deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-18 16:27:22 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'refs/remotes/origin/rs3' into jd3mak

Browse Source
This commit is contained in:
jdeckerMS 2017-08-16 11:49:45 -07:00
commit c1a6e57d8c
32 changed files with 536 additions and 131 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.openpublishing.redirection.json
View File

@ -7647,7 +7647,7 @@
},
{
"source_path": "windows/manage/manage-corporate-devices.md",
"redirect_url": "/windows/client-management/manage-corporate-devices",
"redirect_url": "/windows/client-management/index",
"redirect_document_id": true
},
{

14
browsers/internet-explorer/ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md
View File

@ -1,13 +1,15 @@
---
ms.localizationpriority: low
title: Check for a new Enterprise Mode site list xml file (Internet Explorer 11 for IT Pros)
description: You can have centralized control over Enterprise Mode by creating a single, global XML site list that includes the list of websites to render using Enterprise Mode.
ms.assetid: 2bbc7017-622e-4baa-8981-c0bbda10e9df
ms.prod: ie11
ms.mktglfcycl: deploy
ms.pagetype: appcompat
description: You can have centralized control over Enterprise Mode by creating a single, global XML site list that includes the list of websites to render using Enterprise Mode.
author: eross-msft
ms.prod: ie11
ms.assetid: 2bbc7017-622e-4baa-8981-c0bbda10e9df
title: Check for a new Enterprise Mode site list xml file (Internet Explorer 11 for IT Pros)
ms.sitesec: library
author: eross-msft
ms.author: lizross
ms.date: 08/11/2017
ms.localizationpriority: low
---

19
browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md
View File

@ -1,13 +1,20 @@
---
ms.localizationpriority: low
title: Turn on Enterprise Mode and use a site list (Internet Explorer 11 for IT Pros)
description: How to turn on Enterprise Mode and specify a site list.
ms.assetid: 800e9c5a-57a6-4d61-a38a-4cb972d833e1
ms.prod: ie11
ms.mktglfcycl: deploy
ms.pagetype: appcompat
description: How to turn on Enterprise Mode and specify a site list.
author: eross-msft
ms.prod: ie11
ms.assetid: 800e9c5a-57a6-4d61-a38a-4cb972d833e1
title: Turn on Enterprise Mode and use a site list (Internet Explorer 11 for IT Pros)
ms.sitesec: library
author: eross-msft
ms.author: lizross
ms.date: 08/11/2017
ms.localizationpriority: low
---

10
devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md
View File

@ -1,6 +1,6 @@
---
title: PowerShell for Surface Hub (Surface Hub)
description: PowerShell scripts to help set up and manage your Microsoft Surface Hub .
description: PowerShell scripts to help set up and manage your Microsoft Surface Hub.
ms.assetid: 3EF48F63-8E4C-4D74-ACD5-461F1C653784
keywords: PowerShell, set up Surface Hub, manage Surface Hub
ms.prod: w10
@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: surfacehub
author: jdeckerms
ms.author: jdecker
ms.date: 06/19/2017
ms.date: 08/16/2017
ms.localizationpriority: medium
---
@ -465,7 +465,7 @@ PrintAction "Configuring password not to expire..."
Start-Sleep -s 20
try
{
Set-AdUser $mailbox.Alias -PasswordNeverExpires $true -Enabled $true
Set-AdUser $mailbox.UserPrincipalName -PasswordNeverExpires $true -Enabled $true
}
catch
{
@ -1243,7 +1243,7 @@ if (!$fExIsOnline)
}
$strAlias = $mailbox.Alias
$strAlias = $mailbox.UserPrincipalName
$strDisplayName = $mailbox.DisplayName
$strLinkedAccount = $strLinkedDomain = $strLinkedUser = $strLinkedServer = $null
@ -1424,7 +1424,7 @@ if ($fHasOnPrem)
else
{
#AD User enabled validation
$accountOnPrem = Get-AdUser $strAlias -properties PasswordNeverExpires -WarningAction SilentlyContinue -ErrorAction SilentlyContinue
$accountOnPrem = Get-AdUser $mailbox.UserPrincipalName -properties PasswordNeverExpires -WarningAction SilentlyContinue -ErrorAction SilentlyContinue
}
$strOnPremUpn = $accountOnPrem.UserPrincipalName
Validate -Test "There is a user account for $strOnPremUpn" -Condition ($accountOnprem -ne $null) -FailureMsg "Could not find an Active Directory account for this user"

9
windows/access-protection/credential-guard/credential-guard-manage.md
View File

@ -100,15 +100,6 @@ You can also enable Credential Guard by using the [Device Guard and Credential G
DG_Readiness_Tool_v3.2.ps1 -Enable -AutoReboot
```
### Credential Guard deployment in virtual machines
Credential Guard can protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. When Credential Guard is deployed on a VM, secrets are protected from attacks inside the VM. Credential Guard does not provide additional protection from privileged system attacks originating from the host.
#### Requirements for running Credential Guard in Hyper-V virtual machines
- The Hyper-V host must have an IOMMU, and run at least Windows Server 2016 or Windows 10 version 1607.
- The Hyper-V virtual machine must be Generation 2, have an enabled virtual TPM, and running at least Windows Server 2016 or Windows 10.
### Review Credential Guard performance
**Is Credential Guard running?**

13
windows/access-protection/credential-guard/credential-guard-requirements.md
View File

@ -35,6 +35,19 @@ The Virtualization-based security requires:
- CPU virtualization extensions plus extended page tables
- Windows hypervisor
### Credential Guard deployment in virtual machines
Credential Guard can protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. When Credential Guard is deployed on a VM, secrets are protected from attacks inside the VM. Credential Guard does not provide additional protection from privileged system attacks originating from the host.
#### Requirements for running Credential Guard in Hyper-V virtual machines
- The Hyper-V host must have an IOMMU, and run at least Windows Server 2016 or Windows 10 version 1607.
- The Hyper-V virtual machine must be Generation 2, have an enabled virtual TPM, and be running at least Windows Server 2016 or Windows 10.
For information about other host platforms, see [Enabling Windows Server 2016 and Hyper-V virtualization based security features on other platforms](https://blogs.technet.microsoft.com/windowsserver/2016/09/29/enabling-windows-server-2016-and-hyper-v-virtualization-based-security-features-on-other-platforms/)
For information about Remote Credential Guard hardware and software requirements, see [Remote Credential Guard requirements](https://docs.microsoft.com/en-us/windows/access-protection/remote-credential-guard#hardware-and-software-requirements)
## Application requirements
When Credential Guard is enabled, specific authentication capabilities are blocked, so applications that require such capabilities will break. Applications should be tested prior to deployment to ensure compatiblity with the reduced functionality.

12
windows/access-protection/hello-for-business/hello-planning-guide.md
View File

@ -127,11 +127,11 @@ Hybrid and on-premises deployments include Active Directory as part of their inf
### Public Key Infrastructure
The Windows Hello for Business deployment depends on an enterprise public key infrastructure a trust anchor for authentication. Domain controllers for hybrid and on-prem deployments need a certificate in order for Windows 10 devices to trust the domain controller is a legitimate. Deployments using the certificate trust type need an enterprise public key infrastructure and a certificate registration authority to issue authentication certificates to users. Hybrid deployments may need to issue VPN certificates to users to enable connectivity on-premises resources.
The Windows Hello for Business deployment depends on an enterprise public key infrastructure a trust anchor for authentication. Domain controllers for hybrid and on-prem deployments need a certificate in order for Windows 10 devices to trust the domain controller as legitimate. Deployments using the certificate trust type need an enterprise public key infrastructure and a certificate registration authority to issue authentication certificates to users. Hybrid deployments may need to issue VPN certificates to users to enable connectivity on-premises resources.
### Cloud
Some deployment combinations require an Azure account and some require Azure Active Directory for user identities. These cloud requirements can may only need an Azure account while other features need an Azure Active Directory Premium subscription. The planning process identifies and differentiate the components that are needed from the those that are optional.
Some deployment combinations require an Azure account and some require Azure Active Directory for user identities. These cloud requirements may only need an Azure account while other features need an Azure Active Directory Premium subscription. The planning process identifies and differentiate the components that are needed from the those that are optional.
## Planning a Deployment
@ -188,7 +188,7 @@ If box **1a** on your planning worksheet reads **cloud only**, write **N/A** in
If box **1a** on your planning worksheet reads **hybrid**, then write **Azure AD Connect** in box **1e** on your planning worksheet.
If box **1a** on your planning worksheet reads **on-premises**, then write **Azure MFA Server**. This deployment exclusive uses Active Directory for user information with the exception of the multifactor authentication. The on-premises Azure MFA server synchronizes a subset of the user information, such as phone number, to provide multifactor authentication while the users credential remain on the on-premises network.
If box **1a** on your planning worksheet reads **on-premises**, then write **Azure MFA Server**. This deployment exclusively uses Active Directory for user information with the exception of the multifactor authentication. The on-premises Azure MFA server synchronizes a subset of the user information, such as phone number, to provide multifactor authentication while the users credential remain on the on-premises network.
### Multifactor Authentication
@ -204,13 +204,13 @@ If box **1a** on your planning worksheet reads **hybrid**, then you have a few o
You can directly use the Azure MFA cloud service for the second factor of authentication. Users contacting the service must authenticate to Azure prior to using the service.
If your Azure AD Connect is configured to synchronize identities (usernames only), then your users are redirected to your local on-premises federation server for authentication and then redirected back to the Azure MFA cloud service. Otherwise, your Azure AD Connect is configured to synchronize credentials (username and passwords), which enables your users to authenticate to Azure Active and use the Azure MFA cloud service. If you choose to use the Azure MFA cloud service directly, write **Azure MFA** in box **1f** on your planning worksheet.
If your Azure AD Connect is configured to synchronize identities (usernames only), then your users are redirected to your local on-premises federation server for authentication and then redirected back to the Azure MFA cloud service. Otherwise, your Azure AD Connect is configured to synchronize credentials (username and passwords), which enables your users to authenticate to Azure Active Directory and use the Azure MFA cloud service. If you choose to use the Azure MFA cloud service directly, write **Azure MFA** in box **1f** on your planning worksheet.
You can configure your on-premises Windows Server 2016 AD FS role to use the Azure MFA service adapter. In this configuration, users are redirected to the on premises AD FS server (synchronizing identities only). The AD FS server uses the MFA adapter to communicate to the Azure MFA service to perform the second factor of authentication. If you choose to use AD FS with the Azure MFA cloud service adapter, write **AD FS with Azure MFA cloud adapter** in box **1f** on your planning worksheet.
Alternatively, you can use AD FS with an on-premises Azure MFA server adapter. Rather than AD FS communicating directly with the Azure MFA cloud service, it communicates with an on-premises AD FS server that synchronizes user information with the on-premises Active Directory. The Azure MFA server communicates with Azure MFA cloud services to perform the second factor of authentication. If you choose to use AD FS with the Azure MFA server adapter, write **AD FS with Azure MFA server adapter** in box **1f** on your planning worksheet.
The last option is for you to use AD FS with a third-party adapter to as the second factor of authentication. If you choose to use AD FS with a third-party MFA adapter, write **AD FS with third party** in box **1f** on your planning worksheet.
The last option is for you to use AD FS with a third-party adapter as the second factor of authentication. If you choose to use AD FS with a third-party MFA adapter, write **AD FS with third party** in box **1f** on your planning worksheet.
If box **1a** on your planning worksheet reads **on-premises**, then you have two second factor authentication options. You must use Windows Server 2016 AD FS with your choice of the on-premises Azure MFA server or with a third-party MFA adapter.
@ -261,7 +261,7 @@ Review the trust type portion of this section if box **4d** on your planning wor
### Public Key Infrastructure
Public key infrastructure prerequisites already exist on your planning worksheet. These conditions are the minimum requirements for any hybrid our on-premises deployment. Additional conditions may be needed based on your trust type.
Public key infrastructure prerequisites already exist in your planning worksheet. These conditions are the minimum requirements for any hybrid or on-premises deployment. Additional conditions may be needed based on your trust type.
If box **1a** on your planning worksheet reads **cloud only**, ignore the public key infrastructure section of your planning worksheet. Cloud only deployments do not use a public key infrastructure.

13
windows/access-protection/remote-credential-guard.md
View File

@ -47,12 +47,15 @@ Use the following table to compare different security options for Remote Desktop
## Hardware and software requirements
The Remote Desktop client and server must meet the following requirements in order to use Remote Credential Guard:
To use Remote Credential Guard, the Remote Desktop client and server must meet the following requirements:
- They must be joined to an Active Directory domain
- Both devices must either joined to the same domain or the Remote Desktop server must be joined to a domain with a trust relationship to the client device's domain.
- They must use Kerberos authentication.
- They must be running at least Windows 10, version 1607 or Windows Server 2016.
- In order to connect using credentials other than signed-in credentials, the Remote Desktop client device must be running at least Windows 10, version 1703.
> [!NOTE]
> Remote Desktop client devices running earlier versions, at minimum Windows 10 version 1607, only support signed-in credentials, so the client device must also be joined to an Active Directory domain. Both Remote Desktop client and server must either be joined to the same domain, or the Remote Desktop server can be joined to a domain that has a trust relationship to the client device's domain.
- For Remote Credential Guard to be supported, the user must authenticate to the remote host using Kerberos authentication
- The remote host must be running at least Windows 10 version 1607, or Windows Server 2016.
- The Remote Desktop classic Windows app is required. The Remote Desktop Universal Windows Platform app doesn't support Remote Credential Guard.
## Enable Remote Credential Guard

1
windows/client-management/TOC.md
View File

@ -7,6 +7,7 @@
## [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md)
## [Manage the Settings app with Group Policy](manage-settings-app-with-group-policy.md)
## [Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md)
## [Transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md)
## [Windows 10 Mobile deployment and management guide](windows-10-mobile-and-mdm.md)
## [Windows libraries](windows-libraries.md)
## [Mobile device management for solution providers](mdm/index.md)

14
windows/client-management/index.md
View File

@ -18,15 +18,15 @@ Learn about the administrative tools, tasks and best practices for managing Wind
| Topic | Description |
|---|---|
|[Administrative Tools in Windows 10](administrative-tools-in-windows-10.md)| Links to documentation for tools for IT pros and advanced users in the Administrative Tools folder.|
|[Connect to remote AADJ PCs](connect-to-remote-aadj-pc.md)| Instructions for connecting to a remote PC joined to Azure Active Directory (Azure AD)|
|[Group policies for enterprise and education editions](group-policies-for-enterprise-and-education-editions.md)| Listing of all group policy settings that apply specifically to Windows 10 Enterprise and Education editions|
|[Join Windows 10 Mobile to AAD](join-windows-10-mobile-to-azure-active-directory.md)| Describes the considerations and options for using Windows 10 Mobile with Azure AD in your organization.|
|[Manage corporate devices](manage-corporate-devices.md)| Listing of resources to manage all your corporate devices running Windows 10 : desktops, laptops, tablets, and phones |
|[Transitioning to modern ITPro management](manage-windows-10-in-your-organization-modern-management.md)| Describes modern Windows 10 ITPro management scenarios across traditional, hybrid and cloud-based enterprise needs|
|[Mandatory user profiles](mandatory-user-profile.md)| Instructions for managing settings commonly defined in a mandatory profiles, including (but are not limited to): icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more.|
|[Create mandatory user profiles](mandatory-user-profile.md)| Instructions for managing settings commonly defined in a mandatory profiles, including (but are not limited to): icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more.|
|[Connect to remote Azure Active Directory-joined PCs](connect-to-remote-aadj-pc.md)| Instructions for connecting to a remote PC joined to Azure Active Directory (Azure AD)|
|[Join Windows 10 Mobile to Azure AD](join-windows-10-mobile-to-azure-active-directory.md)| Describes the considerations and options for using Windows 10 Mobile with Azure AD in your organization.|
|[New policies for Windows 10](new-policies-for-windows-10.md)| Listing of new group policy settings available in Windows 10|
|[Group policies for enterprise and education editions](group-policies-for-enterprise-and-education-editions.md)| Listing of all group policy settings that apply specifically to Windows 10 Enterprise and Education editions|
| [Manage the Settings app with Group Policy](manage-settings-app-with-group-policy.md) | Starting in Windows 10, version 1703, you can now manage the pages that are shown in the Settings app by using Group Policy. |
|[Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md)| Instructions for resetting a Windows 10 Mobile device using either *factory* or *'wipe and persist'* reset options|
|[Deploy Windows 10 Mobile](windows-10-mobile-and-mdm.md)| Considerations and instructions for deploying Windows 10 Mobile|
|[Transitioning to modern ITPro management](manage-windows-10-in-your-organization-modern-management.md)| Describes modern Windows 10 ITPro management scenarios across traditional, hybrid and cloud-based enterprise needs|
|[Windows 10 Mobile deployment and management guide](windows-10-mobile-and-mdm.md)| Considerations and instructions for deploying Windows 10 Mobile|
|[Windows libraries](windows-libraries.md)| Considerations and instructions for managing Windows 10 libraries such as My Documents, My Pictures, and My Music.|
|[Mobile device management for solution providers](mdm/index.md) | Procedural and reference documentation for solution providers providing mobile device management (MDM) for Windows 10 devices. |
|[Change history for Client management](change-history-for-client-management.md) | This topic lists new and updated topics in the Client management documentation for Windows 10 and Windows 10 Mobile. |

303
windows/client-management/mdm/bitlocker-csp.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/06/2017
ms.date: 08/14/2017
---
# BitLocker CSP
@ -91,8 +91,38 @@ The following diagram shows the BitLocker configuration service provider in tree
<p style="margin-left: 20px">Data type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="encryptionmethodbydrivetype"></a>**EncryptionMethodByDriveType**
<p style="margin-left: 20px">Allows you to set the default encrytion method for each of the different drive types. This setting is a direct mapping to the Bitlocker Group Policy "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)" (Policy EncryptionMethodWithXts_Name).</p>
<a href="" id="encryptionmethodbydrivetype"></a>**EncryptionMethodByDriveType**
<p style="margin-left: 20px">Allows you to set the default encrytion method for each of the different drive types. This setting is a direct mapping to the Bitlocker Group Policy "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)".</p>
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<p style="margin-left: 20px">ADMX Info:</p>
<ul>
<li>GP English name: *Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)*</li>
<li>GP name: *EncryptionMethodWithXts_Name*</li>
<li>GP path: *Windows Components/Bitlocker Drive Encryption*</li>
<li>GP ADMX file name: *VolumeEncryption.admx*</li>
</ul>
> [!Tip]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
<p style="margin-left: 20px">This setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress.</p>
@ -140,7 +170,37 @@ The following diagram shows the BitLocker configuration service provider in tree
<p style="margin-left: 20px">Data type is string. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="systemdrivesrequirestartupauthentication"></a>**SystemDrivesRequireStartupAuthentication**
<p style="margin-left: 20px">This setting is a direct mapping to the Bitlocker Group Policy "Require additional authentication at startup" (ConfigureAdvancedStartup_Name ).</p>
<p style="margin-left: 20px">This setting is a direct mapping to the Bitlocker Group Policy "Require additional authentication at startup".</p>
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<p style="margin-left: 20px">ADMX Info:</p>
<ul>
<li>GP English name: *Require additional authentication at startup*</li>
<li>GP name: *ConfigureAdvancedStartup_Name*</li>
<li>GP path: *Windows Components/Bitlocker Drive Encryption/Operating System Drives*</li>
<li>GP ADMX file name: *VolumeEncryption.admx*</li>
</ul>
> [!Tip]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
<p style="margin-left: 20px">This setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This setting is applied when you turn on BitLocker.</p>
@ -204,7 +264,37 @@ The following diagram shows the BitLocker configuration service provider in tree
<p style="margin-left: 20px">Data type is string. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="systemdrivesminimumpinlength"></a>**SystemDrivesMinimumPINLength**
<p style="margin-left: 20px">This setting is a direct mapping to the Bitlocker Group Policy "Configure minimum PIN length for startup" (GP MinimumPINLength_Name).</p>
<p style="margin-left: 20px">This setting is a direct mapping to the Bitlocker Group Policy "Configure minimum PIN length for startup".</p>
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<p style="margin-left: 20px">ADMX Info:</p>
<ul>
<li>GP English name:*Configure minimum PIN length for startup*</li>
<li>GP name: *MinimumPINLength_Name*</li>
<li>GP path: *Windows Components/Bitlocker Drive Encryption/Operating System Drives*</li>
<li>GP ADMX file name: *VolumeEncryption.admx*</li>
</ul>
> [!Tip]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
<p style="margin-left: 20px">This setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 6 digits and can have a maximum length of 20 digits.</p>
@ -239,6 +329,36 @@ The following diagram shows the BitLocker configuration service provider in tree
<a href="" id="systemdrivesrecoverymessage"></a>**SystemDrivesRecoveryMessage**
<p style="margin-left: 20px">This setting is a direct mapping to the Bitlocker Group Policy "Configure pre-boot recovery message and URL" (PrebootRecoveryInfo_Name).</p>
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<p style="margin-left: 20px">ADMX Info:</p>
<ul>
<li>GP English name: *Configure pre-boot recovery message and URL*</li>
<li>GP name: *PrebootRecoveryInfo_Name*</li>
<li>GP path: *Windows Components/Bitlocker Drive Encryption/Operating System Drives*</li>
<li>GP ADMX file name: *VolumeEncryption.admx*</li>
</ul>
> [!Tip]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
<p style="margin-left: 20px">This setting lets you configure the entire recovery message or replace the existing URL that are displayed on the pre-boot key recovery screen when the OS drive is locked.
</p>
@ -290,6 +410,36 @@ The following diagram shows the BitLocker configuration service provider in tree
<a href="" id="systemdrivesrecoveryoptions"></a>**SystemDrivesRecoveryOptions**
<p style="margin-left: 20px">This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected operating system drives can be recovered" (OSRecoveryUsage_Name).</p>
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<p style="margin-left: 20px">ADMX Info:</p>
<ul>
<li>GP English name: *Choose how BitLocker-protected operating system drives can be recovered*</li>
<li>GP name: *OSRecoveryUsage_Name*</li>
<li>GP path: *Windows Components/Bitlocker Drive Encryption/Operating System Drives*</li>
<li>GP ADMX file name: *VolumeEncryption.admx*</li>
</ul>
> [!Tip]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
<p style="margin-left: 20px">This setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This setting is applied when you turn on BitLocker.</p>
@ -357,7 +507,37 @@ The following diagram shows the BitLocker configuration service provider in tree
<p style="margin-left: 20px">Data type is string. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="fixeddrivesrecoveryoptions"></a>**FixedDrivesRecoveryOptions**
<p style="margin-left: 20px">This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected fixed drives can be recovered" (FDVRecoveryUsage_Name).</p>
<p style="margin-left: 20px">This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected fixed drives can be recovered" ().</p>
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<p style="margin-left: 20px">ADMX Info:</p>
<ul>
<li>GP English name: *Choose how BitLocker-protected fixed drives can be recovered*</li>
<li>GP name: *FDVRecoveryUsage_Name*</li>
<li>GP path: *Windows Components/Bitlocker Drive Encryption/Fixed Drives*</li>
<li>GP ADMX file name: *VolumeEncryption.admx*</li>
</ul>
> [!Tip]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
<p style="margin-left: 20px">This setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This setting is applied when you turn on BitLocker.</p>
@ -427,6 +607,36 @@ The following diagram shows the BitLocker configuration service provider in tree
<a href="" id="fixeddrivesrequireencryption"></a>**FixedDrivesRequireEncryption**
<p style="margin-left: 20px">This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to fixed drives not protected by BitLocker" (FDVDenyWriteAccess_Name).</p>
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<p style="margin-left: 20px">ADMX Info:</p>
<ul>
<li>GP English name: *Deny write access to fixed drives not protected by BitLocker*</li>
<li>GP name: *FDVDenyWriteAccess_Name*</li>
<li>GP path: *Windows Components/Bitlocker Drive Encryption/Fixed Drives*</li>
<li>GP ADMX file name: *VolumeEncryption.admx*</li>
</ul>
> [!Tip]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
<p style="margin-left: 20px">This setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer.</p>
@ -459,6 +669,36 @@ The following diagram shows the BitLocker configuration service provider in tree
<a href="" id="removabledrivesrequireencryption"></a>**RemovableDrivesRequireEncryption**
<p style="margin-left: 20px">This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to removable drives not protected by BitLocker" (RDVDenyWriteAccess_Name).</p>
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<p style="margin-left: 20px">ADMX Info:</p>
<ul>
<li>GP English name: *Deny write access to removable drives not protected by BitLocker*</li>
<li>GP name: *RDVDenyWriteAccess_Name*</li>
<li>GP path: *Windows Components/Bitlocker Drive Encryption/Removeable Drives*</li>
<li>GP ADMX file name: *VolumeEncryption.admx*</li>
</ul>
> [!Tip]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
<p style="margin-left: 20px">This setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive.</p>
@ -500,6 +740,31 @@ The following diagram shows the BitLocker configuration service provider in tree
</Replace>
```
<a href="" id="allowwarningforotherdiskencryption"></a>**AllowWarningForOtherDiskEncryption**
<p style="margin-left: 20px">Allows the Admin to disable the warning prompt for other disk encryption on the user machines.</p>
<p style="margin-left: 20px">The following list shows the supported values:</p>
- 0 Disables the warning prompt.
- 1 (default) Warning prompt allowed.
<p style="margin-left: 20px">Admin should set the value to 0 to disable the warning. If you want to disable this policy use the following SyncML:</p>
``` syntax
<Replace>
<CmdID>110</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/AllowWarningForOtherDiskEncryption</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>0</Data>
</Item>
</Replace>
```
### SyncML example
@ -664,29 +929,3 @@ The following example is provided to show proper format and should not be taken
</SyncBody>
</SyncML>
```
<a href="" id="allowwarningforotherdiskencryption"></a>**AllowWarningForOtherDiskEncryption**
<p style="margin-left: 20px">Allows the Admin to disable the warning prompt for other disk encryption on the user machines.</p>
<p style="margin-left: 20px">The following list shows the supported values:</p>
- 0 Disables the warning prompt.
- 1 (default) Warning prompt allowed.
<p style="margin-left: 20px">Admin should set the value to 0 to disable the warning. If you want to disable this policy use the following SyncML:</p>
``` syntax
<Replace>
<CmdID>110</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/AllowWarningForOtherDiskEncryption</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>0</Data>
</Item>
</Replace>
```

7
windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
View File

@ -10,7 +10,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/11/2017
ms.date: 08/14/2017
---
# What's new in MDM enrollment and management
@ -1364,6 +1364,10 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<li> Provider/_ProviderID_/EnrollmentInfo</li>
</ul>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[BitLocker CSP](bitlocker-csp.md)</td>
<td style="vertical-align:top">Added information to the ADMX-backed policies.
</td></tr>
<tr class="even">
<td style="vertical-align:top">[Policy CSP](policy-configuration-service-provider.md)</td>
<td style="vertical-align:top"><p>Added the following new policies for Windows 10, version 1709:</p>
@ -1394,6 +1398,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<li>LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations</li>
</ul>
<p>Changed the name of new policy to CredentialProviders/DisableAutomaticReDeploymentCredentials from CredentialProviders/EnableWindowsAutoPilotResetCredentials.</p>
<p>Added links to the additional [ADMX-backed BitLocker policies](policy-csp-bitlocker.md).</p>
</td></tr>
</tbody>
</table>

26
windows/client-management/mdm/policy-configuration-service-provider.md
View File

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/04/2017
ms.date: 08/14/2017
---
# Policy CSP
@ -338,6 +338,30 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-bitlocker.md#bitlocker-encryptionmethod" id="bitlocker-encryptionmethod">Bitlocker/EncryptionMethod</a>
</dd>
<dd>
<a href="./bitlocker-csp.md#encryptionmethodbydrivetype" id="encryptionmethodbydrivetype">BitLocker/EncryptionMethodByDriveType</a> in BitLocker CSP
</dd>
<dd>
<a href="./bitlocker-csp.md#fixeddrivesrecoveryoptions" id="fixeddrivesrecoveryoptions">BitLocker/FixedDrivesRecoveryOptions</a> in BitLocker CSP
</dd>
<dd>
<a href="./bitlocker-csp.md#fixeddrivesrequireencryption" id="fixeddrivesrequireencryption">BitLocker/FixedDrivesRequireEncryption</a> in BitLocker CSP
</dd>
<dd>
<a href="./bitlocker-csp.md#removabledrivesrequireencryption" id="removabledrivesrequireencryption">BitLocker/RemovableDrivesRequireEncryption</a> in BitLocker CSP
</dd>
<dd>
<a href="./bitlocker-csp.md#systemdrivesminimumpinlength" id="systemdrivesminimumpinlength">BitLocker/SystemDrivesMinimumPINLength</a> in BitLocker CSP
</dd>
<dd>
<a href="./bitlocker-csp.md#systemdrivesrecoverymessage" id="systemdrivesrecoverymessage">BitLocker/SystemDrivesRecoveryMessage</a> in BitLocker CSP
</dd>
<dd>
<a href="./bitlocker-csp.md#systemdrivesrecoveryoptions" id="systemdrivesrecoveryoptions">BitLocker/SystemDrivesRecoveryOptions</a> in BitLocker CSP
</dd>
<dd>
<a href="./bitlocker-csp.md#systemdrivesrequirestartupauthentication" id="systemdrivesrequirestartupauthentication">BitLocker/SystemDrivesRequireStartupAuthentication</a> in BitLocker CSP
</dd>
</dl>
### Bluetooth policies

30
windows/client-management/mdm/policy-csp-bitlocker.md
View File

@ -58,6 +58,33 @@ ms.date: 08/09/2017
- 6 - XTS-AES 128-bit (Desktop only)
- 7 - XTS-AES 256-bit (Desktop only)
<p style="margin-left: 20px">You can find the following policies in BitLocker CSP:
<dl>
<dd>
<a href="./bitlocker-csp.md#encryptionmethodbydrivetype" id="encryptionmethodbydrivetype">BitLocker/EncryptionMethodByDriveType</a>
</dd>
<dd>
<a href="./bitlocker-csp.md#fixeddrivesrecoveryoptions" id="fixeddrivesrecoveryoptions">BitLocker/FixedDrivesRecoveryOptions</a>
</dd>
<dd>
<a href="./bitlocker-csp.md#fixeddrivesrequireencryption" id="fixeddrivesrequireencryption">BitLocker/FixedDrivesRequireEncryption</a>
</dd>
<dd>
<a href="./bitlocker-csp.md#removabledrivesrequireencryption" id="removabledrivesrequireencryption">BitLocker/RemovableDrivesRequireEncryption</a>
</dd>
<dd>
<a href="./bitlocker-csp.md#systemdrivesminimumpinlength" id="systemdrivesminimumpinlength">BitLocker/SystemDrivesMinimumPINLength</a>
</dd>
<dd>
<a href="./bitlocker-csp.md#systemdrivesrecoverymessage" id="systemdrivesrecoverymessage">BitLocker/SystemDrivesRecoveryMessage</a>
</dd>
<dd>
<a href="./bitlocker-csp.md#systemdrivesrecoveryoptions" id="systemdrivesrecoveryoptions">BitLocker/SystemDrivesRecoveryOptions</a>
</dd>
<dd>
<a href="./bitlocker-csp.md#systemdrivesrequirestartupauthentication" id="systemdrivesrequirestartupauthentication">BitLocker/SystemDrivesRequireStartupAuthentication</a>
</dd>
</dl>
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
@ -68,5 +95,4 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->
<!--EndPolicies-->

2
windows/deployment/update/update-compliance-monitor.md
View File

@ -33,6 +33,8 @@ See the following topics in this guide for detailed information about configurin
- [Get started with Update Compliance](update-compliance-get-started.md): How to add Update Compliance to your environment.
- [Using Update Compliance](update-compliance-using.md): How to begin using Update Compliance.
<iframe width="560" height="315" align="center" src="https://www.youtube.com/embed/1cmF5c_R8I4" frameborder="0" allowfullscreen></iframe>
An overview of the processes used by the Update Compliance solution is provided below.
## Update Compliance architecture

4
windows/deployment/vda-subscription-activation.md
View File

@ -12,11 +12,7 @@ author: greg-lindsay
# Configure VDA for Windows 10 Subscription Activation
<<<<<<< HEAD
This document describes how to configure virtual machines (VMs) to enable [Windows 10 Subscription Activation](windows-10-enterprise-subscription-activation.md) in a Windows Virtual Desktop Access (VDA) scenario. Windows VDA is a device or user-based license.
=======
This document describes how to configure virtual machines (VMs) to enable [Windows 10 Subscription Activation](windows-10-enterprise-subscription-activation.md) in a Windows Virtual Desktop Access (VDA) scenario. Windows VDA is a device or user-based licensing mechanism for managing access to virtual desktops.
>>>>>>> 9cfade7b4735548209a42a177179689a7e522ec6
## Requirements

28
windows/device-security/bitlocker/bitlocker-group-policy-settings.md
View File

@ -237,7 +237,7 @@ On a computer with a compatible TPM, four types of authentication methods can be
- only the TPM for authentication
- insertion of a USB flash drive containing the startup key
- the entry of a 6-digit to 20-digit personal identification number (PIN)
- the entry of a 4-digit to 20-digit personal identification number (PIN)
- a combination of the PIN and the USB flash drive
There are four options for TPM-enabled computers or devices:
@ -323,7 +323,7 @@ This policy setting is used to set a minimum PIN length when you use an unlock m
<tbody>
<tr class="odd">
<td align="left"><p><strong>Policy description</strong></p></td>
<td align="left"><p>With this policy setting, you can configure a minimum length for a TPM startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 6 digits, and it can have a maximum length of 20 digits.</p></td>
<td align="left"><p>With this policy setting, you can configure a minimum length for a TPM startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits, and it can have a maximum length of 20 digits. By default, the minimum PIN length is 6.</p></td>
</tr>
<tr class="even">
<td align="left"><p><strong>Introduced</strong></p></td>
@ -347,14 +347,34 @@ This policy setting is used to set a minimum PIN length when you use an unlock m
</tr>
<tr class="odd">
<td align="left"><p><strong>When disabled or not configured</strong></p></td>
<td align="left"><p>Users can configure a startup PIN of any length between 6 and 20 digits.</p></td>
<td align="left"><p>Users can configure a startup PIN of any length between 4 and 20 digits.</p></td>
</tr>
</tbody>
</table>
 
**Reference**
This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 6 digits and can have a maximum length of 20 digits.
This policy setting is applied when you turn on BitLocker.
The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits.
Originally, BitLocker allowed from 4 to 20 characters for a PIN.
Windows Hello has its own PIN for logon, which can be 4 to 127 characters.
Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks.
The TPM can be configured to use Dictionary Attack Prevention parameters ([lockout threshold and lockout duration](/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings)) to control how many failed authorizations attempts are allowed before the TPM is locked out, and how much time must elapse before another attempt can be made.
The Dictionary Attack Prevention Parameters provide a way to balance security needs with usability.
For example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time.
A TPM 2.0 in this example could be configured to allow only 32 PIN guesses immediately, and then only one more guess every two hours.
This totals a maximum of about 4415 guesses per year.
If the PIN is 4 digits, all 9999 possible PIN combinations could be attempted in a little over two years.
Increasing the PIN length requires a greater number of guesses for an attacker.
In that case, the lockout duration between each guess can be shortened to allow legitimate users to retry a failed attempt sooner, while maintaining a similar level of protection.
Beginning with Windows 10, version 1703, the minimum length for the BitLocker PIN was increased to 6 characters to better align with other Windows features that leverage TPM 2.0, including Windows Hello.
To help organizations with the transition, beginning with Windows 10, version 1709 and Windows 10, version 1703 with the October 2017 [cumulative update](https://support.microsoft.com/help/4018124) installed, the BitLocker PIN length is 6 characters by default, but it can be reduced to 4 characters.
If the minimum PIN length is reduced from the default of six characters, then the TPM 2.0 lockout period will be extended.
### Disable new DMA devices when this computer is locked

6
windows/device-security/change-history-for-device-security.md
View File

@ -11,6 +11,12 @@ author: brianlic-msft
# Change history for device security
This topic lists new and updated topics in the [Device security](index.md) documentation.
## September 2017
|New or changed topic |Description |
|---------------------|------------|
| [TPM fundamentals](tpm/tpm-fundamentals.md)<br>[BitLocker Group Policy settings](bitlocker/bitlocker-group-policy-settings.md) | Explained the change to allow reducing the maximum PIN length from 6 characters to 4. |
## August 2017
|New or changed topic |Description |
|---------------------|------------|

2
windows/device-security/device-guard/deploy-managed-installer-for-device-guard.md
View File

@ -10,7 +10,7 @@ author: mdsakibMSFT
# Deploy Managed Installer for Device Guard
Creating and maintaining application execution control policies has always been challenging and options for addressing this has been a frequently cited request for customers of AppLocker and Device Guards [configurable code integrity (CI)](device-guard-deployment-guide.md).
Creating and maintaining application execution control policies has always been challenging, and finding ways to address this issue has been a frequently-cited request for customers of AppLocker and Device Guard [configurable code integrity (CI)](device-guard-deployment-guide.md).
This is especially true for enterprises with large, ever changing software catalogs.
Windows 10, version 1703 (also known as the Windows 10 Creators Update) provides a new option, known as a managed installer, that allows IT administrators to automatically authorize applications deployed and installed by a designated software distribution solution, such as System Center Configuration Manager.

29
windows/device-security/tpm/tpm-fundamentals.md
View File

@ -97,10 +97,7 @@ Because many entities can use the TPM, a single authorization success cannot res
TPM 2.0 has well defined anti-hammering behavior. This is in contrast to TPM 1.2 for which the anti-hammering protection was implemented by the manufacturer, and the logic varied widely throughout the industry.
> [!WARNING]
> For the purposes of this topic, Windows 8 Certified Hardware also pertains to Windows 8.1 systems. The following references to “Windows” include these supported Windows versions.
For Windows 8 Certified Hardware systems with TPM 2.0, the TPM is configured by Windows to lock after 32 authorization failures and to forget one authorization failure every two hours. This means that a user could quickly attempt to use a key with the wrong authorization value 32 times. For each of the 32 attempts, the TPM records if the authorization value was correct or not. This inadvertently causes the TPM to enter a locked state after 32 failed attempts.
For systems with TPM 2.0, the TPM is configured by Windows to lock after 32 authorization failures and to forget one authorization failure every two hours. This means that a user could quickly attempt to use a key with the wrong authorization value 32 times. For each of the 32 attempts, the TPM records if the authorization value was correct or not. This inadvertently causes the TPM to enter a locked state after 32 failed attempts.
Attempts to use a key with an authorization value for the next two hours would not return success or failure; instead the response indicates that the TPM is locked. After two hours, one authorization failure is forgotten and the number of authorization failures remembered by the TPM drops to 31, so the TPM leaves the locked state and returns to normal operation. With the correct authorization value, keys could be used normally if no authorization failures occur during the next two hours. If a period of 64 hours elapses with no authorization failures, the TPM does not remember any authorization failures, and 32 failed attempts could occur again.
@ -112,10 +109,28 @@ In some enterprise situations, the TPM owner authorization value is configured t
TPM 2.0 allows some keys to be created without an authorization value associated with them. These keys can be used when the TPM is locked. For example, BitLocker with a default TPM-only configuration is able to use a key in the TPM to start Windows, even when the TPM is locked.
### Rationale behind the Windows 8.1 and Windows 8 defaults
### Rationale behind the defaults
Windows relies on the TPM 2.0 anti-hammering protection for multiple features. The defaults that are selected for Windows 8 balance trade-offs for different scenarios.
For example, when BitLocker is used with a TPM plus PIN configuration, it needs the number of PIN guesses to be limited over time. If the computer is lost, someone could make only 32 PIN guesses immediately, and then only one more guess every two hours. This totals about 4415 guesses per year. This makes a good standard for system administrators to determine how many PIN characters to use for BitLocker deployments.
Originally, BitLocker allowed from 4 to 20 characters for a PIN.
Windows Hello has its own PIN for logon, which can be 4 to 127 characters.
Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks.
The TPM can be configured to use Dictionary Attack Prevention parameters ([lockout threshold and lockout duration](trusted-platform-module-services-group-policy-settings.md)) to control how many failed authorizations attempts are allowed before the TPM is locked out, and how much time must elapse before another attempt can be made.
The Dictionary Attack Prevention Parameters provide a way to balance security needs with usability.
For example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time.
A TPM 2.0 in this example could be configured to allow only 32 PIN guesses immediately, and then only one more guess every two hours.
This totals a maximum of about 4415 guesses per year.
If the PIN is 4 digits, all 9999 possible PIN combinations could be attempted in a little over two years.
Increasing the PIN length requires a greater number of guesses for an attacker.
In that case, the lockout duration between each guess can be shortened to allow legitimate users to retry a failed attempt sooner, while maintaining a similar level of protection.
Beginning with Windows 10, version 1703, the minimum length for the BitLocker PIN was increased to 6 characters to better align with other Windows features that leverage TPM 2.0, including Windows Hello.
To help organizations with the transition, beginning with Windows 10, version 1709 and Windows 10, version 1703 with the October 2017 [cumulative update](https://support.microsoft.com/help/4018124) installed, the BitLocker PIN length is 6 characters by default, but it can be reduced to 4 characters.
If the minimum PIN length is reduced from the default of six characters, then the TPM 2.0 lockout period will be extended.
### TPM-based smart cards
The Windows TPM-based smart card, which is a virtual smart card, can be configured to allow sign in to the system. In contrast with physical smart cards, the sign-in process uses a TPM-based key with an authorization value. The following list shows the advantages of virtual smart cards:

90
windows/threat-protection/block-untrusted-fonts-in-enterprise.md
View File

@ -8,10 +8,13 @@ ms.mktglfcycl: deploy
ms.pagetype: security
ms.sitesec: library
author: eross-msft
ms.author: lizross
ms.date: 08/14/2017
ms.localizationpriority: high
---
# Block untrusted fonts in an enterprise
**Applies to:**
- Windows 10
@ -46,19 +49,44 @@ After you turn this feature on, your employees might experience reduced function
- Using desktop Office to look at documents with embedded fonts. In this situation, content shows up using a default font picked by Office.
## Turn on and use the Blocking Untrusted Fonts feature
Use Group Policy or the registry to turn this feature on, off, or to use audit mode.
**To turn on and use the Blocking Untrusted Fonts feature through Group Policy**
1. Open the Group Policy editor (gpedit.msc) and go to `Computer Configuration\Administrative Templates\System\Mitigation Options\Untrusted Font Blocking`.
2. Click **Enabled** to turn the feature on, and then click one of the following **Migitation Options**:
- **Block untrusted fonts and log events.** Turns the feature on, blocking untrusted fonts and logging installation attempts to the event log.
- **Do not block untrusted fonts.** Turns the feature on, but doesn't block untrusted fonts nor does it log installation attempts to the event log.
- **Log events without blocking untrusted fonts**. Turns the feature on, logging installation attempts to the event log, but not blocking untrusted fonts.
3. Click **OK**.
**To turn on and use the Blocking Untrusted Fonts feature through the registry**
To turn this feature on, off, or to use audit mode:
1. Open the registry editor (regedit.exe) and go to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\`.
2. If the **MitigationOptions** key isn't there, right-click and add a new **QWORD (64-bit) Value**, renaming it to **MitigationOptions**.
3. Update the **Value data** of the **MitigationOptions** key, making sure you keep your existing value, like in the important note below:
3. Right click on the **MitigationOptions** key, and then click **Modify**.
The **Edit QWORD (64-bit) Value** box opens.
4. Make sure the **Base** option is **Hexadecimal**, and then update the **Value data**, making sure you keep your existing value, like in the important note below:
- **To turn this feature on.** Type **1000000000000**.
- **To turn this feature off.** Type **2000000000000**.
- **To audit with this feature.** Type **3000000000000**.<p>**Important**<br>Your existing **MitigationOptions** values should be saved during your update. For example, if the current value is *1000*, your updated value should be *1000000001000*. 
4. Restart your computer.
- **To turn this feature off.** Type **2000000000000**.
- **To audit with this feature.** Type **3000000000000**.
>[!Important]
>Your existing **MitigationOptions** values should be saved during your update. For example, if the current value is *1000*, your updated value should be *1000000001000*. 
4. Restart your computer.
## View the event log
After you turn this feature on, or start using Audit mode, you can look at your event logs for details.
@ -68,27 +96,33 @@ After you turn this feature on, or start using Audit mode, you can look at your
1. Open the event viewer (eventvwr.exe) and go to **Application and Service Logs/Microsoft/Windows/Win32k/Operational**.
2. Scroll down to **EventID: 260** and review the relevant events.
<p>
**Event Example 1 - MS Word**<br>
WINWORD.EXE attempted loading a font that is restricted by font loading policy.<br>
FontType: Memory<br>
FontPath:<br>
Blocked: true<p>
**Note**<br>Because the **FontType** is *Memory*, theres no associated **FontPath.**
<p>
**Event Example 2 - Winlogon**<br>
Winlogon.exe attempted loading a font that is restricted by font loading policy.<br>
FontType: File<br>
FontPath: `\??\C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\EQUATION\MTEXTRA.TTF`<br>
Blocked: true<p>
**Note**<br>Because the **FontType** is *File*, theres also an associated **FontPath.**
<p>
**Event Example 3 - Internet Explorer running in Audit mode**<br>
Iexplore.exe attempted loading a font that is restricted by font loading policy.<br>
FontType: Memory<br>
FontPath:<br>
Blocked: false<p>
**Note**<br>In Audit mode, the problem is recorded, but the font isnt blocked.
**Event Example 1 - MS Word**<br>
WINWORD.EXE attempted loading a font that is restricted by font-loading policy.<br>
FontType: Memory<br>
FontPath:<br>
Blocked: true
>[!NOTE]
>Because the **FontType** is *Memory*, theres no associated **FontPath**.
**Event Example 2 - Winlogon**<br>
Winlogon.exe attempted loading a font that is restricted by font-loading policy.<br>
FontType: File<br>
FontPath: `\??\C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\EQUATION\MTEXTRA.TTF`<br>
Blocked: true
>[!NOTE]
>Because the **FontType** is *File*, theres also an associated **FontPath**.
**Event Example 3 - Internet Explorer running in Audit mode**<br>
Iexplore.exe attempted loading a font that is restricted by font-loading policy.<br>
FontType: Memory<br>
FontPath:<br>
Blocked: false
>[!NOTE]
>In Audit mode, the problem is recorded, but the font isnt blocked.
## Fix apps having problems because of blocked fonts
Your company may still need apps that are having problems because of blocked fonts, so we suggest that you first run this feature in Audit mode to determine which fonts are causing the problems.
@ -101,12 +135,14 @@ After you figure out the problematic fonts, you can try to fix your apps in 2 wa
**To fix your apps by excluding processes**
1. On each computer with the app installed, open regedit.exe and go to `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<process_image_name>`. Like, if you want to exclude Microsoft Word processes, youd use `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winword.exe`.
1. On each computer with the app installed, open regedit.exe and go to `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<process_image_name>`.<br><br>For example, if you want to exclude Microsoft Word processes, youd use `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winword.exe`.
2. Add any additional processes that need to be excluded here, and then turn the Blocking untrusted fonts feature on, using steps 2 and 3 in [Turn on and use the Blocking Untrusted Fonts feature](#turn-on-and-use-the-blocking-untrusted-fonts-feature).
2. Add any additional processes that need to be excluded here, and then turn the Blocking untrusted fonts feature on, using the steps in the [Turn on and use the Blocking Untrusted Fonts feature](#turn-on-and-use-the-blocking-untrusted-fonts-feature) section of this topic.
 
## Related content
- [Dropping the “Untrusted Font Blocking” setting](https://blogs.technet.microsoft.com/secguide/2017/06/15/dropping-the-untrusted-font-blocking-setting/)
 

1
windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md
View File

@ -10,6 +10,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
---

3
windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md
View File

@ -10,6 +10,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
---
# Manage updates and scans for endpoints that are out of date
@ -92,7 +93,7 @@ See the following for more information and allowed parameters:
## Set the number of days before protection is reported as out-of-date
You can also specify the number of days after which Windows Defender AV protection is considered old or out-of-date. After the specified number of days, the client will report itself as out-of-date, and show an error to the user of the PC. It may also cause Windows Defender AV to attempt to download an update from other sources (based on the defined [fallback source order](manage-protection-updates-windows-defender-antivirus.md#fallback-order)).
You can also specify the number of days after which Windows Defender AV protection is considered old or out-of-date. After the specified number of days, the client will report itself as out-of-date, and show an error to the user of the PC. It may also cause Windows Defender AV to attempt to download an update from other sources (based on the defined [fallback source order](manage-protection-updates-windows-defender-antivirus.md#fallback-order)), such as when using MMPC as a secondary source after setting WSUS or Microsoft Update as the first source.
**Use Group Policy to specify the number of days before protection is considered out-of-date:**

9
windows/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
View File

@ -10,6 +10,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
---
# Manage the sources for Windows Defender Antivirus protection updates
@ -63,7 +64,11 @@ The older the updates on an endpoint, the larger the download. However, you must
Microsoft Update allows for rapid releases, which means it will download small deltas on a frequent basis. This ensures the best protection, but may increase network bandwidth.
The WSUS, Configuration Manager and MMPC sources will deliver less frequent updates. The size of the updates may be slightly larger than the frequent release from Microsoft Update (as the delta, or differences between the latest version and what is on the endpoint will be larger). This ensures consistent protection without increasing ad hoc network usage (although the amount of data may be the same or increased as the updates will be fewer, but may be slightly larger).
The WSUS, Configuration Manager, and MMPC sources will deliver less frequent updates. The size of the updates may be slightly larger than the frequent release from Microsoft Update (as the delta, or differences between the latest version and what is on the endpoint will be larger). This ensures consistent protection without increasing ad hoc network usage (although the amount of data may be the same or increased as the updates will be fewer, but may be slightly larger).
> [!IMPORTANT]
> If you have set MMPC as a fallback source after WSUS or Microsoft Update, updates will only be downloaded from MMPC when the current update is considered to be out-of-date (by default, this is 2 consecutive days of not being able to apply updates from the WSUS or Microsoft Update services).
> You can, however, [set the number of days before protection is reported as out-of-date](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus#set-the-number-of-days-before-protection-is-reported-as-out-of-date).
Each source has typical scenarios that depend on how your network is configured, in addition to how often they publish updates, as described in the following table:
@ -73,7 +78,7 @@ WSUS | You are using WSUS to manage updates for your network.
Microsoft Update | You want your endpoints to connect directly to Microsoft Update. This can be useful for endpoints that irregularly connect to your enterprise network, or if you do not use WSUS to manage your updates.
File share | You have non-Internet-connected devices (such as VMs). You can use your Internet-connected VM host to download the updates to a network share, from which the VMs can obtain the updates. See the [VDI deployment guide](deployment-vdi-windows-defender-antivirus.md) for how file shares can be used in virtual desktop infrastructure (VDI) environments.
Configuration Manager | You are using System Center Configuration Manager to update your endpoints.
MMPC | You need to download the latest protection updates because of a recent infection or to help provision a strong, base image for [VDI deployment](deployment-vdi-windows-defender-antivirus.md). This option should generally be used only as a final fallback source, and not the primary source.
MMPC | You need to download the latest protection updates because of a recent infection or to help provision a strong, base image for [VDI deployment](deployment-vdi-windows-defender-antivirus.md). This option should generally be used only as a final fallback source, and not the primary source. It will only be used if updates cannot be downloaded from WSUS or Microsoft Update for [a specified number of days](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus#set-the-number-of-days-before-protection-is-reported-as-out-of-date).
You can manage the order in which update sources are used with Group Policy, System Center Configuration Manager, PowerShell cmdlets, and WMI.

2
windows/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md
View File

@ -6,6 +6,8 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
author: eross-msft
ms.author: lizross
ms.date: 08/11/2017
localizationpriority: high
---

2
windows/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md
View File

@ -6,6 +6,8 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
author: eross-msft
ms.author: lizross
ms.date: 08/11/2017
localizationpriority: high
---

2
windows/threat-protection/windows-defender-application-guard/install-wd-app-guard.md
View File

@ -6,6 +6,8 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
author: eross-msft
ms.author: lizross
ms.date: 08/11/2017
localizationpriority: high
---

2
windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md
View File

@ -6,6 +6,8 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
author: eross-msft
ms.author: lizross
ms.date: 08/11/2017
localizationpriority: high
---

2
windows/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md
View File

@ -6,6 +6,8 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
author: eross-msft
ms.author: lizross
ms.date: 08/11/2017
localizationpriority: high
---

2
windows/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md
View File

@ -6,6 +6,8 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
author: eross-msft
ms.author: lizross
ms.date: 08/11/2017
localizationpriority: high
---

4
windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md
View File

@ -82,8 +82,8 @@ If a proxy or firewall is blocking all traffic by default and allowing only spec
Service location | .Microsoft.com DNS record
:---|:---
US |```*.blob.core.windows.net``` <br>```crl.microsoft.com```<br> ```us.vortex-win.data.microsoft.com```<br> ```winatp-gw-cus.microsoft.com``` <br> ```winatp-gw-eus.microsoft.com```
Europe |```*.blob.core.windows.net```<br>```crl.microsoft.com```<br> ```eu.vortex-win.data.microsoft.com```<br>```winatp-gw-neu.microsoft.com```<br> ```winatp-gw-weu.microsoft.com```<br>
US |```*.blob.core.windows.net``` <br>```crl.microsoft.com```<br> ```ctldl.windowsupdate.com```<br> ```us.vortex-win.data.microsoft.com```<br> ```winatp-gw-cus.microsoft.com``` <br> ```winatp-gw-eus.microsoft.com```
Europe |```*.blob.core.windows.net```<br>```crl.microsoft.com```<br>```ctldl.windowsupdate.com```<br> ```eu.vortex-win.data.microsoft.com```<br>```winatp-gw-neu.microsoft.com```<br> ```winatp-gw-weu.microsoft.com```<br>
If a proxy or firewall is blocking anonymous traffic, as Windows Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the above listed URLs.

4
windows/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md
View File

@ -26,9 +26,9 @@ The **Machines list** shows a list of the machines in your network, the domain o
Use the Machines list in these main scenarios:
- **During onboarding**</br>
- **During onboarding**<br>
During the onboarding process, the **Machines list** is gradually populated with endpoints as they begin to report sensor data. Use this view to track your onboarded endpoints as they come online. Sort and filter by time of last report, **Active malware category**, or **Sensor health state**, or download the complete endpoint list as a CSV file for offline analysis.
- **Day-to-day work**
- **Day-to-day work** <br>
The **Machines list** enables easy identification of machines most at risk in a glance. High-risk machines have the greatest number and highest-severity alerts; **Sensor health state** provides another dimension to rank machines. Sorting machines by **Active alerts**, and then by **Sensor health state** helps identify the most vulnerable machines and take action on them.
## Sort, filter, and download the list of machines from the Machines list