From b8ec04cd1a8aeca88cf9101df48aecc7e6ab708f Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Fri, 27 Jul 2018 10:34:09 -0700 Subject: [PATCH 1/4] removed migration steps --- .../bitlocker-management-for-enterprises.md | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md index ce3943134e..eaea53000a 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md +++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: brianlic-msft -ms.date: 07/18/2018 +ms.date: 07/27/2018 --- # BitLocker Management for Enterprises @@ -21,15 +21,7 @@ Though much Windows BitLocker [documentation](bitlocker-overview.md) has been pu Companies that image their own computers using Microsoft System Center 2012 Configuration Manager SP1 (SCCM) or later can use an existing task sequence to [pre-provision BitLocker](https://technet.microsoft.com/library/hh846237.aspx#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](https://technet.microsoft.com/library/hh846237.aspx#BKMK_EnableBitLocker). This can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use SCCM to pre-set any desired [BitLocker Group Policy](https://technet.microsoft.com/library/ee706521(v=ws.10).aspx). -Enterprises can use [Microsoft BitLocker Administration and Management (MBAM)](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/) to manage client computers with BitLocker that are domain-joined on-premises until [mainstream support ends in July 2019](https://support.microsoft.com/en-us/lifecycle/search?alpha=Microsoft%20BitLocker%20Administration%20and%20Monitoring%202.5%20Service%20Pack%201) or they can receive extended support until July 2024. Thus, over the next few years, a good strategy for enterprises will be to plan and move to cloud-based management for BitLocker. When moving to cloud-based management, following these steps could be helpful: - -1. Disable MBAM management and leave MBAM as only a database backup for the recovery key. -2. Join the computers to Azure Active Directory (Azure AD). -3. Use `Manage-bde -protectors -aadbackup` to backup the recovery key to Azure AD. - -BitLocker recovery keys can be managed from Azure AD thereafter. The MBAM database does not need to be migrated. - -Enterprises that choose to continue managing BitLocker on-premises after MBAM support ends can use the [BitLocker WMI provider class](https://msdn.microsoft.com/library/windows/desktop/aa376483) to create a custom management solution. +Enterprises can use [Microsoft BitLocker Administration and Management (MBAM)](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/) to manage client computers with BitLocker that are domain-joined on-premises until [mainstream support ends in July 2019](https://support.microsoft.com/en-us/lifecycle/search?alpha=Microsoft%20BitLocker%20Administration%20and%20Monitoring%202.5%20Service%20Pack%201) or they can receive extended support until July 2024. Thus, over the next few years, a good strategy for enterprises will be to plan and move to cloud-based management for BitLocker. ## Managing devices joined to Azure Active Directory From da7fbba7f144ae6781376ef4337aa242649af2c1 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Fri, 27 Jul 2018 10:43:46 -0700 Subject: [PATCH 2/4] added link to PS examples --- .../bitlocker/bitlocker-management-for-enterprises.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md index eaea53000a..691e7ec1de 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md +++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md @@ -21,11 +21,11 @@ Though much Windows BitLocker [documentation](bitlocker-overview.md) has been pu Companies that image their own computers using Microsoft System Center 2012 Configuration Manager SP1 (SCCM) or later can use an existing task sequence to [pre-provision BitLocker](https://technet.microsoft.com/library/hh846237.aspx#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](https://technet.microsoft.com/library/hh846237.aspx#BKMK_EnableBitLocker). This can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use SCCM to pre-set any desired [BitLocker Group Policy](https://technet.microsoft.com/library/ee706521(v=ws.10).aspx). -Enterprises can use [Microsoft BitLocker Administration and Management (MBAM)](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/) to manage client computers with BitLocker that are domain-joined on-premises until [mainstream support ends in July 2019](https://support.microsoft.com/en-us/lifecycle/search?alpha=Microsoft%20BitLocker%20Administration%20and%20Monitoring%202.5%20Service%20Pack%201) or they can receive extended support until July 2024. Thus, over the next few years, a good strategy for enterprises will be to plan and move to cloud-based management for BitLocker. +Enterprises can use [Microsoft BitLocker Administration and Management (MBAM)](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/) to manage client computers with BitLocker that are domain-joined on-premises until [mainstream support ends in July 2019](https://support.microsoft.com/en-us/lifecycle/search?alpha=Microsoft%20BitLocker%20Administration%20and%20Monitoring%202.5%20Service%20Pack%201) or they can receive extended support until July 2024. Thus, over the next few years, a good strategy for enterprises will be to plan and move to cloud-based management for BitLocker. Refer to the [PowerShell examples](#powershell-examples) to see how to store recovery keys in Azure Active Directory (Azure AD). ## Managing devices joined to Azure Active Directory -Devices joined to Azure Active Directory (Azure AD) are managed using Mobile Device Management (MDM) policy from an MDM solution such as [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune). BitLocker Device Encryption status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access) to services like Exchange Online and SharePoint Online. +Devices joined to Azure AD are managed using Mobile Device Management (MDM) policy from an MDM solution such as [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune). BitLocker Device Encryption status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access) to services like Exchange Online and SharePoint Online. Starting with Windows 10 version 1703 (also known as the Windows Creators Update), the enablement of BitLocker can be triggered over MDM either by the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) or the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp). The BitLocker CSP adds policy options that go beyond ensuring that encryption has occurred, and is available on computers that run Windows 10 Business or Enterprise editions and on Windows Phones. From 0c5e05b531fa67c9dfeeb75d589dc97918523132 Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Fri, 27 Jul 2018 21:19:27 +0000 Subject: [PATCH 3/4] Merged PR 10154: Added descriptions to Antispyware nodes in DeviceStatus CSP --- windows/client-management/mdm/devicestatus-csp.md | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/windows/client-management/mdm/devicestatus-csp.md b/windows/client-management/mdm/devicestatus-csp.md index 89a798ab13..a20317c21f 100644 --- a/windows/client-management/mdm/devicestatus-csp.md +++ b/windows/client-management/mdm/devicestatus-csp.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 03/12/2018 +ms.date: 07/26/2018 --- # DeviceStatus CSP @@ -178,11 +178,24 @@ Supported operation is Get. **DeviceStatus/Antispyware/SignatureStatus** Added in Windows, version 1607. Integer that specifies the status of the antispyware signature. +Valid values: + +- 0 - The security software reports that it is not the most recent version. +- 1 - The security software reports that it is the most recent version. +- 2 - Not applicable. This is returned for devices like the phone that do not have an antivirus (where the API doesn’t exist.) + Supported operation is Get. **DeviceStatus/Antispyware/Status** Added in Windows, version 1607. Integer that specifies the status of the antispyware. +Valid values: + +- 0 - The status of the security provider category is good and does not need user attention. +- 1 - The status of the security provider category is not monitored by Windows Security Center (WSC). +- 2 - The status of the security provider category is poor and the computer may be at risk. +- 3 - The security provider category is in snooze state. Snooze indicates that WSC is not actively protecting the computer. + Supported operation is Get. **DeviceStatus/Firewall** From beb20690c2e3339893afda55f290801abb921c3e Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Fri, 27 Jul 2018 21:33:18 +0000 Subject: [PATCH 4/4] Merged PR 10166: Experience - added new policies in Policy CSP --- .../policy-configuration-service-provider.md | 8 + .../mdm/policy-csp-experience.md | 158 ++++++++++++++++++ 2 files changed, 166 insertions(+) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 6ff4d2dc96..e95aba3fb5 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -1246,6 +1246,12 @@ The following diagram shows the Policy configuration service provider in tree fo
Experience/DoNotShowFeedbackNotifications
+
+ Experience/DoNotSyncBrowserSetting +
+
+ Experience/PreventUsersFromTurningOnBrowserSyncing +
### ExploitGuard policies @@ -4319,6 +4325,8 @@ The following diagram shows the Policy configuration service provider in tree fo - [Experience/AllowWindowsTips](./policy-csp-experience.md#experience-allowwindowstips) - [Experience/ConfigureWindowsSpotlightOnLockScreen](./policy-csp-experience.md#experience-configurewindowsspotlightonlockscreen) - [Experience/DoNotShowFeedbackNotifications](./policy-csp-experience.md#experience-donotshowfeedbacknotifications) +- [Experience/DoNotSyncBrowserSetting](./policy-csp-experience.md#experience-donotsyncbrowsersetting) +- [Experience/PreventUsersFromTurningOnBrowserSyncing](./policy-csp-experience.md#experience-preventusersfromturningonbrowsersyncing) - [ExploitGuard/ExploitProtectionSettings](./policy-csp-exploitguard.md#exploitguard-exploitprotectionsettings) - [FileExplorer/TurnOffDataExecutionPreventionForExplorer](./policy-csp-fileexplorer.md#fileexplorer-turnoffdataexecutionpreventionforexplorer) - [FileExplorer/TurnOffHeapTerminationOnCorruption](./policy-csp-fileexplorer.md#fileexplorer-turnoffheapterminationoncorruption) diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md index f2dec99193..a0a6355c06 100644 --- a/windows/client-management/mdm/policy-csp-experience.md +++ b/windows/client-management/mdm/policy-csp-experience.md @@ -90,6 +90,12 @@ ms.date: 07/13/2018
Experience/DoNotShowFeedbackNotifications
+
+ Experience/DoNotSyncBrowserSetting +
+
+ Experience/PreventUsersFromTurningOnBrowserSyncing +
@@ -1390,6 +1396,158 @@ The following list shows the supported values: +<<<<<<< HEAD +
+ + +**Experience/DoNotSyncBrowserSetting** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcheck mark5check mark5
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +By default, the "browser" group syncs automatically between user’s devices and allowing users to choose to make changes. The "browser" group uses the **Sync your Settings** option in Settings to sync information like history and favorites. Enabling this policy prevents the "browser" group from using the **Sync your Settings** option. If you want syncing turned off by default but not disabled, select the Allow users to turn "browser" syncing option. + +Related policy: PreventUsersFromTurningOnBrowserSyncing. + +Value type is integer. Supported values: + +- 0 (default) - Allowed/turned on. The "browser" group syncs automatically between user’s devices and lets users to make changes. +- 2 - Prevented/turned off. The "browser" group does not use the **Sync your Settings** option. + + + +ADMX Info: +- GP English name: *Do not sync browser settings* +- GP name: *DisableWebBrowserSettingSync* +- GP path: *Windows Components/Sync your settings* +- GP ADMX file name: *SettingSync.admx* + + + + + + + + + + + + + +
+ + +**Experience/PreventUsersFromTurningOnBrowserSyncing** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcheck mark5check mark5
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +By default, the "browser" group syncs automatically between the user’s devices, letting users make changes. With this policy, though, you can prevent the "browser" group from syncing and prevent users from turning on the Sync your Settings toggle in Settings. If you want syncing turned off by default but not disabled, select the Allow users to turn "browser" syncing option in the Do not sync browser policy. For this policy to work correctly, you must enable the Do not sync browser policy. + +Related policy: DoNotSyncBrowserSetting + +Value type is integer. Supported values: + +- 0 - Allowed/turned on. Users can sync the browser settings. +- 1 (default) - Prevented/turned off. + +This policy only works with the Experience/DoNotSyncBrowserSetting policy, and for this policy to work correctly, you must set Experience/DoNotSynBrowserSettings to 2 (enabled). By default, when you set this policy and the Experience/DoNotSyncBrowserSetting policy to 0 (disabled or not configured), the browser settings sync automatically. However, with this policy, you can prevent the syncing of browser settings and prevent users from turning on the Sync your Settings option. Additionally, you can prevent syncing the browser settings but give users a choice to turn on syncing. + +If you want to prevent syncing of browser settings and prevent users from turning it on: +1. Set Experience/DoNotSyncBrowserSetting to 2 (enabled). +1. Set this policy (Experience/PreventUsersFromTurningOnBrowserSyncing) to 1 (enabled or not configured). + +If you want to prevent syncing of browser settings but give users a choice to turn on syncing: +1. Set Experience/DoNotSyncBrowserSetting to 2 (enabled). +1. Set this policy (Experience/PreventUsersFromTurningOnBrowserSyncing) to 0 (disabled). + + + +ADMX Info: +- GP English name: *Do not sync browser settings* +- GP name: *DisableWebBrowserSettingSync* +- GP element: *CheckBox_UserOverride* +- GP path: *Windows Components/Sync your settings* +- GP ADMX file name: *SettingSync.admx* + + + + + + + + + +**Validation procedure:** + +Microsoft Edge on your PC: +1. Select More > Settings. +1. See if the setting is enabled or disabled based on your setting. + + + +======= +>>>>>>> 785954ffa54220bce4c3bdaef580253b43197a5a
Footnote: