mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-14 06:17:22 +00:00
Merge pull request #5441 from MicrosoftDocs/master
Publish 07/23/2021, 3:30 PM
This commit is contained in:
Gary Moore
GitHub
commit
c6f84f7679
@ -10,7 +10,7 @@ ms.prod: w10
|
||||
ms.technology: windows
|
||||
author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 06/23/2021
|
||||
ms.date: 07/23/2021
|
||||
---
|
||||
|
||||
# Defender CSP
|
||||
@ -61,7 +61,7 @@ Defender
|
||||
--------SupportLogLocation (Added in the next major release of Windows 10)
|
||||
--------PlatformUpdatesChannel (Added with the 4.18.2106.5 Defender platform release)
|
||||
--------EngineUpdatesChannel (Added with the 4.18.2106.5 Defender platform release)
|
||||
--------SignaturesUpdatesChannel (Added with the 4.18.2106.5 Defender platform release)
|
||||
--------DefinitionUpdatesChannel (Added with the 4.18.2106.5 Defender platform release)
|
||||
--------DisableGradualRelease (Added with the 4.18.2106.5 Defender platform release)
|
||||
----Scan
|
||||
----UpdateSignature
|
||||
|
||||
@ -22,9 +22,9 @@ ms.topic: article
|
||||
|
||||
This article is specifically targeted at configuring devices enrolled to [Microsoft Endpoint Manager](/mem/endpoint-manager-overview) for Update Compliance, within MEM itself. Configuring devices for Update Compliance in MEM breaks down to the following steps:
|
||||
|
||||
1. [Create a configuration profile](#create-a-configuration-profile) for devices you want to enroll, that contains settings for all the MDM policies that must be configured.
|
||||
2. [Deploy the configuration script](#deploy-the-configuration-script) as a Win32 app to those same devices, so additional checks can be performed to ensure devices are correctly configured.
|
||||
3. Wait for data to populate. The length of this process depends on the computer being on, connected to the internet, and correctly configured. Some data types take longer to appear than others. You can learn more about this in the broad section on [enrolling devices to Update Compliance](update-compliance-get-started.md#enroll-devices-in-update-compliance).
|
||||
1. [Create a configuration profile](#create-a-configuration-profile) for devices you want to enroll, that contains settings for all the MDM policies that must be configured.
|
||||
2. [Deploy the configuration script](#deploy-the-configuration-script) as a Win32 app to those same devices, so additional checks can be performed to ensure devices are correctly configured.
|
||||
3. Wait for data to populate. The length of this process depends on the computer being on, connected to the internet, and correctly configured. Some data types take longer to appear than others. You can learn more about this in the broad section on [enrolling devices to Update Compliance](update-compliance-get-started.md#enroll-devices-in-update-compliance).
|
||||
|
||||
## Create a configuration profile
|
||||
|
||||
@ -37,7 +37,7 @@ Take the following steps to create a configuration profile that will set require
|
||||
5. You are now on the Configuration profile creation screen. On the **Basics** tab, give a **Name** and **Description**.
|
||||
6. On the **Configuration settings** page, you will be adding multiple OMA-URI Settings that correspond to the policies described in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md).
|
||||
1. If you don't already have it, get your Commercial ID. For steps, see [Get your CommmercialID](update-compliance-get-started.md#get-your-commercialid).
|
||||
2. Add a setting for **Commercial ID** ) with the following values:
|
||||
2. Add a setting for **Commercial ID** with the following values:
|
||||
- **Name**: Commercial ID
|
||||
- **Description**: Sets the Commercial ID that corresponds to the Update Compliance Log Analytics workspace.
|
||||
- **OMA-URI**: `./Vendor/MSFT/DMClient/Provider/ProviderID/CommercialID`
|
||||
@ -61,17 +61,17 @@ Take the following steps to create a configuration profile that will set require
|
||||
- **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowDeviceNameInDiagnosticData`
|
||||
- **Data type**: Integer
|
||||
- **Value**: 1
|
||||
5. Add a setting to **Allow Update Compliance processing**; this policy is required for Update Compliance:
|
||||
5. Add a setting to **Allow Update Compliance processing**; this policy is required for Update Compliance:
|
||||
- **Name**: Allow Update Compliance Processing
|
||||
- **Description**: Opts device data into Update Compliance processing. Required to see data.
|
||||
- **Description**: Opts device data into Update Compliance processing. Required to see data.
|
||||
- **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowUpdateComplianceProcessing`
|
||||
- **Data type**: Integer
|
||||
- **Value**: 16
|
||||
7. Proceed through the next set of tabs **Scope tags**, **Assignments**, and **Applicability Rules** to assign the configuration profile to devices you wish to enroll.
|
||||
8. Review and select **Create**.
|
||||
7. Proceed through the next set of tabs **Scope tags**, **Assignments**, and **Applicability Rules** to assign the configuration profile to devices you wish to enroll.
|
||||
8. Review and select **Create**.
|
||||
|
||||
## Deploy the configuration script
|
||||
|
||||
The [Update Compliance Configuration Script](update-compliance-configuration-script.md) is an important component of properly enrolling devices in Update Compliance, though it isn't strictly necessary. It checks to ensure that devices have the required services running and checks connectivity to the endpoints detailed in the section on [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md). You can deploy the script as a Win32 app. For more information, see [Win32 app management in Microsoft Intune](/mem/intune/apps/apps-win32-app-management).
|
||||
The [Update Compliance Configuration Script](update-compliance-configuration-script.md) is an important component of properly enrolling devices in Update Compliance, though it isn't strictly necessary. It checks to ensure that devices have the required services running and checks connectivity to the endpoints detailed in the section on [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md). You can deploy the script as a Win32 app. For more information, see [Win32 app management in Microsoft Intune](/mem/intune/apps/apps-win32-app-management).
|
||||
|
||||
When you deploy the configuration script as a Win32 app, you won't be able to retrieve the results of logs on the device without having access to the device, or saving results of the logs to a shared filesystem. We recommend deploying the script in Pilot mode to a set of devices that you do have access to, or have a way to access the resultant log output the script provides, with as similar of a configuration profile as other devices which will be enrolled to Update Compliance, and analyzing the logs for any potential issues. Following this, you can deploy the configuration script in Deployment mode as a Win32 app to all Update Compliance devices.
|
||||
When you deploy the configuration script as a Win32 app, you won't be able to retrieve the results of logs on the device without having access to the device, or saving results of the logs to a shared filesystem. We recommend deploying the script in Pilot mode to a set of devices that you do have access to, or have a way to access the resultant log output the script provides, with as similar of a configuration profile as other devices which will be enrolled to Update Compliance, and analyzing the logs for any potential issues. Following this, you can deploy the configuration script in Deployment mode as a Win32 app to all Update Compliance devices.
|
||||
|
||||
@ -5,7 +5,7 @@ keywords: updates, servicing, current, deployment, semi-annual channel, feature,
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: manage
|
||||
author: jaimeo
|
||||
ms.localizationpriority: medium
|
||||
ms.localizationpriority: high
|
||||
ms.author: jaimeo
|
||||
ms.reviewer:
|
||||
manager: laurawi
|
||||
@ -74,4 +74,4 @@ See [Build deployment rings for Windows 10 updates](waas-deployment-rings-window
|
||||
- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
|
||||
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
|
||||
- [Walkthrough: use Intune to configure Windows Update for Business](/intune/windows-update-for-business-configure)
|
||||
- [Manage device restarts after updates](waas-restart.md)
|
||||
- [Manage device restarts after updates](waas-restart.md)
|
||||
|
||||
@ -101,11 +101,9 @@
|
||||
href: virtual-smart-cards\virtual-smart-card-tpmvscmgr.md
|
||||
- name: Enterprise Certificate Pinning
|
||||
href: enterprise-certificate-pinning.md
|
||||
- name: Install digital certificates on Windows 10 Mobile
|
||||
href: installing-digital-certificates-on-windows-10-mobile.md
|
||||
- name: Windows 10 credential theft mitigation guide abstract
|
||||
href: windows-credential-theft-mitigation-guide-abstract.md
|
||||
- name: Configure S/MIME for Windows 10 and Windows 10 Mobile
|
||||
- name: Configure S/MIME for Windows 10
|
||||
href: configure-s-mime.md
|
||||
- name: VPN technical guide
|
||||
href: vpn\vpn-guide.md
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Change history for access protection (Windows 10)
|
||||
description: This topic lists new and updated topics in the Windows 10 access protection documentation for Windows 10 and Windows 10 Mobile.
|
||||
description: This topic lists new and updated topics in the Windows 10 access protection documentation for Windows 10.
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Configure S/MIME for Windows 10 and Windows 10 Mobile (Windows 10)
|
||||
title: Configure S/MIME for Windows 10
|
||||
description: S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients with a digital ID, aka a certificate, can read them.
|
||||
ms.assetid: 7F9C2A99-42EB-4BCC-BB53-41C04FBBBF05
|
||||
ms.reviewer:
|
||||
@ -19,11 +19,10 @@ ms.date: 07/27/2017
|
||||
---
|
||||
|
||||
|
||||
# Configure S/MIME for Windows 10 and Windows 10 Mobile
|
||||
# Configure S/MIME for Windows 10
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 10 Mobile
|
||||
|
||||
S/MIME stands for Secure/Multipurpose Internet Mail Extensions, and provides an added layer of security for email sent to and from an Exchange ActiveSync (EAS) account. In Windows 10, S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with.
|
||||
|
||||
@ -44,7 +43,6 @@ A digitally signed message reassures the recipient that the message hasn't been
|
||||
|
||||
- [How to Create PFX Certificate Profiles in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/mt131410(v=technet.10))
|
||||
- [Enable access to company resources using certificate profiles with Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=718216)
|
||||
- [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md)
|
||||
|
||||
## Choose S/MIME settings
|
||||
|
||||
|
||||
@ -105,7 +105,7 @@ Three approaches are documented here:
|
||||
|
||||
1. Update the certificate template by executing the following command:
|
||||
|
||||
certutil - dsaddtemplate \<TemplateName\>.txt
|
||||
certutil -dsaddtemplate \<TemplateName\>.txt
|
||||
|
||||
1. In the Certificate Authority console, right-click **Certificate Templates**, select **New**, and select **Certificate Template to Issue**
|
||||
|
||||
@ -206,4 +206,4 @@ After adding the certificate using an approach from any of the previous sections
|
||||
|
||||
1. Open the Remote Desktop Client (%windir%\system32\mstsc.exe) on the Hybrid AAD-Joined client where the authentication certificate has been deployed.
|
||||
1. Attempt an RDP session to a target server.
|
||||
1. Use the certificate credential protected by your Windows Hello for Business gesture.
|
||||
1. Use the certificate credential protected by your Windows Hello for Business gesture.
|
||||
|
||||
@ -23,8 +23,7 @@ Learn more about identity and access management technologies in Windows 10 and
|
||||
|-|-|
|
||||
| [Technical support policy for lost or forgotten passwords](password-support-policy.md)| Outlines the ways in which Microsoft can help you reset a lost or forgotten password, and provides links to instructions for doing so. |
|
||||
| [Access control](access-control/access-control.md) | Describes access control in Windows, which is the process of authorizing users, groups, and computers to access objects on the network or computer. Key concepts that make up access control are permissions, ownership of objects, inheritance of permissions, user rights, and object auditing. |
|
||||
| [Configure S/MIME for Windows 10 and Windows 10 Mobile](configure-s-mime.md) | In Windows 10, S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with. |
|
||||
| [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md) | Digital certificates bind the identity of a user or computer to a pair of keys that can be used to encrypt and sign digital information. Certificates are issued by a certification authority (CA) that vouches for the identity of the certificate holder, and they enable secure client communications with websites and services. |
|
||||
| [Configure S/MIME for Windows 10](configure-s-mime.md) | In Windows 10, S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with. |
|
||||
| [Protect derived domain credentials with Credential Guard](credential-guard/credential-guard.md) | Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard helps prevent these attacks by protecting NTLM password hashes and Kerberos Ticket Granting Tickets. |
|
||||
| [Protect Remote Desktop credentials with Remote Credential Guard](remote-credential-guard.md) | Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that's requesting the connection. |
|
||||
| [User Account Control](user-account-control/user-account-control-overview.md)| Provides information about User Account Control (UAC), which helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. UAC can help block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.|
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: How to use single sign on (SSO) over VPN and Wi-Fi connections (Windows 10)
|
||||
title: How to use Single Sign-On (SSO) over VPN and Wi-Fi connections (Windows 10)
|
||||
description: Explains requirements to enable Single Sign-On (SSO) to on-premises domain resources over WiFi or VPN connections.
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
@ -12,31 +12,30 @@ manager: dansimp
|
||||
ms.author: dansimp
|
||||
---
|
||||
|
||||
# How to use single sign on (SSO) over VPN and Wi-Fi connections
|
||||
# How to use Single Sign-On (SSO) over VPN and Wi-Fi connections
|
||||
|
||||
This topic explains requirements to enable Single Sign-On (SSO) to on-premises domain resources over WiFi or VPN connections. The scenario is:
|
||||
This article explains requirements to enable Single Sign-On (SSO) to on-premises domain resources over WiFi or VPN connections. The following scenarios are typically used:
|
||||
|
||||
- You connect to a network using Wi-Fi or VPN.
|
||||
- You want to use the credentials that you use for the WiFi or VPN authentication to also authenticate requests to access a domain resource you are connecting to, without being prompted for your domain credentials separately.
|
||||
- Connecting to a network using Wi-Fi or VPN.
|
||||
- Use credentials for WiFi or VPN authentication to also authenticate requests to access a domain resource without being prompted for your domain credentials.
|
||||
|
||||
For example, you want to connect to a corporate network and access an internal website that requires Windows integrated authentication.
|
||||
|
||||
At a high level, the way this works is that the credentials that are used for the connection authentication are put in Credential Manager as the default credentials for the logon session.
|
||||
Credential Manager is a place where credentials in the OS are can be stored for specific domain resources based on the targetname of the resource.
|
||||
For VPN, the VPN stack saves its credential as the session default.
|
||||
For WiFi, EAP does it.
|
||||
The credentials that are used for the connection authentication are placed in Credential Manager as the default credentials for the logon session. Credential Manager stores credentials that can be used for specific domain resources. These are based on the target name of the resource:
|
||||
- For VPN, the VPN stack saves its credential as the session default.
|
||||
- For WiFi, Extensible Authentication Protocol (EAP) provides support.
|
||||
|
||||
The credentials are put in Credential Manager as a "\*Session" credential.
|
||||
The credentials are placed in Credential Manager as a "\*Session" credential.
|
||||
A "\*Session" credential implies that it is valid for the current user session.
|
||||
The credentials are also cleaned up when the WiFi or VPN connection is disconnected.
|
||||
|
||||
When the user tries to access a domain resource, using Edge for example, Edge has the right Enterprise Authentication capability so [WinInet](/windows/win32/wininet/wininet-reference) can release the credentials that it gets from the Credential Manager to the SSP that is requesting it.
|
||||
For example, if someone using Microsoft Edge tries to access a domain resource, Microsoft Edge has the right Enterprise Authentication capability. This allows [WinInet](/windows/win32/wininet/wininet-reference) to release the credentials that it gets from the Credential Manager to the SSP that is requesting it.
|
||||
For more information about the Enterprise Authentication capability, see [App capability declarations](/windows/uwp/packaging/app-capability-declarations).
|
||||
|
||||
The local security authority will look at the device application, such as a Universal Windows Platform (UWP) application, to see if it has the right capability.
|
||||
If the app is not UWP, it does not matter.
|
||||
But if it is a UWP app, it will look at the device capability for Enterprise Authentication.
|
||||
If it does have that capability and if the resource that you are trying to access is in the Intranet zone in the Internet Options (ZoneMap), then the credential will be released.
|
||||
The local security authority will look at the device application to determine if it has the right capability. This includes items such as a Universal Windows Platform (UWP) application.
|
||||
If the app isn't a UWP, it doesn't matter.
|
||||
But if the application is a UWP app, it will evaluate at the device capability for Enterprise Authentication.
|
||||
If it does have that capability and if the resource that you're trying to access is in the Intranet zone in the Internet Options (ZoneMap), then the credential will be released.
|
||||
This behavior helps prevent credentials from being misused by untrusted third parties.
|
||||
|
||||
## Intranet zone
|
||||
@ -54,7 +53,7 @@ For multi-label names, such as http://finance.net, the ZoneMap needs to be updat
|
||||
|
||||
OMA URI example:
|
||||
|
||||
./Vendor/MSFT/Registry/HKU/S-1-5-21-2702878673-795188819-444038987-2781/Software/Microsoft/Windows/CurrentVersion/Internet%20Settings/ZoneMap/Domains/`<domain name>`/* as an Integer Value of 1 for each of the domains that you want to SSO into from your device. This adds the specified domains to the Intranet Zone of the Edge browser.
|
||||
./Vendor/MSFT/Registry/HKU/S-1-5-21-2702878673-795188819-444038987-2781/Software/Microsoft/Windows/CurrentVersion/Internet%20Settings/ZoneMap/Domains/`<domain name>`/* as an Integer Value of 1 for each of the domains that you want to SSO into from your device. This adds the specified domains to the Intranet Zone of the Microsoft Edge browser.
|
||||
|
||||
## Credential requirements
|
||||
|
||||
@ -62,8 +61,8 @@ For VPN, the following types of credentials will be added to credential manager
|
||||
|
||||
- Username and password
|
||||
- Certificate-based authentication:
|
||||
- TPM KSP Certificate
|
||||
- Software KSP Certificates
|
||||
- TPM Key Storage Provider (KSP) Certificate
|
||||
- Software Key Storage Provider (KSP) Certificates
|
||||
- Smart Card Certificate
|
||||
- Windows Hello for Business Certificate
|
||||
|
||||
@ -75,10 +74,10 @@ If the credentials are certificate-based, then the elements in the following tab
|
||||
|
||||
| Template element | Configuration |
|
||||
|------------------|---------------|
|
||||
| SubjectName | The user’s distinguished name (DN) where the domain components of the distinguished name reflects the internal DNS namespace when the SubjectAlternativeName does not have the fully qualified UPN required to find the domain controller. </br>This requirement is particularly relevant in multi-forest environments as it ensures a domain controller can be located. |
|
||||
| SubjectAlternativeName | The user’s fully qualified UPN where a domain name component of the user’s UPN matches the organizations internal domain’s DNS namespace.</br>This requirement is particularly relevant in multi-forest environments as it ensures a domain controller can be located when the SubjectName does not have the DN required to find the domain controller. |
|
||||
| SubjectName | The user’s distinguished name (DN) where the domain components of the distinguished name reflect the internal DNS namespace when the SubjectAlternativeName does not have the fully qualified UPN required to find the domain controller. </br>This requirement is relevant in multi-forest environments as it ensures a domain controller can be located. |
|
||||
| SubjectAlternativeName | The user’s fully qualified UPN where a domain name component of the user’s UPN matches the organizations internal domain’s DNS namespace. </br>This requirement is relevant in multi-forest environments as it ensures a domain controller can be located when the SubjectName does not have the DN required to find the domain controller. |
|
||||
| Key Storage Provider (KSP) | If the device is joined to Azure AD, a discrete SSO certificate is used. |
|
||||
| EnhancedKeyUsage | One or more of the following EKUs is required: </br>- Client Authentication (for the VPN) </br>- EAP Filtering OID (for Windows Hello for Business)</br>- SmartCardLogon (for Azure AD joined devices)</br>If the domain controllers require smart card EKU either:</br>- SmartCardLogon</br>- id-pkinit-KPClientAuth (1.3.6.1.5.2.3.4)</br>Otherwise:</br>- TLS/SSL Client Authentication (1.3.6.1.5.5.7.3.2) |
|
||||
| EnhancedKeyUsage | One or more of the following EKUs is required: </br>- Client Authentication (for the VPN) </br>- EAP Filtering OID (for Windows Hello for Business)</br>- SmartCardLogon (for Azure AD joined devices) </br>If the domain controllers require smart card EKU either:</br>- SmartCardLogon</br>- id-pkinit-KPClientAuth (1.3.6.1.5.2.3.4) <br>Otherwise:</br>- TLS/SSL Client Authentication (1.3.6.1.5.5.7.3.2) |
|
||||
|
||||
## NDES server configuration
|
||||
|
||||
@ -89,9 +88,9 @@ For more information, see [Configure certificate infrastructure for SCEP](/mem/i
|
||||
|
||||
You need IP connectivity to a DNS server and domain controller over the network interface so that authentication can succeed as well.
|
||||
|
||||
The domain controllers will need to have appropriate KDC certificates for the client to trust them as domain controllers, and since phones are not domain-joined, the root CA of the KDC’s certificate must be in the Third-Party Root CA or Smart Card Trusted Roots store.
|
||||
Domain controllers must have appropriate KDC certificates for the client to trust them as domain controllers. Because phones are not domain-joined, the root CA of the KDC’s certificate must be in the Third-Party Root CA or Smart Card Trusted Roots store.
|
||||
|
||||
The domain controllers must be using certificates based on the updated KDC certificate template Kerberos Authentication.
|
||||
This is because Windows 10 Mobile requires strict KDC validation to be enabled.
|
||||
Domain controllers must be using certificates based on the updated KDC certificate template Kerberos Authentication.
|
||||
This requires that all authenticating domain controllers run Windows Server 2016, or you'll need to enable strict KDC validation on domain controllers that run previous versions of Windows Server.
|
||||
|
||||
For more information, see [Enabling Strict KDC Validation in Windows Kerberos](https://www.microsoft.com/download/details.aspx?id=6382).
|
||||
@ -18,7 +18,6 @@ ms.author: dansimp
|
||||
**Applies to**
|
||||
|
||||
- Windows 10
|
||||
- Windows 10 Mobile
|
||||
|
||||
This guide will walk you through the decisions you will make for Windows 10 clients in your enterprise VPN solution and how to configure your deployment. This guide references the [VPNv2 Configuration Service Provider (CSP)](/windows/client-management/mdm/vpnv2-csp) and provides mobile device management (MDM) configuration instructions using Microsoft Intune and the VPN Profile template for Windows 10.
|
||||
|
||||
|
||||
@ -156,9 +156,6 @@ Here are a few examples of responses from the Reporting CSP.
|
||||
## Collect WIP audit logs by using Windows Event Forwarding (for Windows desktop domain-joined devices only)
|
||||
Use Windows Event Forwarding to collect and aggregate your WIP audit events. You can view your audit events in the Event Viewer.
|
||||
|
||||
>[!NOTE]
|
||||
>Windows 10 Mobile requires you to use the [Reporting CSP process](#collect-wip-audit-logs-by-using-the-reporting-configuration-service-provider-csp) instead.
|
||||
|
||||
**To view the WIP events in the Event Viewer**
|
||||
1. Open Event Viewer.
|
||||
|
||||
|
||||
@ -25,8 +25,6 @@ ms.reviewer:
|
||||
|
||||
If you don't already have an EFS DRA certificate, you'll need to create and extract one from your system before you can use Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your organization. For the purposes of this section, we'll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you.
|
||||
|
||||
The recovery process included in this topic only works for desktop devices. WIP deletes the data on Windows 10 Mobile devices.
|
||||
|
||||
>[!IMPORTANT]
|
||||
>If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. For more info about when to use a PKI and the general strategy you should use to deploy DRA certificates, see the [Security Watch Deploying EFS: Part 1](/previous-versions/technet-magazine/cc162507(v=msdn.10)) article on TechNet. For more general info about EFS protection, see [Protecting Data by Using EFS to Encrypt Hard Drives](/previous-versions/tn-archive/cc875821(v=technet.10)).<br><br>If your DRA certificate has expired, you won't be able to encrypt your files with it. To fix this, you'll need to create a new certificate, using the steps in this topic, and then deploy it through policy.
|
||||
|
||||
|
||||
@ -22,7 +22,6 @@ ms.date: 01/09/2020
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10, version 1607 and later
|
||||
- Windows 10 Mobile, version 1607 and later
|
||||
- Microsoft Endpoint Configuration Manager
|
||||
|
||||
Configuration Manager helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection mode, and how to find enterprise data on the network.
|
||||
@ -96,7 +95,7 @@ For this example, we're going to add Microsoft OneNote, a store app, to the **Ap
|
||||
|
||||
5. Type the name of the app and the name of its publisher, and then click **OK**. For this UWP app example, the **Publisher** is `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` and the **Product name** is `Microsoft.Office.OneNote`.
|
||||
|
||||
If you don't know the publisher or product name, you can find them for both desktop devices and Windows 10 Mobile phones by following these steps.
|
||||
If you don't know the publisher or product name, you can find them for both desktop devices by following these steps.
|
||||
|
||||
**To find the Publisher and Product Name values for Store apps without installing them**
|
||||
|
||||
@ -129,35 +128,6 @@ If you don't know the publisher or product name, you can find them for both desk
|
||||
> }
|
||||
> ```
|
||||
|
||||
**To find the Publisher and Product Name values for apps installed on Windows 10 mobile phones**
|
||||
1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature.
|
||||
|
||||
>[!NOTE]
|
||||
>Your PC and phone must be on the same wireless network.
|
||||
|
||||
2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**.
|
||||
|
||||
3. On the **For developers** screen, turn on **Developer mode**, turn on **Device Discovery**, and then turn on **Device Portal**.
|
||||
|
||||
4. Copy the URL in the **Device Portal** area into your device's browser, and then accept the SSL certificate.
|
||||
|
||||
5. In the **Device discovery** area, press **Pair**, and then enter the PIN into the website from the previous step.
|
||||
|
||||
6. On the **Apps** tab of the website, you can see details for the running apps, including the publisher and product names.
|
||||
|
||||
7. Start the app for which you're looking for the publisher and product name values.
|
||||
|
||||
8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune.
|
||||
|
||||
> [!IMPORTANT]
|
||||
> The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that's using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as "CN=" followed by the `windowsPhoneLegacyId`.
|
||||
> For example:<p>
|
||||
> ```json
|
||||
> {
|
||||
> "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
|
||||
> }
|
||||
> ```
|
||||
|
||||
### Add a desktop app rule to your policy
|
||||
For this example, we're going to add Internet Explorer, a desktop app, to the **App Rules** list.
|
||||
|
||||
@ -247,19 +217,19 @@ For this example, we're going to add an AppLocker XML file to the **App Rules**
|
||||
|
||||
4. On the **Before You Begin** page, click **Next**.
|
||||
|
||||
|
||||
|
||||
|
||||
5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**.
|
||||
|
||||
|
||||
|
||||
|
||||
6. On the **Publisher** page, click **Select** from the **Use an installed packaged app as a reference** area.
|
||||
|
||||
|
||||
|
||||
|
||||
7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, we're using Microsoft Photos.
|
||||
|
||||
|
||||
|
||||
|
||||
8. On the updated **Publisher** page, click **Create**.
|
||||
|
||||
@ -466,12 +436,6 @@ After you've decided where your protected apps can access enterprise data on you
|
||||
**To set your optional settings**
|
||||
1. Choose to set any or all of the optional settings:
|
||||
|
||||
- **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile**. Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are:
|
||||
|
||||
- **Yes (recommended).** Turns on the feature and provides the additional protection.
|
||||
|
||||
- **No, or not configured.** Doesn't enable this feature.
|
||||
|
||||
- **Allow Windows Search to search encrypted corporate data and Store apps.** Determines whether Windows Search can search and index encrypted corporate data and Store apps. The options are:
|
||||
|
||||
- **Yes.** Allows Windows Search to search and index encrypted corporate data and Store apps.
|
||||
|
||||
@ -124,10 +124,6 @@ If you don't know the Store app publisher or product name, you can find them by
|
||||
>The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.<br><br>For example:<br>
|
||||
<code>{<br>"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",<br>}</code>
|
||||
|
||||
<!-- Go Kamatsu says the following info about Windows Mobile can be removed after Windows Mobile EOL at end of 2019
|
||||
-->
|
||||
|
||||
If you need to add Windows 10 mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature.
|
||||
|
||||
> [!NOTE]
|
||||
> Your PC and phone must be on the same wireless network.
|
||||
@ -570,12 +566,6 @@ After you've decided where your protected apps can access enterprise data on you
|
||||
|
||||
|
||||
|
||||
**Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile.** Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are:
|
||||
|
||||
- **On.** Turns on the feature and provides the additional protection.
|
||||
|
||||
- **Off, or not configured.** Doesn't enable this feature.
|
||||
|
||||
**Revoke encryption keys on unenroll.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are:
|
||||
|
||||
- **On, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment.
|
||||
|
||||
@ -21,7 +21,6 @@ ms.localizationpriority: medium
|
||||
|
||||
**Applies to:**
|
||||
- Windows 10, version 1607 and later
|
||||
- Windows 10 Mobile, version 1607 and later
|
||||
|
||||
This table provides info about the most common problems you might encounter while running WIP in your organization.
|
||||
|
||||
|
||||
@ -22,7 +22,6 @@ ms.date: 03/05/2019
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10, version 1607 and later
|
||||
- Windows 10 Mobile, version 1607 and later
|
||||
|
||||
We've come up with a list of suggested testing scenarios that you can use to test Windows Information Protection (WIP) in your company.
|
||||
|
||||
@ -164,14 +163,7 @@ You can try any of the processes included in these scenarios, but you should foc
|
||||
</ul>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Verify that app content is protected when a Windows 10 Mobile phone is locked.</td>
|
||||
<td>
|
||||
<ul>
|
||||
<li>Check that protected app data doesn't appear on the Lock screen of a Windows 10 Mobile phone.</li>
|
||||
</ul>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
|
||||
</table>
|
||||
|
||||
|
||||
@ -1408,5 +1408,3 @@
|
||||
href: windows-security-configuration-framework/security-compliance-toolkit-10.md
|
||||
- name: Get support
|
||||
href: windows-security-configuration-framework/get-support-for-security-baselines.md
|
||||
- name: Windows 10 Mobile security guide
|
||||
href: windows-10-mobile-security-guide.md
|
||||
|
||||
@ -282,6 +282,7 @@ The most common values:
|
||||
| 2 | PA-ENC-TIMESTAMP | This is a normal type for standard password authentication. |
|
||||
| 11 | PA-ETYPE-INFO | The ETYPE-INFO pre-authentication type is sent by the KDC in a KRB-ERROR indicating a requirement for additional pre-authentication. It is usually used to notify a client of which key to use for the encryption of an encrypted timestamp for the purposes of sending a PA-ENC-TIMESTAMP pre-authentication value.<br>Never saw this Pre-Authentication Type in Microsoft Active Directory environment. |
|
||||
| 15 | PA-PK-AS-REP\_OLD | Used for Smart Card logon authentication. |
|
||||
| 16 | PA-PK-AS-REQ | Request sent to KDC in Smart Card authentication scenarios. |
|
||||
| 17 | PA-PK-AS-REP | This type should also be used for Smart Card authentication, but in certain Active Directory environments, it is never seen. |
|
||||
| 19 | PA-ETYPE-INFO2 | The ETYPE-INFO2 pre-authentication type is sent by the KDC in a KRB-ERROR indicating a requirement for additional pre-authentication. It is usually used to notify a client of which key to use for the encryption of an encrypted timestamp for the purposes of sending a PA-ENC-TIMESTAMP pre-authentication value.<br>Never saw this Pre-Authentication Type in Microsoft Active Directory environment. |
|
||||
| 20 | PA-SVR-REFERRAL-INFO | Used in KDC Referrals tickets. |
|
||||
@ -343,4 +344,4 @@ For 4768(S, F): A Kerberos authentication ticket (TGT) was requested.
|
||||
| **Result Code** | **0x29** (Message stream modified and checksum didn't match). The authentication data was encrypted with the wrong key for the intended server. The authentication data was modified in transit by a hardware or software error, or by an attacker. Monitor for these events because this should not happen in a standard Active Directory environment. |
|
||||
| **Result Code** | **0x3C** (Generic error). This error can help you more quickly identify problems with Kerberos authentication. |
|
||||
| **Result Code** | **0x3E** (The client trust failed or is not implemented). This error helps you identify logon attempts with revoked certificates and the situations when the root Certification Authority that issued the smart card certificate (through a chain) is not trusted by a domain controller. |
|
||||
| **Result Code** | **0x3F**, **0x40**, **0x41** errors. These errors can help you more quickly identify smart-card related problems with Kerberos authentication. |
|
||||
| **Result Code** | **0x3F**, **0x40**, **0x41** errors. These errors can help you more quickly identify smart-card related problems with Kerberos authentication. |
|
||||
|
||||
@ -18,7 +18,6 @@ ms.technology: mde
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows 10 Mobile
|
||||
|
||||
Microsoft Defender SmartScreen works with Intune, Group Policy, and mobile device management (MDM) settings to help you manage your organization's computer settings. Based on how you set up Microsoft Defender SmartScreen, you can show employees a warning page and let them continue to the site, or you can block the site entirely.
|
||||
|
||||
@ -77,7 +76,7 @@ SmartScreen uses registry-based Administrative Template policy settings.
|
||||
</table>
|
||||
|
||||
## MDM settings
|
||||
If you manage your policies using Microsoft Intune, you'll want to use these MDM policy settings. All settings support both desktop computers (running Windows 10 Pro or Windows 10 Enterprise, enrolled with Microsoft Intune) and Windows 10 Mobile devices. <br><br>
|
||||
If you manage your policies using Microsoft Intune, you'll want to use these MDM policy settings. All settings support desktop computers running Windows 10 Pro or Windows 10 Enterprise, enrolled with Microsoft Intune. <br><br>
|
||||
For Microsoft Defender SmartScreen Edge MDM policies, see [Policy CSP - Browser](/windows/client-management/mdm/policy-csp-browser).
|
||||
<table>
|
||||
<tr>
|
||||
|
||||
@ -20,7 +20,6 @@ ms.technology: mde
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows 10 Mobile
|
||||
- Microsoft Edge
|
||||
|
||||
Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files.
|
||||
|
||||
@ -19,7 +19,6 @@ ms.technology: mde
|
||||
|
||||
**Applies to:**
|
||||
- Windows 10, version 1703
|
||||
- Windows 10 Mobile
|
||||
- Microsoft Edge
|
||||
|
||||
Microsoft Defender SmartScreen helps to protect users if they try to visit sites previously reported as phishing or malware websites, or if a user tries to download potentially malicious files.
|
||||
|
||||
@ -591,18 +591,7 @@ The following table presents some key items that can be reported back to MDM dep
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Windows 10 Mobile</p></td>
|
||||
<td align="left"><ul>
|
||||
<li><p>PCR0 measurement</p></li>
|
||||
<li><p>Secure Boot enabled</p></li>
|
||||
<li><p>Secure Boot db is default</p></li>
|
||||
<li><p>Secure Boot dbx is up to date</p></li>
|
||||
<li><p>Secure Boot policy GUID is default</p></li>
|
||||
<li><p>Device Encryption enabled</p></li>
|
||||
<li><p>Code Integrity revocation list timestamp/version is up to date</p></li>
|
||||
</ul></td>
|
||||
</tr>
|
||||
|
||||
<tr class="even">
|
||||
<td align="left"><p>Windows 10 for desktop editions</p></td>
|
||||
<td align="left"><ul>
|
||||
|
||||
@ -119,7 +119,7 @@ In either of the scenarios above, once these rules are added they must be delete
|
||||
|
||||
When designing a set of firewall policies for your network, it is a best practice to configure allow rules for any networked applications deployed on the host. Having these rules in place before the user first launches the application will help ensure a seamless experience.
|
||||
|
||||
The absence of these staged rules does not necessarily mean that in the end an application will be unable to communicate on the network. However, the behaviors involved in the automatic creation of application rules at runtime requires user interaction.
|
||||
The absence of these staged rules does not necessarily mean that in the end an application will be unable to communicate on the network. However, the behaviors involved in the automatic creation of application rules at runtime require user interaction and administrative privilege. If the device is expected to be used by non-administrative users, you should follow best practices and provide these rules before the application's first launch to avoid unexpected networking issues.
|
||||
|
||||
To determine why some applications are blocked from communicating in the network, check for the following:
|
||||
|
||||
@ -129,6 +129,8 @@ To determine why some applications are blocked from communicating in the network
|
||||
|
||||
3. Local Policy Merge is disabled, preventing the application or network service from creating local rules.
|
||||
|
||||
Creation of application rules at runtime can also be prohibited by administrators using the Settings app or Group Policy.
|
||||
|
||||
|
||||
|
||||
*Figure 4: Dialog box to allow access*
|
||||
@ -207,4 +209,4 @@ For tasks related to creating outbound rules, see [Checklist: Creating Outbound
|
||||
|
||||
## Document your changes
|
||||
|
||||
When creating an inbound or outbound rule, you should specify details about the app itself, the port range used, and important notes like creation date. Rules must be well-documented for ease of review both by you and other admins. We highly encourage taking the time to make the work of reviewing your firewall rules at a later date easier. And *never* create unnecessary holes in your firewall.
|
||||
When creating an inbound or outbound rule, you should specify details about the app itself, the port range used, and important notes like creation date. Rules must be well-documented for ease of review both by you and other admins. We highly encourage taking the time to make the work of reviewing your firewall rules at a later date easier. And *never* create unnecessary holes in your firewall.
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user