From 5b5e36f7030f2a9524477b5060e180ea728f215d Mon Sep 17 00:00:00 2001 From: JanKeller1 Date: Thu, 22 Dec 2016 18:34:03 -0800 Subject: [PATCH 01/10] Fixed broken link at end of BitLocker overview --- windows/keep-secure/bitlocker-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/bitlocker-overview.md b/windows/keep-secure/bitlocker-overview.md index 2921e55f01..89aea0f522 100644 --- a/windows/keep-secure/bitlocker-overview.md +++ b/windows/keep-secure/bitlocker-overview.md @@ -79,4 +79,4 @@ When installing the BitLocker optional component on a server you will also need | [Protect BitLocker from pre-boot attacks](protect-bitlocker-from-pre-boot-attacks.md)| This detailed guide will help you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a device’s configuration. | | [Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)| This topic for IT pros describes how to protect CSVs and SANs with BitLocker.| -If you're looking for info on how to use it with Windows 10 IoT Core, see [Enabling Secure Boot and BitLocker Device Encryption on Windows 10 IoT Core](https://developer.microsoft.com/windows/iot/win10/SB_BL.htm). \ No newline at end of file +If you're looking for info on how to use it with Windows 10 IoT Core, see [Enabling Secure Boot and BitLocker Device Encryption on Windows 10 IoT Core](https://developer.microsoft.com/windows/iot/docs/securebootandbitlocker). \ No newline at end of file From ef3720e484246266d0e70524f4a798b6e7a65eda Mon Sep 17 00:00:00 2001 From: Martin Stangl Date: Fri, 23 Dec 2016 08:55:17 +0100 Subject: [PATCH 02/10] Hint at difference in computer and user settings. The user configuration contains only a subset of Windows Hello settings. Might be worth pointing out. Would have helped me save some time and therefore might be helpful to others as well. --- .../implement-microsoft-passport-in-your-organization.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md index a4444b25e1..31ea44aebd 100644 --- a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md +++ b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md @@ -28,7 +28,7 @@ You can create a Group Policy or mobile device management (MDM) policy that will   ## Group Policy settings for Windows Hello for Business -The following table lists the Group Policy settings that you can configure for Hello use in your workplace. These policy settings are available in both **User configuration** and **Computer Configuration** under **Policies** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**. +The following table lists the Group Policy settings that you can configure for Hello use in your workplace. These policy settings are available in both **User configuration** and **Computer Configuration** under **Policies** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**. Be aware that not all settings are in both places. From 56a6e4bc5eb72fad3764ad585dd475fcd309eab4 Mon Sep 17 00:00:00 2001 From: JanKeller1 Date: Thu, 29 Dec 2016 11:28:24 -0800 Subject: [PATCH 03/10] For removing, made it clearer you can use readiness tool --- windows/keep-secure/credential-guard.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index ea7309fee3..a92cf8f9f5 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -195,10 +195,9 @@ Requirements for running Credential Guard in Hyper-V virtual machines - The Hyper-V host must have an IOMMU, and run at least Windows Server 2016 or Windows 10 version 1607. - The Hyper-V virtual machine must be Generation 2, have an enabled virtual TPM, and running at least Windows Server 2016 or Windows 10. - ### Remove Credential Guard -If you have to remove Credential Guard on a PC, you need to do the following: +If you have to remove Credential Guard on a PC, you can use the following set of procedures, or you can [use the Device Guard and Credential Guard hardware readiness tool](#turn-off-with-hardware-readiness-tool). 1. If you used Group Policy, disable the Group Policy setting that you used to enable Credential Guard (**Computer Configuration** -> **Administrative Templates** -> **System** -> **Device Guard** -> **Turn on Virtualization Based Security**). 2. Delete the following registry settings: @@ -242,7 +241,8 @@ If you have to remove Credential Guard on a PC, you need to do the following: For more info on virtualization-based security and Device Guard, see [Device Guard deployment guide](device-guard-deployment-guide.md). -**Turn off Credential Guard by using the Device Guard and Credential Guard hardware readiness tool** + +#### Turn off Credential Guard by using the Device Guard and Credential Guard hardware readiness tool You can also disable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). From 71651c0bc42920dfbad7f20e0ff93f45ad248cdc Mon Sep 17 00:00:00 2001 From: JanKeller1 Date: Fri, 30 Dec 2016 15:16:31 -0800 Subject: [PATCH 04/10] Based on customer fdbk, added links. Also fixed 2 typos. --- windows/keep-secure/create-applocker-default-rules.md | 4 ++++ .../requirements-for-deploying-applocker-policies.md | 2 +- windows/keep-secure/select-types-of-rules-to-create.md | 2 +- windows/keep-secure/tools-to-use-with-applocker.md | 2 +- windows/keep-secure/understanding-applocker-default-rules.md | 3 +-- .../keep-secure/understanding-applocker-rule-collections.md | 2 ++ ...er-and-software-restriction-policies-in-the-same-domain.md | 2 +- windows/keep-secure/working-with-applocker-rules.md | 2 +- 8 files changed, 12 insertions(+), 7 deletions(-) diff --git a/windows/keep-secure/create-applocker-default-rules.md b/windows/keep-secure/create-applocker-default-rules.md index 930d2bc4d7..6f5b802707 100644 --- a/windows/keep-secure/create-applocker-default-rules.md +++ b/windows/keep-secure/create-applocker-default-rules.md @@ -27,3 +27,7 @@ You can perform this task by using the Group Policy Management Console for an Ap 1. Open the AppLocker console. 2. Right-click the appropriate rule type for which you want to automatically generate default rules. You can automatically generate rules for executable, Windows Installer, script rules and Packaged app rules. 3. Click **Create Default Rules**. + +## Related topics + +- [Understanding AppLocker default rules](understanding-applocker-default-rules.md) diff --git a/windows/keep-secure/requirements-for-deploying-applocker-policies.md b/windows/keep-secure/requirements-for-deploying-applocker-policies.md index e3b6c29aa7..874036e3b6 100644 --- a/windows/keep-secure/requirements-for-deploying-applocker-policies.md +++ b/windows/keep-secure/requirements-for-deploying-applocker-policies.md @@ -24,7 +24,7 @@ The following requirements must be met or addressed before you deploy your AppLo ### Deployment plan -An AppLocker policy deployment plan is the result of investigating which applications are required and necessary in your organization, which apps are optional, and which apps are forbidden. To develop this plan, see [AppLocker Design Guide](applocker-policies-design-guide.md). The following table is an example of the data you need to collect and the decisions you need to make to successfully deploy AppLocker policies on the supported operating systems (as listed in [Requirements to use AppLocker](requirements-to-use-applocker.md). +An AppLocker policy deployment plan is the result of investigating which applications are required and necessary in your organization, which apps are optional, and which apps are forbidden. To develop this plan, see [AppLocker Design Guide](applocker-policies-design-guide.md). The following table is an example of the data you need to collect and the decisions you need to make to successfully deploy AppLocker policies on the supported operating systems (as listed in [Requirements to use AppLocker](requirements-to-use-applocker.md)).
diff --git a/windows/keep-secure/select-types-of-rules-to-create.md b/windows/keep-secure/select-types-of-rules-to-create.md index 00ae11caf5..35f8ffd6b2 100644 --- a/windows/keep-secure/select-types-of-rules-to-create.md +++ b/windows/keep-secure/select-types-of-rules-to-create.md @@ -55,7 +55,7 @@ In the Woodgrove Bank example, the line-of-business app for the Bank Tellers bus ### Determine how to allow system files to run -Because AppLocker rules build a list of allowed apps, a rule or rules must be created to allow all Windows files to run. AppLocker provides a means to ensure system files are properly considered in your rule collection by generating the default rules for each rule collection. You can use the default rules as a template when creating your own rules. However, these rules are only meant to function as a starter policy when you are first testing AppLocker rules so that the system files in the Windows folders will be allowed to run. When a default rule is created, it is denoted with "(Default rule)" in its name as it appears in the rule collection. +Because AppLocker rules build a list of allowed apps, a rule or rules must be created to allow all Windows files to run. AppLocker provides a means to ensure system files are properly considered in your rule collection by generating the default rules for each rule collection. You can use the default rules (listed in [AppLocker default rules](working-with-applocker-rules.md#applocker-default-rules)) as a template when creating your own rules. However, these rules are only meant to function as a starter policy when you are first testing AppLocker rules so that the system files in the Windows folders will be allowed to run. When a default rule is created, it is denoted with "(Default rule)" in its name as it appears in the rule collection. You can also create a rule for the system files based on the path condition. In the preceding example, for the Bank Tellers group, all Windows files reside under C:\\Windows and can be defined with the path rule condition type. This will permit access to these files whenever updates are applied and the files change. If you require additional application security, you might need to modify the rules created from the built-in default rule collection. For example, the default rule to allow all users to run .exe files in the Windows folder is based on a path condition that allows all files within the Windows folder to run. The Windows folder contains a Temp subfolder to which the Users group is given the following permissions: diff --git a/windows/keep-secure/tools-to-use-with-applocker.md b/windows/keep-secure/tools-to-use-with-applocker.md index 5d2d69ff81..a5346774ab 100644 --- a/windows/keep-secure/tools-to-use-with-applocker.md +++ b/windows/keep-secure/tools-to-use-with-applocker.md @@ -24,7 +24,7 @@ The following tools can help you administer the application control policies cre - **Generate Default Rules tool** - AppLocker includes default rules for each rule collection accessed through the Local Security Policy snap-in. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. For info about how to use this tool, see [Create AppLocker default rules](create-applocker-default-rules.md). + AppLocker includes default rules for each rule collection accessed through the Local Security Policy snap-in. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. For info about how to use this tool, see [Create AppLocker default rules](create-applocker-default-rules.md). For a list of the default rules, see [AppLocker default rules](working-with-applocker-rules.md#applocker-default-rules). - **Automatically Generate AppLocker Rules wizard** diff --git a/windows/keep-secure/understanding-applocker-default-rules.md b/windows/keep-secure/understanding-applocker-default-rules.md index b0aa99f22e..f0b744d7ad 100644 --- a/windows/keep-secure/understanding-applocker-default-rules.md +++ b/windows/keep-secure/understanding-applocker-default-rules.md @@ -42,5 +42,4 @@ These permissions settings are applied to this folder for app compatibility. How ## Related topics - [How AppLocker works](how-applocker-works-techref.md) -  -  +- [Create AppLocker default rules](create-applocker-default-rules.md) \ No newline at end of file diff --git a/windows/keep-secure/understanding-applocker-rule-collections.md b/windows/keep-secure/understanding-applocker-rule-collections.md index b8adef234c..bfe5fd07ce 100644 --- a/windows/keep-secure/understanding-applocker-rule-collections.md +++ b/windows/keep-secure/understanding-applocker-rule-collections.md @@ -33,3 +33,5 @@ For info about how to enable the DLL rule collection, see [Enable the DLL rule c ## Related topics - [How AppLocker works](how-applocker-works-techref.md) +- [Understanding AppLocker default rules](understanding-applocker-default-rules.md) + diff --git a/windows/keep-secure/use-applocker-and-software-restriction-policies-in-the-same-domain.md b/windows/keep-secure/use-applocker-and-software-restriction-policies-in-the-same-domain.md index 17fe40b6a1..0fa2a8f258 100644 --- a/windows/keep-secure/use-applocker-and-software-restriction-policies-in-the-same-domain.md +++ b/windows/keep-secure/use-applocker-and-software-restriction-policies-in-the-same-domain.md @@ -61,7 +61,7 @@ The following table compares the features and functions of Software Restriction +

SRP can also be configured in the “allow list mode” so that by default all files are blocked and administrators need to create allow rules for files that they want to allow.

diff --git a/windows/keep-secure/working-with-applocker-rules.md b/windows/keep-secure/working-with-applocker-rules.md index 9c528133ef..52ab34863e 100644 --- a/windows/keep-secure/working-with-applocker-rules.md +++ b/windows/keep-secure/working-with-applocker-rules.md @@ -123,7 +123,7 @@ When you choose the file hash rule condition, the system computes a cryptographi ## AppLocker default rules -AppLocker allows you to generate default rules for each rule collection. +AppLocker includes default rules, which are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. For background, see [Understanding AppLocker default rules](understanding-applocker-default-rules), and for steps, see [Create AppLocker default rules](create-applocker-default-rules.md). Executable default rule types include: From c8e482fc202571e2fc1d450d0b476915b7e5fd9e Mon Sep 17 00:00:00 2001 From: JanKeller1 Date: Fri, 30 Dec 2016 15:29:52 -0800 Subject: [PATCH 05/10] Fixed an incorrectly coded link --- windows/keep-secure/working-with-applocker-rules.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/working-with-applocker-rules.md b/windows/keep-secure/working-with-applocker-rules.md index 52ab34863e..26270475b6 100644 --- a/windows/keep-secure/working-with-applocker-rules.md +++ b/windows/keep-secure/working-with-applocker-rules.md @@ -123,7 +123,7 @@ When you choose the file hash rule condition, the system computes a cryptographi ## AppLocker default rules -AppLocker includes default rules, which are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. For background, see [Understanding AppLocker default rules](understanding-applocker-default-rules), and for steps, see [Create AppLocker default rules](create-applocker-default-rules.md). +AppLocker includes default rules, which are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. For background, see [Understanding AppLocker default rules](understanding-applocker-default-rules.md), and for steps, see [Create AppLocker default rules](create-applocker-default-rules.md). Executable default rule types include: From d11b9b658ab79a369348d46de98fa3ab56508299 Mon Sep 17 00:00:00 2001 From: JanKeller1 Date: Fri, 30 Dec 2016 16:16:35 -0800 Subject: [PATCH 06/10] Based on customer fdbk, added text re opening BitLocker applet --- windows/keep-secure/bitlocker-basic-deployment.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/bitlocker-basic-deployment.md b/windows/keep-secure/bitlocker-basic-deployment.md index b83692c713..fbc016705b 100644 --- a/windows/keep-secure/bitlocker-basic-deployment.md +++ b/windows/keep-secure/bitlocker-basic-deployment.md @@ -40,7 +40,7 @@ BitLocker encryption can be done using the following methods: ### Encrypting volumes using the BitLocker control panel -Encrypting volumes with the BitLocker control panel is how many users will utilize BitLocker. The name of the BitLocker control panel is BitLocker Drive Encryption. The BitLocker control panel supports encrypting operating system, fixed data and removable data volumes. The BitLocker control panel will organize available drives in the appropriate category based on how the device reports itself to Windows. Only formatted volumes with assigned drive letters will appear properly in the BitLocker control panel applet. +Encrypting volumes with the BitLocker control panel (click **Start**, type **bitlocker**, click **Manage BitLocker**) is how many users will utilize BitLocker. The name of the BitLocker control panel is BitLocker Drive Encryption. The BitLocker control panel supports encrypting operating system, fixed data and removable data volumes. The BitLocker control panel will organize available drives in the appropriate category based on how the device reports itself to Windows. Only formatted volumes with assigned drive letters will appear properly in the BitLocker control panel applet. To start encryption for a volume, select **Turn on BitLocker** for the appropriate drive to initialize the BitLocker Drive Encryption Wizard. BitLocker Drive Encryption Wizard options vary based on volume type (operating system volume or data volume). ### Operating system volume From eb3e6f5e3c7b0bbe5ce546144e94bc51c1e17439 Mon Sep 17 00:00:00 2001 From: KeenRivals Date: Tue, 3 Jan 2017 09:21:30 -0500 Subject: [PATCH 07/10] Add line break in related topics Separate links on lines in Related Topics to make them consistent. --- windows/manage/configure-windows-10-taskbar.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/manage/configure-windows-10-taskbar.md b/windows/manage/configure-windows-10-taskbar.md index 8f9c046ff2..50576b01ad 100644 --- a/windows/manage/configure-windows-10-taskbar.md +++ b/windows/manage/configure-windows-10-taskbar.md @@ -289,7 +289,9 @@ The resulting taskbar for computers in any other country region: ## Related topics -[Manage Windows 10 Start and taskbar layout ](windows-10-start-layout-options-and-policies.md)[Customize and export Start layout](customize-and-export-start-layout.md) +[Manage Windows 10 Start and taskbar layout ](windows-10-start-layout-options-and-policies.md) + +[Customize and export Start layout](customize-and-export-start-layout.md) [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) From 5804004f5447536c52b869b4ae34528398e85bbb Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Tue, 3 Jan 2017 07:25:13 -0800 Subject: [PATCH 08/10] format --- windows/manage/configure-devices-without-mdm.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/manage/configure-devices-without-mdm.md b/windows/manage/configure-devices-without-mdm.md index b28734a5f6..7b63a5986b 100644 --- a/windows/manage/configure-devices-without-mdm.md +++ b/windows/manage/configure-devices-without-mdm.md @@ -104,11 +104,13 @@ When you run Windows ICD, you have several options for creating your package. 6. Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, type, and (if required) password for the wireless network. 7. Click **Enroll into Active Directory**. 8. Toggle **Yes** or **No** for Active Directory enrollment. If you select **Yes**, enter the credentials for an account with permissions to enroll the device. (Optional) Enter a user name and password to create a local administrator account. + > [!WARNING] > If you don't create a local administrator account and the device fails to enroll in Active Directory for any reason, you will have to reimage the device and start over. As a best practice, we recommend: - Use a least-privileged domain account to join the device to the domain. - Create a temporary administrator account to use for debugging or reprovisioning if the device fails to enroll successfully. - [Use Group Policy to delete the temporary administrator account](https://blogs.technet.microsoft.com/canitpro/2014/12/10/group-policy-creating-a-standard-local-admin-account/) after the device is enrolled in Active Directory. + 9. Click **Finish**. 10. Review your settings in the summary. You can return to previous pages to change your selections. Then, under **Protect your package**, toggle **Yes** or **No** to encrypt the provisioning package. If you select **Yes**, enter a password. This password must be entered to apply the encrypted provisioning package. 11. Click **Create**. From 23542380d3de9a8a7eaec1ab4de3eab133e6c019 Mon Sep 17 00:00:00 2001 From: Justinha Date: Tue, 3 Jan 2017 09:21:23 -0800 Subject: [PATCH 09/10] added changed WMI filter topic for Dec --- .../change-history-for-keep-windows-10-secure.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index 759d44b4af..e17a75ec92 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md @@ -12,6 +12,13 @@ author: brianlic-msft # Change history for Keep Windows 10 secure This topic lists new and updated topics in the [Keep Windows 10 secure](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md). +## December 2016 + +| New or changed topic | Description | +| --- | --- | +|[Create WMI Filters for the GPO](create-wmi-filters-for-the-gpo.md) |Added filter examples for Windows 10 and Windows Server 2016. | + + ## November 2016 | New or changed topic | Description | | --- | --- | From d0f4e623458589f75398a15c7b1e9b28c67e9c4c Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Tue, 3 Jan 2017 09:48:40 -0800 Subject: [PATCH 10/10] format --- windows/manage/configure-devices-without-mdm.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/manage/configure-devices-without-mdm.md b/windows/manage/configure-devices-without-mdm.md index 7b63a5986b..d5f5cf6cc2 100644 --- a/windows/manage/configure-devices-without-mdm.md +++ b/windows/manage/configure-devices-without-mdm.md @@ -107,6 +107,7 @@ When you run Windows ICD, you have several options for creating your package. > [!WARNING] > If you don't create a local administrator account and the device fails to enroll in Active Directory for any reason, you will have to reimage the device and start over. As a best practice, we recommend: + - Use a least-privileged domain account to join the device to the domain. - Create a temporary administrator account to use for debugging or reprovisioning if the device fails to enroll successfully. - [Use Group Policy to delete the temporary administrator account](https://blogs.technet.microsoft.com/canitpro/2014/12/10/group-policy-creating-a-standard-local-admin-account/) after the device is enrolled in Active Directory.

Enforcement mode

SRP works in the “deny list mode” where administrators can create rules for files that they do not want to allow in this Enterprise whereas the rest of the file are allowed to run by default.

-

SRP can also be configured in the “allow list mode” such that the by default all files are blocked and administrators need to create allow rules for files that they want to allow.

AppLocker by default works in the “allow list mode” where only those files are allowed to run for which there is a matching allow rule.