deployment.md | 2 +- ...-about-your-current-network-infrastructure.md | 2 +- .../gathering-information-about-your-devices.md | 2 +- .../gathering-other-relevant-information.md | 2 +- .../gathering-the-information-you-need.md | 2 +- windows/keep-secure/gpo-domiso-boundary.md | 2 +- windows/keep-secure/gpo-domiso-firewall.md | 2 +- .../gpo-domiso-isolateddomain-clients.md | 2 +- .../gpo-domiso-isolateddomain-servers.md | 2 +- ...ll-with-advanced-security-deployment-goals.md | 2 +- ...irewall-with-advanced-security-design-plan.md | 2 +- windows/keep-secure/isolated-domain-gpos.md | 2 +- windows/keep-secure/isolated-domain.md | 2 +- .../isolating-apps-on-your-network.md | 2 +- .../keep-secure/link-the-gpo-to-the-domain.md | 2 +- ...ows-firewall-with-advanced-security-design.md | 2 +- windows/keep-secure/microsoft-passport-guide.md | 2 +- ...-to-a-different-zone-or-version-of-windows.md | 2 +- ...management-console-to-ip-security-policies.md | 2 +- ...to-windows-firewall-with-advanced-security.md | 2 +- ...icy-management-console-to-windows-firewall.md | 2 +- ...en-windows-firewall-with-advanced-security.md | 2 +- .../planning-certificate-based-authentication.md | 2 +- .../planning-domain-isolation-zones.md | 2 +- windows/keep-secure/planning-gpo-deployment.md | 2 +- ...policy-deployment-for-your-isolation-zones.md | 2 +- .../planning-isolation-groups-for-the-zones.md | 2 +- .../planning-network-access-groups.md | 2 +- .../planning-server-isolation-zones.md | 2 +- ...nning-settings-for-a-basic-firewall-policy.md | 2 +- windows/keep-secure/planning-the-gpos.md | 2 +- ...oy-windows-firewall-with-advanced-security.md | 2 +- ...ows-firewall-with-advanced-security-design.md | 2 +- .../keep-secure/procedures-used-in-this-guide.md | 2 +- ...tect-devices-from-unwanted-network-traffic.md | 2 +- ...when-accessing-sensitive-network-resources.md | 2 +- ...-access-to-only-specified-users-or-devices.md | 2 +- .../restrict-access-to-only-trusted-devices.md | 2 +- ...t-server-access-to-members-of-a-group-only.md | 2 +- ...nd-to-end-ipsec-connections-by-using-ikev2.md | 2 +- windows/keep-secure/server-isolation-gpos.md | 2 +- .../server-isolation-policy-design-example.md | 2 +- .../server-isolation-policy-design.md | 2 +- ...ws-firewall-and-configure-default-behavior.md | 2 +- ...rol-group-policy-and-registry-key-settings.md | 2 +- .../keep-secure/user-account-control-overview.md | 2 +- ...rify-that-network-traffic-is-authenticated.md | 2 +- windows/keep-secure/windows-10-security-guide.md | 2 +- ...ity-administration-with-windows-powershell.md | 2 +- ...ll-with-advanced-security-deployment-guide.md | 2 +- ...rewall-with-advanced-security-design-guide.md | 2 +- .../windows-firewall-with-advanced-security.md | 2 +- ...ure-windows-telemetry-in-your-organization.md | 2 +- 115 files changed, 137 insertions(+), 137 deletions(-) diff --git a/windows/keep-secure/add-production-devices-to-the-membership-group-for-a-zone.md b/windows/keep-secure/add-production-devices-to-the-membership-group-for-a-zone.md index fc07133c99..69108c1fcc 100644 --- a/windows/keep-secure/add-production-devices-to-the-membership-group-for-a-zone.md +++ b/windows/keep-secure/add-production-devices-to-the-membership-group-for-a-zone.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 After you test the GPOs for your design on a small set of devices, you can deploy them to the production devices. diff --git a/windows/keep-secure/add-test-devices-to-the-membership-group-for-a-zone.md b/windows/keep-secure/add-test-devices-to-the-membership-group-for-a-zone.md index f5f2edf9d6..11b782d3f8 100644 --- a/windows/keep-secure/add-test-devices-to-the-membership-group-for-a-zone.md +++ b/windows/keep-secure/add-test-devices-to-the-membership-group-for-a-zone.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 Before you deploy your rules to large numbers of devices, you must thoroughly test the rules to make sure that communications are working as expected. A misplaced WMI filter or an incorrectly typed IP address in a filter list can easily block communications between devices. Although we recommend that you set your rules to request mode until testing and deployment is complete, we also recommend that you initially deploy the rules to a small number of devices only to be sure that the correct GPOs are being processed by each device. diff --git a/windows/keep-secure/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md b/windows/keep-secure/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md index f72093bb1e..f567285c1b 100644 --- a/windows/keep-secure/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md +++ b/windows/keep-secure/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 You can import an XML file containing customized registry preferences into a Group Policy Object (GPO) by using the Preferences feature of the Group Policy Management Console (GPMC). diff --git a/windows/keep-secure/assign-security-group-filters-to-the-gpo.md b/windows/keep-secure/assign-security-group-filters-to-the-gpo.md index f6dcdfddf4..d70e138887 100644 --- a/windows/keep-secure/assign-security-group-filters-to-the-gpo.md +++ b/windows/keep-secure/assign-security-group-filters-to-the-gpo.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 To make sure that your GPO is applied to the correct computers, use the Group Policy Management MMC snap-in to assign security group filters to the GPO. diff --git a/windows/keep-secure/basic-firewall-policy-design.md b/windows/keep-secure/basic-firewall-policy-design.md index 3863b0cf74..bbc34eda26 100644 --- a/windows/keep-secure/basic-firewall-policy-design.md +++ b/windows/keep-secure/basic-firewall-policy-design.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 Many organizations have a network perimeter firewall that is designed to prevent the entry of malicious traffic in to the organization's network, but do not have a host-based firewall enabled on each device in the organization. diff --git a/windows/keep-secure/boundary-zone-gpos.md b/windows/keep-secure/boundary-zone-gpos.md index 66865b93a6..550aa7e934 100644 --- a/windows/keep-secure/boundary-zone-gpos.md +++ b/windows/keep-secure/boundary-zone-gpos.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 All the devices in the boundary zone are added to the group CG\_DOMISO\_Boundary. You must create multiple GPOs to align with this group, one for each operating system that you have in your boundary zone. This group is granted Read and Apply permissions in Group Policy on the GPOs described in this section. diff --git a/windows/keep-secure/boundary-zone.md b/windows/keep-secure/boundary-zone.md index b44e15fdc1..da0878002d 100644 --- a/windows/keep-secure/boundary-zone.md +++ b/windows/keep-secure/boundary-zone.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 In most organizations, some devices must be able to receive network traffic from devices that are not part of the isolated domain, and therefore cannot authenticate. To accept communications from untrusted devices, create a boundary zone within your isolated domain. @@ -60,4 +60,4 @@ The boundary zone GPO for devices running at least Windows Server 2008 should i >**Note:**  For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) -**Next: **[Encryption Zone](encryption-zone.md) +**Next:**[Encryption Zone](encryption-zone.md) diff --git a/windows/keep-secure/certificate-based-isolation-policy-design-example.md b/windows/keep-secure/certificate-based-isolation-policy-design-example.md index 8b5e59db2e..0c3612bef6 100644 --- a/windows/keep-secure/certificate-based-isolation-policy-design-example.md +++ b/windows/keep-secure/certificate-based-isolation-policy-design-example.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 This design example continues to use the fictitious company Woodgrove Bank, as described in the sections [Firewall Policy Design Example](firewall-policy-design-example.md), [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md), and [Server Isolation Policy Design Example](server-isolation-policy-design-example.md). diff --git a/windows/keep-secure/certificate-based-isolation-policy-design.md b/windows/keep-secure/certificate-based-isolation-policy-design.md index 8d0483f776..6a1a244f5c 100644 --- a/windows/keep-secure/certificate-based-isolation-policy-design.md +++ b/windows/keep-secure/certificate-based-isolation-policy-design.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 In the certificate-based isolation policy design, you provide the same types of protections to your network traffic as described in the [Domain Isolation Policy Design](domain-isolation-policy-design.md) and [Server Isolation Policy Design](server-isolation-policy-design.md) sections. The only difference is the method used to share identification credentials during the authentication of your network traffic. diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index 58a9cc9fd8..2393c3659e 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md @@ -47,7 +47,7 @@ The topics in this library have been updated for Windows 10, version 1607 (also | [Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) | Added errors 0x80090029 and 0x80070057, and merged entries for error 0x801c03ed. | | [Microsoft Passport guide](microsoft-passport-guide.md) | Updated Roadmap section content | |[Protect your enterprise data using enterprise data protection (EDP)](protect-enterprise-data-using-edp.md) |Updated info based on changes to the features and functionality.| -| [User Account Control Group Policy and registry key settings](user-account-control-group-policy-and-registry-key-settings.md) | Updated for Windows 10 and Windows Server 2016 Technical Preview | +| [User Account Control Group Policy and registry key settings](user-account-control-group-policy-and-registry-key-settings.md) | Updated for Windows 10 and Windows Server 2016 | |[Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) (mutiple topics) | New | ## April 2016 diff --git a/windows/keep-secure/change-rules-from-request-to-require-mode.md b/windows/keep-secure/change-rules-from-request-to-require-mode.md index 156957d053..747345df41 100644 --- a/windows/keep-secure/change-rules-from-request-to-require-mode.md +++ b/windows/keep-secure/change-rules-from-request-to-require-mode.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 After you confirm that network traffic is being correctly protected by using IPsec, you can change the rules for the domain isolation and encryption zones to require, instead of request, authentication. Do not change the rules for the boundary zone; they must stay in request mode so that devices in the boundary zone can continue to accept connections from devices that are not part of the isolated domain. diff --git a/windows/keep-secure/checklist-configuring-basic-firewall-settings.md b/windows/keep-secure/checklist-configuring-basic-firewall-settings.md index 979ef0e243..af8be53831 100644 --- a/windows/keep-secure/checklist-configuring-basic-firewall-settings.md +++ b/windows/keep-secure/checklist-configuring-basic-firewall-settings.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 This checklist includes tasks for configuring a GPO with firewall defaults and settings that are separate from the rules. diff --git a/windows/keep-secure/checklist-configuring-rules-for-an-isolated-server-zone.md b/windows/keep-secure/checklist-configuring-rules-for-an-isolated-server-zone.md index a3cd9303ca..5385c20f4d 100644 --- a/windows/keep-secure/checklist-configuring-rules-for-an-isolated-server-zone.md +++ b/windows/keep-secure/checklist-configuring-rules-for-an-isolated-server-zone.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs for servers in an isolated server zone that are part of an isolated domain. For information about creating a standalone isolated server zone that is not part of an isolated domain, see [Checklist: Implementing a Standalone Server Isolation Policy Design](checklist-implementing-a-standalone-server-isolation-policy-design.md). diff --git a/windows/keep-secure/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md b/windows/keep-secure/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md index f954a6f45e..996a84ad21 100644 --- a/windows/keep-secure/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md +++ b/windows/keep-secure/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs for servers in a standalone isolated server zone that is not part of an isolated domain. In addition to requiring authentication and optionally encryption, servers in a server isolation zone are accessible only by users or devices that are authenticated as members of a network access group (NAG). The GPOs described here apply only to the isolated servers, not to the client devices that connect to them. For the GPOs for the client devices, see [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md). diff --git a/windows/keep-secure/checklist-configuring-rules-for-the-boundary-zone.md b/windows/keep-secure/checklist-configuring-rules-for-the-boundary-zone.md index 898aff61c0..93506e5368 100644 --- a/windows/keep-secure/checklist-configuring-rules-for-the-boundary-zone.md +++ b/windows/keep-secure/checklist-configuring-rules-for-the-boundary-zone.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs to implement the boundary zone in an isolated domain. diff --git a/windows/keep-secure/checklist-configuring-rules-for-the-encryption-zone.md b/windows/keep-secure/checklist-configuring-rules-for-the-encryption-zone.md index 8bf35ebe8e..aba8c91407 100644 --- a/windows/keep-secure/checklist-configuring-rules-for-the-encryption-zone.md +++ b/windows/keep-secure/checklist-configuring-rules-for-the-encryption-zone.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs to implement the encryption zone in an isolated domain. diff --git a/windows/keep-secure/checklist-configuring-rules-for-the-isolated-domain.md b/windows/keep-secure/checklist-configuring-rules-for-the-isolated-domain.md index 41375ddbad..4533b51003 100644 --- a/windows/keep-secure/checklist-configuring-rules-for-the-isolated-domain.md +++ b/windows/keep-secure/checklist-configuring-rules-for-the-isolated-domain.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs to implement the main zone in the isolated domain. diff --git a/windows/keep-secure/checklist-creating-group-policy-objects.md b/windows/keep-secure/checklist-creating-group-policy-objects.md index b846638c4e..207e94a1a5 100644 --- a/windows/keep-secure/checklist-creating-group-policy-objects.md +++ b/windows/keep-secure/checklist-creating-group-policy-objects.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 To deploy firewall or IPsec settings or firewall or connection security rules, we recommend that you use Group Policy in AD DS. This section describes a tested, efficient method that requires some up-front work, but serves an administrator well in the long run by making GPO assignments as easy as dropping a device into a membership group. diff --git a/windows/keep-secure/checklist-creating-inbound-firewall-rules.md b/windows/keep-secure/checklist-creating-inbound-firewall-rules.md index 16681cba2a..bf0e277be4 100644 --- a/windows/keep-secure/checklist-creating-inbound-firewall-rules.md +++ b/windows/keep-secure/checklist-creating-inbound-firewall-rules.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 This checklist includes tasks for creating firewall rules in your GPOs. diff --git a/windows/keep-secure/checklist-creating-outbound-firewall-rules.md b/windows/keep-secure/checklist-creating-outbound-firewall-rules.md index 22b8d892c8..9187d83a88 100644 --- a/windows/keep-secure/checklist-creating-outbound-firewall-rules.md +++ b/windows/keep-secure/checklist-creating-outbound-firewall-rules.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 This checklist includes tasks for creating outbound firewall rules in your GPOs. diff --git a/windows/keep-secure/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md b/windows/keep-secure/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md index bd5a21cdb8..febc811262 100644 --- a/windows/keep-secure/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md +++ b/windows/keep-secure/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 This checklist includes tasks for configuring connection security rules and IPsec settings in the GPOs for client devices that must connect to servers in an isolated server zone. diff --git a/windows/keep-secure/checklist-implementing-a-basic-firewall-policy-design.md b/windows/keep-secure/checklist-implementing-a-basic-firewall-policy-design.md index f72a945895..0e170e2c53 100644 --- a/windows/keep-secure/checklist-implementing-a-basic-firewall-policy-design.md +++ b/windows/keep-secure/checklist-implementing-a-basic-firewall-policy-design.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 This parent checklist includes cross-reference links to important concepts about the basic firewall policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design. @@ -26,7 +26,7 @@ The procedures in this section use the Group Policy MMC snap-in interfaces to co | Task | Reference | | - | - | | Review important concepts and examples for the basic firewall policy design to determine if this design meets the needs of your organization. | [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
[Basic Firewall Policy Design](basic-firewall-policy-design.md)
[Firewall Policy Design Example](firewall-policy-design-example.md)
[Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md)| -| Create the membership group and a GPO for each set of devices that require different firewall rules. Where GPOs will be similar, such as for Windows 10 and Windows Server 2016 Technical Preview, create one GPO, configure it by using the tasks in this checklist, and then make a copy of the GPO for the other version of Windows. For example, create and configure the GPO for Windows 10, make a copy of it for Windows Server 2016 Technical Preview, and then follow the steps in this checklist to make the few required changes to the copy. | [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| +| Create the membership group and a GPO for each set of devices that require different firewall rules. Where GPOs will be similar, such as for Windows 10 and Windows Server 2016, create one GPO, configure it by using the tasks in this checklist, and then make a copy of the GPO for the other version of Windows. For example, create and configure the GPO for Windows 10, make a copy of it for Windows Server 2016, and then follow the steps in this checklist to make the few required changes to the copy. | [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| | If you are working on a GPO that was copied from another, modify the group membership and WMI filters so that they are correct for the devices for which this GPO is intended.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)| | Configure the GPO with firewall default settings appropriate for your design.| [Checklist: Configuring Basic Firewall Settings](checklist-configuring-basic-firewall-settings.md)| | Create one or more inbound firewall rules to allow unsolicited inbound network traffic.| [Checklist: Creating Inbound Firewall Rules](checklist-creating-inbound-firewall-rules.md)| diff --git a/windows/keep-secure/checklist-implementing-a-certificate-based-isolation-policy-design.md b/windows/keep-secure/checklist-implementing-a-certificate-based-isolation-policy-design.md index 1cab0a3744..6a65e70ac2 100644 --- a/windows/keep-secure/checklist-implementing-a-certificate-based-isolation-policy-design.md +++ b/windows/keep-secure/checklist-implementing-a-certificate-based-isolation-policy-design.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 This parent checklist includes cross-reference links to important concepts about using certificates as an authentication option in either a domain isolation or server isolation design. diff --git a/windows/keep-secure/checklist-implementing-a-domain-isolation-policy-design.md b/windows/keep-secure/checklist-implementing-a-domain-isolation-policy-design.md index a57af52e9a..1c370cc0c7 100644 --- a/windows/keep-secure/checklist-implementing-a-domain-isolation-policy-design.md +++ b/windows/keep-secure/checklist-implementing-a-domain-isolation-policy-design.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 This parent checklist includes cross-reference links to important concepts about the domain isolation policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design. diff --git a/windows/keep-secure/checklist-implementing-a-standalone-server-isolation-policy-design.md b/windows/keep-secure/checklist-implementing-a-standalone-server-isolation-policy-design.md index e4ed2e3d00..533859a661 100644 --- a/windows/keep-secure/checklist-implementing-a-standalone-server-isolation-policy-design.md +++ b/windows/keep-secure/checklist-implementing-a-standalone-server-isolation-policy-design.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 This checklist contains procedures for creating a server isolation policy design that is not part of an isolated domain. For the steps required to create an isolated server zone within an isolated domain, see [Checklist: Configuring Rules for an Isolated Server Zone](checklist-configuring-rules-for-an-isolated-server-zone.md). diff --git a/windows/keep-secure/configure-authentication-methods.md b/windows/keep-secure/configure-authentication-methods.md index c637681093..cee5bff4da 100644 --- a/windows/keep-secure/configure-authentication-methods.md +++ b/windows/keep-secure/configure-authentication-methods.md @@ -14,7 +14,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 This procedure shows you how to configure the authentication methods that can be used by computers in an isolated domain or standalone isolated server zone. diff --git a/windows/keep-secure/configure-data-protection-quick-mode-settings.md b/windows/keep-secure/configure-data-protection-quick-mode-settings.md index 1b0e5489ab..4c7f4c94ea 100644 --- a/windows/keep-secure/configure-data-protection-quick-mode-settings.md +++ b/windows/keep-secure/configure-data-protection-quick-mode-settings.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 This procedure shows you how to configure the data protection (quick mode) settings for connection security rules in an isolated domain or a standalone isolated server zone. diff --git a/windows/keep-secure/configure-group-policy-to-autoenroll-and-deploy-certificates.md b/windows/keep-secure/configure-group-policy-to-autoenroll-and-deploy-certificates.md index a3687db1b5..0251ff4352 100644 --- a/windows/keep-secure/configure-group-policy-to-autoenroll-and-deploy-certificates.md +++ b/windows/keep-secure/configure-group-policy-to-autoenroll-and-deploy-certificates.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 You can use this procedure to configure Group Policy to automatically enroll client computer certificates and deploy them to the workstations on your network. Follow this procedure for each GPO that contains IPsec connection security rules that require this certificate. diff --git a/windows/keep-secure/configure-key-exchange-main-mode-settings.md b/windows/keep-secure/configure-key-exchange-main-mode-settings.md index 097d29b877..dd11e2d12d 100644 --- a/windows/keep-secure/configure-key-exchange-main-mode-settings.md +++ b/windows/keep-secure/configure-key-exchange-main-mode-settings.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 This procedure shows you how to configure the main mode key exchange settings used to secure the IPsec authentication traffic. diff --git a/windows/keep-secure/configure-the-windows-firewall-log.md b/windows/keep-secure/configure-the-windows-firewall-log.md index 0784a64b85..086d294c27 100644 --- a/windows/keep-secure/configure-the-windows-firewall-log.md +++ b/windows/keep-secure/configure-the-windows-firewall-log.md @@ -14,7 +14,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 To configure Windows Firewall to log dropped packets or successful connections, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in. diff --git a/windows/keep-secure/configure-the-workstation-authentication-certificate-template.md b/windows/keep-secure/configure-the-workstation-authentication-certificate-template.md index 89b5eb68e9..3b75bc141f 100644 --- a/windows/keep-secure/configure-the-workstation-authentication-certificate-template.md +++ b/windows/keep-secure/configure-the-workstation-authentication-certificate-template.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 This procedure describes how to configure a certificate template that Active Directory Certification Services (AD CS) uses as the starting point for device certificates that are automatically enrolled and deployed to workstations in the domain. It shows how to create a copy of a template, and then configure the template according to your design requirements. diff --git a/windows/keep-secure/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md b/windows/keep-secure/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md index b4990058e6..057dd20255 100644 --- a/windows/keep-secure/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md +++ b/windows/keep-secure/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 To configure Windows Firewall to suppress the display of a notification when it blocks a program that tries to listen for network traffic and to prohibit locally defined rules, use the Windows Firewall with Advanced Security node in the Group Policy Management console. diff --git a/windows/keep-secure/confirm-that-certificates-are-deployed-correctly.md b/windows/keep-secure/confirm-that-certificates-are-deployed-correctly.md index 0423277e45..c64746932b 100644 --- a/windows/keep-secure/confirm-that-certificates-are-deployed-correctly.md +++ b/windows/keep-secure/confirm-that-certificates-are-deployed-correctly.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 After configuring your certificates and autoenrollment in Group Policy, you can confirm that the policy is being applied as expected, and that the certificates are being properly installed on the workstation devices. diff --git a/windows/keep-secure/copy-a-gpo-to-create-a-new-gpo.md b/windows/keep-secure/copy-a-gpo-to-create-a-new-gpo.md index 694250fe3b..0b0fc49d34 100644 --- a/windows/keep-secure/copy-a-gpo-to-create-a-new-gpo.md +++ b/windows/keep-secure/copy-a-gpo-to-create-a-new-gpo.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 To create the GPO for the boundary zone devices, make a copy of the main domain isolation GPO, and then change the settings to request, instead of require, authentication. To make a copy of a GPO, use the Active Directory Users and devices MMC snap-in. @@ -47,4 +47,4 @@ To complete this procedure, you must be a member of the Domain Administrators gr 12. Type the name of the group that contains members of the boundary zone, for example **CG\_DOMISO\_Boundary**, and then click **OK**. -13. If required, change the WMI filter to one appropriate for the new GPO. For example, if the original GPO is for client devices running Windows 10, and the new boundary zone GPO is for devices running Windows Server 2016 Technical Preview, then select a WMI filter that allows only those devices to read and apply the GPO. +13. If required, change the WMI filter to one appropriate for the new GPO. For example, if the original GPO is for client devices running Windows 10, and the new boundary zone GPO is for devices running Windows Server 2016, then select a WMI filter that allows only those devices to read and apply the GPO. diff --git a/windows/keep-secure/create-a-group-account-in-active-directory.md b/windows/keep-secure/create-a-group-account-in-active-directory.md index 6aeb64d983..6ada08d53f 100644 --- a/windows/keep-secure/create-a-group-account-in-active-directory.md +++ b/windows/keep-secure/create-a-group-account-in-active-directory.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 To create a security group to contain the computer accounts for the computers that are to receive a set of Group Policy settings, use the Active Directory Users and Computers console. diff --git a/windows/keep-secure/create-a-group-policy-object.md b/windows/keep-secure/create-a-group-policy-object.md index 42a0e5ae62..bdd41a37ca 100644 --- a/windows/keep-secure/create-a-group-policy-object.md +++ b/windows/keep-secure/create-a-group-policy-object.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 To create a new GPO, use the Active Directory Users and Computers MMC snap-in. diff --git a/windows/keep-secure/create-an-authentication-exemption-list-rule.md b/windows/keep-secure/create-an-authentication-exemption-list-rule.md index b0a4ec1118..e48455f5e9 100644 --- a/windows/keep-secure/create-an-authentication-exemption-list-rule.md +++ b/windows/keep-secure/create-an-authentication-exemption-list-rule.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 In almost any isolated server or isolated domain scenario, there are some devices or devices that cannot communicate by using IPsec. This procedure shows you how to create rules that exempt those devices from the authentication requirements of your isolation policies. diff --git a/windows/keep-secure/create-an-authentication-request-rule.md b/windows/keep-secure/create-an-authentication-request-rule.md index 1c947f68f9..42617dc699 100644 --- a/windows/keep-secure/create-an-authentication-request-rule.md +++ b/windows/keep-secure/create-an-authentication-request-rule.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 After you have configured IPsec algorithms and authentication methods, you can create the rule that requires the devices on the network to use those protocols and methods before they can communicate. diff --git a/windows/keep-secure/create-an-inbound-icmp-rule.md b/windows/keep-secure/create-an-inbound-icmp-rule.md index f76bba3007..83983389da 100644 --- a/windows/keep-secure/create-an-inbound-icmp-rule.md +++ b/windows/keep-secure/create-an-inbound-icmp-rule.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 To allow inbound Internet Control Message Protocol (ICMP) network traffic, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows ICMP requests and responses to be sent and received by computers on the network. diff --git a/windows/keep-secure/create-an-inbound-port-rule.md b/windows/keep-secure/create-an-inbound-port-rule.md index e2a911293f..212bf9a8fc 100644 --- a/windows/keep-secure/create-an-inbound-port-rule.md +++ b/windows/keep-secure/create-an-inbound-port-rule.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 To allow inbound network traffic on only a specified TCP or UDP port number, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows any program that listens on a specified TCP or UDP port to receive network traffic sent to that port. diff --git a/windows/keep-secure/create-an-inbound-program-or-service-rule.md b/windows/keep-secure/create-an-inbound-program-or-service-rule.md index 51524c047d..62c8e83e1b 100644 --- a/windows/keep-secure/create-an-inbound-program-or-service-rule.md +++ b/windows/keep-secure/create-an-inbound-program-or-service-rule.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 To allow inbound network traffic to a specified program or service, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows the program to listen and receive inbound network traffic on any port. diff --git a/windows/keep-secure/create-an-outbound-port-rule.md b/windows/keep-secure/create-an-outbound-port-rule.md index 98c85d581c..9a06f49266 100644 --- a/windows/keep-secure/create-an-outbound-port-rule.md +++ b/windows/keep-secure/create-an-outbound-port-rule.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 By default, Windows Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. To block outbound network traffic on a specified TCP or UDP port number, use the Windows Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. This type of rule blocks any outbound network traffic that matches the specified TCP or UDP port numbers. diff --git a/windows/keep-secure/create-an-outbound-program-or-service-rule.md b/windows/keep-secure/create-an-outbound-program-or-service-rule.md index 342e863ffd..2e7e5c2e1e 100644 --- a/windows/keep-secure/create-an-outbound-program-or-service-rule.md +++ b/windows/keep-secure/create-an-outbound-program-or-service-rule.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 By default, Windows Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. To block outbound network traffic for a specified program or service, use the Windows Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. This type of rule prevents the program from sending any outbound network traffic on any port. diff --git a/windows/keep-secure/create-inbound-rules-to-support-rpc.md b/windows/keep-secure/create-inbound-rules-to-support-rpc.md index 0ba04d529e..a7cf60c649 100644 --- a/windows/keep-secure/create-inbound-rules-to-support-rpc.md +++ b/windows/keep-secure/create-inbound-rules-to-support-rpc.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 To allow inbound remote procedure call (RPC) network traffic, use the Windows Firewall with Advanced Security node in the Group Policy Management console to create two firewall rules. The first rule allows incoming network packets on TCP port 135 to the RPC Endpoint Mapper service. The incoming traffic consists of requests to communicate with a specified network service. The RPC Endpoint Mapper replies with a dynamically-assigned port number that the client must use to communicate with the service. The second rule allows the network traffic that is sent to the dynamically-assigned port number. Using the two rules configured as described in this topic helps to protect your device by allowing network traffic only from devices that have received RPC dynamic port redirection and to only those TCP port numbers assigned by the RPC Endpoint Mapper. diff --git a/windows/keep-secure/create-wmi-filters-for-the-gpo.md b/windows/keep-secure/create-wmi-filters-for-the-gpo.md index f4b066d3e1..3cbb5be9a5 100644 --- a/windows/keep-secure/create-wmi-filters-for-the-gpo.md +++ b/windows/keep-secure/create-wmi-filters-for-the-gpo.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 To make sure that each GPO associated with a group can only be applied to devices running the correct version of Windows, use the Group Policy Management MMC snap-in to create and assign WMI filters to the GPO. Although you can create a separate membership group for each GPO, you would then have to manage the memberships of the different groups. Instead, use only a single membership group, and let WMI filters automatically ensure the correct GPO is applied to each device. diff --git a/windows/keep-secure/designing-a-windows-firewall-with-advanced-security-strategy.md b/windows/keep-secure/designing-a-windows-firewall-with-advanced-security-strategy.md index 144252b206..df45d7bcb2 100644 --- a/windows/keep-secure/designing-a-windows-firewall-with-advanced-security-strategy.md +++ b/windows/keep-secure/designing-a-windows-firewall-with-advanced-security-strategy.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 To select the most effective design for helping to protect the network, you must spend time collecting key information about your current computer environment. You must have a good understanding of what tasks the devices on the network perform, and how they use the network to accomplish those tasks. You must understand the network traffic generated by the programs running on the devices. diff --git a/windows/keep-secure/determining-the-trusted-state-of-your-devices.md b/windows/keep-secure/determining-the-trusted-state-of-your-devices.md index 8bbd75608d..01ed85051c 100644 --- a/windows/keep-secure/determining-the-trusted-state-of-your-devices.md +++ b/windows/keep-secure/determining-the-trusted-state-of-your-devices.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 After obtaining information about the devices that are currently part of the IT infrastructure, you must determine at what point a device is considered trusted. The term *trusted* can mean different things to different people. Therefore, you must communicate a firm definition for it to all stakeholders in the project. Failure to do this can lead to problems with the security of the trusted environment, because the overall security cannot exceed the level of security set by the least secure client that achieves trusted status. diff --git a/windows/keep-secure/documenting-the-zones.md b/windows/keep-secure/documenting-the-zones.md index 88e67e80c4..9c120835e8 100644 --- a/windows/keep-secure/documenting-the-zones.md +++ b/windows/keep-secure/documenting-the-zones.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 Generally, the task of determining zone membership is not complex, but it can be time-consuming. Use the information generated during the [Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) section of this guide to determine the zone in which to put each host. You can document this zone placement by adding a Group column to the inventory table shown in the Designing a Windows Firewall with Advanced Security Strategy section. A sample is shown here: diff --git a/windows/keep-secure/domain-isolation-policy-design-example.md b/windows/keep-secure/domain-isolation-policy-design-example.md index 2bfcf9cbc8..f5cc8ea0f6 100644 --- a/windows/keep-secure/domain-isolation-policy-design-example.md +++ b/windows/keep-secure/domain-isolation-policy-design-example.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 This design example continues to use the fictitious company Woodgrove Bank, and builds on the example described in the [Firewall Policy Design Example](firewall-policy-design-example.md) section. See that example for an explanation of the basic corporate network infrastructure at Woodgrove Bank with diagrams. diff --git a/windows/keep-secure/domain-isolation-policy-design.md b/windows/keep-secure/domain-isolation-policy-design.md index da2564242b..6f15c8338f 100644 --- a/windows/keep-secure/domain-isolation-policy-design.md +++ b/windows/keep-secure/domain-isolation-policy-design.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 In the domain isolation policy design, you configure the devices on your network to accept only connections coming from devices that are authenticated as members of the same isolated domain. diff --git a/windows/keep-secure/enable-predefined-inbound-rules.md b/windows/keep-secure/enable-predefined-inbound-rules.md index fe16701837..59e8325dac 100644 --- a/windows/keep-secure/enable-predefined-inbound-rules.md +++ b/windows/keep-secure/enable-predefined-inbound-rules.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 Windows Firewall with Advanced Security includes many predefined rules for common networking roles and functions. When you install a new server role on a device or enable a network feature on a client device, the installer typically enables the rules required for that role instead of creating new ones. When deploying firewall rules to the devices on the network, you can take advantage of these predefined rules instead of creating new ones. Doing this helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use. diff --git a/windows/keep-secure/enable-predefined-outbound-rules.md b/windows/keep-secure/enable-predefined-outbound-rules.md index 1691399b8a..137de67aa2 100644 --- a/windows/keep-secure/enable-predefined-outbound-rules.md +++ b/windows/keep-secure/enable-predefined-outbound-rules.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 By default, Windows Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. Windows Firewall with Advanced Security includes many predefined outbound rules that can be used to block network traffic for common networking roles and functions. When you install a new server role on a computer or enable a network feature on a client computer, the installer can install, but typically does not enable, outbound block rules for that role. When deploying firewall rules to the computers on the network, you can take advantage of these predefined rules instead of creating new ones. Doing this helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use. diff --git a/windows/keep-secure/encryption-zone-gpos.md b/windows/keep-secure/encryption-zone-gpos.md index dcb49121a4..357f2eebfc 100644 --- a/windows/keep-secure/encryption-zone-gpos.md +++ b/windows/keep-secure/encryption-zone-gpos.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 Handle encryption zones in a similar manner to the boundary zones. A device is added to an encryption zone by adding the device account to the encryption zone group. Woodgrove Bank has a single service that must be protected, and the devices that are running that service are added to the group CG\_DOMISO\_Encryption. This group is granted Read and Apply Group Policy permissions in on the GPO described in this section. diff --git a/windows/keep-secure/encryption-zone.md b/windows/keep-secure/encryption-zone.md index f6fd2aacd4..7e59ef31e3 100644 --- a/windows/keep-secure/encryption-zone.md +++ b/windows/keep-secure/encryption-zone.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 Some servers in the organization host data that is very sensitive, including medical, financial, or other personally identifying data. Government or industry regulations might require that this sensitive information must be encrypted when it is transferred between devices. diff --git a/windows/keep-secure/evaluating-windows-firewall-with-advanced-security-design-examples.md b/windows/keep-secure/evaluating-windows-firewall-with-advanced-security-design-examples.md index 35a8444e6e..c7fe4f7637 100644 --- a/windows/keep-secure/evaluating-windows-firewall-with-advanced-security-design-examples.md +++ b/windows/keep-secure/evaluating-windows-firewall-with-advanced-security-design-examples.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 The following Windows Firewall with Advanced Security design examples illustrate how you can use Windows Firewall with Advanced Security to improve the security of the devices connected to the network. You can use these topics to evaluate how the firewall and connection security rules work across all Windows Firewall with Advanced Security designs and to determine which design or combination of designs best suits the goals of your organization. diff --git a/windows/keep-secure/event-4706.md b/windows/keep-secure/event-4706.md index 3eb6bdda15..936468b4c3 100644 --- a/windows/keep-secure/event-4706.md +++ b/windows/keep-secure/event-4706.md @@ -127,13 +127,13 @@ This event is generated only on domain controllers. | 0x1 | TRUST\_ATTRIBUTE\_NON\_TRANSITIVE | If this bit is set, then the trust cannot be used transitively. For example, if domain A trusts domain B, which in turn trusts domain C, and the A<-->B trust has this attribute set, then a client in domain A cannot authenticate to a server in domain C over the A<-->B<-->C trust linkage. | | 0x2 | TRUST\_ATTRIBUTE\_UPLEVEL\_ONLY | If this bit is set in the attribute, then only Windows 2000 operating system and newer clients may use the trust link. [Netlogon](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_70771a5a-04a3-447d-981b-e03098808c32) does not consume [trust objects](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_e81f6436-01d2-4311-93a4-4316bb67eabd) that have this flag set. | | 0x4 | TRUST\_ATTRIBUTE\_QUARANTINED\_DOMAIN | If this bit is set, the trusted domain is quarantined and is subject to the rules of [SID](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_83f2020d-0804-4840-a5ac-e06439d50f8d) Filtering as described in [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section [4.1.2.2](https://msdn.microsoft.com/en-us/library/cc237940.aspx). | -| 0x8 | TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE | If this bit is set, the trust link is a [cross-forest trust](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_86f3dbf2-338f-462e-8c5b-3c8e05798dbc) [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) between the root domains of two [forests](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_fd104241-4fb3-457c-b2c4-e0c18bb20b62), both of which are running in a [forest functional level](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_b3240417-ca43-4901-90ec-fde55b32b3b8) of DS\_BEHAVIOR\_WIN2003 or greater.
Only evaluated on Windows Server 2003 operating system, Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, Windows Server 2012 R2 operating system, and Windows Server 2016 Technical Preview operating system.
Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | -| 0x10 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION | If this bit is set, then the trust is to a domain or forest that is not part of the [organization](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_6fae7775-5232-4206-b452-f298546ab54f). The behavior controlled by this bit is explained in [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) section [3.3.5.7.5](https://msdn.microsoft.com/en-us/library/cc233949.aspx) and [\[MS-APDS\]](https://msdn.microsoft.com/en-us/library/cc223948.aspx) section [3.1.5](https://msdn.microsoft.com/en-us/library/cc223991.aspx).
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview.
Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | -| 0x20 | TRUST\_ATTRIBUTE\_WITHIN\_FOREST | If this bit is set, then the trusted domain is within the same forest.
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview. | -| 0x40 | TRUST\_ATTRIBUTE\_TREAT\_AS\_EXTERNAL | If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are more stringently [filtered](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_ffbe7b55-8e84-4f41-a18d-fc29191a4cda) than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section 4.1.2.2.
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview.
Only evaluated if SID Filtering is used.
Only evaluated on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | +| 0x8 | TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE | If this bit is set, the trust link is a [cross-forest trust](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_86f3dbf2-338f-462e-8c5b-3c8e05798dbc) [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) between the root domains of two [forests](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_fd104241-4fb3-457c-b2c4-e0c18bb20b62), both of which are running in a [forest functional level](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_b3240417-ca43-4901-90ec-fde55b32b3b8) of DS\_BEHAVIOR\_WIN2003 or greater.
Only evaluated on Windows Server 2003 operating system, Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, Windows Server 2012 R2 operating system, and Windows Server 2016 operating system.
Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | +| 0x10 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION | If this bit is set, then the trust is to a domain or forest that is not part of the [organization](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_6fae7775-5232-4206-b452-f298546ab54f). The behavior controlled by this bit is explained in [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) section [3.3.5.7.5](https://msdn.microsoft.com/en-us/library/cc233949.aspx) and [\[MS-APDS\]](https://msdn.microsoft.com/en-us/library/cc223948.aspx) section [3.1.5](https://msdn.microsoft.com/en-us/library/cc223991.aspx).
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.
Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | +| 0x20 | TRUST\_ATTRIBUTE\_WITHIN\_FOREST | If this bit is set, then the trusted domain is within the same forest.
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. | +| 0x40 | TRUST\_ATTRIBUTE\_TREAT\_AS\_EXTERNAL | If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are more stringently [filtered](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_ffbe7b55-8e84-4f41-a18d-fc29191a4cda) than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section 4.1.2.2.
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.
Only evaluated if SID Filtering is used.
Only evaluated on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | | 0x80 | TRUST\_ATTRIBUTE\_USES\_RC4\_ENCRYPTION | This bit is set on trusts with the [trustType](https://msdn.microsoft.com/en-us/library/cc220955.aspx) set to TRUST\_TYPE\_MIT, which are capable of using RC4 keys. Historically, MIT Kerberos distributions supported only DES and 3DES keys ([\[RFC4120\]](http://go.microsoft.com/fwlink/?LinkId=90458), [\[RFC3961\]](http://go.microsoft.com/fwlink/?LinkId=90450)). MIT 1.4.1 adopted the RC4HMAC encryption type common to Windows 2000 [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx), so trusted domains deploying later versions of the MIT distribution required this bit. For more information, see "Keys and Trusts", section [6.1.6.9.1](https://msdn.microsoft.com/en-us/library/cc223782.aspx).
Only evaluated on TRUST\_TYPE\_MIT | -| 0x200 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION\_NO\_TGT\_DELEGATION | If this bit is set, tickets granted under this trust MUST NOT be trusted for delegation. The behavior controlled by this bit is as specified in [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) section 3.3.5.7.5.
Only supported on Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview. | -| 0x400 | TRUST\_ATTRIBUTE\_PIM\_TRUST | If this bit and the TATE bit are set, then a cross-forest trust to a domain is to be treated as Privileged Identity Management trust for the purposes of SID Filtering. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section 4.1.2.2.
Evaluated only on Windows Server 2016 Technical Preview
Evaluated only if SID Filtering is used.
Evaluated only on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
Can be set only if the forest and the trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WINTHRESHOLD or greater. | +| 0x200 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION\_NO\_TGT\_DELEGATION | If this bit is set, tickets granted under this trust MUST NOT be trusted for delegation. The behavior controlled by this bit is as specified in [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) section 3.3.5.7.5.
Only supported on Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. | +| 0x400 | TRUST\_ATTRIBUTE\_PIM\_TRUST | If this bit and the TATE bit are set, then a cross-forest trust to a domain is to be treated as Privileged Identity Management trust for the purposes of SID Filtering. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section 4.1.2.2.
Evaluated only on Windows Server 2016
Evaluated only if SID Filtering is used.
Evaluated only on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
Can be set only if the forest and the trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WINTHRESHOLD or greater. | - **SID Filtering** \[Type = UnicodeString\]: [SID Filtering](https://technet.microsoft.com/en-us/library/cc772633(v=ws.10).aspx) state for the new trust: diff --git a/windows/keep-secure/event-4716.md b/windows/keep-secure/event-4716.md index 8140c94b16..65ea86275d 100644 --- a/windows/keep-secure/event-4716.md +++ b/windows/keep-secure/event-4716.md @@ -127,13 +127,13 @@ This event is generated only on domain controllers. | 0x1 | TRUST\_ATTRIBUTE\_NON\_TRANSITIVE | If this bit is set, then the trust cannot be used transitively. For example, if domain A trusts domain B, which in turn trusts domain C, and the A<-->B trust has this attribute set, then a client in domain A cannot authenticate to a server in domain C over the A<-->B<-->C trust linkage. | | 0x2 | TRUST\_ATTRIBUTE\_UPLEVEL\_ONLY | If this bit is set in the attribute, then only Windows 2000 operating system and newer clients may use the trust link. [Netlogon](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_70771a5a-04a3-447d-981b-e03098808c32) does not consume [trust objects](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_e81f6436-01d2-4311-93a4-4316bb67eabd) that have this flag set. | | 0x4 | TRUST\_ATTRIBUTE\_QUARANTINED\_DOMAIN | If this bit is set, the trusted domain is quarantined and is subject to the rules of [SID](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_83f2020d-0804-4840-a5ac-e06439d50f8d) Filtering as described in [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section [4.1.2.2](https://msdn.microsoft.com/en-us/library/cc237940.aspx). | -| 0x8 | TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE | If this bit is set, the trust link is a [cross-forest trust](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_86f3dbf2-338f-462e-8c5b-3c8e05798dbc) [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) between the root domains of two [forests](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_fd104241-4fb3-457c-b2c4-e0c18bb20b62), both of which are running in a [forest functional level](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_b3240417-ca43-4901-90ec-fde55b32b3b8) of DS\_BEHAVIOR\_WIN2003 or greater.
Only evaluated on Windows Server 2003 operating system, Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, Windows Server 2012 R2 operating system, and Windows Server 2016 Technical Preview operating system.
Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | -| 0x10 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION | If this bit is set, then the trust is to a domain or forest that is not part of the [organization](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_6fae7775-5232-4206-b452-f298546ab54f). The behavior controlled by this bit is explained in [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) section [3.3.5.7.5](https://msdn.microsoft.com/en-us/library/cc233949.aspx) and [\[MS-APDS\]](https://msdn.microsoft.com/en-us/library/cc223948.aspx) section [3.1.5](https://msdn.microsoft.com/en-us/library/cc223991.aspx).
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview.
Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | -| 0x20 | TRUST\_ATTRIBUTE\_WITHIN\_FOREST | If this bit is set, then the trusted domain is within the same forest.
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview. | -| 0x40 | TRUST\_ATTRIBUTE\_TREAT\_AS\_EXTERNAL | If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are more stringently [filtered](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_ffbe7b55-8e84-4f41-a18d-fc29191a4cda) than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section 4.1.2.2.
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview.
Only evaluated if SID Filtering is used.
Only evaluated on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | +| 0x8 | TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE | If this bit is set, the trust link is a [cross-forest trust](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_86f3dbf2-338f-462e-8c5b-3c8e05798dbc) [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) between the root domains of two [forests](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_fd104241-4fb3-457c-b2c4-e0c18bb20b62), both of which are running in a [forest functional level](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_b3240417-ca43-4901-90ec-fde55b32b3b8) of DS\_BEHAVIOR\_WIN2003 or greater.
Only evaluated on Windows Server 2003 operating system, Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, Windows Server 2012 R2 operating system, and Windows Server 2016 operating system.
Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | +| 0x10 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION | If this bit is set, then the trust is to a domain or forest that is not part of the [organization](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_6fae7775-5232-4206-b452-f298546ab54f). The behavior controlled by this bit is explained in [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) section [3.3.5.7.5](https://msdn.microsoft.com/en-us/library/cc233949.aspx) and [\[MS-APDS\]](https://msdn.microsoft.com/en-us/library/cc223948.aspx) section [3.1.5](https://msdn.microsoft.com/en-us/library/cc223991.aspx).
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.
Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | +| 0x20 | TRUST\_ATTRIBUTE\_WITHIN\_FOREST | If this bit is set, then the trusted domain is within the same forest.
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. | +| 0x40 | TRUST\_ATTRIBUTE\_TREAT\_AS\_EXTERNAL | If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are more stringently [filtered](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_ffbe7b55-8e84-4f41-a18d-fc29191a4cda) than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section 4.1.2.2.
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.
Only evaluated if SID Filtering is used.
Only evaluated on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | | 0x80 | TRUST\_ATTRIBUTE\_USES\_RC4\_ENCRYPTION | This bit is set on trusts with the [trustType](https://msdn.microsoft.com/en-us/library/cc220955.aspx) set to TRUST\_TYPE\_MIT, which are capable of using RC4 keys. Historically, MIT Kerberos distributions supported only DES and 3DES keys ([\[RFC4120\]](http://go.microsoft.com/fwlink/?LinkId=90458), [\[RFC3961\]](http://go.microsoft.com/fwlink/?LinkId=90450)). MIT 1.4.1 adopted the RC4HMAC encryption type common to Windows 2000 [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx), so trusted domains deploying later versions of the MIT distribution required this bit. For more information, see "Keys and Trusts", section [6.1.6.9.1](https://msdn.microsoft.com/en-us/library/cc223782.aspx).
Only evaluated on TRUST\_TYPE\_MIT | -| 0x200 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION\_NO\_TGT\_DELEGATION | If this bit is set, tickets granted under this trust MUST NOT be trusted for delegation. The behavior controlled by this bit is as specified in [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) section 3.3.5.7.5.
Only supported on Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview. | -| 0x400 | TRUST\_ATTRIBUTE\_PIM\_TRUST | If this bit and the TATE bit are set, then a cross-forest trust to a domain is to be treated as Privileged Identity Management trust for the purposes of SID Filtering. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section 4.1.2.2.
Evaluated only on Windows Server 2016 Technical Preview
Evaluated only if SID Filtering is used.
Evaluated only on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
Can be set only if the forest and the trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WINTHRESHOLD or greater. | +| 0x200 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION\_NO\_TGT\_DELEGATION | If this bit is set, tickets granted under this trust MUST NOT be trusted for delegation. The behavior controlled by this bit is as specified in [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) section 3.3.5.7.5.
Only supported on Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. | +| 0x400 | TRUST\_ATTRIBUTE\_PIM\_TRUST | If this bit and the TATE bit are set, then a cross-forest trust to a domain is to be treated as Privileged Identity Management trust for the purposes of SID Filtering. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section 4.1.2.2.
Evaluated only on Windows Server 2016
Evaluated only if SID Filtering is used.
Evaluated only on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
Can be set only if the forest and the trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WINTHRESHOLD or greater. | - **SID Filtering** \[Type = UnicodeString\]: [SID Filtering](https://technet.microsoft.com/en-us/library/cc772633(v=ws.10).aspx) state for the new trust: diff --git a/windows/keep-secure/event-4739.md b/windows/keep-secure/event-4739.md index 8b692f1ea3..44897f5f13 100644 --- a/windows/keep-secure/event-4739.md +++ b/windows/keep-secure/event-4739.md @@ -165,14 +165,14 @@ This event generates when one of the following changes was made to local compute | Value | Identifier | Domain controller operating systems that are allowed in the domain | |-------|---------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 0 | DS\_BEHAVIOR\_WIN2000 | Windows 2000 Server operating system
Windows Server 2003 operating system
Windows Server 2008 operating system
Windows Server 2008 R2 operating system
Windows Server 2012 operating system
Windows Server 2012 R2 operating system
Windows Server 2016 Technical Preview operating system | -| 1 | DS\_BEHAVIOR\_WIN2003\_WITH\_MIXED\_DOMAINS | Windows Server 2003
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016 Technical Preview | -| 2 | DS\_BEHAVIOR\_WIN2003 | Windows Server 2003
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016 Technical Preview | -| 3 | DS\_BEHAVIOR\_WIN2008 | Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016 Technical Preview | -| 4 | DS\_BEHAVIOR\_WIN2008R2 | Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016 Technical Preview | -| 5 | DS\_BEHAVIOR\_WIN2012 | Windows Server 2012
Windows Server 2012 R2
Windows Server 2016 Technical Preview | -| 6 | DS\_BEHAVIOR\_WIN2012R2 | Windows Server 2012 R2
Windows Server 2016 Technical Preview | -| 7 | DS\_BEHAVIOR\_WINTHRESHOLD | Windows Server 2016 Technical Preview | +| 0 | DS\_BEHAVIOR\_WIN2000 | Windows 2000 Server operating system
Windows Server 2003 operating system
Windows Server 2008 operating system
Windows Server 2008 R2 operating system
Windows Server 2012 operating system
Windows Server 2012 R2 operating system
Windows Server 2016 operating system | +| 1 | DS\_BEHAVIOR\_WIN2003\_WITH\_MIXED\_DOMAINS | Windows Server 2003
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016 | +| 2 | DS\_BEHAVIOR\_WIN2003 | Windows Server 2003
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016 | +| 3 | DS\_BEHAVIOR\_WIN2008 | Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016 | +| 4 | DS\_BEHAVIOR\_WIN2008R2 | Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016 | +| 5 | DS\_BEHAVIOR\_WIN2012 | Windows Server 2012
Windows Server 2012 R2
Windows Server 2016 | +| 6 | DS\_BEHAVIOR\_WIN2012R2 | Windows Server 2012 R2
Windows Server 2016 | +| 7 | DS\_BEHAVIOR\_WINTHRESHOLD | Windows Server 2016 | - **OEM Information** \[Type = UnicodeString\]: there is no information about this field in this document. diff --git a/windows/keep-secure/exempt-icmp-from-authentication.md b/windows/keep-secure/exempt-icmp-from-authentication.md index a60e483753..21100a9674 100644 --- a/windows/keep-secure/exempt-icmp-from-authentication.md +++ b/windows/keep-secure/exempt-icmp-from-authentication.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 This procedure shows you how to add exemptions for any network traffic that uses the ICMP protocol. diff --git a/windows/keep-secure/exemption-list.md b/windows/keep-secure/exemption-list.md index 3ebf7a465b..fc0fd3b704 100644 --- a/windows/keep-secure/exemption-list.md +++ b/windows/keep-secure/exemption-list.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 When you implement a server and domain isolation security model in your organization, you are likely to find some additional challenges. Key infrastructure servers such as DNS servers and DHCP servers typically must be available to all devicess on the internal network, yet secured from network attacks. However, if they must remain available to all devicess on the network, not just to isolated domain members, then these servers cannot require IPsec for inbound access, nor can they use IPsec transport mode for outbound traffic. diff --git a/windows/keep-secure/firewall-gpos.md b/windows/keep-secure/firewall-gpos.md index b264a38993..229cb2a3e0 100644 --- a/windows/keep-secure/firewall-gpos.md +++ b/windows/keep-secure/firewall-gpos.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 All the devices on Woodgrove Bank's network that run Windows are part of the isolated domain, except domain controllers. To configure firewall rules, the GPO described in this section is linked to the domain container in the Active Directory OU hierarchy, and then filtered by using security group filters and WMI filters. diff --git a/windows/keep-secure/firewall-policy-design-example.md b/windows/keep-secure/firewall-policy-design-example.md index 41310314aa..8dad2b48f7 100644 --- a/windows/keep-secure/firewall-policy-design-example.md +++ b/windows/keep-secure/firewall-policy-design-example.md @@ -13,13 +13,13 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 In this example, the fictitious company Woodgrove Bank is a financial services institution. Woodgrove Bank has an Active Directory domain that provides Group Policy-based management for all their Windows devices. The Active Directory domain controllers also host Domain Name System (DNS) for host name resolution. Separate devices host Windows Internet Name Service (WINS) for network basic input/output system (NetBIOS) name resolution. A set of devices that are running UNIX provide the Dynamic Host Configuration Protocol (DHCP) services for automatic IP addressing. -Woodgrove Bank is in the process of migrating their devices from Windows Vista and Windows Server 2008 to Windows 10 and Windows Server 2016 Technical Preview. A significant number of the devices at Woodgrove Bank continue to run Windows Vista and Windows Server 2008. Interoperability between the previous and newer operating systems must be maintained. Wherever possible, security features applied to the newer operating systems must also be applied to the previous operating systems. +Woodgrove Bank is in the process of migrating their devices from Windows Vista and Windows Server 2008 to Windows 10 and Windows Server 2016. A significant number of the devices at Woodgrove Bank continue to run Windows Vista and Windows Server 2008. Interoperability between the previous and newer operating systems must be maintained. Wherever possible, security features applied to the newer operating systems must also be applied to the previous operating systems. A key line-of-business program called WGBank consists of a client program running on most of the desktop devices in the organization. This program accesses several front-end server devices that run the server-side part of WGBank. These front-end servers only do the processing — they do not store the data. The data is stored in several back-end database devices that are running Microsoft SQL Server. @@ -60,7 +60,7 @@ Woodgrove Bank uses Active Directory groups and Group Policy Objects to deploy t - Client devices that run Windows 10, Windows 8, or Windows 7 -- WGBank front-end servers that run Windows Server 2016 Technical Preview, Windows Server 2012 R2, Windows Server 2012 or Windows Server 2008 R2 (there are none in place yet, but their solution must support adding them) +- WGBank front-end servers that run Windows Server 2016, Windows Server 2012 R2, Windows Server 2012 or Windows Server 2008 R2 (there are none in place yet, but their solution must support adding them) - WGBank partner servers that run Windows Server 2008 diff --git a/windows/keep-secure/gathering-information-about-your-active-directory-deployment.md b/windows/keep-secure/gathering-information-about-your-active-directory-deployment.md index 33727fc9f4..0c507fdc73 100644 --- a/windows/keep-secure/gathering-information-about-your-active-directory-deployment.md +++ b/windows/keep-secure/gathering-information-about-your-active-directory-deployment.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 Active Directory is another important item about which you must gather information. You must understand the forest structure. This includes domain layout, organizational unit (OU) architecture, and site topology. This information makes it possible to know where devices are currently placed, their configuration, and the impact of changes to Active Directory that result from implementing Windows Firewall with Advanced Security. Review the following list for information needed: diff --git a/windows/keep-secure/gathering-information-about-your-current-network-infrastructure.md b/windows/keep-secure/gathering-information-about-your-current-network-infrastructure.md index 65555cc782..67dcea5661 100644 --- a/windows/keep-secure/gathering-information-about-your-current-network-infrastructure.md +++ b/windows/keep-secure/gathering-information-about-your-current-network-infrastructure.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 Perhaps the most important aspect of planning for Windows Firewall with Advanced Security deployment is the network architecture, because IPsec is layered on the Internet Protocol itself. An incomplete or inaccurate understanding of the network can prevent any Windows Firewall with Advanced Security solution from being successful. Understanding subnet layout, IP addressing schemes, and traffic patterns are part of this effort, but accurately documenting the following components are important to completing the planning phase of this project: diff --git a/windows/keep-secure/gathering-information-about-your-devices.md b/windows/keep-secure/gathering-information-about-your-devices.md index 1f3b73fa21..7f4692a95a 100644 --- a/windows/keep-secure/gathering-information-about-your-devices.md +++ b/windows/keep-secure/gathering-information-about-your-devices.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 One of the most valuable benefits of conducting an asset discovery project is the large amount of data that is obtained about the client and server devices on the network. When you start designing and planning your isolation zones, you must make decisions that require accurate information about the state of all hosts to ensure that they can use IPsec as planned. diff --git a/windows/keep-secure/gathering-other-relevant-information.md b/windows/keep-secure/gathering-other-relevant-information.md index ca8d396fcb..83ee00960a 100644 --- a/windows/keep-secure/gathering-other-relevant-information.md +++ b/windows/keep-secure/gathering-other-relevant-information.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 This topic discusses several other things that you should examine to see whether they will cause any complications in your ability to deploy Windows Firewall with Advanced Security policies in your organization. diff --git a/windows/keep-secure/gathering-the-information-you-need.md b/windows/keep-secure/gathering-the-information-you-need.md index 3e8a62b0cc..a11fbf67c8 100644 --- a/windows/keep-secure/gathering-the-information-you-need.md +++ b/windows/keep-secure/gathering-the-information-you-need.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 Before starting the planning process for a Windows Firewall with Advanced Security deployment, you must collect and analyze up-to-date information about the network, the directory services, and the devices that are already deployed in the organization. This information enables you to create a design that accounts for all possible elements of the existing infrastructure. If the gathered information is not accurate, problems can occur when devices and devices that were not considered during the planning phase are encountered during implementation. diff --git a/windows/keep-secure/gpo-domiso-boundary.md b/windows/keep-secure/gpo-domiso-boundary.md index 22db5273b8..00fb043b7a 100644 --- a/windows/keep-secure/gpo-domiso-boundary.md +++ b/windows/keep-secure/gpo-domiso-boundary.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. Woodgrove Bank began by copying and pasting the GPO for the Windows Server 2008 version of the isolated domain GPO, and then renamed the copy to reflect its new purpose. diff --git a/windows/keep-secure/gpo-domiso-firewall.md b/windows/keep-secure/gpo-domiso-firewall.md index 226c9deac1..d1349941e1 100644 --- a/windows/keep-secure/gpo-domiso-firewall.md +++ b/windows/keep-secure/gpo-domiso-firewall.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to devices that are running at least Windows 7 or Windows Server 2008. diff --git a/windows/keep-secure/gpo-domiso-isolateddomain-clients.md b/windows/keep-secure/gpo-domiso-isolateddomain-clients.md index 0f2faadb9e..a6ab80ad09 100644 --- a/windows/keep-secure/gpo-domiso-isolateddomain-clients.md +++ b/windows/keep-secure/gpo-domiso-isolateddomain-clients.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to client devices that are running Windows 8, Windows 7, or Windows Vista. diff --git a/windows/keep-secure/gpo-domiso-isolateddomain-servers.md b/windows/keep-secure/gpo-domiso-isolateddomain-servers.md index fb984adf5f..91cd4e3890 100644 --- a/windows/keep-secure/gpo-domiso-isolateddomain-servers.md +++ b/windows/keep-secure/gpo-domiso-isolateddomain-servers.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to server devices that are running at least Windows Server 2008. diff --git a/windows/keep-secure/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md b/windows/keep-secure/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md index b1adf33fd9..092982bd0a 100644 --- a/windows/keep-secure/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md +++ b/windows/keep-secure/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 Correctly identifying your Windows Firewall with Advanced Security deployment goals is essential for the success of your Windows Firewall with Advanced Security design project. Form a project team that can clearly articulate deployment issues in a vision statement. When you write your vision statement, identify, clarify, and refine your deployment goals. Prioritize and, if possible, combine your deployment goals so that you can design and deploy Windows Firewall with Advanced Security by using an iterative approach. You can take advantage of the predefined Windows Firewall with Advanced Security deployment goals presented in this guide that are relevant to your scenarios. diff --git a/windows/keep-secure/implementing-your-windows-firewall-with-advanced-security-design-plan.md b/windows/keep-secure/implementing-your-windows-firewall-with-advanced-security-design-plan.md index 25f0fba560..6099d183c9 100644 --- a/windows/keep-secure/implementing-your-windows-firewall-with-advanced-security-design-plan.md +++ b/windows/keep-secure/implementing-your-windows-firewall-with-advanced-security-design-plan.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 The following are important factors in the implementation of your Windows Firewall with Advanced Security design plan: diff --git a/windows/keep-secure/isolated-domain-gpos.md b/windows/keep-secure/isolated-domain-gpos.md index b7f6c3b921..745da6642b 100644 --- a/windows/keep-secure/isolated-domain-gpos.md +++ b/windows/keep-secure/isolated-domain-gpos.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 All of the devices in the isolated domain are added to the group CG\_DOMISO\_IsolatedDomain. You must create multiple GPOs to align with this group, one for each Windows operating system that must have different rules or settings to implement the basic isolated domain functionality that you have in your isolated domain. This group is granted Read and Apply Group Policy permissions on all the GPOs described in this section. diff --git a/windows/keep-secure/isolated-domain.md b/windows/keep-secure/isolated-domain.md index 3d23484bf9..43e1461c41 100644 --- a/windows/keep-secure/isolated-domain.md +++ b/windows/keep-secure/isolated-domain.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 The isolated domain is the primary zone for trusted devices. The devices in this zone use connection security and firewall rules to control the communications that can be sent between devices in the zone. diff --git a/windows/keep-secure/isolating-apps-on-your-network.md b/windows/keep-secure/isolating-apps-on-your-network.md index 09367196c5..c8adf77620 100644 --- a/windows/keep-secure/isolating-apps-on-your-network.md +++ b/windows/keep-secure/isolating-apps-on-your-network.md @@ -12,7 +12,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 When you add new devices to your network, you may want to customize your Windows Firewall configuration to isolate the network access of the new Windows Store apps that run on them. Developers who build Windows Store apps can declare certain app capabilities that enable different classes of network access. A developer can decide what kind of network access the app requires and configure this capability for the app. When the app is installed on a device, appropriate firewall rules are automatically created to enable access. You can then customize the firewall configuration to further fine-tune this access if they desire more control over the network access for the app. diff --git a/windows/keep-secure/link-the-gpo-to-the-domain.md b/windows/keep-secure/link-the-gpo-to-the-domain.md index ab224211e6..ba14d60b0e 100644 --- a/windows/keep-secure/link-the-gpo-to-the-domain.md +++ b/windows/keep-secure/link-the-gpo-to-the-domain.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 After you create the GPO and configure it with security group filters and WMI filters, you must link the GPO to the container in Active Directory that contains all of the target devices. diff --git a/windows/keep-secure/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md b/windows/keep-secure/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md index 3187e17371..49dc1620f6 100644 --- a/windows/keep-secure/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md +++ b/windows/keep-secure/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 After you finish reviewing the existing Windows Firewall with Advanced Security deployment goals and you determine which goals are important to your specific deployment, you can map those goals to a specific Windows Firewall with Advanced Security design. diff --git a/windows/keep-secure/microsoft-passport-guide.md b/windows/keep-secure/microsoft-passport-guide.md index b78b6f94f7..45548bb40f 100644 --- a/windows/keep-secure/microsoft-passport-guide.md +++ b/windows/keep-secure/microsoft-passport-guide.md @@ -101,7 +101,7 @@ Microsoft Passport offers four significant advantages over the current state of **It’s flexible** Microsoft Passport offers unprecedented flexibility. Although the format and use of reusable passwords are fixed, Microsoft Passport gives both administrators and users options to manage authentication. First and foremost, Microsoft Passport works with both biometric identifiers and PINs, so users’ credentials are protected even on devices that don’t support biometrics. Users can even use their phone to release their credentials instead of a PIN or biometric gesture on the main device. Microsoft Passport seamlessly takes advantage of the hardware of the devices in use; as users upgrade to newer devices, Microsoft Passport is ready to use them, and organizations can upgrade existing devices by adding biometric sensors where appropriate. -Microsoft Passport offers flexibility in the datacenter, too. To deploy it, in some modes you must add Windows Server 2016 Technical Preview domain controllers to your Active Directory environment, but you don’t have to replace or remove your existing Active Directory servers — the servers required for Microsoft Passport build on and add capability to your existing infrastructure. You don’t have to change the domain or forest functional level, and you can either add on-premises servers or use Microsoft Azure Active Directory to deploy Microsoft Passport on your network. The choice of which users you should enable for Microsoft Passport use is completely up to you: you choose the policies and devices to support and which authentication factors you want users to have access to. This makes it easy to use Microsoft Passport to supplement existing smart card or token deployments by adding strong credential protection to users who don’t currently have it or to deploy Microsoft Passport in scenarios that call for extra protection for sensitive resources or systems (described in the [Design a Microsoft Passport deployment](#design) section). +Microsoft Passport offers flexibility in the datacenter, too. To deploy it, in some modes you must add Windows Server 2016 domain controllers to your Active Directory environment, but you don’t have to replace or remove your existing Active Directory servers — the servers required for Microsoft Passport build on and add capability to your existing infrastructure. You don’t have to change the domain or forest functional level, and you can either add on-premises servers or use Microsoft Azure Active Directory to deploy Microsoft Passport on your network. The choice of which users you should enable for Microsoft Passport use is completely up to you: you choose the policies and devices to support and which authentication factors you want users to have access to. This makes it easy to use Microsoft Passport to supplement existing smart card or token deployments by adding strong credential protection to users who don’t currently have it or to deploy Microsoft Passport in scenarios that call for extra protection for sensitive resources or systems (described in the [Design a Microsoft Passport deployment](#design) section). **It’s standardized** diff --git a/windows/keep-secure/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md b/windows/keep-secure/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md index 95ab7cda01..d2ed73907e 100644 --- a/windows/keep-secure/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md +++ b/windows/keep-secure/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 You must reconfigure your copied GPO so that it contains the correct security group and WMI filters for its new role. If you are creating the GPO for the isolated domain, use the [Block members of a group from applying a GPO](#to-block-members-of-a-group-from-applying-a-gpo) procedure to prevent members of the boundary and encryption zones from incorrectly applying the GPOs for the main isolated domain. diff --git a/windows/keep-secure/open-the-group-policy-management-console-to-ip-security-policies.md b/windows/keep-secure/open-the-group-policy-management-console-to-ip-security-policies.md index f29f5afbb7..420518e4ca 100644 --- a/windows/keep-secure/open-the-group-policy-management-console-to-ip-security-policies.md +++ b/windows/keep-secure/open-the-group-policy-management-console-to-ip-security-policies.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 Procedures in this guide that refer to GPOs for earlier versions of the Windows operating system instruct you to work with the IP Security Policy section in the Group Policy Management Console (GPMC). diff --git a/windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md b/windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md index e179647bac..bbecb7b8ad 100644 --- a/windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md +++ b/windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 Most of the procedures in this guide instruct you to use Group Policy settings for Windows Firewall with Advanced Security. diff --git a/windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall.md b/windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall.md index 2d848ec539..9712af0076 100644 --- a/windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall.md +++ b/windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 To open a GPO to Windows Firewall diff --git a/windows/keep-secure/open-windows-firewall-with-advanced-security.md b/windows/keep-secure/open-windows-firewall-with-advanced-security.md index cda993d4ad..8f20a73c1c 100644 --- a/windows/keep-secure/open-windows-firewall-with-advanced-security.md +++ b/windows/keep-secure/open-windows-firewall-with-advanced-security.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 This procedure shows you how to open the Windows Firewall with Advanced Security console. diff --git a/windows/keep-secure/planning-certificate-based-authentication.md b/windows/keep-secure/planning-certificate-based-authentication.md index 69e599b812..ab5b21c69b 100644 --- a/windows/keep-secure/planning-certificate-based-authentication.md +++ b/windows/keep-secure/planning-certificate-based-authentication.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 Sometimes a device cannot join an Active Directory domain, and therefore cannot use Kerberos V5 authentication with domain credentials. However, the device can still participate in the isolated domain by using certificate-based authentication. diff --git a/windows/keep-secure/planning-domain-isolation-zones.md b/windows/keep-secure/planning-domain-isolation-zones.md index 208265eefb..a18fb27051 100644 --- a/windows/keep-secure/planning-domain-isolation-zones.md +++ b/windows/keep-secure/planning-domain-isolation-zones.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 After you have the required information about your network, Active Directory, and client and server devices, you can use that information to make decisions about the isolation zones you want to use in your environment. diff --git a/windows/keep-secure/planning-gpo-deployment.md b/windows/keep-secure/planning-gpo-deployment.md index 050a5550f7..abdff4b8ca 100644 --- a/windows/keep-secure/planning-gpo-deployment.md +++ b/windows/keep-secure/planning-gpo-deployment.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 You can control which GPOs are applied to devices in Active Directory in a combination of three ways: diff --git a/windows/keep-secure/planning-group-policy-deployment-for-your-isolation-zones.md b/windows/keep-secure/planning-group-policy-deployment-for-your-isolation-zones.md index fff34a12c7..0718187682 100644 --- a/windows/keep-secure/planning-group-policy-deployment-for-your-isolation-zones.md +++ b/windows/keep-secure/planning-group-policy-deployment-for-your-isolation-zones.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 After you have decided on the best logical design of your isolation environment for the network and device security requirements, you can start the implementation plan. diff --git a/windows/keep-secure/planning-isolation-groups-for-the-zones.md b/windows/keep-secure/planning-isolation-groups-for-the-zones.md index b4f667a50b..0c4488940a 100644 --- a/windows/keep-secure/planning-isolation-groups-for-the-zones.md +++ b/windows/keep-secure/planning-isolation-groups-for-the-zones.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 Isolation groups in Active Directory are how you implement the various domain and server isolation zones. A device is assigned to a zone by adding its device account to the group which represents that zone. diff --git a/windows/keep-secure/planning-network-access-groups.md b/windows/keep-secure/planning-network-access-groups.md index 4d9b002e7c..929c583624 100644 --- a/windows/keep-secure/planning-network-access-groups.md +++ b/windows/keep-secure/planning-network-access-groups.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 A network access group (NAG) is used to identify users and devices that have permission to access an isolated server. The server is configured with firewall rules that allow only network connections that are authenticated as originating from a device, and optionally a user, whose accounts are members of its NAG. A member of the isolated domain can belong to as many NAGs as required. diff --git a/windows/keep-secure/planning-server-isolation-zones.md b/windows/keep-secure/planning-server-isolation-zones.md index 12688b93c9..9995c0e5fc 100644 --- a/windows/keep-secure/planning-server-isolation-zones.md +++ b/windows/keep-secure/planning-server-isolation-zones.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 Sometimes a server hosts data that is sensitive. If your servers host data that must not be compromised, you have several options to help protect that data. One was already addressed: adding the server to the encryption zone. Membership in that zone prevents the server from being accessed by any devices that are outside the isolated domain, and encrypts all network connections to server. diff --git a/windows/keep-secure/planning-settings-for-a-basic-firewall-policy.md b/windows/keep-secure/planning-settings-for-a-basic-firewall-policy.md index 4fcbd977dc..fdcf972088 100644 --- a/windows/keep-secure/planning-settings-for-a-basic-firewall-policy.md +++ b/windows/keep-secure/planning-settings-for-a-basic-firewall-policy.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 After you have identified your requirements, and have the information about the network layout and devices available, you can begin to design the GPO settings and rules that will enable you to enforce your requirements on the devices. diff --git a/windows/keep-secure/planning-the-gpos.md b/windows/keep-secure/planning-the-gpos.md index b22f0497cd..84b3750822 100644 --- a/windows/keep-secure/planning-the-gpos.md +++ b/windows/keep-secure/planning-the-gpos.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 When you plan the GPOs for your different isolation zones, you must complete the layout of the required zones and their mappings to the groups that link the devices to the zones. diff --git a/windows/keep-secure/planning-to-deploy-windows-firewall-with-advanced-security.md b/windows/keep-secure/planning-to-deploy-windows-firewall-with-advanced-security.md index 1801d2a86a..8423e4b94f 100644 --- a/windows/keep-secure/planning-to-deploy-windows-firewall-with-advanced-security.md +++ b/windows/keep-secure/planning-to-deploy-windows-firewall-with-advanced-security.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 After you collect information about your environment and decide on a design by following the guidance in the [Windows Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md), you can begin to plan the deployment of your design. With the completed design and the information in this topic, you can determine which tasks to perform to deploy Windows Firewall with Advanced Security in your organization. diff --git a/windows/keep-secure/planning-your-windows-firewall-with-advanced-security-design.md b/windows/keep-secure/planning-your-windows-firewall-with-advanced-security-design.md index c800eca94d..736612379f 100644 --- a/windows/keep-secure/planning-your-windows-firewall-with-advanced-security-design.md +++ b/windows/keep-secure/planning-your-windows-firewall-with-advanced-security-design.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 After you have gathered the relevant information in the previous sections, and understand the basics of the designs as described earlier in this guide, you can select the design (or combination of designs) that meet your needs. diff --git a/windows/keep-secure/procedures-used-in-this-guide.md b/windows/keep-secure/procedures-used-in-this-guide.md index d19699b94b..7374820ed8 100644 --- a/windows/keep-secure/procedures-used-in-this-guide.md +++ b/windows/keep-secure/procedures-used-in-this-guide.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 The procedures in this section appear in the checklists found earlier in this document. They should be used only in the context of the checklists in which they appear. They are presented here in alphabetical order. diff --git a/windows/keep-secure/protect-devices-from-unwanted-network-traffic.md b/windows/keep-secure/protect-devices-from-unwanted-network-traffic.md index a24379dacf..f4134b9ce9 100644 --- a/windows/keep-secure/protect-devices-from-unwanted-network-traffic.md +++ b/windows/keep-secure/protect-devices-from-unwanted-network-traffic.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 Although network perimeter firewalls provide important protection to network resources from external threats, there are network threats that a perimeter firewall cannot protect against. Some attacks might successfully penetrate the perimeter firewall, and at that point what can stop it? Other attacks might originate from inside the network, such as malware that is brought in on portable media and run on a trusted device. Portable device are often taken outside the network and connected directly to the Internet, without adequate protection between the device and security threats. diff --git a/windows/keep-secure/require-encryption-when-accessing-sensitive-network-resources.md b/windows/keep-secure/require-encryption-when-accessing-sensitive-network-resources.md index 890eaf1d99..42da77aa05 100644 --- a/windows/keep-secure/require-encryption-when-accessing-sensitive-network-resources.md +++ b/windows/keep-secure/require-encryption-when-accessing-sensitive-network-resources.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 The use of authentication in the previously described goal ([Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)) enables a device in the isolated domain to block traffic from untrusted devices. However, it does not prevent an untrusted device from eavesdropping on the network traffic shared between two trusted devices, because by default network packets are not encrypted. diff --git a/windows/keep-secure/restrict-access-to-only-specified-users-or-devices.md b/windows/keep-secure/restrict-access-to-only-specified-users-or-devices.md index 049625343b..fa2225b9c4 100644 --- a/windows/keep-secure/restrict-access-to-only-specified-users-or-devices.md +++ b/windows/keep-secure/restrict-access-to-only-specified-users-or-devices.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 Domain isolation (as described in the previous goal [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)) prevents devices that are members of the isolated domain from accepting network traffic from untrusted devices. However, some devices on the network might host sensitive data that must be additionally restricted to only those users and computers that have a business requirement to access the data. diff --git a/windows/keep-secure/restrict-access-to-only-trusted-devices.md b/windows/keep-secure/restrict-access-to-only-trusted-devices.md index d2b47a2dbe..dc34b9ac84 100644 --- a/windows/keep-secure/restrict-access-to-only-trusted-devices.md +++ b/windows/keep-secure/restrict-access-to-only-trusted-devices.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 Your organizational network likely has a connection to the Internet. You also likely have partners, vendors, or contractors who attach devices that are not owned by your organization to your network. Because you do not manage those devices, you cannot trust them to be free of malicious software, maintained with the latest security updates, or in any way in compliance with your organization's security policies. These untrustworthy devices both on and outside of your physical network must not be permitted to access your organization's devices except where it is truly required. diff --git a/windows/keep-secure/restrict-server-access-to-members-of-a-group-only.md b/windows/keep-secure/restrict-server-access-to-members-of-a-group-only.md index 85d7267abb..57d1bc1e9d 100644 --- a/windows/keep-secure/restrict-server-access-to-members-of-a-group-only.md +++ b/windows/keep-secure/restrict-server-access-to-members-of-a-group-only.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 After you have configured the IPsec connection security rules that force client devices to authenticate their connections to the isolated server, you must configure the rules that restrict access to only those devices or users who have been identified through the authentication process as members of the isolated server’s access group. diff --git a/windows/keep-secure/securing-end-to-end-ipsec-connections-by-using-ikev2.md b/windows/keep-secure/securing-end-to-end-ipsec-connections-by-using-ikev2.md index fa9c66bfb4..e3cd578183 100644 --- a/windows/keep-secure/securing-end-to-end-ipsec-connections-by-using-ikev2.md +++ b/windows/keep-secure/securing-end-to-end-ipsec-connections-by-using-ikev2.md @@ -12,7 +12,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 IKEv2 offers the following: diff --git a/windows/keep-secure/server-isolation-gpos.md b/windows/keep-secure/server-isolation-gpos.md index 149730d1a5..e0075d930f 100644 --- a/windows/keep-secure/server-isolation-gpos.md +++ b/windows/keep-secure/server-isolation-gpos.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 Each set of devices that have different users or devices accessing them require a separate server isolation zone. Each zone requires one GPO for each version of Windows running on devices in the zone. The Woodgrove Bank example has an isolation zone for their devices that run SQL Server. The server isolation zone is logically considered part of the encryption zone. Therefore, server isolation zone GPOs must also include rules for encrypting all isolated server traffic. Woodgrove Bank copied the encryption zone GPOs to serve as a starting point, and renamed them to reflect their new purpose. diff --git a/windows/keep-secure/server-isolation-policy-design-example.md b/windows/keep-secure/server-isolation-policy-design-example.md index 4d38ed4c99..f6ddc73bf4 100644 --- a/windows/keep-secure/server-isolation-policy-design-example.md +++ b/windows/keep-secure/server-isolation-policy-design-example.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 This design example continues to use the fictitious company Woodgrove Bank, as described in the [Firewall Policy Design Example](firewall-policy-design-example.md) section and the [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md) section. diff --git a/windows/keep-secure/server-isolation-policy-design.md b/windows/keep-secure/server-isolation-policy-design.md index a2397773da..de45c1b7c7 100644 --- a/windows/keep-secure/server-isolation-policy-design.md +++ b/windows/keep-secure/server-isolation-policy-design.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 In the server isolation policy design, you assign servers to a zone that allows access only to users and devices that authenticate as members of an approved network access group (NAG). diff --git a/windows/keep-secure/turn-on-windows-firewall-and-configure-default-behavior.md b/windows/keep-secure/turn-on-windows-firewall-and-configure-default-behavior.md index 758bffcd66..618894db96 100644 --- a/windows/keep-secure/turn-on-windows-firewall-and-configure-default-behavior.md +++ b/windows/keep-secure/turn-on-windows-firewall-and-configure-default-behavior.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 To enable Windows Firewall and configure its default behavior, use the Windows Firewall with Advanced Security node in the Group Policy Management console. diff --git a/windows/keep-secure/user-account-control-group-policy-and-registry-key-settings.md b/windows/keep-secure/user-account-control-group-policy-and-registry-key-settings.md index e2e57dd1bd..3aabc0a07e 100644 --- a/windows/keep-secure/user-account-control-group-policy-and-registry-key-settings.md +++ b/windows/keep-secure/user-account-control-group-policy-and-registry-key-settings.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 ## Group Policy settings There are 10 Group Policy settings that can be configured for User Account Control (UAC). The table lists the default for each of the policy settings, and the following sections explain the different UAC policy settings and provide recommendations. These policy settings are located in **Security Settings\\Local Policies\\Security Options** in the Local Security Policy snap-in. For more information about each of the Group Policy settings, see the Group Policy description. For information about the registry key settings, see [Registry key settings](#registry-key-settings). diff --git a/windows/keep-secure/user-account-control-overview.md b/windows/keep-secure/user-account-control-overview.md index 32edfe0160..1e1801da84 100644 --- a/windows/keep-secure/user-account-control-overview.md +++ b/windows/keep-secure/user-account-control-overview.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings. diff --git a/windows/keep-secure/verify-that-network-traffic-is-authenticated.md b/windows/keep-secure/verify-that-network-traffic-is-authenticated.md index 44e4ba7803..03fcc34124 100644 --- a/windows/keep-secure/verify-that-network-traffic-is-authenticated.md +++ b/windows/keep-secure/verify-that-network-traffic-is-authenticated.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 After you have configured your domain isolation rule to request, rather than require, authentication, you must confirm that the network traffic sent by the devices on the network is being protected by IPsec authentication as expected. If you switch your rules to require authentication before all of the devices have received and applied the correct GPOs, or if there are any errors in your rules, then communications on the network can fail. By first setting the rules to request authentication, any network connections that fail authentication can continue in clear text while you diagnose and troubleshoot. diff --git a/windows/keep-secure/windows-10-security-guide.md b/windows/keep-secure/windows-10-security-guide.md index bb757267bb..8715dfddd2 100644 --- a/windows/keep-secure/windows-10-security-guide.md +++ b/windows/keep-secure/windows-10-security-guide.md @@ -334,7 +334,7 @@ The sections that follow describe these improvements in more detail. **SMB hardening improvements for SYSVOL and NETLOGON connections** -In Windows 10 and Windows Server 2016 Technical Preview, client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares on domain controllers now require Server Message Block (SMB) signing and mutual authentication (such as Kerberos). +In Windows 10 and Windows Server 2016, client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares on domain controllers now require Server Message Block (SMB) signing and mutual authentication (such as Kerberos). - **What value does this change add?** This change reduces the likelihood of man-in-the-middle attacks. - **What works differently?** diff --git a/windows/keep-secure/windows-firewall-with-advanced-security-administration-with-windows-powershell.md b/windows/keep-secure/windows-firewall-with-advanced-security-administration-with-windows-powershell.md index 23f9e3d1c0..c70e57a4b1 100644 --- a/windows/keep-secure/windows-firewall-with-advanced-security-administration-with-windows-powershell.md +++ b/windows/keep-secure/windows-firewall-with-advanced-security-administration-with-windows-powershell.md @@ -12,7 +12,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 The Windows Firewall with Advanced Security Administration with Windows PowerShell Guide provides essential scriptlets for automating Windows Firewall with Advanced Security management. It is designed for IT pros, system administrators, IT managers, and others who use and need to automate Windows Firewall with Advanced Security management in Windows. diff --git a/windows/keep-secure/windows-firewall-with-advanced-security-deployment-guide.md b/windows/keep-secure/windows-firewall-with-advanced-security-deployment-guide.md index 5dabaedf02..9cfe29f6c0 100644 --- a/windows/keep-secure/windows-firewall-with-advanced-security-deployment-guide.md +++ b/windows/keep-secure/windows-firewall-with-advanced-security-deployment-guide.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 You can use the Windows Firewall with Advanced Security MMC snap-in with devices running at least Windows Vista or Windows Server 2008 to help protect the devices and the data that they share across a network. diff --git a/windows/keep-secure/windows-firewall-with-advanced-security-design-guide.md b/windows/keep-secure/windows-firewall-with-advanced-security-design-guide.md index acc229bd6a..47830f44c9 100644 --- a/windows/keep-secure/windows-firewall-with-advanced-security-design-guide.md +++ b/windows/keep-secure/windows-firewall-with-advanced-security-design-guide.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 Windows Firewall with Advanced Security is a host firewall that helps secure the device in two ways. First, it can filter the network traffic permitted to enter the device from the network, and also control what network traffic the device is allowed to send to the network. Second, Windows Firewall with Advanced Security supports IPsec, which enables you to require authentication from any device that is attempting to communicate with your device. When authentication is required, devices that cannot authenticate cannot communicate with your device. By using IPsec, you can also require that specific network traffic be encrypted to prevent it from being read or intercepted while in transit between devices. diff --git a/windows/keep-secure/windows-firewall-with-advanced-security.md b/windows/keep-secure/windows-firewall-with-advanced-security.md index 51c6967315..4433aaf633 100644 --- a/windows/keep-secure/windows-firewall-with-advanced-security.md +++ b/windows/keep-secure/windows-firewall-with-advanced-security.md @@ -12,7 +12,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 This is an overview of the Windows Firewall with Advanced Security (WFAS) and Internet Protocol security (IPsec) features. diff --git a/windows/manage/configure-windows-telemetry-in-your-organization.md b/windows/manage/configure-windows-telemetry-in-your-organization.md index db19b958a4..0ed8e5a3e5 100644 --- a/windows/manage/configure-windows-telemetry-in-your-organization.md +++ b/windows/manage/configure-windows-telemetry-in-your-organization.md @@ -124,7 +124,7 @@ The Upgrade Analytics workflow steps you through the discovery and rationalizati ### Data collection -Windows 10 and Windows Server 2016 Technical Preview includes the Connected User Experience and Telemetry component, which uses Event Tracing for Windows (ETW) tracelogging technology that gathers and stores telemetry events and data. The operating system and some Microsoft management solutions, such as System Center, use the same logging technology. +Windows 10 and Windows Server 2016 includes the Connected User Experience and Telemetry component, which uses Event Tracing for Windows (ETW) tracelogging technology that gathers and stores telemetry events and data. The operating system and some Microsoft management solutions, such as System Center, use the same logging technology. 1. Operating system features and some management applications are instrumented to publish events and data. Examples of management applications include Virtual Machine Manager (VMM), Server Manager, and Storage Spaces. 2. Events are gathered using public operating system event logging and tracing APIs. From 295373c1b741337d166c56e4a302f989a036f40e Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 20 Jul 2016 14:12:17 -0700 Subject: [PATCH 17/27] Updated topic based on tech review --- ...reate-and-verify-an-efs-dra-certificate.md | 60 ++++++++++++------- 1 file changed, 40 insertions(+), 20 deletions(-) diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md index 1d26215059..eb3965f6f1 100644 --- a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md +++ b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md @@ -1,6 +1,7 @@ --- title: Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate (Windows 10) description: Follow these steps to create, verify, and perform a quick recovery by using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. +keywords: Windows Information Protection, WIP, WIP, Enterprise Data Protection ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library @@ -15,12 +16,12 @@ ms.pagetype: security [Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] -If you don’t already have an EFS DRA certificate, you’ll need to create and extract one from your system before you can use EDP in your organization. For the purposes of this section, we’ll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you. +If you don’t already have an EFS DRA certificate, you’ll need to create and extract one from your system before you can use Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your organization. For the purposes of this section, we’ll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you. -The recovery process included in this topic only works for desktop devices. EDP deletes the data on Windows 10 Mobile devices. +The recovery process included in this topic only works for desktop devices. WIP deletes the data on Windows 10 Mobile devices. >**Important**
-If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. +If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. For more info about when to use a PKI and the general strategy you should use to deploy DRA certificates, see the [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/en-us/magazine/2007.02.securitywatch.aspx) article on TechNet. For more general info about EFS protection, see [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/en-us/library/cc875821.aspx). **To manually create an EFS DRA certificate** @@ -37,30 +38,32 @@ If you already have an EFS DRA certificate for your organization, you can skip c The EFSDRA.cer and EFSDRA.pfx files are created in the location you specified in Step 1. >**Important**
- Because these files can be used to decrypt any EDP file, you must protect them accordingly. We highly recommend storing them as a public key (PKI) on a smart card with strong protection, stored in a secured physical location. + Because the private keys in your DRA .pfx files can be used to decrypt any WIP file, you must protect them accordingly. We highly recommend storing these files offline, keeping copies on a smart card with strong protection for normal use and master copies in a secured physical location. -4. Add your EFS DRA certificate to your EDP policy by using either Microsoft Intune or System Center Configuration Manager. +4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as Microsoft Intune or System Center Configuration Manager. >**Note**
- To add your EFS DRA certificate to your policy by using Microsoft Intune, see the [Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) topic. To add your EFS DRA certificate to your policy by using System Center Configuration Manager, see the [Create an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) topic. + To add your EFS DRA certificate to your policy by using Microsoft Intune, see the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-edp-policy-using-intune.md) topic. To add your EFS DRA certificate to your policy by using System Center Configuration Manager, see the [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) topic. -**To verify your data recovery certificate is correctly set up on an EDP client computer** +**To verify your data recovery certificate is correctly set up on an WIP client computer** -1. Open an app on your protected app list, and then create and save a file so that it’s encrypted by EDP. +1. Find or create a file that's encrypted using Windows Information Protection. For example, you could open an app on your allowed app list, and then create and save a file so it’s encrypted by WIP. -2. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command: +2. Open an app on your protected app list, and then create and save a file so that it’s encrypted by WIP. + +3. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command: `cipher /c ` Where *<filename>* is the name of the file you created in Step 1. -3. Make sure that your data recovery certificate is listed in the **Recovery Certificates** list. +4. Make sure that your data recovery certificate is listed in the **Recovery Certificates** list. **To recover your data using the EFS DRA certificate in a test environment** -1. Copy your EDP-encrypted file to a location where you have admin access. +1. Copy your WIP-encrypted file to a location where you have admin access. -2. Install the EFSDRA.pfx file, using your password. +2. Install the EFSDRA.pfx file, using its password. 3. Open a command prompt with elevated rights, navigate to the encrypted file, and then run this command: @@ -68,22 +71,39 @@ If you already have an EFS DRA certificate for your organization, you can skip c Where *<encryptedfile.extension>* is the name of your encrypted file. For example, corporatedata.docx. -**To recover your EDP-protected desktop data after unenrollment** +**To quickly recover WIP-protected desktop data after unenrollment** +It's possible that you might revoke data from an unenrolled device only to later want to restore it all. This can happen in the case of a missing device being returned or if an unenrolled employee enrolls again. If the employee enrolls again using the original user profile, and the revoked key store is still on the device, all of the revoked data can be restored at once, by following these steps. + +>**Important**
To maintain control over your enterprise data, and to be able to revoke again in the future, you must only perform this process after the employee has re-enrolled the device. 1. Have your employee sign in to the unenrolled device, open a command prompt, and type: - `Robocopy “%localappdata%\Microsoft\EDP\Recovery” <“new_location”> /EFSRAW` + `Robocopy “%localappdata%\Microsoft\WIP\Recovery” <“new_location”> /EFSRAW` - Where *<”new_location”>* is a different location from where you store your recovery data. This location can be on the employee’s device or on a Windows 8 or Windows Server 2012 or newer server file share that you can reach while logged in as a data recovery agent. + Where *<”new_location”>* is in a different directory. This can be on the employee’s device or on a Windows 8 or Windows Server 2012 or newer server file share that can be accessed while you're logged in as a data recovery agent. -2. Sign in to a different device with administrator credentials that have access to your organization's Data Recovery Agent (DRA) certificate, and perform the file decryption and recovery by typing: +2. Sign in to a different device with administrator credentials that have access to your organization's DRA certificate, and perform the file decryption and recovery by typing: `cipher.exe /D <“new_location”>` -3. Sign in to the unenrolled device as the employee, and type: +3. Have your employee sign in to the unenrolled device, and type: + + `Robocopy <”new_location”> “%localappdata%\Microsoft\WIP\Recovery\Input”` + +4. Ask the employee to lock and unlock the device. + + The Windows Credential service automatically recovers the employee’s previously revoked keys from the `Recovery\Input` location. + +## Related topics +- [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/en-us/magazine/2007.02.securitywatch.aspx) + +- [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/en-us/library/cc875821.aspx) + +- [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-edp-policy-using-intune.md) + +- [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) + +- [Creating a Domain-Based Recovery Agent](https://msdn.microsoft.com/en-us/library/cc875821.aspx#EJAA) - `Robocopy <”new_location”> “%localappdata%\Microsoft\EDP\Recovery\Input”` -4. Ask the employee to log back in to the device or to lock and unlock the device. - The Windows Credential service automatically recovers the protected data from the `Recovery\Input` location. From 382ed225f82478ec33ade1a7702d283ba75b5692 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 20 Jul 2016 14:15:01 -0700 Subject: [PATCH 18/27] adding virtual machine requirement --- windows/keep-secure/credential-guard.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index ec7cb18cf2..08aef3e947 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -109,7 +109,11 @@ The PC must meet the following hardware and software requirements to use Credent

Physical PC

-

For PCs running Windows 10, you cannot run Credential Guard on a virtual machine.

+

For PCs running Windows 10, version 1511 and Windows 10, version 1507, you cannot run Credential Guard on a virtual machine.

+ + +

Virtual machine

+

For PCs running Windows 10, version 1607, you can run Credential Guard on a generation 2 virtual machine.

From 56f2bb27c97968abedd87bc6543f40a3629bf770 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 20 Jul 2016 14:22:07 -0700 Subject: [PATCH 19/27] Fixed typo --- windows/keep-secure/TOC.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index 59d9b683d8..86c984bbe8 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -29,7 +29,7 @@ ##### [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md) ##### [Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune](create-vpn-and-edp-policy-using-intune.md) #### [Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) -#### [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md)] +#### [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) ### [General guidance and best practices for enterprise data protection (EDP)](guidance-and-best-practices-edp.md) #### [Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](mandatory-settings-for-wip.md) #### [Enlightened apps for use with enterprise data protection (EDP)](enlightened-microsoft-apps-and-edp.md) From e6ca478c43c5b69593cdee2c0b43bc5af4b756cc Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 20 Jul 2016 14:26:51 -0700 Subject: [PATCH 20/27] Added spacing --- windows/keep-secure/create-and-verify-an-efs-dra-certificate.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md index eb3965f6f1..a2e26f0b66 100644 --- a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md +++ b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md @@ -71,7 +71,7 @@ If you already have an EFS DRA certificate for your organization, you can skip c Where *<encryptedfile.extension>* is the name of your encrypted file. For example, corporatedata.docx. -**To quickly recover WIP-protected desktop data after unenrollment** +**To quickly recover WIP-protected desktop data after unenrollment**
It's possible that you might revoke data from an unenrolled device only to later want to restore it all. This can happen in the case of a missing device being returned or if an unenrolled employee enrolls again. If the employee enrolls again using the original user profile, and the revoked key store is still on the device, all of the revoked data can be restored at once, by following these steps. >**Important**
To maintain control over your enterprise data, and to be able to revoke again in the future, you must only perform this process after the employee has re-enrolled the device. From 8a6699637772f2a94f79a8afdd4e96cffb9a39fc Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 20 Jul 2016 16:07:11 -0700 Subject: [PATCH 21/27] added or later to TPM table --- windows/keep-secure/credential-guard.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 08aef3e947..94996dab65 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -90,7 +90,7 @@ The PC must meet the following hardware and software requirements to use Credent TPM 2.0 -Windows 10 version 1511 +Windows 10 version 1511 or later TPM 2.0 or TPM 1.2 @@ -113,7 +113,7 @@ The PC must meet the following hardware and software requirements to use Credent

Virtual machine

-

For PCs running Windows 10, version 1607, you can run Credential Guard on a generation 2 virtual machine.

+

For PCs running Windows 10, version 1607, you can run Credential Guard on a Generation 2 virtual machine.

From 4358b36b4cdcdf9ec1cace6eb59f100f09033086 Mon Sep 17 00:00:00 2001 From: jcaparas Date: Thu, 21 Jul 2016 14:46:06 +1000 Subject: [PATCH 22/27] fix typo --- ...oints-mdm-windows-defender-advanced-threat-protection.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md index 22692ee168..699d49c7ec 100644 --- a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md @@ -53,7 +53,7 @@ Health Status for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThrea Configuration for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Configuration/SampleSharing | Integer | 0 or 1
Default value: 1 | Windows Defender ATP Sample sharing is enabled -> **Note**  Policies **Health Status for onboarded machines** use read-only properties and can't be remediated. +> **Note**  The **Health Status for onboarded machines** policy uses read-only properties and can't be remediated. ### Offboard and monitor endpoints @@ -82,11 +82,11 @@ Offboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding | Health Status for offboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | FALSE |Windows Defender ATP service is not running | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | 0 | Offboarded from Windows Defender ATP -> **Note**  Policies **Health Status for offboarded machines** use read-only properties and can't be remediated. +> **Note**  The **Health Status for offboarded machines** policy uses read-only properties and can't be remediated. ## Related topics - [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) - [Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) - [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) -- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) \ No newline at end of file +- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) From c0e1575f37b597d4c3b0349170049c15b022db37 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 21 Jul 2016 06:59:22 -0700 Subject: [PATCH 23/27] Updated with note about expired DRA certs --- windows/keep-secure/create-and-verify-an-efs-dra-certificate.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md index a2e26f0b66..5f9b52ebf2 100644 --- a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md +++ b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md @@ -21,7 +21,7 @@ If you don’t already have an EFS DRA certificate, you’ll need to create and The recovery process included in this topic only works for desktop devices. WIP deletes the data on Windows 10 Mobile devices. >**Important**
-If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. For more info about when to use a PKI and the general strategy you should use to deploy DRA certificates, see the [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/en-us/magazine/2007.02.securitywatch.aspx) article on TechNet. For more general info about EFS protection, see [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/en-us/library/cc875821.aspx). +If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. For more info about when to use a PKI and the general strategy you should use to deploy DRA certificates, see the [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/en-us/magazine/2007.02.securitywatch.aspx) article on TechNet. For more general info about EFS protection, see [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/en-us/library/cc875821.aspx).

If your DRA certificate has expired, you won’t be able to encrypt your files with it. To fix this, you'll need to create a new certificate, using the steps in this topic, and then deploy it through policy. **To manually create an EFS DRA certificate** From 6c16831ff5860de735e0f9bae5de1806dbe72d87 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 21 Jul 2016 07:30:54 -0700 Subject: [PATCH 24/27] Updated --- ...change-history-for-keep-windows-10-secure.md | 2 +- windows/manage/manage-cortana-in-enterprise.md | 17 +++++++++-------- 2 files changed, 10 insertions(+), 9 deletions(-) diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index 1fe970c712..1292a8cbbc 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md @@ -16,7 +16,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md |New or changed topic | Description | |----------------------|-------------| -|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md)] +|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md)] |New | |[Mandatory settings for Windows Information Protection (WIP)](mandatory-settings-for-wip.md) |New | |[Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) |New | |[Create an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) |New | diff --git a/windows/manage/manage-cortana-in-enterprise.md b/windows/manage/manage-cortana-in-enterprise.md index b44e4c4920..98ed3188ee 100644 --- a/windows/manage/manage-cortana-in-enterprise.md +++ b/windows/manage/manage-cortana-in-enterprise.md @@ -50,14 +50,15 @@ Set up and manage Cortana by using the following Group Policy and mobile device |Group policy |MDM policy |Description | |-------------|-----------|------------| -|Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana |Experience/AllowCortana |Specifies whether employees can use Cortana.

**Note**
Employees can still perform searches even with Cortana turned off. | -|Computer Configuration\Administrative Templates\Control Panel\Regional and Language Options\Allow input personalization |Privacy/AllowInput Personalization |Specifies whether to turn on automatic learning, which allows the collection of speech and handwriting patterns, typing history, contacts, and recent calendar information. It is required for the use of Cortana.

**Important**
Cortana won’t work if this setting is turned off (disabled). | -|None |System/AllowLocation |Specifies whether to allow app access to the Location service. | -|Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results |None |Specifies whether search can perform queries on the web and if the web results are displayed in search.

**Important**
Cortana won’t work if this setting is turned off (disabled). | -|Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location |Search/AllowSearchToUse Location |Specifies whether search and Cortana can provide location aware search and Cortana results.

**Important**
Cortana won’t work if this setting is turned off (disabled). | -|Computer Configuration\Administrative Templates\Windows Components\Search\Set the SafeSearch setting for Search |Search/SafeSearch Permissions |Specifies what level of safe search (filtering adult content) is required.

**Note**
This setting only applies to Windows 10 Mobile. | -|User Configuration\Administrative Templates\Windows Components\File Explorer\Turn off display of recent search entries in the File Explorer search box |None |Specifies whether the search box can suggest recent queries and prevent entries from being stored in the registry for future reference.

**Important**
Cortana won’t work if this setting is turned off (disabled). | -|User Configuration\Administrative Templates\Start Menu and Taskbar\Do not search communications |None |Specifies whether the Start menu search box searches communications.

**Important**
Cortana won’t work if this setting is turned off (disabled). | +|Computer Configuration\Administrative Templates\Windows Components\Search\AllowCortanaAboveLock |AboveLock/AllowCortanaAboveLock |Specifies whether an employee can interact with Cortana using voice commands when the system is locked.

**Note**
This setting only applies to Windows 10 for desktop devices. | +|Computer Configuration\Administrative Templates\Control Panel\Regional and Language Options\Allow input personalization |Privacy/AllowInputPersonalization |Specifies whether an employee can use voice commands with Cortana in the enterprise.

**In Windows 10, version 1511**
Cortana won’t work if this setting is turned off (disabled).

**In Windows 10, version 1607 and later**
Cortana still works if this setting is turned off (disabled). | +|None |System/AllowLocation |Specifies whether to allow app access to the Location service.

**In Windows 10, version 1511**
Cortana won’t work if this setting is turned off (disabled).

**In Windows 10, version 1607 and later**
Cortana still works if this setting is turned off (disabled). | +|None |Accounts/AllowMicrosoftAccountConnection |Specifies whether to allow employees to sign in using a Microsoft account (MSA) from Windows apps.

Use this setting if you only want to support Azure AD in your organization. | +|Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location |Search/AllowSearchToUseLocation |Specifies whether Cortana can use your current location during searches and for location reminders. | +|Computer Configuration\Administrative Templates\Windows Components\Search\Set the SafeSearch setting for Search |Search/SafeSearchPermissions |Specifies what level of safe search (filtering adult content) is required.

**Note**
This setting only applies to Windows 10 Mobile. | +|User Configuration\Administrative Templates\Windows Components\File Explorer\Turn off display of recent search entries in the File Explorer search box |None |Specifies whether the search box can suggest recent queries and prevent entries from being stored in the registry for future reference. | +|Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results |None |Specifies whether search can perform queries on the web and if the web results are displayed in search.

**In Windows 10 Pro edition**
This setting can’t be managed.

**In Windows 10 Enterprise edition**
Cortana won't work if this setting is turned off (disabled). | +|Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana |Experience/AllowCortana |Specifies whether employees can use Cortana.

**Important**
Cortana won’t work if this setting is turned off (disabled). However, employees can still perform local searches even with Cortana turned off. | **More info:** - For specific info about how to set, manage, and use each of these MDM policies to configure Cortana in your enterprise, see the [Policy CSP](http://go.microsoft.com/fwlink/p/?LinkId=717380) topic, located in the configuration service provider reference topics. For specific info about how to set, manage, and use each of these Group Policies to configure Cortana in your enterprise, see the [Group Policy TechCenter](http://go.microsoft.com/fwlink/p/?LinkId=717381). From 2e5d6060653451c577be001ffbe56c84c0a451db Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Thu, 21 Jul 2016 10:52:54 -0700 Subject: [PATCH 25/27] redirected page --- windows/whats-new/device-management.md | 111 +------------------------ 1 file changed, 2 insertions(+), 109 deletions(-) diff --git a/windows/whats-new/device-management.md b/windows/whats-new/device-management.md index 55051d9fd0..52e09d3d1a 100644 --- a/windows/whats-new/device-management.md +++ b/windows/whats-new/device-management.md @@ -7,118 +7,11 @@ ms.pagetype: devices, mobile ms.mktglfcycl: explore ms.sitesec: library author: jdeckerMS +redirect_url: /whats-new/whats-new-windows-10-version-1507-and-1511 --- # Enterprise management for Windows 10 devices - -**Applies to** - -- Windows 10 -- Windows 10 Mobile - -Windows 10 provides mobile device management (MDM) capabilities for PCs, laptops, tablets, and phones that enable enterprise-level management of corporate-owned and personal devices. - -## MDM support - - -MDM policies for Windows 10 align with the policies supported in Windows 8.1 and are expanded to address even more enterprise scenarios, such as managing multiple users who have Microsoft Azure Active Directory (Azure AD) accounts, full control over the Windows Store, VPN configuration, and more. To learn more about the changes in MDM policies for Windows 10, version 1607, see [What's new in MDM enrollment and management](https://msdn.microsoft.com/en-us/library/windows/hardware/mt299056%28v=vs.85%29.aspx#whatsnew_1607). - -MDM support in Windows 10 is based on [Open Mobile Alliance (OMA)](http://go.microsoft.com/fwlink/p/?LinkId=533885) Device Management (DM) protocol 1.2.1 specification. - -Corporate-owned devices can be enrolled automatically for enterprises using Azure AD. - -## Unenrollment - - -When a person leaves your organization and you unenroll the user account or device from management, the enterprise-controlled configurations and apps are removed from the device. You can unenroll the device remotely or the person can unenroll by manually removing the account from the device. - -When a personal device is unenrolled, the user's data and apps are untouched, while enterprise information such as certificates, VPN profiles, and enterprise apps are removed. - -## Infrastructure - - -Enterprises have the following identity and management choices. - -| Area | Choices | -|---|---| -| Identity | Active Directory; Azure AD | -| Grouping | Domain join; Workgroup; Azure AD join | -| Device management | Group Policy; System Center Configuration Manager; Microsoft Intune; other MDM solutions; Exchange ActiveSync; Windows PowerShell; Windows Management Instrumentation (WMI) | - -  - -**Note**   -With the release of Windows Server 2012 R2, Network Access Protection (NAP) was deprecated and the NAP client has now been removed in Windows 10. For more information about support lifecycles, see [Microsoft Support Lifecycle](http://go.microsoft.com/fwlink/p/?LinkID=613512). - -  - -## Device lockdown - - -Do you need a computer that can only do one thing? For example: - -- A device in the lobby that customers can use to view your product catalog. - -- A portable device that drivers can use to check a route on a map. - -- A device that a temporary worker uses to enter data. - -You can configure a persistent locked down state to [create a kiosk-type device](https://technet.microsoft.com/en-us/itpro/windows/manage/set-up-a-device-for-anyone-to-use). When the locked-down account is logged on, the device displays only the app that you select. - -You can also [configure a lockdown state](https://technet.microsoft.com/en-us/itpro/windows/manage/lock-down-windows-10-to-specific-apps) that takes effect when a given user account logs on. The lockdown restricts the user to only the apps that you specify. - -Lockdown settings can also be configured for device look and feel, such as a theme or a [custom layout on the Start screen](https://technet.microsoft.com/en-us/itpro/windows/manage/windows-10-start-layout-options-and-policies). - -## Updates - - -With Windows 10, your enterprise will have more choice and flexibility in applying operating system updates. You can manage and control updates to devices running Windows 10 Pro and Windows 10 Enterprise using MDM policies. - -While Windows Update provides updates to unmanaged devices, most enterprises prefer to manage and control the flow of updates using their device management solution. You can choose to apply the latest updates as soon as they are available, or you can set a source and schedule for updates that works for your specific requirements. - -For more information about updating Windows 10, see [Windows 10 servicing options for updates and upgrades](../manage/introduction-to-windows-10-servicing.md). - -## Easier certificate management - - -For Windows 10-based devices, you can use your MDM server to directly deploy client authentication certificates using Personal Information Exchange (PFX), in addition to enrolling using Simple Certificate Enrollment Protocol (SCEP), including certificates to enable Windows Hello for Business in your enterprise. You'll be able to use MDM to enroll, renew, and delete certificates. As in Windows Phone 8.1, you can use the [Certificates app](http://go.microsoft.com/fwlink/p/?LinkId=615824) to review the details of certificates on your device. [Learn how to install digital certificates on Windows 10 Mobile.](https://tnstage.redmond.corp.microsoft.com/en-us/itpro/windows/keep-secure/installing-digital-certificates-on-windows-10-mobile) - -## Learn more - - -[Windows 10: Manageability Choices](http://go.microsoft.com/fwlink/p/?LinkId=533886) - -[Windows 10: Management](http://go.microsoft.com/fwlink/p/?LinkId=533887) - -[Windows 10 Technical Preview Fundamentals for IT Pros: Windows 10 Management and Deployment](http://go.microsoft.com/fwlink/p/?LinkId=533888) - -[Reference for Mobile device management for Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=533172) - -Active Directory blog posts on Azure AD and Windows 10: - -- [Azure AD, Microsoft Intune and Windows 10 - Using the cloud to modernize enterprise mobility!](http://go.microsoft.com/fwlink/p/?LinkId=619025) - -- [Azure AD Join on Windows 10 devices](http://go.microsoft.com/fwlink/p/?LinkID=616791) - -- [Azure AD on Windows 10 Personal Devices]( http://go.microsoft.com/fwlink/p/?LinkId=619028) - -- [Azure Active Directory and Windows 10: Bringing the cloud to enterprise desktops!](http://go.microsoft.com/fwlink/p/?LinkID=615765) - -## Related topics - - -[Manage corporate devices](../manage/manage-corporate-devices.md) - -[Windows Hello](microsoft-passport.md) - -[Enterprise Data Protection Overview](edp-whats-new-overview.md) - -  - -  - - - +This page has been redirected to **What's new in Windows 10, versions 1507 and 1511**. From d2ea061b63b46f01bd746733edcb763354c2b927 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Thu, 21 Jul 2016 10:54:46 -0700 Subject: [PATCH 26/27] redirected topic --- .../whats-new/lockdown-features-windows-10.md | 103 +----------------- 1 file changed, 2 insertions(+), 101 deletions(-) diff --git a/windows/whats-new/lockdown-features-windows-10.md b/windows/whats-new/lockdown-features-windows-10.md index 0acfd3723a..90a8a04ba6 100644 --- a/windows/whats-new/lockdown-features-windows-10.md +++ b/windows/whats-new/lockdown-features-windows-10.md @@ -8,108 +8,9 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: jdeckerMS +redirect_url: /manage/lockdown-features-windows-10 --- # Lockdown features from Windows Embedded 8.1 Industry -**Applies to** -- Windows 10 -- Windows 10 Mobile - -Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10. This table maps Windows Embedded Industry 8.1 features to Windows 10 Enterprise features, along with links to documentation. - - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows Embedded 8.1 Industry lockdown featureWindows 10 featureChanges

[Hibernate Once/Resume Many (HORM)](http://go.microsoft.com/fwlink/p/?LinkId=626758): Quick boot to device

N/A

HORM is supported in Windows 10, version 1607.

[Unified Write Filter](http://go.microsoft.com/fwlink/p/?LinkId=626757): protect a device's physical storage media

[Unified Writer Filter](http://go.microsoft.com/fwlink/p/?LinkId=626607)

The Unified Write Filter is continued in Windows 10, with the exception of HORM which has been deprecated.

[Keyboard Filter]( http://go.microsoft.com/fwlink/p/?LinkId=626761): block hotkeys and other key combinations

[Keyboard Filter](http://go.microsoft.com/fwlink/p/?LinkId=708391)

Keyboard filter is added in Windows 10, version 1511. As in Windows Embedded Industry 8.1, Keyboard Filter is an optional component that can be turned on via Turn Windows Features On/Off. Keyboard Filter (in addition to the WMI configuration previously available) will be configurable through Windows Imaging and Configuration Designer (ICD) in the SMISettings path.

[Shell Launcher](http://go.microsoft.com/fwlink/p/?LinkId=626676): launch a Classic Windows application on sign-on

[Shell Launcher](http://go.microsoft.com/fwlink/p/?LinkId=618603)

Shell Launcher continues in Windows 10. It is now configurable in Windows ICD under the SMISettings category.

-

Learn [how to use Shell Launcher to create a kiosk device](http://go.microsoft.com/fwlink/p/?LinkId=626922) that runs a Classic Windows application.

[Application Launcher]( http://go.microsoft.com/fwlink/p/?LinkId=626675): launch a Universal Windows Platform (UWP) app on sign-on

[Assigned Access](http://go.microsoft.com/fwlink/p/?LinkId=626608)

The Windows 8 Application Launcher has been consolidated into Assigned Access. Application Launcher enabled launching a Windows 8 app and holding focus on that app. Assigned Access offers a more robust solution for ensuring that apps retain focus.

[Dialog Filter](http://go.microsoft.com/fwlink/p/?LinkId=626762): suppress system dialogs and control which processes can run

[AppLocker](../keep-secure/applocker-overview.md)

Dialog Filter has been deprecated for Windows 10. Dialog Filter provided two capabilities; the ability to control which processes were able to run, and the ability to prevent dialogs (in practice, system dialogs) from appearing.

-
    -

  • Control over which processes are able to run will now be provided by AppLocker.

    • -

  • System dialogs in Windows 10 have been replaced with system toasts. To see more on blocking system toasts, see Toast Notification Filter below.

    • -

[Toast Notification Filter]( http://go.microsoft.com/fwlink/p/?LinkId=626673): suppress toast notifications

Mobile device management (MDM) and Group Policy

Toast Notification Filter has been replaced by MDM and Group Policy settings for blocking the individual components of non-critical system toasts that may appear. For example, to prevent a toast from appearing when a USB drive is connected, ensure that USB connections have been blocked using the USB-related policies, and turn off notifications from apps.

-

Group Policy: User Configuration > Administrative Templates > Start Menu and Taskbar > Notifications

-

MDM policy name may vary depending on your MDM service. In Microsoft Intune, use Allow action center notifications and a [custom OMA-URI setting](http://go.microsoft.com/fwlink/p/?LinkID=616317) for AboveLock/AllowActionCenterNotifications.

[Embedded Lockdown Manager](http://go.microsoft.com/fwlink/p/?LinkId=626763): configure lockdown features

[Windows Imaging and Configuration Designer (ICD)](http://go.microsoft.com/fwlink/p/?LinkID=525483)

The Embedded Lockdown Manager has been deprecated for Windows 10 and replaced by the Windows ICD. Windows ICD is the consolidated tool for Windows imaging and provisioning scenarios and enables configuration of all Windows settings, including the lockdown features previously configurable through Embedded Lockdown Manager.

[USB Filter](http://go.microsoft.com/fwlink/p/?LinkId=626674): restrict USB devices and peripherals on system

MDM and Group Policy

The USB Filter driver has been replaced by MDM and Group Policy settings for blocking the connection of USB devices.

-

Group Policy: Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions

-

MDM policy name may vary depending on your MDM service. In Microsoft Intune, use Allow removable storage or Allow USB connection (Windows 10 Mobile only).

[Assigned Access](http://go.microsoft.com/fwlink/p/?LinkID=613653): launch a UWP app on sign-in and lock access to system

[Assigned Access](http://go.microsoft.com/fwlink/p/?LinkId=626608)

Assigned Access has undergone significant improvement for Windows 10. In Windows 8.1, Assigned Access blocked system hotkeys and edge gestures, and non-critical system notifications, but it also applied some of these limitations to other accounts on the device.

-

In Windows 10, Assigned Access no longer affects accounts other than the one being locked down. Assigned Access now restricts access to other apps or system components by locking the device when the selected user account logs in and launching the designated app above the lock screen, ensuring that no unintended functionality can be accessed.

-

Learn [how to use Assigned Access to create a kiosk device](http://go.microsoft.com/fwlink/p/?LinkId=626922) that runs a Universal Windows app.

[Gesture Filter](http://go.microsoft.com/fwlink/p/?LinkId=626672): block swipes from top, left, and right edges of screen

[Assigned Access](http://go.microsoft.com/fwlink/p/?LinkId=626608)

The capabilities of Gesture Filter have been consolidated into Assigned Access for Windows 10. In Windows 8.1, gestures provided the ability to close an app, to switch apps, and to reach the Charms. For Windows 10, Charms have been removed, and blocking the closing or switching of apps is part of Assigned Access.

[Custom Logon]( http://go.microsoft.com/fwlink/p/?LinkId=626759): suppress Windows UI elements during Windows sign-on, sign-off, and shutdown

[Embedded Logon](http://go.microsoft.com/fwlink/p/?LinkId=626760)

No changes. Applies only to Windows 10 Enterprise and Windows 10 Education.

[Unbranded Boot](http://go.microsoft.com/fwlink/p/?LinkId=626872): custom brand a device by removing or replacing Windows boot UI elements

[Unbranded Boot](http://go.microsoft.com/fwlink/p/?LinkId=626873)

No changes. Applies only to Windows 10 Enterprise and Windows 10 Education.

-  -  -  +This topic has been redirected. \ No newline at end of file From f924ad0b42496154e78c666345be4f36c04d8a99 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Thu, 21 Jul 2016 10:56:02 -0700 Subject: [PATCH 27/27] topic redirected --- windows/whats-new/microsoft-passport.md | 30 ++----------------------- 1 file changed, 2 insertions(+), 28 deletions(-) diff --git a/windows/whats-new/microsoft-passport.md b/windows/whats-new/microsoft-passport.md index a132b19ad6..57ac5201dc 100644 --- a/windows/whats-new/microsoft-passport.md +++ b/windows/whats-new/microsoft-passport.md @@ -8,35 +8,9 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: mobile, security author: jdeckerMS +redirect_url: /whats-new/whats-new-windows-10-version-1607 --- # Windows Hello overview -**Applies to** -- Windows 10 -- Windows 10 Mobile -> **Note:** When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name in Windows 10, version 1607. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. - -In Windows 10, Windows Hello replaces passwords with strong two-factor authentication that consists of an enrolled device and a Windows Hello (biometric) or PIN. - -Windows Hello lets users authenticate to a Microsoft account, an Active Directory account, a Microsoft Azure Active Directory (AD) account, or non-Microsoft service that supports [Fast ID Online (FIDO)](http://go.microsoft.com/fwlink/p/?LinkId=533889) authentication. After an initial two-step verification during Hello enrollment, Hello is set up on the user's device and the user sets a gesture, which can be biometric such as a fingerprint or a PIN. The user provides the gesture to verify identity; Windows then uses Hello to authenticate users and help them to access protected resources and services. -Hello also enables Windows 10 Mobile devices to be used as a remote credential when signing into Windows 10 PCs. During the sign-in process, the Windows 10 PC can connect using Bluetooth to access Hello on the user’s Windows 10 Mobile device. Because users carry their phone with them, Hello makes implementing two-factor authentication across the enterprise less costly and complex than other solutions - -## Benefits of Windows Hello - -- **User convenience**. The employee provides credentials (such as account and password, or other credentials), and is then guided to set up Windows Hello. From that point on, the employee can access enterprise resources by providing a gesture. -- **Security**. Hello helps protect user identities and user credentials. Because no passwords are used, it helps circumvent phishing and brute force attacks. It also helps prevent server breaches because Microsoft - -Passport credentials are an asymmetric key pair, which helps prevent replay attacks when these keys are generated within isolated environments of Trusted Platform Modules (TPMs). -[Learn how to implement and manage Windows Hello for Business in your organization.](../keep-secure/implement-microsoft-passport-in-your-organization.md) - -## Learn more - -[Why a PIN is better than a password](../keep-secure/why-a-pin-is-better-than-a-password.md) -[Windows 10: Disrupting the Revolution of Cyber-Threats with Revolutionary Security!](http://go.microsoft.com/fwlink/p/?LinkId=533890) -[Windows 10: The End Game for Passwords and Credential Theft?](http://go.microsoft.com/fwlink/p/?LinkId=533891) - -## Related topics -[Device management](device-management.md) -  -  +This topic has been redirected. \ No newline at end of file