mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-12 13:27:23 +00:00
Merge pull request #6142 from MandiOhlinger/ado5700386-round1
ADO 5700386: Removing Win10 Mobile - Final PR
This commit is contained in:
Diana Hanson
GitHub
commit
b631833ee6
@ -17,12 +17,12 @@ ms.topic: article
|
||||
# What's new in Windows 10 Enterprise LTSC 2015
|
||||
|
||||
**Applies to**
|
||||
- Windows 10 Enterprise LTSC 2015
|
||||
- Windows 10 Enterprise LTSC 2015
|
||||
|
||||
This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise LTSC 2015 (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](index.md).
|
||||
This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise LTSC 2015 (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](index.md).
|
||||
|
||||
>[!NOTE]
|
||||
>Features in Windows 10 Enterprise LTSC 2015 are equivalent to [Windows 10, version 1507](../whats-new-windows-10-version-1507-and-1511.md).
|
||||
> [!NOTE]
|
||||
> Features in Windows 10 Enterprise LTSC 2015 are equivalent to [Windows 10, version 1507](../whats-new-windows-10-version-1507-and-1511.md).
|
||||
|
||||
## Deployment
|
||||
|
||||
@ -42,7 +42,6 @@ Enhancements to AppLocker in Windows 10 include:
|
||||
|
||||
- A new parameter was added to the [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy) Windows PowerShell cmdlet that lets you choose whether executable and DLL rule collections apply to non-interactive processes. To enable this, set the **ServiceEnforcement** to **Enabled**.
|
||||
- A new [AppLocker](/windows/client-management/mdm/applocker-csp) configuration service provider was add to allow you to enable AppLocker rules by using an MDM server.
|
||||
- You can manage Windows 10 Mobile devices by using the new [AppLocker CSP](/windows/client-management/mdm/applocker-csp).
|
||||
|
||||
[Learn how to manage AppLocker within your organization](/windows/device-security/applocker/applocker-overview).
|
||||
|
||||
@ -58,7 +57,7 @@ Enhancements to AppLocker in Windows 10 include:
|
||||
|
||||
### Certificate management
|
||||
|
||||
For Windows 10-based devices, you can use your MDM server to directly deploy client authentication certificates using Personal Information Exchange (PFX), in addition to enrolling using Simple Certificate Enrollment Protocol (SCEP), including certificates to enable Windows Hello for Business in your enterprise. You'll be able to use MDM to enroll, renew, and delete certificates. As in Windows Phone 8.1, you can use the [Certificates app](https://go.microsoft.com/fwlink/p/?LinkId=615824) to review the details of certificates on your device. [Learn how to install digital certificates on Windows 10 Mobile.](/windows/access-protection/installing-digital-certificates-on-windows-10-mobile)
|
||||
For Windows 10-based devices, you can use your MDM server to directly deploy client authentication certificates using Personal Information Exchange (PFX), in addition to enrolling using Simple Certificate Enrollment Protocol (SCEP), including certificates to enable Windows Hello for Business in your enterprise. You'll be able to use MDM to enroll, renew, and delete certificates.
|
||||
|
||||
### Microsoft Passport
|
||||
|
||||
@ -68,13 +67,13 @@ Microsoft Passport lets users authenticate to a Microsoft account, an Active Dir
|
||||
|
||||
### Security auditing
|
||||
|
||||
In Windows 10, security auditing has added some improvements:
|
||||
In Windows 10, security auditing has added some improvements:
|
||||
- [New audit subcategories](#bkmk-auditsubcat)
|
||||
- [More info added to existing audit events](#bkmk-moreinfo)
|
||||
|
||||
#### <a href="" id="bkmk-auditsubcat"></a>New audit subcategories
|
||||
|
||||
In Windows 10, two new audit subcategories were added to the Advanced Audit Policy Configuration to provide greater granularity in audit events:
|
||||
In Windows 10, two new audit subcategories were added to the Advanced Audit Policy Configuration to provide greater granularity in audit events:
|
||||
- [Audit Group Membership](/windows/device-security/auditing/audit-group-membership) Found in the Logon/Logoff audit category, the Audit Group Membership subcategory allows you to audit the group membership information in a user's logon token. Events in this subcategory are generated when group memberships are enumerated or queried on the PC where the logon session was created. For an interactive logon, the security audit event is generated on the PC that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the PC hosting the resource.
|
||||
When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the **Audit Logon** setting under **Advanced Audit Policy Configuration\\System Audit Policies\\Logon/Logoff**. Multiple events are generated if the group membership information cannot fit in a single security audit event.
|
||||
- [Audit PNP Activity](/windows/device-security/auditing/audit-pnp-activity) Found in the Detailed Tracking category, the Audit PNP Activity subcategory allows you to audit when plug and play detects an external device.
|
||||
@ -83,7 +82,7 @@ In Windows 10, two new audit subcategories were added to the Advanced Audit Pol
|
||||
|
||||
#### <a href="" id="bkmk-moreinfo"></a>More info added to existing audit events
|
||||
|
||||
With Windows 10, version 1507, we've added more info to existing audit events to make it easier for you to put together a full audit trail and come away with the information you need to protect your enterprise. Improvements were made to the following audit events:
|
||||
With Windows 10, version 1507, we've added more info to existing audit events to make it easier for you to put together a full audit trail and come away with the information you need to protect your enterprise. Improvements were made to the following audit events:
|
||||
- [Changed the kernel default audit policy](#bkmk-kdal)
|
||||
- [Added a default process SACL to LSASS.exe](#bkmk-lsass)
|
||||
- [Added new fields in the logon event](#bkmk-logon)
|
||||
@ -94,11 +93,11 @@ With Windows 10, version 1507, we've added more info to existing audit events t
|
||||
|
||||
#### <a href="" id="bkmk-kdal"></a>Changed the kernel default audit policy
|
||||
|
||||
In previous releases, the kernel depended on the Local Security Authority (LSA) to retrieve info in some of its events. In Windows 10, the process creation events audit policy is automatically enabled until an actual audit policy is received from LSA. This results in better auditing of services that may start before LSA starts.
|
||||
In previous releases, the kernel depended on the Local Security Authority (LSA) to retrieve info in some of its events. In Windows 10, the process creation events audit policy is automatically enabled until an actual audit policy is received from LSA. This results in better auditing of services that may start before LSA starts.
|
||||
|
||||
#### <a href="" id="bkmk-lsass"></a>Added a default process SACL to LSASS.exe
|
||||
|
||||
In Windows 10, a default process SACL was added to LSASS.exe to log processes attempting to access LSASS.exe. The SACL is L"S:(AU;SAFA;0x0010;;;WD)". You can enable this under **Advanced Audit Policy Configuration\\Object Access\\Audit Kernel Object**.
|
||||
In Windows 10, a default process SACL was added to LSASS.exe to log processes attempting to access LSASS.exe. The SACL is L"S:(AU;SAFA;0x0010;;;WD)". You can enable this under **Advanced Audit Policy Configuration\\Object Access\\Audit Kernel Object**.
|
||||
This can help identify attacks that steal credentials from the memory of a process.
|
||||
|
||||
#### <a href="" id="bkmk-logon"></a>New fields in the logon event
|
||||
@ -137,7 +136,7 @@ The logon event ID 4688 has been updated to include more verbose information to
|
||||
|
||||
#### <a href="" id="bkmk-sam"></a>New Security Account Manager events
|
||||
|
||||
In Windows 10, new SAM events were added to cover SAM APIs that perform read/query operations. In previous versions of Windows, only write operations were audited. The new events are event ID 4798 and event ID 4799. The following APIs are now audited:
|
||||
In Windows 10, new SAM events were added to cover SAM APIs that perform read/query operations. In previous versions of Windows, only write operations were audited. The new events are event ID 4798 and event ID 4799. The following APIs are now audited:
|
||||
- SamrEnumerateGroupsInDomain
|
||||
- SamrEnumerateUsersInDomain
|
||||
- SamrEnumerateAliasesInDomain
|
||||
@ -170,9 +169,9 @@ Event ID 6416 has been added to track when an external device is detected throug
|
||||
|
||||
### Trusted Platform Module
|
||||
|
||||
#### New TPM features in Windows 10
|
||||
#### New TPM features in Windows 10
|
||||
|
||||
The following sections describe the new and changed functionality in the TPM for Windows 10:
|
||||
The following sections describe the new and changed functionality in the TPM for Windows 10:
|
||||
- [Device health attestation](#bkmk-dha)
|
||||
- [Microsoft Passport](/windows/access-protection/hello-for-business/hello-identity-verification) support
|
||||
- [Device Guard](/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies) support
|
||||
@ -186,7 +185,8 @@ Some things that you can check on the device are:
|
||||
- Is BitLocker Drive Encryption supported and enabled?
|
||||
- Is SecureBoot supported and enabled?
|
||||
|
||||
> **Note** The device must be running Windows 10 and it must support at least TPM 2.0.
|
||||
> [!NOTE]
|
||||
> The device must be running Windows 10 and it must support at least TPM 2.0.
|
||||
|
||||
[Learn how to deploy and manage TPM within your organization](/windows/device-security/tpm//trusted-platform-module-overview).
|
||||
|
||||
@ -198,7 +198,7 @@ You should not turn off UAC because this is not a supported scenario for devices
|
||||
|
||||
For more info about how manage UAC, see [UAC Group Policy Settings and Registry Key Settings](/windows/access-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings).
|
||||
|
||||
In Windows 10, User Account Control has added some improvements:
|
||||
In Windows 10, User Account Control has added some improvements:
|
||||
|
||||
- **Integration with the Antimalware Scan Interface (AMSI)**. The [AMSI](/windows/win32/amsi/antimalware-scan-interface-portal) scans all UAC elevation requests for malware. If malware is detected, the admin privilege is blocked.
|
||||
|
||||
@ -219,13 +219,13 @@ Windows 10 provides a set of VPN features that both increase enterprise security
|
||||
|
||||
## Management
|
||||
|
||||
Windows 10 provides mobile device management (MDM) capabilities for PCs, laptops, tablets, and phones that enable enterprise-level management of corporate-owned and personal devices.
|
||||
Windows 10 provides mobile device management (MDM) capabilities for PCs, laptops, tablets, and phones that enable enterprise-level management of corporate-owned and personal devices.
|
||||
|
||||
### MDM support
|
||||
|
||||
MDM policies for Windows 10 align with the policies supported in Windows 8.1 and are expanded to address even more enterprise scenarios, such as managing multiple users who have Microsoft Azure Active Directory (Azure AD) accounts, full control over the Microsoft Store, VPN configuration, and more.
|
||||
MDM policies for Windows 10 align with the policies supported in Windows 8.1 and are expanded to address even more enterprise scenarios, such as managing multiple users who have Microsoft Azure Active Directory (Azure AD) accounts, full control over the Microsoft Store, VPN configuration, and more.
|
||||
|
||||
MDM support in Windows 10 is based on [Open Mobile Alliance (OMA)](https://go.microsoft.com/fwlink/p/?LinkId=533885) Device Management (DM) protocol 1.2.1 specification.
|
||||
MDM support in Windows 10 is based on [Open Mobile Alliance (OMA)](https://go.microsoft.com/fwlink/p/?LinkId=533885) Device Management (DM) protocol 1.2.1 specification.
|
||||
|
||||
Corporate-owned devices can be enrolled automatically for enterprises using Azure AD. [Reference for Mobile device management for Windows 10](/windows/client-management/mdm/)
|
||||
|
||||
@ -245,8 +245,8 @@ Enterprises have the following identity and management choices.
|
||||
| Grouping | Domain join; Workgroup; Azure AD join |
|
||||
| Device management | Group Policy; Microsoft Endpoint Configuration Manager; Microsoft Intune; other MDM solutions; Exchange ActiveSync; Windows PowerShell; Windows Management Instrumentation (WMI) |
|
||||
|
||||
> **Note**
|
||||
With the release of Windows Server 2012 R2, Network Access Protection (NAP) was deprecated and the NAP client has now been removed in Windows 10. For more information about support lifecycles, see [Microsoft Support Lifecycle](/lifecycle/).
|
||||
> [!NOTE]
|
||||
> With the release of Windows Server 2012 R2, Network Access Protection (NAP) was deprecated and the NAP client has now been removed in Windows 10. For more information about support lifecycles, see [Microsoft Support Lifecycle](/lifecycle/).
|
||||
|
||||
|
||||
### Device lockdown
|
||||
@ -272,9 +272,9 @@ Administrators can also use mobile device management (MDM) or Group Policy to di
|
||||
|
||||
## Updates
|
||||
|
||||
Windows Update for Business enables information technology administrators to keep the Windows 10-based devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Microsoft’s Windows Update service.
|
||||
Windows Update for Business enables information technology administrators to keep the Windows 10-based devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Microsoft’s Windows Update service.
|
||||
|
||||
By using [Group Policy Objects](/previous-versions/cc498727(v=msdn.10)), Windows Update for Business is an easily established and implemented system which enables organizations and administrators to exercise control on how their Windows 10-based devices are updated, by allowing:
|
||||
By using [Group Policy Objects](/previous-versions/cc498727(v=msdn.10)), Windows Update for Business is an easily established and implemented system which enables organizations and administrators to exercise control on how their Windows 10-based devices are updated, by allowing:
|
||||
|
||||
- **Deployment and validation groups**; where administrators can specify which devices go first in an update wave, and which devices will come later (to ensure any quality bars are met).
|
||||
|
||||
@ -287,7 +287,7 @@ Together, these Windows Update for Business features help reduce device manageme
|
||||
|
||||
Learn more about [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb).
|
||||
|
||||
For more information about updating Windows 10, see [Windows 10 servicing options for updates and upgrades](/windows/deployment/update/waas-servicing-strategy-windows-10-updates).
|
||||
For more information about updating Windows 10, see [Windows 10 servicing options for updates and upgrades](/windows/deployment/update/waas-servicing-strategy-windows-10-updates).
|
||||
|
||||
## Microsoft Edge
|
||||
|
||||
@ -295,4 +295,4 @@ The new chromium-based Microsoft Edge is not included in the LTSC release of Win
|
||||
|
||||
## See Also
|
||||
|
||||
[Windows 10 Enterprise LTSC](index.md): A description of the LTSC servicing channel with links to information about each release.
|
||||
[Windows 10 Enterprise LTSC](index.md): A description of the LTSC servicing channel with links to information about each release.
|
||||
|
||||
@ -17,9 +17,9 @@ ms.topic: article
|
||||
# What's new in Windows 10 Enterprise LTSC 2016
|
||||
|
||||
**Applies to**
|
||||
- Windows 10 Enterprise LTSC 2016
|
||||
- Windows 10 Enterprise LTSC 2016
|
||||
|
||||
This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise LTSC 2016 (LTSB), compared to Windows 10 Enterprise LTSC 2015 (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](index.md).
|
||||
This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise LTSC 2016 (LTSB), compared to Windows 10 Enterprise LTSC 2015 (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](index.md).
|
||||
|
||||
>[!NOTE]
|
||||
>Features in Windows 10 Enterprise LTSC 2016 are equivalent to Windows 10, version 1607.
|
||||
@ -76,7 +76,6 @@ Additional changes for Windows Hello in Windows 10 Enterprise LTSC 2016:
|
||||
- Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys.
|
||||
- Group Policy settings for managing Windows Hello for Business are now available for both **User Configuration** and **Computer Configuration**.
|
||||
- Beginning in this version of Windows 10, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN, enable the Group Policy setting **Turn on convenience PIN sign-in**.
|
||||
<!--- Users can use Windows Phone with Windows Hello to sign in to a PC, connect to VPN, and sign in to Office 365 in a browser.-->
|
||||
|
||||
[Learn more about Windows Hello for Business.](/windows/access-protection/hello-for-business/hello-identity-verification)
|
||||
|
||||
@ -88,7 +87,9 @@ Additional changes for Windows Hello in Windows 10 Enterprise LTSC 2016:
|
||||
It provides the following benefits:
|
||||
- The algorithm is FIPS-compliant.
|
||||
- Easy to administer. You can use the BitLocker Wizard, manage-bde, Group Policy, MDM policy, Windows PowerShell, or WMI to manage it on devices in your organization.
|
||||
>**Note:** Drives encrypted with XTS-AES will not be accessible on older version of Windows. This is only recommended for fixed and operating system drives. Removable drives should continue to use the AES-CBC 128-bit or AES-CBC 256-bit algorithms.
|
||||
|
||||
> [!NOTE]
|
||||
> Drives encrypted with XTS-AES will not be accessible on older version of Windows. This is only recommended for fixed and operating system drives. Removable drives should continue to use the AES-CBC 128-bit or AES-CBC 256-bit algorithms.
|
||||
|
||||
### Security auditing
|
||||
|
||||
@ -135,7 +136,7 @@ With the growing threat from more sophisticated targeted attacks, a new security
|
||||
- The VPN client can integrate with the Conditional Access Framework, a cloud-based policy engine built into Azure Active Directory, to provide a device compliance option for remote clients.
|
||||
- The VPN client can integrate with Windows Information Protection (WIP) policy to provide additional security. [Learn more about Windows Information Protection](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip), previously known as Enterprise Data Protection.
|
||||
- New VPNv2 configuration service provider (CSP) adds configuration settings. For details, see [What's new in MDM enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew_1607)
|
||||
- Microsoft Intune: *VPN Profile (Windows 10 Desktop and Mobile and later)* policy template includes support for native VPN plug-ins.
|
||||
- Microsoft Intune: *VPN* profile template includes support for native VPN plug-ins. For more information, see [Create VPN profiles to connect to VPN servers in Intune](/mem/intune/configuration/vpn-settings-configure).
|
||||
|
||||
## Management
|
||||
|
||||
@ -179,4 +180,4 @@ The new chromium-based Microsoft Edge is not included in the LTSC release of Win
|
||||
|
||||
## See Also
|
||||
|
||||
[Windows 10 Enterprise LTSC](index.md): A description of the LTSC servicing channel with links to information about each release.
|
||||
[Windows 10 Enterprise LTSC](index.md): A description of the LTSC servicing channel with links to information about each release.
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: What's new in Windows 10, versions 1507 and 1511 (Windows 10)
|
||||
description: What's new in Windows 10 for Windows 10 (versions 1507 and 1511) and Windows 10 Mobile.
|
||||
description: What's new in Windows 10 for Windows 10 (versions 1507 and 1511).
|
||||
ms.assetid: 75F285B0-09BE-4821-9B42-37B9BE54CEC6
|
||||
ms.reviewer:
|
||||
ms.prod: w10
|
||||
@ -34,11 +34,10 @@ With Windows 10, you can create provisioning packages that let you quickly and e
|
||||
|
||||
### AppLocker
|
||||
|
||||
#### New AppLocker features in Windows 10, version 1507
|
||||
#### New AppLocker features in Windows 10, version 1507
|
||||
|
||||
- A new parameter was added to the [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy) Windows PowerShell cmdlet that lets you choose whether executable and DLL rule collections apply to non-interactive processes. To enable this, set the **ServiceEnforcement** to **Enabled**.
|
||||
- A new [AppLocker](/windows/client-management/mdm/applocker-csp) configuration service provider was add to allow you to enable AppLocker rules by using an MDM server.
|
||||
- You can manage Windows 10 Mobile devices by using the new [AppLocker CSP](/windows/client-management/mdm/applocker-csp).
|
||||
|
||||
[Learn how to manage AppLocker within your organization](/windows/device-security/applocker/applocker-overview).
|
||||
|
||||
@ -51,10 +50,10 @@ With Windows 10, you can create provisioning packages that let you quickly and e
|
||||
- The algorithm is FIPS-compliant.
|
||||
- Easy to administer. You can use the BitLocker Wizard, manage-bde, Group Policy, MDM policy, Windows PowerShell, or WMI to manage it on devices in your organization.
|
||||
|
||||
>[!NOTE]
|
||||
>Drives encrypted with XTS-AES will not be accessible on older version of Windows. This is only recommended for fixed and operating system drives. Removable drives should continue to use the AES-CBC 128-bit or AES-CBC 256-bit algorithms.
|
||||
> [!NOTE]
|
||||
> Drives encrypted with XTS-AES will not be accessible on older version of Windows. This is only recommended for fixed and operating system drives. Removable drives should continue to use the AES-CBC 128-bit or AES-CBC 256-bit algorithms.
|
||||
|
||||
#### New BitLocker features in Windows 10, version 1507
|
||||
#### New BitLocker features in Windows 10, version 1507
|
||||
|
||||
<!-- The link in the first bullet below will need to be refreshed Jan/Feb 2017. -->
|
||||
|
||||
@ -80,7 +79,7 @@ With Windows 10, you can create provisioning packages that let you quickly and e
|
||||
### Easier certificate management
|
||||
|
||||
|
||||
For Windows 10-based devices, you can use your MDM server to directly deploy client authentication certificates using Personal Information Exchange (PFX), in addition to enrolling using Simple Certificate Enrollment Protocol (SCEP), including certificates to enable Windows Hello for Business in your enterprise. You'll be able to use MDM to enroll, renew, and delete certificates. As in Windows Phone 8.1, you can use the [Certificates app](https://go.microsoft.com/fwlink/p/?LinkId=615824) to review the details of certificates on your device. [Learn how to install digital certificates on Windows 10 Mobile.](/windows/access-protection/installing-digital-certificates-on-windows-10-mobile)
|
||||
For Windows 10-based devices, you can use your MDM server to directly deploy client authentication certificates using Personal Information Exchange (PFX), in addition to enrolling using Simple Certificate Enrollment Protocol (SCEP), including certificates to enable Windows Hello for Business in your enterprise. You'll be able to use MDM to enroll, renew, and delete certificates.
|
||||
|
||||
### Microsoft Passport
|
||||
|
||||
@ -94,15 +93,15 @@ Microsoft Passport lets users authenticate to a Microsoft account, an Active Dir
|
||||
|
||||
- The [WindowsSecurityAuditing](/windows/client-management/mdm/windowssecurityauditing-csp) and [Reporting](/windows/client-management/mdm/reporting-csp) configuration service providers allow you to add security audit policies to mobile devices.
|
||||
|
||||
#### New features in Windows 10, version 1507
|
||||
#### New features in Windows 10, version 1507
|
||||
|
||||
In Windows 10, security auditing has added some improvements:
|
||||
In Windows 10, security auditing has added some improvements:
|
||||
- [New audit subcategories](#bkmk-auditsubcat)
|
||||
- [More info added to existing audit events](#bkmk-moreinfo)
|
||||
|
||||
##### <a href="" id="bkmk-auditsubcat"></a>New audit subcategories
|
||||
|
||||
In Windows 10, two new audit subcategories were added to the Advanced Audit Policy Configuration to provide greater granularity in audit events:
|
||||
In Windows 10, two new audit subcategories were added to the Advanced Audit Policy Configuration to provide greater granularity in audit events:
|
||||
- [Audit Group Membership](/windows/device-security/auditing/audit-group-membership) Found in the Logon/Logoff audit category, the Audit Group Membership subcategory allows you to audit the group membership information in a user's logon token. Events in this subcategory are generated when group memberships are enumerated or queried on the PC where the logon session was created. For an interactive logon, the security audit event is generated on the PC that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the PC hosting the resource.
|
||||
When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the **Audit Logon** setting under **Advanced Audit Policy Configuration\\System Audit Policies\\Logon/Logoff**. Multiple events are generated if the group membership information cannot fit in a single security audit event.
|
||||
- [Audit PNP Activity](/windows/device-security/auditing/audit-pnp-activity) Found in the Detailed Tracking category, the Audit PNP Activity subcategory allows you to audit when plug and play detects an external device.
|
||||
@ -111,7 +110,7 @@ In Windows 10, two new audit subcategories were added to the Advanced Audit Pol
|
||||
|
||||
##### <a href="" id="bkmk-moreinfo"></a>More info added to existing audit events
|
||||
|
||||
With Windows 10, version 1507, we've added more info to existing audit events to make it easier for you to put together a full audit trail and come away with the information you need to protect your enterprise. Improvements were made to the following audit events:
|
||||
With Windows 10, version 1507, we've added more info to existing audit events to make it easier for you to put together a full audit trail and come away with the information you need to protect your enterprise. Improvements were made to the following audit events:
|
||||
- [Changed the kernel default audit policy](#bkmk-kdal)
|
||||
- [Added a default process SACL to LSASS.exe](#bkmk-lsass)
|
||||
- [Added new fields in the logon event](#bkmk-logon)
|
||||
@ -122,11 +121,11 @@ With Windows 10, version 1507, we've added more info to existing audit events t
|
||||
|
||||
##### <a href="" id="bkmk-kdal"></a>Changed the kernel default audit policy
|
||||
|
||||
In previous releases, the kernel depended on the Local Security Authority (LSA) to retrieve info in some of its events. In Windows 10, the process creation events audit policy is automatically enabled until an actual audit policy is received from LSA. This results in better auditing of services that may start before LSA starts.
|
||||
In previous releases, the kernel depended on the Local Security Authority (LSA) to retrieve info in some of its events. In Windows 10, the process creation events audit policy is automatically enabled until an actual audit policy is received from LSA. This results in better auditing of services that may start before LSA starts.
|
||||
|
||||
##### <a href="" id="bkmk-lsass"></a>Added a default process SACL to LSASS.exe
|
||||
|
||||
In Windows 10, a default process SACL was added to LSASS.exe to log processes attempting to access LSASS.exe. The SACL is L"S:(AU;SAFA;0x0010;;;WD)". You can enable this under **Advanced Audit Policy Configuration\\Object Access\\Audit Kernel Object**.
|
||||
In Windows 10, a default process SACL was added to LSASS.exe to log processes attempting to access LSASS.exe. The SACL is L"S:(AU;SAFA;0x0010;;;WD)". You can enable this under **Advanced Audit Policy Configuration\\Object Access\\Audit Kernel Object**.
|
||||
This can help identify attacks that steal credentials from the memory of a process.
|
||||
|
||||
##### <a href="" id="bkmk-logon"></a>New fields in the logon event
|
||||
@ -165,7 +164,7 @@ The logon event ID 4688 has been updated to include more verbose information to
|
||||
|
||||
##### <a href="" id="bkmk-sam"></a>New Security Account Manager events
|
||||
|
||||
In Windows 10, new SAM events were added to cover SAM APIs that perform read/query operations. In previous versions of Windows, only write operations were audited. The new events are event ID 4798 and event ID 4799. The following APIs are now audited:
|
||||
In Windows 10, new SAM events were added to cover SAM APIs that perform read/query operations. In previous versions of Windows, only write operations were audited. The new events are event ID 4798 and event ID 4799. The following APIs are now audited:
|
||||
- SamrEnumerateGroupsInDomain
|
||||
- SamrEnumerateUsersInDomain
|
||||
- SamrEnumerateAliasesInDomain
|
||||
@ -198,13 +197,13 @@ Event ID 6416 has been added to track when an external device is detected throug
|
||||
|
||||
### Trusted Platform Module
|
||||
|
||||
#### New TPM features in Windows 10, version 1511
|
||||
#### New TPM features in Windows 10, version 1511
|
||||
|
||||
- Key Storage Providers (KSPs) and srvcrypt support elliptical curve cryptography (ECC).
|
||||
|
||||
#### New TPM features in Windows 10, version 1507
|
||||
#### New TPM features in Windows 10, version 1507
|
||||
|
||||
The following sections describe the new and changed functionality in the TPM for Windows 10:
|
||||
The following sections describe the new and changed functionality in the TPM for Windows 10:
|
||||
- [Device health attestation](#bkmk-dha)
|
||||
- [Microsoft Passport](/windows/access-protection/hello-for-business/hello-identity-verification) support
|
||||
- [Device Guard](/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies) support
|
||||
@ -219,7 +218,7 @@ Some things that you can check on the device are:
|
||||
- Is SecureBoot supported and enabled?
|
||||
|
||||
>[!NOTE]
|
||||
>The device must be running Windows 10 and it must support at least TPM 2.0.
|
||||
>The device must be running Windows 10 and it must support at least TPM 2.0.
|
||||
|
||||
[Learn how to deploy and manage TPM within your organization](/windows/device-security/tpm//trusted-platform-module-overview).
|
||||
|
||||
@ -231,9 +230,9 @@ You should not turn off UAC because this is not a supported scenario for devices
|
||||
|
||||
For more info about how manage UAC, see [UAC Group Policy Settings and Registry Key Settings](/windows/access-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings).
|
||||
|
||||
In Windows 10, User Account Control has added some improvements.
|
||||
In Windows 10, User Account Control has added some improvements.
|
||||
|
||||
#### New User Account Control features in Windows 10, version 1507
|
||||
#### New User Account Control features in Windows 10, version 1507
|
||||
|
||||
- **Integration with the Antimalware Scan Interface (AMSI)**. The [AMSI](/windows/win32/amsi/antimalware-scan-interface-portal) scans all UAC elevation requests for malware. If malware is detected, the admin privilege is blocked.
|
||||
|
||||
@ -254,13 +253,13 @@ Windows 10 provides a set of VPN features that both increase enterprise security
|
||||
|
||||
## Management
|
||||
|
||||
Windows 10 provides mobile device management (MDM) capabilities for PCs, laptops, tablets, and phones that enable enterprise-level management of corporate-owned and personal devices.
|
||||
Windows 10 provides mobile device management (MDM) capabilities for PCs, laptops, tablets, and phones that enable enterprise-level management of corporate-owned and personal devices.
|
||||
|
||||
### MDM support
|
||||
|
||||
MDM policies for Windows 10 align with the policies supported in Windows 8.1 and are expanded to address even more enterprise scenarios, such as managing multiple users who have Microsoft Azure Active Directory (Azure AD) accounts, full control over the Microsoft Store, VPN configuration, and more.
|
||||
MDM policies for Windows 10 align with the policies supported in Windows 8.1 and are expanded to address even more enterprise scenarios, such as managing multiple users who have Microsoft Azure Active Directory (Azure AD) accounts, full control over the Microsoft Store, VPN configuration, and more.
|
||||
|
||||
MDM support in Windows 10 is based on [Open Mobile Alliance (OMA)](https://go.microsoft.com/fwlink/p/?LinkId=533885) Device Management (DM) protocol 1.2.1 specification.
|
||||
MDM support in Windows 10 is based on [Open Mobile Alliance (OMA)](https://go.microsoft.com/fwlink/p/?LinkId=533885) Device Management (DM) protocol 1.2.1 specification.
|
||||
|
||||
Corporate-owned devices can be enrolled automatically for enterprises using Azure AD. [Reference for Mobile device management for Windows 10](/windows/client-management/mdm/)
|
||||
|
||||
@ -282,7 +281,8 @@ Enterprises have the following identity and management choices.
|
||||
| Grouping | Domain join; Workgroup; Azure AD join |
|
||||
| Device management | Group Policy; Microsoft Endpoint Configuration Manager; Microsoft Intune; other MDM solutions; Exchange ActiveSync; Windows PowerShell; Windows Management Instrumentation (WMI) |
|
||||
|
||||
**Note:** With the release of Windows Server 2012 R2, Network Access Protection (NAP) was deprecated and the NAP client has now been removed in Windows 10. For more information about support lifecycles, see [Microsoft Support Lifecycle](/lifecycle/).
|
||||
> [!NOTE]
|
||||
> With the release of Windows Server 2012 R2, Network Access Protection (NAP) was deprecated and the NAP client has now been removed in Windows 10. For more information about support lifecycles, see [Microsoft Support Lifecycle](/lifecycle/).
|
||||
|
||||
|
||||
### Device lockdown
|
||||
@ -318,9 +318,9 @@ For more information, see [Microsoft Store for Business overview](/microsoft-sto
|
||||
|
||||
## Updates
|
||||
|
||||
Windows Update for Business enables information technology administrators to keep the Windows 10-based devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Microsoft’s Windows Update service.
|
||||
Windows Update for Business enables information technology administrators to keep the Windows 10-based devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Microsoft’s Windows Update service.
|
||||
|
||||
By using [Group Policy Objects](/previous-versions/cc498727(v=msdn.10)), Windows Update for Business is an easily established and implemented system which enables organizations and administrators to exercise control on how their Windows 10-based devices are updated, by allowing:
|
||||
By using [Group Policy Objects](/previous-versions/cc498727(v=msdn.10)), Windows Update for Business is an easily established and implemented system which enables organizations and administrators to exercise control on how their Windows 10-based devices are updated, by allowing:
|
||||
|
||||
- **Deployment and validation groups**; where administrators can specify which devices go first in an update wave, and which devices will come later (to ensure any quality bars are met).
|
||||
|
||||
@ -333,7 +333,7 @@ Together, these Windows Update for Business features help reduce device manageme
|
||||
|
||||
Learn more about [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb).
|
||||
|
||||
For more information about updating Windows 10, see [Windows 10 servicing options for updates and upgrades](/windows/deployment/update/waas-servicing-strategy-windows-10-updates).
|
||||
For more information about updating Windows 10, see [Windows 10 servicing options for updates and upgrades](/windows/deployment/update/waas-servicing-strategy-windows-10-updates).
|
||||
|
||||
## Microsoft Edge
|
||||
Microsoft Edge takes you beyond just browsing to actively engaging with the web through features like Web Note, Reading View, and Cortana.
|
||||
@ -344,9 +344,9 @@ Microsoft Edge takes you beyond just browsing to actively engaging with the web
|
||||
- **Compatibility and security.** Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or that are included on your Enterprise Mode Site List. You must use IE11 to run older, less secure technology, such as ActiveX controls.
|
||||
|
||||
### Enterprise guidance
|
||||
Microsoft Edge is the default browser experience for Windows 10 and Windows 10 Mobile. However, if you're running web apps that need ActiveX controls, we recommend that you continue to use Internet Explorer 11 for them. If you don't have IE11 installed anymore, you can download it from the Microsoft Store or from the [Internet Explorer 11 download page](https://go.microsoft.com/fwlink/p/?linkid=290956).
|
||||
Microsoft Edge is the default browser experience for Windows 10. However, if you're running web apps that need ActiveX controls, we recommend that you continue to use Internet Explorer 11 for them. If you don't have IE11 installed anymore, you can download it from the Microsoft Store or from the [Internet Explorer 11 download page](https://go.microsoft.com/fwlink/p/?linkid=290956).
|
||||
|
||||
We also recommend that you upgrade to IE11 if you're running any earlier versions of Internet Explorer. IE11 is supported on Windows 7, Windows 8.1, and Windows 10. So any legacy apps that work with IE11 will continue to work even as you migrate to Windows 10.
|
||||
We also recommend that you upgrade to IE11 if you're running any earlier versions of Internet Explorer. IE11 is supported on Windows 7, Windows 8.1, and Windows 10. So any legacy apps that work with IE11 will continue to work even as you migrate to Windows 10.
|
||||
|
||||
[Learn more about using Microsoft Edge in the enterprise](/microsoft-edge/deploy/emie-to-improve-compatibility)
|
||||
|
||||
@ -354,7 +354,3 @@ We also recommend that you upgrade to IE11 if you're running any earlier version
|
||||
## Learn more
|
||||
|
||||
- [Windows 10 release information](https://technet.microsoft.com/windows/release-info)
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: What's new in Windows 10, version 1607 (Windows 10)
|
||||
description: What's new in Windows 10 for Windows 10 (version 1607) and Windows 10 Mobile.
|
||||
description: What's new in Windows 10 for Windows 10 (version 1607).
|
||||
keywords: ["What's new in Windows 10", "Windows 10", "anniversary update"]
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
@ -19,7 +19,7 @@ Below is a list of some of the new and updated features in Windows 10, version 1
|
||||
|
||||
>[!NOTE]
|
||||
>For release dates and servicing options for each version, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info).
|
||||
|
||||
|
||||
## Deployment
|
||||
|
||||
### Windows Imaging and Configuration Designer (ICD)
|
||||
@ -78,7 +78,6 @@ Additional changes for Windows Hello in Windows 10, version 1607:
|
||||
- Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys.
|
||||
- Group Policy settings for managing Windows Hello for Business are now available for both **User Configuration** and **Computer Configuration**.
|
||||
- Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN for Windows 10, version 1607, enable the Group Policy setting **Turn on convenience PIN sign-in**.
|
||||
<!--- Users can use Windows Phone with Windows Hello to sign in to a PC, connect to VPN, and sign in to Office 365 in a browser.-->
|
||||
|
||||
[Learn more about Windows Hello for Business.](/windows/access-protection/hello-for-business/hello-identity-verification)
|
||||
|
||||
@ -87,7 +86,7 @@ Additional changes for Windows Hello in Windows 10, version 1607:
|
||||
- The VPN client can integrate with the Conditional Access Framework, a cloud-based policy engine built into Azure Active Directory, to provide a device compliance option for remote clients.
|
||||
- The VPN client can integrate with Windows Information Protection (WIP) policy to provide additional security. [Learn more about Windows Information Protection](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip), previously known as Enterprise Data Protection.
|
||||
- New VPNv2 configuration service provider (CSP) adds configuration settings. For details, see [What's new in MDM enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew_1607)
|
||||
- Microsoft Intune: *VPN Profile (Windows 10 Desktop and Mobile and later)* policy template includes support for native VPN plug-ins.
|
||||
- Microsoft Intune: *VPN* profile template includes support for native VPN plug-ins. For more information, see [Create VPN profiles to connect to VPN servers in Intune](/mem/intune/configuration/vpn-settings-configure).
|
||||
|
||||
|
||||
### Windows Information Protection (WIP), formerly known as enterprise data protection (EDP)
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user