mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-14 14:27:22 +00:00
Merge remote-tracking branch 'refs/remotes/origin/master' into jd-sandbox
This commit is contained in:
commit
acad249fc6
@ -23,8 +23,6 @@ Find out how the Microsoft Surface Data Eraser tool can help you securely wipe d
Compatible Surface devices include:
- Surface Studio
- Surface Book
- Surface Pro 4
@ -25,7 +25,7 @@ For Credential Guard to provide protections, the computers you are protecting mu
## Hardware and software requirements
To provide basic protection against OS level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Credential Manager uses:
To provide basic protection against OS level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Credential Guard uses:
- Support for Virtualization-based security (required)
- Secure boot (required)
- TPM 2.0 either discrete or firmware (preferred - provides binding to hardware)
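Review bot: the subject fix from Credential Manager to Credential Guard is right; the old sentence named the component being protected as the one doing the protecting. While here, the TPM bullet's "(preferred - provides binding to hardware)" could spell out what is lost without it: with no TPM the protection of the isolated credentials is not bound to the hardware, so "preferred" is a security trade-off rather than a preference.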
@ -48,7 +48,7 @@ The Windows Hello for Business PIN is subject to the same set of IT management p
## What if someone steals the laptop or phone?
To compromise a Windows Hello credential that TPM protects, an attacker must have access to the physical device, and then must find a way to spoof the user’s biometrics or guess his or her PIN—and all of this must be done before TPM anti-hammer capabilities lock the device.
To compromise a Windows Hello credential that TPM protects, an attacker must have access to the physical device, and then must find a way to spoof the user’s biometrics or guess his or her PIN—and all of this must be done before [TPM anti-hammering](/windows/device-security/tpm/tpm-fundamentals#anti-hammering) protection locks the device.
You can provide additional protection for laptops that don't have TPM by enablng BitLocker and setting a policy to limit failed sign-ins.
**Configure BitLocker without TPM**
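Review bot: the unchanged line just below the edited sentence still reads "enablng BitLocker"; fix to "enabling" in the same commit. The link to TPM anti-hammering is a good addition, and since the next paragraph covers laptops without a TPM it would help to say there that the failed sign-in limit policy is the substitute for anti-hammering on those devices, which is what the BitLocker paragraph implies.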
@ -14,6 +14,12 @@ author: jdeckerMS
This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile.
## May 2017
| New or changed topic | Description |
| --- | --- |
| [ Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Added MDM policies for privacy settings. |
## April 2017
| New or changed topic | Description |
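Review bot: the new May 2017 row's link text starts with a space, "[ Manage connections ...", so the rendered link begins with a space; drop it. The description "Added MDM policies for privacy settings" matches the Policy CSP bullets added in the privacy sections below.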
@ -25,7 +25,7 @@ If you want to minimize connections from Windows to Microsoft services, or confi
You can configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all other connections to Microsoft network endpoints as described in this article to help prevent Windows from sending any data to Microsoft. There are many reasons why these communications are enabled by default, such as updating malware definitions and maintain current certificate revocation lists, which is why we strongly recommend against this. This data helps us deliver a secure, reliable, and more delightful personalized experience.
To help make it easier to deploy settings to restrict connections from Windows 10 to Microsoft, you can apply the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887). This baseline was created in the same way as the [Windows security baselines](/windows/device-security/windows-security-baselines) that are often used to efficiently configure Windows to a known secure state. Running the Windows Restricted Traffic Limited Functionality Baseline on devices in your organization will allow you to quickly configure all of the settings covered in this document. However, some of the settings reduce the functionality and security configuration of your device and are therefore not recommended. Make sure should you've chosen the right settings configuration for your environment before applying. Applying this baseline is equivalent to applying the Windows 10 steps covered in this article.
To help make it easier to deploy settings to restrict connections from Windows 10 to Microsoft, you can apply the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887). This baseline was created in the same way as the [Windows security baselines](/windows/device-security/windows-security-baselines) that are often used to efficiently configure Windows to a known secure state. Running the Windows Restricted Traffic Limited Functionality Baseline on devices in your organization will allow you to quickly configure all of the settings covered in this document. However, some of the settings reduce the functionality and security configuration of your device and are therefore not recommended. Make sure should you've chosen the right settings configuration for your environment before applying. You should not extract this package to the the windows\\system32 folder because it will not apply correctly. Applying this baseline is equivalent to applying the Windows 10 steps covered in this article.
We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com.
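Review bot: the added sentence has a doubled article, "to the the windows\\system32 folder". The unchanged text around it also has "Make sure should you've chosen the right settings configuration", which needs "Make sure you've chosen". The new caveat belongs next to the baseline download link rather than after the "not recommended" sentence, since an admin who extracts into system32 ends up with a baseline that does not apply correctly and no obvious error.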
@ -89,22 +89,22 @@ See the following table for a summary of the management settings for Windows 10
| [17.1 General](#bkmk-general) |  |  |  |  | |
| [17.2 Location](#bkmk-priv-location) |  |  |  |  | |
| [17.3 Camera](#bkmk-priv-camera) |  |  |  |  | |
| [17.4 Microphone](#bkmk-priv-microphone) |  |  | |  | |
| [17.5 Notifications](#bkmk-priv-notifications) |  |  | |  | |
| [17.4 Microphone](#bkmk-priv-microphone) |  |  |  |  | |
| [17.5 Notifications](#bkmk-priv-notifications) |  |  | |  | |
| [17.6 Speech, inking, & typing](#bkmk-priv-speech) |  |  |  |  | |
| [17.7 Account info](#bkmk-priv-accounts) |  |  | |  | |
| [17.8 Contacts](#bkmk-priv-contacts) |  |  | |  | |
| [17.9 Calendar](#bkmk-priv-calendar) |  |  | |  | |
| [17.10 Call history](#bkmk-priv-callhistory) |  |  | |  | |
| [17.11 Email](#bkmk-priv-email) |  |  | |  | |
| [17.12 Messaging](#bkmk-priv-messaging) |  |  | |  | |
| [17.13 Radios](#bkmk-priv-radios) |  |  | |  | |
| [17.14 Other devices](#bkmk-priv-other-devices) |  |  | |  | |
| [17.7 Account info](#bkmk-priv-accounts) |  |  |  |  | |
| [17.8 Contacts](#bkmk-priv-contacts) |  |  |  |  | |
| [17.9 Calendar](#bkmk-priv-calendar) |  |  |  |  | |
| [17.10 Call history](#bkmk-priv-callhistory) |  |  |  |  | |
| [17.11 Email](#bkmk-priv-email) |  |  |  |  | |
| [17.12 Messaging](#bkmk-priv-messaging) |  |  |  |  | |
| [17.13 Radios](#bkmk-priv-radios) |  |  |  |  | |
| [17.14 Other devices](#bkmk-priv-other-devices) |  |  |  |  | |
| [17.15 Feedback & diagnostics](#bkmk-priv-feedback) |  |  |  |  | |
| [17.16 Background apps](#bkmk-priv-background) |  | | | | |
| [17.17 Motion](#bkmk-priv-motion) |  |  | |  | |
| [17.18 Tasks](#bkmk-priv-tasks) |  |  | |  | |
| [17.19 App Diagnostics](#bkmk-priv-diag) |  |  | |  | |
| [17.16 Background apps](#bkmk-priv-background) |  |  |  | | |
| [17.17 Motion](#bkmk-priv-motion) |  |  |  |  | |
| [17.18 Tasks](#bkmk-priv-tasks) |  |  |  |  | |
| [17.19 App Diagnostics](#bkmk-priv-diag) |  |  |  |  | |
| [18. Software Protection Platform](#bkmk-spp) | |  |  |  | |
| [19. Sync your settings](#bkmk-syncsettings) |  |  |  |  | |
| [20. Teredo](#bkmk-teredo) | |  | |  |  |
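Review bot: the replaced rows from 17.4 Microphone through 17.19 App Diagnostics differ from the old rows only in their image cells, which do not survive as text, so the diff alone cannot show which column was filled in; the change-history entry ("Added MDM policies for privacy settings") indicates it is the MDM column. Each row touched here should correspond to a section below that gains a Privacy/* Policy CSP bullet, which 17.4 through 17.19 all do. 17.16 Background apps keeps one empty cell, which is consistent with the Background apps hunk below adding an MDM policy but no registry setting.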
@ -204,6 +204,7 @@ For Windows 10, Windows Server 2016 with Desktop Experience, and Windows Server
3. On the **Network Retrieval** tab, select the **Define these policy settings** check box.
4. Clear the **Automatically update certificates in the Microsoft Root Certificate Program (recommended)** check box, and then click **OK**.
On Windows Server 2016 Nano Server:
- Create the registry path **HKEY\_LOCAL\_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot** and then add a REG\_DWORD registry setting, called **DisableRootAutoUpdate**, with a value of 1.
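Review bot: this hunk only adds a blank line, but the unchanged Nano Server bullet escapes its registry path with single backslashes ("HKEY\_LOCAL\_MACHINE\SOFTWARE\Policies\...") while the rest of the file uses "\\"; normalize so the rendered path matches the others. Clearing the root certificate auto-update box and setting DisableRootAutoUpdate to 1 is also one of the settings the intro of this file says reduces the security configuration of the device, since new and removed roots from the program stop arriving; a one-line caveat here would save readers a trip back to the intro.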
@ -308,7 +309,7 @@ To turn off Find My Device:
- Turn off the feature in the UI
-or
-or-
- Disable the Group Policy: **Computer Configuration** > **Administrative Template** > **Windows Components** > **Find My Device** > **Turn On/Off Find My Device**
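Review bot: the "-or" to "-or-" fix is fine; the Group Policy path in the unchanged bullet below it says "Administrative Template" where every other path in this file says "Administrative Templates", so fix that in the same commit.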
@ -422,7 +423,11 @@ You can also use registry entries to set these Group Policies.
| Turn off the flip ahead with page prediction feature | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\FlipAhead!Enabled <br /> REG_DWORD: 0|
| Turn off background synchronization for feeds and Web Slices | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Feeds!BackgroundSyncStatus <br/> REG_DWORD:0 |
To turn off the home page, enable the Group Policy: **User Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Disable changing home page settings**
To turn off the home page, enable the Group Policy: **User Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Disable changing home page settings**, and set it to **about:blank**.
To configure the First Run Wizard, enable the Group Policy: **User Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Prevent running First Run wizard**, and set it to **Go directly to home page**.
To configure the behavior for a new tab, enable the Group Policy: **User Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Specify default behavior for a new tab**, and set it to **about:blank**.
### <a href="" id="bkmk-ie-activex"></a>8.1 ActiveX control blocking
@ -479,11 +484,14 @@ To prevent communication to the Microsoft Account cloud authentication service.
- Apply the Group Policy: **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** > **Security Options** > **Accounts: Block Microsoft Accounts** and set it to **Users can't add Microsoft accounts**.
-or-
- Create a REG\_DWORD registry setting called **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System!NoConnectedUser**, with a value of 3.
To disable the Microsoft Account Sign-In Assistant:
- Apply the Accounts/AllowMicrosoftAccountSignInAssistant MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is turned off and 1 is turned on.
- Change the Start REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\wlidsvc** to a value of **4**.
### <a href="" id="bkmk-edge"></a>12. Microsoft Edge
@ -521,7 +529,7 @@ Alternatively, you can configure the Microsoft Group Policies using the followin
| Policy | Registry path |
| - | - |
| Configure Autofill | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main!Use FormSuggest <br/ > REG_SZ: **about:blank** |
| Configure Autofill | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main!Use FormSuggest <br/ > REG_SZ: **no** |
| Configure Do Not Track | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main!DoNotTrack<br/> REG_DWORD: 1 |
| Configure Password Manager | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main!FormSuggest Passwords<br /> REG_SZ: **no** |
| Configure search suggestions in Address bar | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\SearchScopes!ShowSearchSuggestionsGlobal <br /> REG_DWORD: 0|
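Review bot: the Autofill fix (REG_SZ "about:blank" to "no") is correct; "about:blank" was evidently pasted from the home page setting. Both the old and the new row carry the malformed "<br/ >" tag (space before the closing bracket); the other rows use "<br/>" or "<br />", so fix it while this row is being edited.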
@ -1004,7 +1012,15 @@ To turn off **Let apps use my microphone**:
- Set the **Select a setting** box to **Force Deny**.
-or-
-or-
- Apply the Privacy/LetAppsAccessMicrophone MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessmicrophone), where:
- **0**. User in control
- **1**. Force allow
- **2**. Force deny
-or-
- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessMicrophone**, with a value of 2 (two)
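Review bot: the registry path in the last bullet, "HKEY_LOCAL_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy", has no SOFTWARE component, while the Account info and Calendar sections below use "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\AppPrivacy" with no Policies component; they cannot both be right, and neither is the usual Group Policy location, SOFTWARE\Policies\Microsoft\Windows\AppPrivacy. Verify every AppPrivacy key in this file against the ADMX and use one path throughout. The "-or-" line also shows as changed with no visible text difference, which suggests a trailing-whitespace edit.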
@ -1026,6 +1042,14 @@ To turn off **Let apps access my notifications**:
- Set the **Select a setting** box to **Force Deny**.
-or-
- Apply the Privacy/LetAppsAccessNotifications MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessnotifications), where:
- **0**. User in control
- **1**. Force allow
- **2**. Force deny
-or-
- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessNotifications**, with a value of 2 (two)
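Review bot: same path question as in the Microphone section: "HKEY_LOCAL_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy" lacks the SOFTWARE component that the other AppPrivacy paths in this file carry; verify against the ADMX before this ships. The MDM bullet itself is consistent with the others (0 user in control, 1 force allow, 2 force deny).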
@ -1088,6 +1112,14 @@ To turn off **Let apps access my name, picture, and other account info**:
-or-
- Apply the Privacy/LetAppsAccessAccountInfo MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessaccountinfo), where:
- **0**. User in control
- **1**. Force allow
- **2**. Force deny
-or-
- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessContacts**, with a value of 2 (two).
To turn off **Choose the apps that can access your account info**:
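Review bot: the registry bullet in the Account info section names the wrong value, "AppPrivacy!LetAppsAccessContacts", while the MDM bullet right above it is Privacy/LetAppsAccessAccountInfo; the value should be LetAppsAccessAccountInfo, otherwise an admin following this section locks down contacts instead of account info. The path here also uses SOFTWARE\\Microsoft\\Windows\\AppPrivacy, which differs from the SOFTWARE-less Policies\\... path used in the Microphone section; settle on one verified path for the whole file.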
@ -1108,6 +1140,14 @@ To turn off **Choose apps that can access contacts**:
- Set the **Select a setting** box to **Force Deny**.
-or-
- Apply the Privacy/LetAppsAccessContacts MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccesscontacts), where:
- **0**. User in control
- **1**. Force allow
- **2**. Force deny
### <a href="" id="bkmk-priv-calendar"></a>17.9 Calendar
In the **Calendar** area, you can choose which apps have access to an employee's calendar.
@ -1124,6 +1164,14 @@ To turn off **Let apps access my calendar**:
-or-
- Apply the Privacy/LetAppsAccessCalendar MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccesscalendar), where:
- **0**. User in control
- **1**. Force allow
- **2**. Force deny
-or-
- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessCalendar**, with a value of 2 (two).
To turn off **Choose apps that can access calendar**:
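Review bot: the Calendar registry path "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\AppPrivacy" has no Policies component, whereas the Microphone, Call history and Email sections use "HKEY_LOCAL_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy" with no SOFTWARE component. Unify all AppPrivacy bullets to one path verified against the ADMX.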
@ -1144,7 +1192,15 @@ To turn off **Let apps access my call history**:
- Set the **Select a setting** box to **Force Deny**.
-or-
-or-
- Apply the Privacy/LetAppsAccessCallHistory MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccesscallhistory), where:
- **0**. User in control
- **1**. Force allow
- **2**. Force deny
-or-
- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessCallHistory**, with a value of 2 (two).
@ -1162,7 +1218,15 @@ To turn off **Let apps access and send email**:
- Set the **Select a setting** box to **Force Deny**.
-or-
-or-
- Apply the Privacy/LetAppsAccessEmail MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessemail), where:
- **0**. User in control
- **1**. Force allow
- **2**. Force deny
-or-
- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessEmail**, with a value of 2 (two).
@ -1182,6 +1246,14 @@ To turn off **Let apps read or send messages (text or MMS)**:
-or-
- Apply the Privacy/LetAppsAccess<Messaging MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessmessaging), where:
- **0**. User in control
- **1**. Force allow
- **2**. Force deny
-or-
- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessMessaging**, with a value of 2 (two).
To turn off **Choose apps that can read or send messages**:
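Review bot: the policy name in the new MDM bullet is broken: "Privacy/LetAppsAccess<Messaging" has a stray "<" and should read Privacy/LetAppsAccessMessaging, matching the link anchor in the same line and the LetAppsAccessMessaging registry value below it.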
@ -1204,6 +1276,14 @@ To turn off **Let apps control radios**:
-or-
- Apply the Privacy/LetAppsAccessRadios MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessradios), where:
- **0**. User in control
- **1**. Force allow
- **2**. Force deny
-or-
- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessRadios**, with a value of 2 (two).
@ -1225,6 +1305,14 @@ To turn off **Let apps automatically share and sync info with wireless devices t
-or-
- Apply the Privacy/LetAppsSyncWithDevices MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappssyncwithdevices), where:
- **0**. User in control
- **1**. Force allow
- **2**. Force deny
-or-
- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsSyncWithDevices**, with a value of 2 (two).
To turn off **Let your apps use your trusted devices (hardware you've already connected, or comes with your PC, tablet, or phone)**:
@ -1336,6 +1424,15 @@ To turn off **Let apps run in the background**:
- Set the **Select a setting** box to **Force Deny**.
-or-
- Apply the Privacy/LetAppsRunInBackground MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessruninbackground), where:
- **0**. User in control
- **1**. Force allow
- **2**. Force deny
### <a href="" id="bkmk-priv-motion"></a>17.17 Motion
In the **Motion** area, you can choose which apps have access to your motion data.
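Review bot: the link anchor "#privacy-letappsaccessruninbackground" does not match the policy named in the same bullet, Privacy/LetAppsRunInBackground; every other bullet derives the anchor from the policy name, so this one presumably should be "#privacy-letappsruninbackground". Unlike the other privacy sections, this one adds no registry alternative after the MDM bullet; add it if one exists, otherwise the empty registry cell for 17.16 in the summary table is the reader's only hint that none is documented.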
@ -1350,6 +1447,14 @@ To turn off **Let Windows and your apps use your motion data and collect motion
-or-
- Apply the Privacy/LetAppsAccessMotion MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessmotion), where:
- **0**. User in control
- **1**. Force allow
- **2**. Force deny
-or-
- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessMotion**, with a value of 2 (two).
### <a href="" id="bkmk-priv-tasks"></a>17.18 Tasks
@ -1366,6 +1471,14 @@ To turn this off:
- Set the **Select a setting** box to **Force Deny**.
-or-
- Apply the Privacy/LetAppsAccessTasks MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccesstasks), where:
- **0**. User in control
- **1**. Force allow
- **2**. Force deny
### <a href="" id="bkmk-priv-diag"></a>17.19 App Diagnostics
In the **App diagnostics** area, you can choose which apps have access to your diagnostic information.
@ -1378,6 +1491,15 @@ To turn this off:
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access dignostic information about other apps**
-or-
- Apply the Privacy/LetAppsGetDiagnosticInfo MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsgetdiagnosticinfo), where:
- **0**. User in control
- **1**. Force allow
- **2**. Force deny
### <a href="" id="bkmk-spp"></a>18. Software Protection Platform
Enterprise customers can manage their Windows activation status with volume licensing using an on-premise Key Management Server. You can opt out of sending KMS client activation data to Microsoft automatically by doing one of the following:
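Review bot: the unchanged Group Policy line above the new App Diagnostics bullet reads "Let Windows apps access dignostic information about other apps" (typo for "diagnostic"); fix it in the same commit, since the policy name is what admins will search for in the editor.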
@ -1563,7 +1685,7 @@ If you're running Windows 10, version 1607 or later, you only need to enable the
-or-
- Create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent!DisableWindowsSpotlightFeatures**, with a value of 1 (one).
- Create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent!DisableWindowsSpotlightFeatures**, with a value of 1 (one).
If you're not running Windows 10, version 1607 or later, you can use the other options in this section.
@ -1591,7 +1713,7 @@ If you're not running Windows 10, version 1607 or later, you can use the other o
> This will only take effect if the policy is applied before the first logon. If you cannot apply the **Force a specific default lock screen image** policy before the first logon to the device, you can apply this policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Do not display the lock screen**. Alternatively, you can create a new REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization!LockScreenImage**, with a value of **C:\\windows\\web\\screen\\lockscreen.jpg** and create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization!LockScreenOverlaysDisabled**, with a value of 1 (one).
- **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not show Windows tips**.
- **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not show Windows tips**.
-or-
@ -1599,9 +1721,9 @@ If you're not running Windows 10, version 1607 or later, you can use the other o
- **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off Microsoft consumer experiences**.
-or-
-or-
- Create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent!DisableWindowsConsumerFeatures**, with a value of 1 (one).
- Create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent!DisableWindowsConsumerFeatures**, with a value of 1 (one).
For more info, see [Windows Spotlight on the lock screen](windows-spotlight.md).
@ -71,7 +71,7 @@ The following table describes settings that you can configure using the wizards
<table><tr><td align="left">**Step**</td><td align="left">**Description**</td><td>**Desktop</br>wizard**</td><td align="center">**Mobile</br>wizard**</td><td>**Kiosk</br>wizard**</td></tr>
<tr><td valign="top">Set up device</td><td valign="top">Assign device name,</br>enter product key to upgrade Windows,</br>configure shared used,</br>remove pre-installed software</td><td align="center" valign="top"></td><td align="center" valign="top"></br>(Only device name and upgrade key)</td><td align="center" valign="top"></td></tr>
<tr><td valign="top">Set up network</td><td valign="top">Connect to a Wi-Fit network</td><td align="center" valign="top"></td><td align="center" valign="top"></td><td align="center" valign="top"></td></tr>
<tr><td valign="top">Set up network</td><td valign="top">Connect to a Wi-Fi network</td><td align="center" valign="top"></td><td align="center" valign="top"></td><td align="center" valign="top"></td></tr>
<tr><td valign="top">Account management</td><td valign="top">Enroll device in Active Directory,</br>enroll device in Azure Active Directory,</br>or create a local administrator account</td><td align="center" valign="top"></td><td align="center" valign="top"></td><td align="center" valign="top"></td></tr>
<tr><td valign="top">Bulk Enrollment in Azure AD</td><td valign="top">Enroll device in Azure Active Directory</br></br>Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup).</td><td align="center" valign="top"></td><td align="center" valign="top"></td><td align="center" valign="top"></td></tr>
<tr><td valign="top">Add applications</td><td valign="top">Install applications using the provisioning package.</td><td align="center" valign="top"></td><td align="center" valign="top"></td><td align="center" valign="top"></td></tr>
@ -90,12 +90,6 @@ Starting with version 1703, when configuring pause through policy, a start date
In cases where the pause policy is first applied after the configured start date has passed, administrators will be able to extend the pause period up to a total of 35 days by configuring a later start date.
With version 1703, pausing through the settings app will provide a more consistent experience:
- Any active restart notification are cleared or closed
- Any pending restarts are canceled
- Any pending update installations are canceled
- Any update installation running when pause is activated will attempt to rollback
>[!IMPORTANT]
>This policy does not apply to Windows 10 Mobile Enterprise.
>
@ -123,6 +117,12 @@ The local group policy editor (GPEdit.msc) will not reflect if your Feature Upda
>[!NOTE]
>If not configured by policy, users can pause feature updates, by going to **Settings > Update & security > Windows Update > Advanced options**.
With version 1703, pausing through the settings app will provide a more consistent experience:
- Any active restart notification are cleared or closed
- Any pending restarts are canceled
- Any pending update installations are canceled
- Any update installation running when pause is activated will attempt to rollback
## Configure when devices receive Quality Updates
Quality Updates are typically published the first Tuesday of every month, though can be released at any time by Microsoft. You can define if, and for how long, you would like to defer receiving Quality Updates following their availability. You can defer receiving these Quality Updates for a period of up to 35 days from their release by setting the **DeferQualityUpdatesPeriodinDays** value.
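Review bot: the list moved here from above the IMPORTANT note keeps two grammar slips from its old location: "Any active restart notification are cleared" needs "notifications", and "attempt to rollback" needs "roll back" (the verb). The same list is also re-added under Quality Updates further down, so either fix both copies or keep one and cross-reference it.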
@ -152,12 +152,6 @@ Starting with version 1703, when configuring pause through policy, a start date
In cases where the pause policy is first applied after the configured start date has passed, administrators will be able to extend the pause period up to a total of 35 days by configuring a later start date.
With version 1703, pause will provide a more consistent experience:
- Any active restart notification are cleared or closed
- Any pending restarts are canceled
- Any pending update installations are canceled
- Any update installation running when pause is activated will attempt to rollback
>[!IMPORTANT]
>This policy pauses both Feature and Quality Updates on Windows 10 Mobile Enterprise.
@ -183,6 +177,12 @@ The local group policy editor (GPEdit.msc) will not reflect if your Quality Upda
>[!NOTE]
>If not configured by policy, users can pause quality updates, by going to **Settings > Update & security > Windows Update > Advanced options**.
With version 1703, pausing through the settings app will provide a more consistent experience:
- Any active restart notification are cleared or closed
- Any pending restarts are canceled
- Any pending update installations are canceled
- Any update installation running when pause is activated will attempt to rollback
## Exclude drivers from Quality Updates
In Windows 10, starting with version 1607, you can selectively option out of receiving driver update packages as part of your normal quality update cycle. This policy will not pertain to updates to inbox drivers (which will be packaged within a security or critical update) or to Feature Updates, where drivers may be dynamically installed to ensure the Feature Update process can complete.
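Review bot: the list re-added here carries the same two slips as the Feature Updates copy ("notification are", "rollback"). The removed Quality Updates text read "pause will provide" while this copy says "pausing through the settings app will provide", so the behaviours listed are now scoped to the settings app only; confirm that is intended and that a policy-driven pause does not also clear notifications and cancel pending installs, since the old wording made no such distinction. The unchanged intro line just below also has "selectively option out" (should be "opt out").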
@ -225,7 +225,7 @@ Below are quick-reference tables of the supported Windows Update for Business po
## Update devices to newer versions
Due to the changes in the Windows Update for Business feature set, Windows 10, version 1607, uses different GPO and MDM keys than those available in version 1511. Windows 10, version 1703, is also using a few new GPO and MDM keys than those available in version 1607. However,Windows Update for Business clients running version older versions will still see their policies honored after they update to a newer version; the old policy keys will continue to exist with their values ported forward during the update. Following the update to a newer version, it should be noted that only the old keys will be populated and not the new version keys, until the newer keys are explicitly defined on the device by the administrator.
Due to the changes in the Windows Update for Business feature set, Windows 10, version 1607, uses different GPO and MDM keys than those available in version 1511. Windows 10, version 1703, also uses a few GPO and MDM keys that are different to what's available in version 1607. However, Windows Update for Business clients running version older versions will still see their policies honored after they update to a newer version; the old policy keys will continue to exist with their values ported forward during the update. Following the update to a newer version, it should be noted that only the old keys will be populated and not the new version keys, until the newer keys are explicitly defined on the device by the administrator.
### How older version policies are respected on newer versions
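Review bot: the rewritten paragraph still carries the leftover "Windows Update for Business clients running version older versions"; drop the stray "version" so it reads "clients running older versions will still see their policies honored". In the same sentence, "keys that are different to what's available in version 1607" should be "different from what's available in version 1607".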
@ -36,54 +36,39 @@ Windows Update for Business is a free service that is available for Windows Pro,
Windows Update for Business provides three types of updates to Windows 10 devices:
- **Feature Updates**: previously referred to as *upgrades*, Feature Updates contain not only security and quality revisions, but also significant feature additions and changes; they are released at a slower cadence, every 4 to 8 months.
- **Feature Updates**: previously referred to as *upgrades*, Feature Updates contain not only security and quality revisions, but also significant feature additions and changes; they are released semi-anually.
- **Quality Updates**: these are traditional operating system updates, typically released the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates. Windows Update for Business also treats non-Windows updates (such as those for Microsoft Office or Visual Studio) as Quality Updates. These non-Windows Updates are known as *Microsoft Updates* and devices can be optionally configured to receive such updates along with their Windows Updates.
- **Non-deferrable updates**: Currently, antimalware and antispyware Definition Updates from Windows Update cannot be deferred.
Both Feature and Quality Updates can be deferred from deploying to client devices by a Windows Update for Business administrator within a bounded range of time from when those updates are first made available on the Windows Update Service. This deferral capability allows administrators to validate deployments as they are pushed to all client devices configured for Windows Update for Business.
<table>
<tr>
<th>Category</th>
<th>Maximum deferral</th>
<th>Deferral increments</th>
<th>Example</th>
<th>Classification GUID</th>
</tr>
<tr>
<td>Feature Updates</td>
<td>180 days</td>
<td>Days</td>
<td>From Windows 10, version 1511 to version 1607</td>
<td>3689BDC8-B205-4AF4-8D4A-A63924C5E9D5</td>
</tr>
<tr>
<td rowspan="4">Quality Updates</td>
<td rowspan="4">30 days</td>
<td rowspan="4">Days</td>
<td>Security updates</td>
<td>0FA1201D-4330-4FA8-8AE9-B877473B6441</td>
</tr>
<tr>
<td>Drivers (optional)</td>
<td>EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0</td>
</tr>
<tr>
<td>Non-security updates</td>
<td>CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83</td>
</tr><tr><td>Microsoft updates (Office, Visual Studio, etc.)</td><td>varies</td></tr>
<tr>
<td>Non-deferrable</td>
<td>No deferral</td>
<td>No deferral</td>
<td>Definition updates</td>
<td>E0789628-CE08-4437-BE74-2495B842F43B</td>
</tr>
</table>
| Category | Maximum deferral | Deferral increments | Example | Classification GUID |
| --- | --- | --- | --- | --- |
| Feature Updates | 365 days | Days | From Windows 10, version 1511 to version 1607 maximum was 180 days</br>In Windows 10, version 1703 maximum is 365 | 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5 |
| Quality Updates | 30 days | Days | Security updates</br>Drivers (optional)</br>Non-security updates</br>Microsoft updates (Office,Visual Studio, etc.) | 0FA1201D-4330-4FA8-8AE9-B877473B6441</br>EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0</br>CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83</br>varies |
| Non-deferrable | No deferral | No deferral | Definition updates | E0789628-CE08-4437-BE74-2495B842F43B |
>[!NOTE]
>For information about classification GUIDs, see [WSUS Classification GUIDs](https://msdn.microsoft.com/en-us/library/ff357803.aspx).
## Changes to Windows Update for Business in Windows 10, version 1703
### Options added to Settings
We have added a few controls into settings to allow users to control Windows Update for Business through an interface.
- [Configuring the device's branch readiness level](waas-configure-wufb.md#configure-devices-for-current-branch-or-current-branch-for-business), through **Settings > Update & security > Windows Update > Advanced options**
- [Pausing feature updates](waas-configure-wufb.md#pause-feature-updates), through **Settings > Update & security > Window Update > Advanced options**
### Adjusted time periods
We have adjusted the maximum pause period for both quality and feature updates to be 35 days, as opposed to 30 and 60 days previously, respectively.
We have also adjusted the maximum feature update deferral period to be 365 days, as opposed to 180 days previously.
### Additional changes
The pause period is now calculated starting from the set start date. For additional details, see [Pause Feature Updates](waas-configure-wufb.md#pause-feature-updates) and [Pause Quality Updates](waas-configure-wufb.md#pause-quality-updates). Due to that, some policy keys are now named differently. For more information, see [Comparing the version 1607 keys to the version 1703 keys](waas-configure-wufb.md#comparing-the-version-1607-keys-to-the-version-1703-keys).
## Comparing Windows Update for Business in Windows 10, version 1511 and version 1607
Windows Update for Business was first made available in Windows 10, version 1511. In Windows 10, version 1607 (also known as the Anniversary Update), there are several new or changed capabilities provided as well as updated behavior.
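Review bot: "they are released semi-anually" in the rewritten Feature Updates bullet is misspelled ("semi-annually"). In the markdown table that replaces the HTML one, `</br>` is not a line-break tag (use `<br>` or `<br />`, as the old HTML table did), and the Feature Updates example cell ends "In Windows 10, version 1703 maximum is 365" without the unit that the 180-day figure next to it carries ("365 days"). Two smaller points in the same hunk: the "Pausing feature updates" bullet says "Window Update" for "Windows Update", and the "Adjusted time periods" section states the same 365-day maximum as the table, so keep the two in step if either is revised again.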
@ -25,7 +25,7 @@ The Windows 10 operating system introduces a new way to build, deploy, and servi
## Building
Prior to Windows 10, Microsoft released new versions of Windows every few years. This traditional deployment schedule imposed a training burden on users because the feature revisions were often significant. That schedule also meant waiting long periods without new features — a scenario that doesn’t work in today’s rapidly changing world, a world in which new security, management, and deployment capabilities are necessary to address challenges. Windows as a service will deliver smaller feature updates two to three times per year to help address these issues.
Prior to Windows 10, Microsoft released new versions of Windows every few years. This traditional deployment schedule imposed a training burden on users because the feature revisions were often significant. That schedule also meant waiting long periods without new features — a scenario that doesn’t work in today’s rapidly changing world, a world in which new security, management, and deployment capabilities are necessary to address challenges. Windows as a service will deliver smaller feature updates two times per year, around March and September, to help address these issues.
In the past, when Microsoft developed new versions of Windows, it typically released technical previews near the end of the process, when Windows was nearly ready to ship. With Windows 10, new features will be delivered to the [Windows Insider community](https://insider.windows.com/) as soon as possible — during the development cycle, through a process called *flighting* — so that organizations can see exactly what Microsoft is developing and start their testing as soon as possible.
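Review bot: the new sentence says "two times per year, around March and September" while the Servicing hunk of this same file now says "twice per year"; use one phrasing ("twice per year, around March and September") so the Building and Servicing paragraphs agree.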
@ -53,7 +53,7 @@ Device compatibility in Windows 10 is also very strong; new hardware is not need
## Servicing
Traditional Windows servicing has included several release types: major revisions (e.g., the Windows 8.1, Windows 8, and Windows 7 operating systems), service packs, and monthly updates. With Windows 10, there are two release types: feature updates that add new functionality two to three times per year, and quality updates that provide security and reliability fixes at least once a month.
Traditional Windows servicing has included several release types: major revisions (e.g., the Windows 8.1, Windows 8, and Windows 7 operating systems), service packs, and monthly updates. With Windows 10, there are two release types: feature updates that add new functionality twice per year, and quality updates that provide security and reliability fixes at least once a month.
With Windows 10, organizations will need to change the way they approach deploying updates. Servicing branches are the first way to separate users into deployment groups for feature and quality updates. With the introduction of servicing branches comes the concept of a [deployment ring](waas-deployment-rings-windows-10-updates.md), which is simply a way to categorize the combination of a deployment group and a servicing branch to group devices for successive waves of deployment. For more information about developing a deployment strategy that leverages servicing branches and deployment rings, see [Plan servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md).
@ -64,7 +64,10 @@ To align with this new update delivery model, Windows 10 has three servicing bra
### Feature updates
With Windows 10, Microsoft will package new features into feature updates that can be deployed using existing management tools. Because feature updates are delivered more frequently than with previous Windows releases — two to three times per year rather than every 3–5 years — changes will be in bite-sized chunks rather than all at once and end user readiness time much shorter.
With Windows 10, Microsoft will package new features into feature updates that can be deployed using existing management tools. Because feature updates are delivered more frequently than with previous Windows releases — twice per year, around March and September, rather than every 3–5 years — changes will be in bite-sized chunks rather than all at once and end user readiness time much shorter.
>[!TIP]
> The feature update cadence has been aligned with Office 365 ProPlus updates. Starting with this falls' update, both Windows and Office will deliver their major updates semi-annually, around March and September. See [upcoming changes to Office 365 ProPlus update management](https://support.office.com/article/Overview-of-the-upcoming-changes-to-Office-365-ProPlus-update-management-78b33779-9356-4cdf-9d2c-08350ef05cca) for more information about changes to Office update management.
### Quality updates
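Review bot: in the added TIP, "Starting with this falls' update" should be "this fall's update", and a season-relative phrase goes stale in a page that stays published; name the release explicitly (version number or month and year) instead of "this fall's". The rest of the TIP repeats the "around March and September" cadence already stated in the paragraph above it, so one of the two can be shortened.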
@ -97,7 +100,7 @@ When Microsoft officially releases a feature update for Windows 10, that update
### Current Branch for Business
Organizations typically prefer to have a testing cycle before broadly deploying new features to business users. For Windows 10, most pilot testing will be done using the CB servicing branch. In contrast, the CBB servicing branch is typically used for broad deployment. Windows 10 clients in the CBB servicing branch receive the same build of Windows 10 as those in the CB servicing branch, just at a later time. CB releases are transitioned to CBB after about 4 months, indicating that Microsoft, independent software vendors (ISVs), partners, and customers believe that the release is ready for broad deployment. Therefore, CB and CBB have an inherent “staging” effect. Both of these branches have a purpose in the overall deployment process for an enterprise, providing another layer of testing capabilities in addition to the traditional phased deployment methods to specific groups of machines. Microsoft will support two CBB builds at a time, plus a 60 day grace period. Each feature update release will be supported and updated for a minimum of 18 months.
Organizations typically prefer to have a testing cycle before broadly deploying new features to business users. For Windows 10, most pilot testing will be done using the CB servicing branch. In contrast, the CBB servicing branch is typically used for broad deployment. Windows 10 clients in the CBB servicing branch receive the same build of Windows 10 as those in the CB servicing branch, just at a later time. CB releases are transitioned to CBB after about 4 months, indicating that Microsoft, independent software vendors (ISVs), partners, and customers believe that the release is ready for broad deployment. Therefore, CB and CBB have an inherent “staging” effect. Both of these branches have a purpose in the overall deployment process for an enterprise, providing another layer of testing capabilities in addition to the traditional phased deployment methods to specific groups of machines. Each feature update release will be supported and updated for 18 months from the time of its release.
>[!NOTE]
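
Review bot: the replacement sentence drops "Microsoft will support two CBB builds at a time, plus a 60 day grace period" in favor of a flat "18 months from the time of its release". That matches the "serviced with quality updates for 18 months" wording in the waas-quick-start hunk of this commit, but the paragraph still says "CB releases are transitioned to CBB after about 4 months", so the reader no longer learns how consecutive CBB releases overlap; state explicitly that the 18 months is counted from the CB release date, not from the CBB transition.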
@ -126,7 +129,7 @@ LTSB is available only in the Windows 10 Enterprise LTSB edition. This build of
For many IT pros, gaining visibility into feature updates early—before they’re available to the CB servicing branch—can be both intriguing and valuable for future end user communications as well as provide additional prestaging for CB machines. With Windows 10, feature flighting enables Windows Insiders to consume and deploy preproduction code to their test machines, gaining early visibility into the next build. Testing the early builds of Windows 10 helps both Microsoft and its customers because they have the opportunity to discover possible issues before the update is ever publicly available and can report it to Microsoft. Also, as flighted builds get closer to their release to CB, organizations can test their deployment on test devices for compatibility validation.
Microsoft recommends that all organizations have at least a few PCs enrolled in the Windows Insider Program and provide feedback on any issues they encounter. For information about how to sign up for the Windows Insider Program and enroll test devices, go to [https://insider.windows.com](https://insider.windows.com).
Microsoft recommends that all organizations have at least a few PCs enrolled in the Windows Insider Program and provide feedback on any issues they encounter. For information about the Windows Insider Program for Business, go to [Windows Insider Program for Business](waas-windows-insider-for-business.md).
>[!NOTE]
>Microsoft recommends that all organizations have at least a few PCs enrolled in the Windows Insider Program, to include the Windows Insider Program in their deployment plans and to provide feedback on any issues they encounter to Microsoft via our Feedback Hub app.
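
Review bot: the rewritten paragraph and the NOTE right below it both open with "Microsoft recommends that all organizations have at least a few PCs enrolled in the Windows Insider Program"; fold the NOTE's two extra points (include the program in deployment plans, report issues through the Feedback Hub app) into the paragraph, or trim the NOTE to just those points, so the recommendation is stated once.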
@ -36,7 +36,7 @@ Windows 10 gains new functionality with twice-per-year feature update releases.
Each Windows 10 feature update will be serviced with quality updates for 18 months from the date of the feature update release.
Windows 10 Enterprise LTSB is a separate **Long Term Servicing Branch (LTSB)** version. Each release is supported for a total of 10 years (five years standard support, five years extended support). New releases are expected about every three years.
Windows 10 Enterprise LTSB is a separate **Long Term Servicing Channel** version. Each release is supported for a total of 10 years (five years standard support, five years extended support). New releases are expected about every three years.
See [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) for more information.
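Review bot: the sentence now reads "Windows 10 Enterprise LTSB is a separate **Long Term Servicing Channel** version", so the LTSB abbreviation no longer expands to the bolded name, and the link text right below ("Assign devices to servicing branches") plus every other file touched in this commit still use "branch" (CB, CBB, "servicing branches"); either keep "Long Term Servicing Branch (LTSB)" here or apply the Channel naming consistently across the touched files rather than in one sentence.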
@ -30,6 +30,7 @@ The User State Migration Tool (USMT) 10.0 does not have any explicit RAM or CPU
The following table lists the operating systems supported in USMT.
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
@ -83,7 +84,8 @@ You can migrate a 32-bit operating system to a 64-bit operating system. However,
USMT does not support any of the Windows Server® operating systems, Windows 2000, Windows XP, or any of the starter editions for Windows Vista or Windows 7.
USMT for Windows 10 should not be used for migrating from Windows 7 to Windows 8.1. It is meant to migrate to Windows 10.
For more information about previous releases of the USMT tools, see [User State Migration Tool (USMT) 4.0 User’s Guide](https://go.microsoft.com/fwlink/p/?LinkId=246564).
## Windows PE
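Review bot: the added sentence "USMT for Windows 10 should not be used for migrating from Windows 7 to Windows 8.1. It is meant to migrate to Windows 10." runs straight into the "For more information about previous releases of the USMT tools" line with no blank line between them, so Markdown renders both as one paragraph; add the blank line. The restriction also reads better as a support statement ("USMT 10.0 is supported only for migrations to Windows 10"), which then leads naturally into the link to the USMT 4.0 guide for older targets.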
@ -106,7 +106,7 @@ Typically, deployment of Device Guard happens best in phases, rather than being
## Device Guard deployment in virtual machines
Device Guard can protect a Hyper-V virtual machine, just as it would a physical machine. The enablement steps are the same from within the virtual machine.
Device Guard can protect a Hyper-V virtual machine, just as it would a physical machine. The steps to enable Device Guard are the same from within the virtual machine.
Device Guard protects against malware running in the guest virtual machine. It does not provide additional protection from the host administrator. From the host, you can disable Device Guard for a virtual machine:
@ -116,6 +116,10 @@ Device Guard protects against malware running in the guest virtual machine. It d
### Requirements for running Device Guard in Hyper-V virtual machines
- The Hyper-V host must run at least Windows Server 2016 or Windows 10 version 1607.
- The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10.
- Device Guard and [nested virtualization](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) cannot be enabled at the same time.
- Virtual Fibre Channel adapters are not compatible with Device Guard. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using Set-VMSecurity.
- The AllowFullSCSICommandSet option for pass-through disks is not compatible with Device Guard. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using Set-VMSecurity.
## Reviewing your applications: application signing and catalog files
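Review bot: the two added bullets on virtual Fibre Channel adapters and AllowFullSCSICommandSet mention `Set-VMSecurity` as plain text without the parameter the reader needs; format the cmdlet as code and name the opt-out parameter (the cmdlet's `-VirtualizationBasedSecurityOptOut` Boolean, i.e. `Set-VMSecurity -VMName <name> -VirtualizationBasedSecurityOptOut $true`), and link the cmdlet reference the way the nested-virtualization bullet links its doc. Both bullets repeat the same "you must first opt out of virtualization-based security" sentence; one bullet listing both incompatible options would read tighter. Worth making explicit in both that opting out removes the virtualization-based security that Device Guard depends on for that VM, so the trade-off is visible where the instruction is given.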
@ -74,7 +74,7 @@ The TPM Group Policy settings in the following list are located at:
This policy setting allows you to manage the maximum number of authorization failures for the TPM for all standard users. If the total number of authorization failures for all users equals the duration that is set for the policy, all users are prevented from sending commands to the TPM that require authorization.
For information about mitigating dictionary attacks that use the lockout settings, see [TPM fundamentals](tpm-fundamentals.md#how-the-tpm-mitigates-dictionary-attacks).
For information about mitigating dictionary attacks that use the lockout settings, see [TPM fundamentals](tpm-fundamentals.md#anti-hammering).
## Use the TPM cmdlets
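Review bot: the link now targets `tpm-fundamentals.md#anti-hammering`, which matches the heading renamed in this commit's tpm-fundamentals hunk, so the cross-reference stays valid. The context sentence above it, "If the total number of authorization failures for all users equals the duration that is set for the policy", describes a count threshold, not a duration; "equals the value set for the policy" would be accurate and is worth fixing while this paragraph is being touched.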
@ -47,7 +47,7 @@ The following sections provide an overview of the technologies that support the
- [TPM Key Attestation](#key-attestation)
- [How the TPM mitigates dictionary attacks](#how-the-tpm-mitigates-dictionary-attacks)
- [Anti-hammering](#anti-hammering)
The following topic describes the TPM Services that can be controlled centrally by using Group Policy settings:
[TPM Group Policy Settings](trusted-platform-module-services-group-policy-settings.md).
@ -85,17 +85,17 @@ For a TPM to be usable by a trusted application, it must contain an endorsement
TPM key attestation allows a certification authority to verify that a private key is actually protected by a TPM and that the TPM is one that the certification authority trusts. Endorsement keys which have been proven valid can be used to bind the user identity to a device. Moreover, the user certificate with a TPM attested key provides higher security assurance backed up by the non-exportability, anti-hammering, and isolation of keys provided by a TPM.
## How the TPM mitigates dictionary attacks
## Anti-hammering
When a TPM processes a command, it does so in a protected environment, for example, a dedicated microcontroller on a discrete chip or a special hardware-protected mode on the main CPU. A TPM can be used to create a cryptographic key that is not disclosed outside the TPM, but is able to be used in the TPM after the correct authorization value is provided.
TPMs have dictionary attack logic that is designed to prevent brute force attacks that attempt to determine authorization values for using a key. The basic approach is for the TPM to allow only a limited number of authorization failures before it prevents more attempts to use keys and locks. Providing a failure count for individual keys is not technically practical, so TPMs have a global lockout when too many authorization failures occur.
TPMs have anti-hammering protection that is designed to prevent brute force attacks, or more complex dictionary attacks, that attempt to determine authorization values for using a key. The basic approach is for the TPM to allow only a limited number of authorization failures before it prevents more attempts to use keys and locks. Providing a failure count for individual keys is not technically practical, so TPMs have a global lockout when too many authorization failures occur.
Because many entities can use the TPM, a single authorization success cannot reset the TPM’s dictionary attack logic. This prevents an attacker from creating a key with a known authorization value and then using it to reset the TPM’s dictionary attack logic. Generally TPMs are designed to forget about authorization failures after a period of time so the TPM does not enter a lockout state unnecessarily. A TPM owner password can be used to reset the TPM’s lockout logic.
Because many entities can use the TPM, a single authorization success cannot reset the TPM’s anti-hammering protection. This prevents an attacker from creating a key with a known authorization value and then using it to reset the TPM’s protection. Generally, TPMs are designed to forget about authorization failures after a period of time so the TPM does not enter a lockout state unnecessarily. A TPM owner password can be used to reset the TPM’s lockout logic.
### TPM 2.0 dictionary attack behavior
### TPM 2.0 anti-hammering
TPM 2.0 has well defined dictionary attack logic behavior. This is in contrast to TPM 1.2 for which the dictionary attack logic was set by the manufacturer, and the logic varied widely throughout the industry.
TPM 2.0 has well defined anti-hammering behavior. This is in contrast to TPM 1.2 for which the anti-hammering protection was implemented by the manufacturer, and the logic varied widely throughout the industry.
> [!WARNING]
> For the purposes of this topic, Windows 8 Certified Hardware also pertains to Windows 8.1 systems. The following references to “Windows” include these supported Windows versions.
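
Review bot: "before it prevents more attempts to use keys and locks", carried over unchanged into the rewritten anti-hammering paragraph, is ambiguous ("locks" reads as a second noun); "before it locks out further attempts to use keys" is what the rest of the section describes. Two wording points in the same hunk: hyphenate "well-defined" in "TPM 2.0 has well defined anti-hammering behavior", and the rewritten sentence "prevent brute force attacks, or more complex dictionary attacks" inverts the usual relationship (a dictionary attack is the cheaper, targeted form of guessing, brute force the exhaustive one), so "prevent dictionary attacks and brute force attacks" states it without ranking them.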
@ -106,7 +106,7 @@ Attempts to use a key with an authorization value for the next two hours would n
Windows 8 Certification does not require TPM 2.0 systems to forget about authorization failures when the system is fully powered off or when the system has hibernated. Windows does require that authorization failures are forgotten when the system is running normally, in a sleep mode, or in low power states other than off. If a Windows system with TPM 2.0 is locked, the TPM leaves lockout mode if the system is left on for two hours.
The dictionary attack logic for TPM 2.0 can be fully reset immediately by sending a reset lockout command to the TPM and providing the TPM owner password. By default, Windows automatically provisions TPM 2.0 and stores the TPM owner password for use by system administrators.
The anti-hammering protection for TPM 2.0 can be fully reset immediately by sending a reset lockout command to the TPM and providing the TPM owner password. By default, Windows automatically provisions TPM 2.0 and stores the TPM owner password for use by system administrators.
In some enterprise situations, the TPM owner authorization value is configured to be stored centrally in Active Directory, and it is not stored on the local system. An administrator can launch the TPM MMC and choose to reset the TPM lockout time. If the TPM owner password is stored locally, it is used to reset the lockout time. If the TPM owner password is not available on the local system, the administrator needs to provide it. If an administrator attempts to reset the TPM lockout state with the wrong TPM owner password, the TPM does not allow another attempt to reset the lockout state for 24 hours.
@ -114,12 +114,12 @@ TPM 2.0 allows some keys to be created without an authorization value associate
### Rationale behind the Windows 8.1 and Windows 8 defaults
Windows relies on the TPM 2.0 dictionary attack protection for multiple features. The defaults that are selected for Windows 8 balance trade-offs for different scenarios.
Windows relies on the TPM 2.0 anti-hammering protection for multiple features. The defaults that are selected for Windows 8 balance trade-offs for different scenarios.
For example, when BitLocker is used with a TPM plus PIN configuration, it needs the number of PIN guesses to be limited over time. If the computer is lost, someone could make only 32 PIN guesses immediately, and then only one more guess every two hours. This totals about 4415 guesses per year. This makes a good standard for system administrators to determine how many PIN characters to use for BitLocker deployments.
The Windows TPM-based smart card, which is a virtual smart card, can be configured to allow sign in to the system. In contrast with physical smart cards, the sign-in process uses a TPM-based key with an authorization value. The following list shows the advantages of virtual smart cards:
- Physical smart cards can enforce lockout for only the physical smart card PIN, and they can reset the lockout after the correct PIN is entered. With a virtual smart card, the TPM’s dictionary attack is not reset after a successful authentication. The allowed number of authorization failures before the TPM enters lockout includes many factors.
- Physical smart cards can enforce lockout for only the physical smart card PIN, and they can reset the lockout after the correct PIN is entered. With a virtual smart card, the TPM’s anti-hammering protection is not reset after a successful authentication. The allowed number of authorization failures before the TPM enters lockout includes many factors.
- Hardware manufacturers and software developers have the option to use the security features of the TPM to meet their requirements.
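Review bot: in the rewritten virtual smart card bullet, "The allowed number of authorization failures before the TPM enters lockout includes many factors" should be "depends on many factors". The bullet's first sentence also contrasts physical smart cards, which reset lockout on a correct PIN, with the TPM, which does not reset on a successful authentication; since that is the security property the rename is about, a closing clause such as "so a correct guess cannot be used to clear the failure count" would make the advantage explicit rather than implied.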
@ -94,7 +94,7 @@
##### [Manage event-based forced updates](windows-defender-antivirus\manage-event-based-updates-windows-defender-antivirus.md)
##### [Manage updates for mobile devices and VMs](windows-defender-antivirus\manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
### [Configure Windows Defender Antivirus features](windows-defender-antivirus\configure-windows-defender-antivirus-features.md)
#### [Utilize Microsoft cloud-provided protection](windows-defender-antivirus\utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
#### [Utilize Microsoft cloud-delivered protection](windows-defender-antivirus\utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
##### [Enable cloud-delivered protection](windows-defender-antivirus\enable-cloud-protection-windows-defender-antivirus.md)
##### [Specify the cloud-delivered protection level](windows-defender-antivirus\specify-cloud-protection-level-windows-defender-antivirus.md)
##### [Configure and validate network connections](windows-defender-antivirus\configure-network-connections-windows-defender-antivirus.md)
@ -51,10 +51,10 @@ The following table lists the services and their associated URLs that your netwo
</tr>
<tr style="vertical-align:top">
<td>
Windows Defender Antivirus cloud-based protection service, also referred to as Microsoft Active Protection Service (MAPS)
Windows Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)
</td>
<td>
Used by Windows Defender Antivirus to provide cloud-based protection
Used by Windows Defender Antivirus to provide cloud-delivered protection
</td>
<td>
*.wdcp.microsoft.com*<br />
@ -41,7 +41,7 @@ author: iaanw
You can enable or disable Windows Defender Antivirus cloud-delivered protection with Group Policy, System Center Configuration Manager, PowerShell cmdlets, Microsoft Intune, or on individual clients in the Windows Defender Security Center app.
See [Utilize Microsoft cloud-delivered protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for an overview of Windows Defender Antivirus cloud-based protection.
See [Utilize Microsoft cloud-delivered protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for an overview of Windows Defender Antivirus cloud-delivered protection.
There are specific network-connectivity requirements to ensure your endpoints can connect to the cloud-delivered protection service. See [Configure and validate network connections for Windows Defender AV](configure-network-connections-windows-defender-antivirus.md) for more details.
@ -33,7 +33,7 @@ author: iaanw
Windows Defender AV uses both [cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloaded protection updates to provide protection. These protection updates are also known as "definitions" or "signature updates".
The cloud-based protection is “always-on” and requires an active connection to the Internet to function, while the protection updates generally occur once a day (although this can be configured).
The cloud-delivered protection is “always-on” and requires an active connection to the Internet to function, while the protection updates generally occur once a day (although this can be configured).
There are two components to managing protection updates - where the updates are downloaded from, and when updates are downloaded and applied.
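Review bot: the context line at the top of this hunk expands MAPS as "Microsoft Advanced Protection Service", while the configure-network-connections hunk in this same commit calls it "Microsoft Active Protection Service (MAPS)"; pick one expansion and use it in every touched file. The rewritten sentence's "always-on" in quotation marks also implies a product term the page never defines; plain "is always on" reads cleaner.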
@ -33,7 +33,7 @@ You can also apply [Windows security baselines](https://technet.microsoft.com/en
Windows Defender AV uses both [cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloaded protection updates to provide protection. These protection updates are also known as "definitions" or "signature updates".
The cloud-based protection is “always-on” and requires an active connection to the Internet to function, while the protection updates generally occur once a day (although this can be configured). See the [Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) topic for more details about enabling and configuring cloud-provided protection.
The cloud-delivered protection is “always-on” and requires an active connection to the Internet to function, while the protection updates generally occur once a day (although this can be configured). See the [Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) topic for more details about enabling and configuring cloud-provided protection.
## Product updates
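Review bot: the cloud-based to cloud-delivered rename in the second paragraph is incomplete: the same sentence still says "cloud-provided protection" twice, once in the link text "Utilize Microsoft cloud-provided protection in Windows Defender Antivirus" and once in "enabling and configuring cloud-provided protection". Align the running text with "cloud-delivered" and keep the linked topic's exact title only inside the link text.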
@ -49,5 +49,5 @@ Topic | Description
[Manage how protection updates are downloaded and applied](manage-protection-updates-windows-defender-antivirus.md) | Protection updates can be delivered through a number of sources.
[Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) | You can schedule when protection updates should be downloaded.
[Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md) | If an endpoint misses an update or scheduled scan, you can force an update or scan at the next log on.
[Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md) | You can set protection updates to be downloaded at startup or after certain cloud-based protection events.
[Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md) | You can set protection updates to be downloaded at startup or after certain cloud-delivered protection events.
[Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)| You can specify settings, such as whether updates should occur on battery power, that are especially useful for mobile devices and virtual machines.
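Review bot: the rename in the "Manage event-based forced updates" row ("cloud-based" to "cloud-delivered protection events") matches the other topics in this merge; while in this table, the "Manage updates for endpoints that are out of date" row uses "log on" as a noun in "at the next log on", which should be the single word "logon" (two words is the verb form).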
@ -33,7 +33,7 @@ Enabling cloud-delivered protection helps detect and block new malware - even if
Cloud-delivered protection is enabled by default, however you may need to re-enable it if it has been disabled as part of previous organizational policies.
The following table describes the differences in cloud-based protection between recent versions of Windows and System Center Configuration Manager.
The following table describes the differences in cloud-delivered protection between recent versions of Windows and System Center Configuration Manager.
Feature | Windows 8.1 (Group Policy) | Windows 10, version 1607 (Group Policy) | Windows 10, version 1703 (Group Policy) | Configuration manager 2012 | Configuration manager (current branch) | Microsoft Intune
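Review bot: the table header closing this hunk spells "Configuration manager 2012" and "Configuration manager (current branch)" with a lowercase m while the changed sentence two lines above writes "System Center Configuration Manager"; capitalize the product name consistently. Separately, "Cloud-delivered protection is enabled by default, however you may need to re-enable it …" joins two independent clauses with a comma before "however"; use a semicolon or split it into two sentences.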
@ -54,4 +54,4 @@ You can also [configure Windows Defender AV to automatically receive new protect
[Specify the cloud-delivered protection level](specify-cloud-protection-level-windows-defender-antivirus.md) | You can specify the level of protection offered by the cloud with Group Policy and System Center Configuration Manager. The protection level will affect the amount of information shared with the cloud and how aggressively new files are blocked.
[Configure and validate network connections for Windows Defender Antivirus](configure-network-connections-windows-defender-antivirus.md) | There are certain Microsoft URLs that your network and endpoints must be able to connect to for cloud-delivered protection to work effectively. This topic lists the URLs that should be allowed via firewall or network filtering rules, and instructions for confirming your network is properly enrolled in cloud-delivered protection.
[Configure the Block at First Sight feature](configure-block-at-first-sight-windows-defender-antivirus.md) | The Block at First Sight feature can block new malware within seconds, without having to wait hours for a traditional signature. You can enable and configure it with System Center Configuration Manager and Group Policy.
[Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md) | Windows Defender Antivirus can block suspicious files from running while it queries our cloud-based protection service. You can configure the amount of time the file will be prevented from running with System Center Configuration Manager and Group Policy.
[Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md) | Windows Defender Antivirus can block suspicious files from running while it queries our cloud-delivered protection service. You can configure the amount of time the file will be prevented from running with System Center Configuration Manager and Group Policy.
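Review bot: the changed "Configure the cloud block timeout period" row keeps "while it queries our cloud-delivered protection service"; the first-person "our" is out of register for a table that otherwise says "the cloud" and "the Block at First Sight feature", so "the cloud-delivered protection service" reads better. The cloud-based to cloud-delivered rename itself is consistent with the rest of the merge.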
@ -29,6 +29,15 @@ There are some minimum requirements for onboarding your network and endpoints.
You must be on Windows 10, version 1607 at a minimum.
For more information, see [Windows 10 Enterprise edition](https://www.microsoft.com/en-us/WindowsForBusiness/buy).
### Licensing requirements
Windows Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:
- Windows 10 Enterprise E5
- Windows 10 Education E5
- Secure Productive Enterprise E5 (SPE E5) which includes Windows 10 Enterprise E5
For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us/Licensing/product-licensing/windows10.aspx#tab=2).
### Network and data storage and configuration requirements
When you run the onboarding wizard for the first time, you must choose where your Windows Defender Advanced Threat Protection-related information is stored: either in a European or United States datacenter.
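Review bot: the new "### Licensing requirements" block (three E5 offers plus the Windows 10 Licensing link) is inserted verbatim into three topics in this merge: here, in the onboarding topic, and in the proxy-configuration topic. Keep one copy in this minimum-requirements topic and link to it from the other two so the three lists cannot drift apart. In the list itself, "Secure Productive Enterprise E5 (SPE E5) which includes Windows 10 Enterprise E5" needs a comma before "which".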
@ -23,7 +23,16 @@ localizationpriority: high
You need to onboard to Windows Defender ATP before you can use the service.
For more information, see [Onboard your Windows 10 endpoints to Windows Defender ATP](https://www.youtube.com/watch?v=JT7VGYfeRlA&feature=youtu.be).
For more information, see [Onboard your Windows 10 endpoints to Windows Defender ATP](https://www.youtube.com/watch?v=JT7VGYfeRlA&feature=youtu.be).
## Licensing requirements
Windows Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:
- Windows 10 Enterprise E5
- Windows 10 Education E5
- Secure Productive Enterprise E5 (SPE E5) which includes Windows 10 Enterprise E5
For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us/Licensing/product-licensing/windows10.aspx#tab=2).
## In this section
Topic | Description
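Review bot: the removed and added "For more information, see [Onboard your Windows 10 endpoints to Windows Defender ATP](https://www.youtube.com/…)" lines are identical as rendered, so this is a whitespace-only change; if it is intentional, fine, but the link text gives no hint that the target is a video rather than a topic, so "see the video [Onboard your Windows 10 endpoints to Windows Defender ATP]" would serve readers better. The "## Licensing requirements" section added below it repeats the list just added to the minimum requirements topic in this same merge; a single link to that topic would avoid maintaining two copies.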
@ -260,6 +260,14 @@ If the verification fails and your environment is using a proxy to connect to th

## Licensing requirements
Windows Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:
- Windows 10 Enterprise E5
- Windows 10 Education E5
- Secure Productive Enterprise E5 (SPE E5) which includes Windows 10 Enterprise E5
For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us/Licensing/product-licensing/windows10.aspx#tab=2).
## Related topics
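Review bot: a "## Licensing requirements" section placed directly before "## Related topics", after the proxy verification troubleshooting text ("If the verification fails and your environment is using a proxy …"), is misplaced: licensing is an onboarding prerequisite, not a proxy-configuration concern, and the identical list already lands in the minimum requirements and onboarding topics in this merge. Replace the block here with a one-line pointer to the minimum requirements topic.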
@ -27,7 +27,7 @@ localizationpriority: high
Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service that enables enterprise customers to detect, investigate, and respond to advanced threats on their networks.
Get a quick, but in-depth overview of Windows Defender ATP for Windows 10 and the new capabilities in Windows 10, version 1703 see (Windows Defender ATP for Windows 10 Creators Update)[https://technet.microsoft.com/en-au/windows/mt782787].
Get a quick, but in-depth overview of Windows Defender ATP for Windows 10 and the new capabilities in Windows 10, version 1703 see [Windows Defender ATP for Windows 10 Creators Update](https://technet.microsoft.com/en-au/windows/mt782787).
Windows Defender ATP uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service:
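Review bot: the link-syntax fix is correct (the removed line had the brackets and parentheses swapped), but the sentence it sits in is still ungrammatical: "Get a quick, but in-depth overview of Windows Defender ATP for Windows 10 and the new capabilities in Windows 10, version 1703 see [...]". Suggest "For a quick but in-depth overview of Windows Defender ATP for Windows 10 and the new capabilities in Windows 10, version 1703, see [Windows Defender ATP for Windows 10 Creators Update](...)". The URL also carries an "en-au" locale segment; a locale-neutral URL is preferable in shared documentation.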
@ -510,21 +510,21 @@ Optionally, if you don’t want everyone in your organization to be able to shar
>For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/en-us/information-protection/deploy-use/configure-custom-templates) topic.
## Related topics
- [What is Azure Rights Management?]( https://docs.microsoft.com/en-us/information-protection/understand-explore/what-is-azure-rms)
- [Create and deploy Windows Information Protection (WIP) app protection policy with Intune](https://docs.microsoft.com/en-us/intune/deploy-use/create-windows-information-protection-policy-with-intune)
- [Intune MAM Without Enrollment](https://blogs.technet.microsoft.com/configmgrdogs/2016/02/04/intune-mam-without-enrollment/)
- [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md)
- [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md)
- [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md)
- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md)
- [What is Azure Rights Management?]( https://docs.microsoft.com/en-us/information-protection/understand-explore/what-is-azure-rms)
- [Create and deploy Windows Information Protection (WIP) app protection policy with Intune and MAM](https://docs.microsoft.com/en-us/intune/deploy-use/create-windows-information-protection-policy-with-intune)
- [Intune MAM Without Enrollment](https://blogs.technet.microsoft.com/configmgrdogs/2016/02/04/intune-mam-without-enrollment/)
- [Azure RMS Documentation Update for May 2016](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/azure-rms-documentation-update-for-may-2016/)
>[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
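Review bot: the rewritten "## Related topics" list drops four links that the removed block carried: "How to collect Windows Information Protection (WIP) audit event logs", "Deploy your Windows Information Protection (WIP) policy", "Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune", and "General guidance and best practices for Windows Information Protection (WIP)". Removing the audit-logs link is hard to square with other hunks in this merge that add that very link to the WIP topics; confirm the removals are intended and restore any that are not. The retained "[What is Azure Rights Management?]( https://…" entry still has a space after the opening parenthesis, which some Markdown renderers reject; remove it.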
@ -490,13 +490,21 @@ After you've finished configuring your policy, you can review all of your info o
## Deploy the WIP policy
After you’ve created your WIP policy, you'll need to deploy it to your organization's devices. For info about your deployment options, see these topics:
- [Operations and Maintenance for Compliance Settings in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=708224)
- [How to Create Configuration Baselines for Compliance Settings in Configuration Manager]( https://go.microsoft.com/fwlink/p/?LinkId=708225)
- [How to Deploy Configuration Baselines in Configuration Manager]( https://go.microsoft.com/fwlink/p/?LinkId=708226)
## Related topics
- [System Center Configuration Manager and Endpoint Protection (Version 1606)](https://go.microsoft.com/fwlink/p/?LinkId=717372)
- [TechNet documentation for Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=691623)
- [Manage mobile devices with Configuration Manager and Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=691624)
- [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md)
- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md)
>[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
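Review bot: two of the links under "## Deploy the WIP policy" ("How to Create Configuration Baselines for Compliance Settings in Configuration Manager" and "How to Deploy Configuration Baselines in Configuration Manager") have a space between "](" and the URL; strip it, since not every Markdown renderer tolerates whitespace inside the link destination. The two entries added to "## Related topics" (the audit event logs topic and the general guidance topic) match what the other WIP topics in this merge link to.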
@ -24,7 +24,7 @@ This list provides all of the tasks and settings that are required for the opera
|Task|Description|
|----|-----------|
|Add at least one app to the **Allowed apps** list in your WIP policy.|You must have at least one app added to your **Allowed apps** list. For more info about where this area is and how to add apps, see the **Add apps to your Allowed apps list** section of the policy creation topics.|
|Choose your WIP protection level.|You must choose the level of protection you want to apply to your WIP-protected content, including **Allow Overrides**, **Silent**, or **Hide Overrides**. For more info about where this area is and how to decide on your protection level, see the **Manage the WIP protection mode for your enterprise data** section of the policy creation topics.|
|Choose your WIP protection level.|You must choose the level of protection you want to apply to your WIP-protected content, including **Allow Overrides**, **Silent**, or **Hide Overrides**. For more info about where this area is and how to decide on your protection level, see the **Manage the WIP protection mode for your enterprise data** section of the policy creation topics. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).|
|Specify your corporate identity.|This field is automatically filled out for you by Microsoft Intune. However, you must manually correct it if it’s incorrect or if you need to add additional domains. For more info about where this area is and what it means, see the **Define your enterprise-managed corporate identity** section of the policy creation topics.
|Specify your network domain names.|Starting with Windows 10, version 1703, this field is optional.<br><br>Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. For more info about where this area is and how to add your suffixes, see the table that appears in the **Choose where apps can access enterprise data** section of the policy creation topics.|
|Specify your enterprise IPv4 or IPv6 ranges.|Starting with Windows 10, version 1703, this field is optional.<br><br>Specify the addresses for a valid IPv4 or IPv6 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries. For more info about where this area is and what it means, see the table that appears in the **Define your enterprise-managed corporate identity** section of the policy creation topics.|
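Review bot: the audit-log link appended to the "Choose your WIP protection level" row is relevant to that row (the Silent mode only logs), but the cell is now three sentences long and the link is easy to miss; a short note below the table would read better. Two nearby issues in the same table: the "Specify your corporate identity" row lacks the closing "|", and the IPv4/IPv6 row sends readers to the "Define your enterprise-managed corporate identity" section for the address table while the network domain names row sends them to "Choose where apps can access enterprise data" for what is described as the same table; one of those two section references is likely wrong.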
@ -132,6 +132,9 @@ You can set your WIP policy to use 1 of 4 protection and management modes:
|Silent |WIP runs silently, logging inappropriate data sharing, without stopping anything that would’ve been prompted for employee interaction while in Allow overrides mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.|
|Off |WIP is turned off and doesn't help to protect or audit your data.<p>After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.<p>**Note**<br>For more info about setting your WIP-protection modes, see either [Create a Windows Information Protection (WIP) policy using Intune](create-wip-policy-using-intune.md) or [Create and deploy a Windows Information Protection (WIP) policy using Configuration Manager](create-wip-policy-using-sccm.md), depending on your management solution. |
>[!NOTE]
>For info about how to collect your audit logs, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
## Turn off WIP
You can turn off all Windows Information Protection and restrictions, decrypting all devices managed by WIP and reverting to where you were pre-WIP, with no data loss. However, this isn’t recommended. If you choose to turn WIP off, you can always turn it back on, but your decryption and policy info won’t be automatically reapplied.
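Review bot: the new "[!NOTE]" callout about collecting audit logs lands directly below a table whose "Off" row already embeds a bold "**Note**" about setting protection modes, so the topic now has two differently styled notes back to back; move the embedded note into the callout (or use the callout style for both). In the hunk's context line, "use 1 of 4 protection and management modes" should spell out "one of four".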