Merge remote-tracking branch 'refs/remotes/origin/master' into rs2

jdeckerMS 2017-03-21 14:00:16 -07:00
commit b3d4d770d6
7 changed files with 32 additions and 13 deletions

Binary file not shown. Before: 38 KiB. After: 32 KiB.


@ -17,9 +17,13 @@ The following color-coded status changes are reflected on the upgrade overview b
- No delay in processing device inventory data = "Last updated" banner is displayed in green.
- Delay processing device inventory data = "Last updated" banner is displayed in amber.
- Computers with incomplete data:
- Less than 4% = Count is displayed in black.
- Less than 4% = Count is displayed in green.
- 4% - 10% = Count is displayed in amber.
- Greater than 10% = Count is displayed in red.
- Computers with outdated KB:
- Less than 10% = Count is displayed in green.
- 10% - 30% = Count is displayed in amber.
- Greater than 30% = Count is displayed in red.
- User changes:
- Pending user changes = User changes count displays "Data refresh pending" in amber.
- No pending user changes = User changes count displays "Up to date" in green.
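Review bot: the new "Computers with outdated KB" item gives colour thresholds but does not say which KBs are counted or what makes one outdated, so a reader cannot tell what an amber or red count asks them to do. Name the KBs or link the required-KB list at that bullet, and use the plural "KBs" to match the wording used further down the topic.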
@ -28,6 +32,8 @@ The following color-coded status changes are reflected on the upgrade overview b
- If the current value is an older OS version than the recommended value, but not deprecated, the version is displayed in amber.
- If the current value is a deprecated OS version, the version is displayed in red.
Click on a row to drill down and see details about individual computers. If KBs are missing, see [Deploy the compatibility update and related KBs](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#deploy-the-compatibility-update-and-related-kbs) for information on required KBs.
In the following example, there is no delay in data processing, less than 4% of computers (6k\294k) have incomplete data, there are no pending user changes, and the currently selected target OS version is the same as the recommended version:
![Upgrade overview](images/ur-overview.png)
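Review bot: the added "Click on a row to drill down" sentence says "If KBs are missing" while the status item it supports is labelled "Computers with outdated KB"; use one term so readers connect the two. The example sentence under it lists the banner, incomplete-data, user-change and target-version states but not the outdated-KB count, so it should be extended to cover the new counter, and the ratio would read better as "6k/294k" than with a backslash.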


@ -575,7 +575,7 @@
###### [Domain member: Maximum machine account password age](domain-member-maximum-machine-account-password-age.md)
###### [Domain member: Require strong (Windows 2000 or later) session key](domain-member-require-strong-windows-2000-or-later-session-key.md)
###### [Interactive logon: Display user information when the session is locked](interactive-logon-display-user-information-when-the-session-is-locked.md)
###### [Interactive logon: Don\'t display last signed-in](interactive-logon-do-not-display-last-user-name.md)
###### [Interactive logon: Don't display last signed-in](interactive-logon-do-not-display-last-user-name.md)
###### [Interactive logon: Do not require CTRL+ALT+DEL](interactive-logon-do-not-require-ctrl-alt-del.md)
###### [Interactive logon: Machine account lockout threshold](interactive-logon-machine-account-lockout-threshold.md)
###### [Interactive logon: Machine inactivity limit](interactive-logon-machine-inactivity-limit.md)
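Review bot: in the "Interactive logon: Don't display last signed-in" entry the link text does not match its target, interactive-logon-do-not-display-last-user-name.md, and it uses a contraction where the next entry uses "Do not require CTRL+ALT+DEL". If "Don't display last signed-in" is the policy's exact display name, keep it and note the mismatch with the file name in the PR; otherwise write "Do not" for consistency with the neighbouring entries.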


@ -18,8 +18,8 @@ localizationpriority: high
**Applies to**
- Windows 10
Enterprise certificate pinning is a Windows feature for remembering, or “pinning” a root, issuing certificate authority, or end entity certificate to a given domain name.
Enterprise certificate pinning enables you to protect your internal domain names from chaining to unwanted certificates or to fraudulently issued certificates to help reduce man-in-the-middle attacks.
Enterprise certificate pinning is a Windows feature for remembering, or “pinning,” a root issuing certificate authority or end entity certificate to a given domain name.
Enterprise certificate pinning helps reduce man-in-the-middle attacks by enabling you to protect your internal domain names from chaining to unwanted certificates or to fraudulently issued certificates.
>[!NOTE]
> External domain names, where the certificate issued to these domains is issued by a public certificate authority, are not ideal for enterprise certificate pinning. Web administrators should configure their web servers to use HTTP public key pinning (HPKP) and encourage users to use web browsers that support HPKP.
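Review bot: dropping the commas in the first rewritten sentence changes its meaning. The earlier wording listed three things that can be pinned (a root, an issuing certificate authority, or an end entity certificate); "a root issuing certificate authority or end entity certificate" now reads as two, with "root issuing" as a single kind of CA. Restore the list, for example "a root, an issuing certificate authority, or an end entity certificate", and keep the reordered second sentence as is.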
@ -73,6 +73,7 @@ The PinRules element can have the following attributes.
For help with formatting Pin Rules, see [Representing a Date in XML](#representing-a-date-in-xml) or [Representing a Duration in XML](#representing-a-duration-in-xml).
- **Duration** or **NextUpdate**
Specifies when the Pin Rules will expire.
Either is required.
**NextUpdate** takes precedence if both are specified.
@ -83,6 +84,7 @@ For help with formatting Pin Rules, see [Representing a Date in XML](#representi
**Required?** Yes. At least one is required.
- **LogDuration** or **LogEndDate**
Configures auditing only to extend beyond the expiration of enforcing the Pin Rules.
**LogEndDate**, represented as an XML DateTime data type in UTC, takes precedence if both are specified.
@ -94,6 +96,7 @@ For help with formatting Pin Rules, see [Representing a Date in XML](#representi
**Required?** No.
- **ListIdentifier**
Provides a friendly name for the list of pin rules.
Windows does not use this attribute for certificate pinning enforcement, however it is included when the pin rules are converted to a certificate trust list (CTL).
@ -104,6 +107,7 @@ For help with formatting Pin Rules, see [Representing a Date in XML](#representi
The **PinRule** element can have the following attributes:
- **Name**
Uniquely identifies the **PinRule**.
Windows uses this attribute to identify the element for a parsing error or for verbose output.
The attribute is not included in the generated certificate trust list (CTL).
@ -111,6 +115,7 @@ The **PinRule** element can have the following attributes:
**Required?** Yes.
- **Error**
Describes the action Windows performs when it encounters a PIN mismatch.
You can choose from the following string values:
- **Revoked** - Windows reports the certificate protecting the site as if it was revoked. This typically prevents the user from accessing the site.
@ -119,7 +124,8 @@ The **PinRule** element can have the following attributes:
**Required?** No.
- **Log**
- **Log**
A Boolean value represent as string that equals **true** or **false**.
By default, logging is enabled (**true**).
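Review bot: the line under the re-added "- **Log**" bullet still reads "A Boolean value represent as string"; since this hunk already touches the bullet, fix it to "A Boolean value represented as a string". If the only change to the bullet line is trailing whitespace for a line break, say so in the commit message, because the rendered diff shows two identical lines.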
@ -130,6 +136,7 @@ The **PinRule** element can have the following attributes:
The **Certificate** element can have the following attributes:
- **File**
Path to a file containing one or more certificates.
Where the certificate(s) can be encoded as:
- single certificate
@ -142,12 +149,14 @@ The **Certificate** element can have the following attributes:
**Required?** Yes (File, Directory or Base64 must be present).
- **Directory**
Path to a directory containing one or more of the above certificate files.
Skips any files not containing any certificates.
**Required?** Yes (File, Directory or Base64 must be present).
- **Base64**
Base64 encoded certificate(s).
Where the certificate(s) can be encoded as:
- single certificate
@ -161,7 +170,8 @@ The **Certificate** element can have the following attributes:
**Required?** Yes (File, Directory or Base64 must be present).
- **EndDate**
- **EndDate**
Enables you to configure an expiration date for when the certificate is no longer valid in the pin rule.
If you are in the process of switching to a new root or CA, you can set the **EndDate** to allow matching of this elements certificates.
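Review bot: the sentence under the re-added "- **EndDate**" bullet ends "to allow matching of this elements certificates", which is missing the possessive; change it to "this element's certificates" while the bullet is being edited. As with the Log bullet, the removed and added lines look identical here, so a whitespace-only change should be called out.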
@ -177,6 +187,7 @@ The **Certificate** element can have the following attributes:
The **Site** element can have the following attributes:
- **Domain**
Contains the DNS name to be matched for this pin rule.
When creating the certificate trust list, the parser normalizes the input name string value as follows:
- If the DNS name has a leading "*" it is removed.
@ -189,6 +200,7 @@ The **Site** element can have the following attributes:
**Required?** Yes.
- **AllSubdomains**
By default, wildcard left hand label matching is restricted to a single left hand label.
This attribute can be set to "true" to enable wildcard matching of all of the left hand labels.
@ -196,7 +208,7 @@ The **Site** element can have the following attributes:
**Required?** No.
### Create a Pin Rules Certificate Trust List
### Create a Pin Rules Certificate Trust List
The command line utility, **Certutil.exe**, includes the **generatePinRulesCTL** argument to parse the XML file and generate the encoded certificate trust list (CTL) that you add to your reference Windows 10 version 1703 computer and subsequently deploy.
The usage syntax is:

Binary file not shown. After: 32 KiB.


@ -21,7 +21,7 @@ This security setting controls whether details such as email address or domain\u
For clients that run Windows 10 version 1511 and 1507 (RTM), this setting works similarly to previous versions of Windows.
However, because of a new **Privacy** setting introduced in Windows 10 version 1607, this security setting affects those clients differently.
### Changes in Windows 10 version 1607
### Changes beginning with Windows 10 version 1607
Beginning with Windows 10 version 1607, new functionality was added to Windows 10 to hide username details such as email address by default, with the ability to change the default to show the details.
This functionality is controlled by a new **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**.
@ -65,7 +65,8 @@ Clients that run Windows 10 version 1607 will not show details on the sign-in sc
If the **Privacy** setting is turned on, details will show.
The **Privacy** setting cannot be changed for clients in bulk.
Instead, apply [KB 4013429](http://www.catalog.update.microsoft.com/Search.aspx?q=KB4013429) to clients that run Windows 10 version 1607 so they behave similarly to previous versions of Windows.
Instead, apply [KB 4013429](http://www.catalog.update.microsoft.com/Search.aspx?q=KB4013429) to clients that run Windows 10 version 1607 so they behave similarly to previous versions of Windows.
Clients that run later versions of Windows 10 do not require a hotfix.
There are related Group Policy settings:
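Review bot: the re-added KB 4013429 line still links to the Update Catalog over plain http:// (http://www.catalog.update.microsoft.com/Search.aspx?q=KB4013429); a link that sends administrators to download an update should use https://. The new sentence also calls the update a "hotfix" where the line above calls it a KB, and "later versions" would be clearer as "versions later than 1607".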


@ -254,6 +254,7 @@ Store for Business is currently available in these markets.
<li>Luxembourg</li>
<li>Malaysia</li>
<li>Malta</li>
<li>Mauritius</li>
<li>Mexico</li>
<li>Mongolia</li>
<li>Montenegro</li>
@ -275,12 +276,12 @@ Store for Business is currently available in these markets.
<li>Portugal</li>
<li>Puerto Rico</li>
<li>Qatar</li>
<li>Romania</li>
<li>Rwanda</li>
<li>Romania</li>
</ul>
</td>
<td>
<ul>
<li>Rwanda</li>
<li>Saint Kitts and Nevis</li>
<li>Saudi Arabia</li>
<li>Senegal</li>
@ -305,8 +306,7 @@ Store for Business is currently available in these markets.
<li>Viet Nam</li>
<li>Virgin Islands, U.S.</li>
<li>Zambia</li>
<li>Zimbabwe<br>&nbsp;<br>&nbsp;<br>&nbsp;<br>&nbsp;</li>
<li>Zimbabwe<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</li>
</ul>
</td>
</tr>
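Review bot: the Zimbabwe item still pads the last column with filler, now as `<br>` followed by a run of `&nbsp;`, to keep the table columns the same height. That padding has to be re-tuned by hand every time a market is added (this commit also had to move Rwanda between columns after adding Mauritius); dropping the filler and letting the columns end unevenly, or using a single list, would avoid the churn.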