[Upgrade Windows 10 Pro to Pro Education from Windows Store for Business](windows-10-pro-to-pro-edu-upgrade.md)
If you have an education tenant and use Windows 10 Pro in your schools now, find out how you can opt-in to a free upgrade to Windows 10 Pro Education.
+
+
+Windows 8.1 deployment planning
Explore key considerations and questions that should be answered when planning for Windows 8.1 deployment.
Windows 8.1 deployment to PCs
Get an overview of Windows 8.1 deployment to PCs in an educational environment.
BYOD
Explore Bring Your Own Device (BYOD) considerations, including device types, infrastructure, and deployment models.
Deploying Windows RT 8.1
Get step-by-step instructions on how to configure and deploy Windows RT devices (like Surface and other tablets) in educational environments.
+
+Virtual Desktop Infrastructure
Learn how to address challenges related to BYOD scenarios using Virtual Desktop Infrastructure (VDI).
Windows Store apps
Explore Windows Store app deployment strategies and considerations for educational institutions running Windows 8.1.
Windows To Go
Learn about the benefits, limitations, and processes involved in deploying Windows To Go.
Packaging
-
+
All of the Office applications that you want to deploy to users must be in a single package.
In App-V 5.0 and later, you must use the Office Deployment Tool to create packages. You cannot use the Sequencer.
-If you are deploying Microsoft Visio 2016 and Microsoft Project 2016 along with Office, you must include them in the same package with Office. For more information, see [Deploying Visio 2016 and Project 2016 with Office](#bkmk-deploy-visio-project).
+If you are deploying Microsoft Visio 2016 and Microsoft Project 2016 along with Office, you must include them in the same package with Office. For more information, see [Deploying Visio 2016 and Project 2016 with Office](#deploying-visio-2016-and-project-2016-with-office).
Project Pro for Office 365
You must enable [shared computer activation](http://technet.microsoft.com/library/dn782860.aspx).
-You don’t use shared computer activation if you’re deploying a volume licensed product, such as:
--
-
Office Professional Plus 2016
-Visio Professional 2016
-Project Professional 2016
-
Product element
Specifies the application. Project 2016 and Visio 2016 must be specified here as an added product to be included in the applications.
Specifies the application. Project 2016 and Visio 2016 must be specified here as an added product to be included in the applications. + + For more information about the product IDs, see [Product IDs that are supported by the Office Deployment Tool for Click-to-Run](https://support.microsoft.com/kb/2842297) +
Product ID ="O365ProPlusRetail "
Product ID ="VisioProRetail"
Product ID ="ProjectProRetail"
Product ID ="ProPlusVolume"
Product ID ="VisioProVolume"
Product ID = "ProjectProVolume"
Language element
Version (attribute of Add element)
Optional. Specifies a build to use for the package
Defaults to latest advertised build (as defined in v32.CAB at the Office source).
15.1.2.3
16.1.2.3
SourcePath (attribute of Add element)
| Product ID | -Volume Licensing | Subscription Licensing |
|---|---|---|
Office 2016 |
-ProPlusVolume |
O365ProPlusRetail |
Office 2016 with Visio 2016 |
-ProPlusVolume -VisioProVolume |
O365ProPlusRetail VisioProRetail |
Office 2016 with Visio 2016 and Project 2016 |
-ProPlusVolume -VisioProVolume -ProjectProVolume |
O365ProPlusRetail VisioProRetail ProjectProRetail |
@@ -412,9 +400,7 @@ After you download the Office 2016 applications through the Office Deployment To
ProductID |
- Specify the type of licensing, as shown in the following examples: -
|
- -
Volume Licensing
-<Configuration>
- <Add SourcePath= "\\Server\Office2016" OfficeClientEdition="32" >
- <Product ID="ProPlusVolume">
- <Language ID="en-us" />
- </Product>
- <Product ID="VisioProVolume">
- <Language ID="en-us" />
- </Product>
- </Add>
- </Configuration>In this example, the following changes were made to create a package with Volume licensing:
-SourcePath |
- is the path, which was changed to point to the Office applications that were downloaded earlier. |
-
Product ID |
- for Office was changed to |
-
Product ID |
- for Visio was changed to |
-
-
ExcludeApp (optional)
Lets you specify Office programs that you don’t want included in the App-V package that the Office Deployment Tool creates. For example, you can exclude Access and InfoPath.
PACKAGEGUID (optional)
By default, all App-V packages created by the Office Deployment Tool share the same App-V Package ID. You can use PACKAGEGUID to specify a different package ID for each package, which allows you to publish multiple App-V packages, created by the Office Deployment Tool, and manage them by using the App-V Server.
An example of when to use this parameter is if you create different packages for different users. For example, you can create a package with just Office 2016 for some users, and create another package with Office 2016 and Visio 2016 for another set of users.
-
- Note
-
- Even if you use unique package IDs, you can still deploy only one App-V package to a single device.
-
-
-
/packager
creates the Office 2016 App-V package with Volume Licensing as specified in the customConfig.xml file.
creates the Office 2016 App-V package with the type of licensing specified in the customConfig.xml file.
\\server\Office2016\Customconfig.xml
-
+
- An Office 2016 App-V Package Version ID that is unique across all packages created using the Office Deployment Tool. +
- A second App-V Package Version ID, x.x.x.x for example, in the AppX manifest that will only change if there is a new version of Office itself. For example, if a new Office 2016 release with upgrades is available, and a package is created through the Office Deployment Tool to incorporate these upgrades, the X.X.X.X version ID will change to reflect that the Office version itself has changed. The App-V server will use the X.X.X.X version ID to differentiate this package and recognize that it contains new upgrades to the previously published package, and as a result, publish it as an upgrade to the existing Office 2016 package. +
How do I package and publish Visio 2016 and Project 2016 with Office?
You must include Visio 2016 and Project 2016 in the same package with Office.
-If you aren’t deploying Office, you can create a package that contains Visio and/or Project, as long as you follow [Deploying Microsoft Office 2010 by Using App-V](../appv-v5/deploying-microsoft-office-2010-by-using-app-v.md).
If you aren’t deploying Office, you can create a package that contains Visio and/or Project, as long as you follow the packaging, publishing, and deployment requirements described in this topic.
How can I deploy Visio 2016 and Project 2016 to specific users?
[Planning for Using App-V with Office](planning-for-using-app-v-with-office51.md#bkmk-office-vers-supp-appv)
[Supported versions of Microsoft Office](planning-for-using-app-v-with-office.md#bkmk-office-vers-supp-appv)
Supported versions of Office
Supported deployment types (for example, desktop, personal Virtual Desktop Infrastructure (VDI), pooled VDI)
@@ -55,13 +55,14 @@ Use the following table to get information about supported versions of Office an
[Planning for Using App-V with Office](planning-for-using-app-v-with-office51.md#bkmk-plan-coexisting)
[Planning for Using App-V with coexsiting versions of Office](planning-for-using-app-v-with-office.md#bkmk-plan-coexisting)
Considerations for installing different versions of Office on the same computer
Packaging
-
+
All of the Office applications that you want to deploy to users must be in a single package.
In App-V 5.1 and later, you must use the Office Deployment Tool to create packages. You cannot use the Sequencer.
-If you are deploying Microsoft Visio 2016 and Microsoft Project 2016 along with Office, you must include them in the same package with Office. For more information, see [Deploying Visio 2016 and Project 2016 with Office](#bkmk-deploy-visio-project).
+If you are deploying Microsoft Visio 2016 and Microsoft Project 2016 along with Office, you must include them in the same package with Office. For more information, see [Deploying Visio 2016 and Project 2016 with Office](#deploying-visio-2016-and-project-2016-with-office).
Project Pro for Office 365
You must enable [shared computer activation](http://technet.microsoft.com/library/dn782860.aspx).
-You don’t use shared computer activation if you’re deploying a volume licensed product, such as:
--
-
Office Professional Plus 2016
-Visio Professional 2016
-Project Professional 2016
-
Supported operating systems
64-bit version of Windows 10
-64-bit version of Windows 8 or later
+64-bit version of Windows 8 or 8.1
64-bit version of Windows 7
Product element |
- Specifies the application. Project 2016 and Visio 2016 must be specified here as an added product to be included in the applications. |
-
| Specifies the application. Project 2016 and Visio 2016 must be specified here as an added product to be included in the applications. + + For more information about the product IDs, see [Product IDs that are supported by the Office Deployment Tool for Click-to-Run](https://support.microsoft.com/kb/2842297) + |
+
|
+
Language element |
@@ -298,21 +285,19 @@ The XML file that is included in the Office Deployment Tool specifies the produc
||||
SourcePath (attribute of Add element) |
Specifies the location in which the applications will be saved to. |
-
|
+
|
|
Branch (attribute of Add element) |
- Optional. Specifies the update branch for the product that you want to download or install. For more information about update branches, see Overview of update branches for Office 365 ProPlus. |
+ Optional. Specifies the update branch for the product that you want to download or install. For more information about update branches, see Overview of update branches for Office 365 ProPlus. |
|
| Product ID | -Volume Licensing | Subscription Licensing |
|---|---|---|
Office 2016 |
-ProPlusVolume |
O365ProPlusRetail |
Office 2016 with Visio 2016 |
-ProPlusVolume -VisioProVolume |
O365ProPlusRetail VisioProRetail |
Office 2016 with Visio 2016 and Project 2016 |
-ProPlusVolume -VisioProVolume -ProjectProVolume |
O365ProPlusRetail VisioProRetail ProjectProRetail |
@@ -421,9 +400,7 @@ After you download the Office 2016 applications through the Office Deployment To
ProductID |
- Specify the type of licensing, as shown in the following examples: -
|
- -
Volume Licensing
-<Configuration>
- <Add SourcePath= "\\Server\Office2016" OfficeClientEdition="32" >
- <Product ID="ProPlusVolume">
- <Language ID="en-us" />
- </Product>
- <Product ID="VisioProVolume">
- <Language ID="en-us" />
- </Product>
- </Add>
- </Configuration>In this example, the following changes were made to create a package with Volume licensing:
-SourcePath |
- is the path, which was changed to point to the Office applications that were downloaded earlier. |
-
Product ID |
- for Office was changed to |
-
Product ID |
- for Visio was changed to |
-
-
ExcludeApp (optional)
Lets you specify Office programs that you don’t want included in the App-V package that the Office Deployment Tool creates. For example, you can exclude Access.
Lets you specify Office programs that you don’t want included in the App-V package that the Office Deployment Tool creates. For example, you can exclude Access and InfoPath.
PACKAGEGUID (optional)
By default, all App-V packages created by the Office Deployment Tool share the same App-V Package ID. You can use PACKAGEGUID to specify a different package ID for each package, which allows you to publish multiple App-V packages, created by the Office Deployment Tool, and manage them by using the App-V Server.
An example of when to use this parameter is if you create different packages for different users. For example, you can create a package with just Office 2016 for some users, and create another package with Office 2016 and Visio 2016 for another set of users.
-
- Note
-
- Even if you use unique package IDs, you can still deploy only one App-V package to a single device.
-
-
-
/packager
creates the Office 2016 App-V package with Volume Licensing as specified in the customConfig.xml file.
creates the Office 2016 App-V package with the type of licensing specified in the customConfig.xml file.
\\server\Office2016\Customconfig.xml
-
+
- An Office 2016 App-V Package Version ID that is unique across all packages created using the Office Deployment Tool. +
- A second App-V Package Version ID, x.x.x.x for example, in the AppX manifest that will only change if there is a new version of Office itself. For example, if a new Office 2016 release with upgrades is available, and a package is created through the Office Deployment Tool to incorporate these upgrades, the X.X.X.X version ID will change to reflect that the Office version itself has changed. The App-V server will use the X.X.X.X version ID to differentiate this package and recognize that it contains new upgrades to the previously published package, and as a result, publish it as an upgrade to the existing Office 2016 package. +
64-bit
Microsoft System Center 2012 R2 Configuration Manager
64-bit
Microsoft System Center 2012 Configuration Manager
SP1
Microsoft System Center Configuration Manager 2007 R2 or later
SP1 or later
64-bit
-
-Note
-
-Although Configuration Manager 2007 R2 is 32 bit, you must install it and SQL Server on a 64-bit operating system in order to match the 64-bit MBAM software.
-
-
-
Standard, Enterprise, or Datacenter
SP1
64-bit
Microsoft SQL Server 2014
Standard, Enterprise, or Datacenter
64-bit
Microsoft SQL Server 2012
Standard, Enterprise, or Datacenter
SP2
64-bit
Microsoft SQL Server 2012
Standard, Enterprise, or Datacenter
SP1
SP3
64-bit
Microsoft SQL Server 2008 R2
Standard or Enterprise
SP1, SP2, SP3
SP3
64-bit
diff --git a/windows/deploy/windows-10-poc-mdt.md b/windows/deploy/windows-10-poc-mdt.md
index 057d16d9f6..54eb632a5f 100644
--- a/windows/deploy/windows-10-poc-mdt.md
+++ b/windows/deploy/windows-10-poc-mdt.md
@@ -306,7 +306,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env
```
[Settings]
Priority=Default
-
+
[Default]
_SMSTSORGNAME=Contoso
OSInstall=YES
@@ -362,7 +362,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env
```
[Settings]
Priority=Default
-
+
[Default]
DeployRoot=\\SRV1\MDTProd$
UserDomain=CONTOSO
@@ -417,12 +417,16 @@ This procedure will demonstrate how to deploy the reference image to the PoC env
Disable-NetAdapter "Ethernet 2" -Confirm:$false
```
+ >Wait until the disable-netadapter command completes before proceeding.
+
+
2. Next, switch to the Hyper-V host and open an elevated Windows PowerShell prompt. Create a generation 2 VM on the Hyper-V host that will load its OS using PXE. To create this VM, type the following commands at an elevated Windows PowerShell prompt:
```
New-VM –Name "PC2" –NewVHDPath "c:\vhd\pc2.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2
Set-VMMemory -VMName "PC2" -DynamicMemoryEnabled $true -MinimumBytes 720MB -MaximumBytes 2048MB -Buffer 20
```
+
>Dynamic memory is configured on the VM to conserve resources. However, this can cause memory allocation to be reduced past what is required to install an operating system. If this happens, reset the VM and begin the OS installation task sequence immediately. This ensures the VM memory allocation is not decreased too much while it is idle.
3. Start the new VM and connect to it:
@@ -452,24 +456,24 @@ This completes the demonstration of how to deploy a reference image to the netwo
This section will demonstrate how to export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings. The scenario will use PC1, a computer that was cloned from a physical device to a VM, as described in [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md).
-If the PC1 VM is not already running, then start and connect to it:
-
+1. If the PC1 VM is not already running, then start and connect to it:
+
```
Start-VM PC1
vmconnect localhost PC1
```
-1. Switch back to the Hyper-V host and create a checkpoint for the PC1 VM so that it can easily be reverted to its current state for troubleshooting purposes and to perform additional scenarios. Checkpoints are also known as snapshots. To create a checkpoint for the PC1 VM, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
+2. Switch back to the Hyper-V host and create a checkpoint for the PC1 VM so that it can easily be reverted to its current state for troubleshooting purposes and to perform additional scenarios. Checkpoints are also known as snapshots. To create a checkpoint for the PC1 VM, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
```
Checkpoint-VM -Name PC1 -SnapshotName BeginState
```
-2. Sign on to PC1 using the CONTOSO\Administrator account.
+3. Sign on to PC1 using the CONTOSO\Administrator account.
>Specify **contoso\administrator** as the user name to ensure you do not sign on using the local administrator account. You must sign in with this account so that you have access to the deployment share.
-3. Open an elevated command prompt on PC1 and type the following:
+4. Open an elevated command prompt on PC1 and type the following:
```
cscript \\SRV1\MDTProd$\Scripts\Litetouch.vbs
@@ -477,13 +481,13 @@ If the PC1 VM is not already running, then start and connect to it:
**Note**: Litetouch.vbs must be able to create the C:\MININT directory on the local computer.
-4. Choose the **Windows 10 Enterprise x64 Custom Image** and then click **Next**.
+5. Choose the **Windows 10 Enterprise x64 Custom Image** and then click **Next**.
-5. Choose **Do not back up the existing computer** and click **Next**.
+6. Choose **Do not back up the existing computer** and click **Next**.
**Note**: The USMT will still back up the computer.
-6. Lite Touch Installation will perform the following actions:
+7. Lite Touch Installation will perform the following actions:
- Back up user settings and data using USMT.
- Install the Windows 10 Enterprise X64 operating system.
- Update the operating system via Windows Update.
@@ -491,15 +495,15 @@ If the PC1 VM is not already running, then start and connect to it:
You can review the progress of installation on SRV1 by clicking on the **Monitoring** node in the deployment workbench. When OS installation is complete, the computer will restart, set up devices, and configure settings.
-7. Sign in with the CONTOSO\Administrator account and verify that all CONTOSO domain user accounts and data have been migrated to the new operating system, or other user accounts as specified [previously](#configure-the-mdt-production-deployment-share).
+8. Sign in with the CONTOSO\Administrator account and verify that all CONTOSO domain user accounts and data have been migrated to the new operating system, or other user accounts as specified [previously](#configure-the-mdt-production-deployment-share).
-8. Create another checkpoint for the PC1 VM so that you can review results of the computer refresh later. To create a checkpoint, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
+9. Create another checkpoint for the PC1 VM so that you can review results of the computer refresh later. To create a checkpoint, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
```
Checkpoint-VM -Name PC1 -SnapshotName RefreshState
```
-9. Restore the PC1 VM to it's previous state in preparation for the replace procedure. To restore a checkpoint, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
+10. Restore the PC1 VM to it's previous state in preparation for the replace procedure. To restore a checkpoint, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
```
Restore-VMSnapshot -VMName PC1 -Name BeginState -Confirm:$false
@@ -507,7 +511,7 @@ If the PC1 VM is not already running, then start and connect to it:
vmconnect localhost PC1
```
-10. Sign in to PC1 using the contoso\administrator account.
+11. Sign in to PC1 using the contoso\administrator account.
## Replace a computer with Windows 10
@@ -557,10 +561,10 @@ At a high level, the computer replace process consists of:
``` 3. Complete the deployment wizard using the following: - **Task Sequence**: Backup Only Task Sequence - - **User Data**: Specify a location: **\\SRV1\MigData$\PC1** + - **User Data**: Specify a location: **\\\\SRV1\MigData$\PC1** - **Computer Backup**: Do not back up the existing computer. 4. While the task sequence is running on PC1, open the deployment workbench console on SRV1 and click the **Monitoring* node. Press F5 to refresh the console, and view the status of current tasks. -5. Verify that **The user state capture was completed successfully** is displayed, and click **Finish** when the capture is complete. +5. On PC1, verify that **The user state capture was completed successfully** is displayed, and click **Finish** when the capture is complete. 6. On SRV1, verify that the file **USMT.MIG** was created in the **C:\MigData\PC1\USMT** directory. See the following example: ``` @@ -585,18 +589,24 @@ At a high level, the computer replace process consists of:
``` Disable-NetAdapter "Ethernet 2" -Confirm:$false ``` + + >As mentioned previously, ensure that you disable the **external** network adapter, and wait for the command to complete before proceeding. + + 3. Start and connect to PC3 by typing the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: ``` Start-VM PC3 vmconnect localhost PC3 ``` + 4. When prompted, press ENTER for network boot. -6. On PC3, ue the following settings for the Windows Deployment Wizard: +6. On PC3, use the following settings for the Windows Deployment Wizard: - **Task Sequence**: Windows 10 Enterprise x64 Custom Image - **Move Data and Settings**: Do not move user data and settings - - **User Data (Restore)**: Specify a location: **\\SRV1\MigData$\PC1** + - **User Data (Restore)**: Specify a location: **\\\\SRV1\MigData$\PC1** + 5. When OS installation has started on PC1, re-enable the external network adapter on SRV1 by typing the following command on SRV1: ``` @@ -606,7 +616,9 @@ At a high level, the computer replace process consists of:
8. When PC3 has completed installing the OS, sign in to PC3 using the contoso\administrator account. When the PC completes updating, click **Finish**. -9. Verify that settings have been migrated from PC1, and then shut down PC3 in preparation for the next procedure. +9. Verify that settings have been migrated from PC1. This completes demonstration of the replace procedure. + +10. Shut down PC3 in preparation for the [next](windows-10-poc-sc-config-mgr.md) procedure. ## Troubleshooting logs, events, and utilities diff --git a/windows/deploy/windows-10-poc-sc-config-mgr.md b/windows/deploy/windows-10-poc-sc-config-mgr.md index d9278a15c5..ff0b497b45 100644 --- a/windows/deploy/windows-10-poc-sc-config-mgr.md +++ b/windows/deploy/windows-10-poc-sc-config-mgr.md @@ -163,8 +163,8 @@ Topics and procedures in this guide are summarized in the following table. An es adsiedit.msc ``` -6. Right-click **ADSI Edit**, click **Connect to**, select **Default** under **Computer** and then click **OK**. -7. Expand **Default naming context**>**DC=contoso,DC=com**, right-click **CN=System**, point to **New**, and then click **Object**. +6. Right-click **ADSI Edit**, click **Connect to**, select **Default (Domain or server that you logged in to)** under **Computer** and then click **OK**. +7. Expand **Default naming context**>**DC=contoso,DC=com**, and then in the console tree right-click **CN=System**, point to **New**, and then click **Object**. 8. Click **container** and then click **Next**. 9. Next to **Value**, type **System Management**, click **Next**, and then click **Finish**. 10. Right-click **CN=system Management** and then click **Properties**. @@ -194,7 +194,7 @@ Topics and procedures in this guide are summarized in the following table. An es - **Settings Summary**: Review settings and click **Next**. - **Prerequisite Check**: No failures should be listed. Ignore any warnings and click **Begin Install**. - >There should be at most three warnings present: WSUS on site server, configuration for SQL Server memory usage, and SQL Server process memory allocation. These warnings can safely be ignored. + >There should be at most three warnings present: WSUS on site server, configuration for SQL Server memory usage, and SQL Server process memory allocation. These warnings can safely be ignored in this test environment. Depending on the speed of the Hyper-V host and resources allocated to SRV1, installation can require approximately one hour. Click **Close** when installation is complete. @@ -207,7 +207,7 @@ Topics and procedures in this guide are summarized in the following table. An es ## Download MDOP and install DaRT -1. Download the [Microsoft Desktop Optimization Pack 2015](https://msdn.microsoft.com/en-us/subscriptions/downloads/#ProductFamilyId=597) to the Hyper-V host using an MSDN subscription. Download the .ISO file (mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso) to the C:\VHD directory on the Hyper-V host. +1. Download the [Microsoft Desktop Optimization Pack 2015](https://msdn.microsoft.com/en-us/subscriptions/downloads/#ProductFamilyId=597) to the Hyper-V host using an MSDN subscription. Download the .ISO file (mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso, 2.79 GB) to the C:\VHD directory on the Hyper-V host. 2. Type the following command at an elevated Windows PowerShell prompt on the Hyper-V host to mount the MDOP file on SRV1: @@ -292,19 +292,19 @@ This section contains several procedures to support Zero Touch installation with 2. In the System Center Configuration Manager console, in the **Administration** workspace, click **Distribution Points**. 3. In the display pane, right-click **SRV1.CONTOSO.COM** and then click **Properties**. 4. On the PXE tab, select the following settings: - - Enable PXE support for clients. Click **Yes** in the popup that appears. - - Allow this distribution point to respond to incoming PXE requests - - Enable unknown computer support. Click **OK** in the popup that appears. - - Require a password when computers use PXE - - Password and Confirm password: pass@word1 - - Respond to PXE requests on specific network interfaces: Click the yellow starburst and then enter the MAC address determined in the first step of this procedure. + - **Enable PXE support for clients**. Click **Yes** in the popup that appears. + - **Allow this distribution point to respond to incoming PXE requests** + - **Enable unknown computer support**. Click **OK** in the popup that appears. + - **Require a password when computers use PXE** + - **Password** and **Confirm password**: pass@word1 + - **Respond to PXE requests on specific network interfaces**: Click the yellow starburst and then enter the MAC address determined in the first step of this procedure. See the following example:
5. Click **OK**.
-6. Type the following command at an elevated Windows PowerShell prompt on SRV1, and verify that the files displayed are present:
+6. Wait for a minute, then type the following command at an elevated Windows PowerShell prompt on SRV1, and verify that the files displayed are present:
```
cmd /c dir /b C:\RemoteInstall\SMSBoot\x64
@@ -340,7 +340,7 @@ This section contains several procedures to support Zero Touch installation with
>You can open C:\Sources\OSD\Branding\contoso.bmp in MSPaint.exe if desired to customize this image.
-## Create a boot image for Configuration Manager
+### Create a boot image for Configuration Manager
1. In the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Boot Images**, and then click **Create Boot Image using MDT**.
2. On the Package Source page, under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\Boot\Zero Touch WinPE x64**, and then click **Next**.
@@ -357,13 +357,15 @@ This section contains several procedures to support Zero Touch installation with
```
Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe'
```
- >In the trace tool, click **Tools** on the menu and choose **Find**. Search for "**STATMSG: ID=2301**". For example:
+
+ In the trace tool, click **Tools** on the menu and choose **Find**. Search for "**STATMSG: ID=2301**". For example:
- ```
- STATMSG: ID=2301 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=SRV1.CONTOSO.COM SITE=PS1 PID=2476 TID=4636 GMTDATE=Wed Sep 14 22:11:09.363 2016 ISTR0="Configuration Manager Client Upgrade Package" ISTR1="PS100003" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=400 AVAL0="PS100003" SMS_DISTRIBUTION_MANAGER 9/14/2016 3:11:09 PM 4636 (0x121C)
- ```
-11. You can also review status by clicking the **Zero Touch WinPE x64** image, and then clicking **Content Status** under **Related Objects** in the bottom right-hand corner of the console, or by entering **\Monitoring\Overview\Distribution Status\Content Status** on the location bar in the console. Doublt-click **Zero Touch WinPE x64** under **Content Status** in the console tree and verify that a status of **Successfully distributed content** is displayed on the **Success** tab.
-12. In the **Software Library** workspace, double-click **Zero Touch WinPE x64** and then click the **Data Source** tab.
+ ```
+ STATMSG: ID=2301 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=SRV1.CONTOSO.COM SITE=PS1 PID=2476 TID=4636 GMTDATE=Wed Sep 14 22:11:09.363 2016 ISTR0="Configuration Manager Client Upgrade Package" ISTR1="PS100003" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=400 AVAL0="PS100003" SMS_DISTRIBUTION_MANAGER 9/14/2016 3:11:09 PM 4636 (0x121C)
+ ```
+
+11. You can also review status by clicking the **Zero Touch WinPE x64** image, and then clicking **Content Status** under **Related Objects** in the bottom right-hand corner of the console, or by entering **\Monitoring\Overview\Distribution Status\Content Status** on the location bar in the console. Double-click **Zero Touch WinPE x64** under **Content Status** in the console tree and verify that a status of **Successfully distributed content** is displayed on the **Success** tab.
+12. Next, in the **Software Library** workspace, double-click **Zero Touch WinPE x64** and then click the **Data Source** tab.
13. Select the **Deploy this boot image from the PXE-enabled distribution point** checkbox, and click **OK**.
14. Review the distmgr.log file again for "**STATMSG: ID=2301**" and verify that there are three folders under **C:\RemoteInstall\SMSImages** with boot images. See the following example:
@@ -380,7 +382,7 @@ This section contains several procedures to support Zero Touch installation with
>The first two images (*.wim files) are default boot images. The third is the new boot image with DaRT.
-## Create a Windows 10 reference image
+### Create a Windows 10 reference image
If you have already completed steps in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) then you have already created a Windows 10 reference image. In this case, skip to the next procedure in this guide: [Add a Windows 10 operating system image](#add-a-windows-10-operating-system-image). If you have not yet created a Windows 10 reference image, complete the steps in this section.
@@ -534,7 +536,7 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi
This step requires from 30 minutes to 2 hours, depending on the speed of the Hyper-V host and your network's download speed. After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep. The image is located in the C:\MDTBuildLab\Captures folder on SRV1. The file name is **REFW10X64-001.wim**.
-## Add a Windows 10 operating system image
+### Add a Windows 10 operating system image
1. Type the following commands at an elevated Windows PowerShell prompt on SRV1:
@@ -553,11 +555,11 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi
6. In the Distribute Content Wizard, click **Next**, click **Add**, click **Distribution Point**, add the **SRV1.CONTOSO.COM** distribution point, click **OK**, click **Next** twice and then click **Close**.
-7. Enter **\Monitoring\Overview\Distribution Status\Content Status** on the location bar, click **Windows 10 Enterprise x64**, and monitor the status of content distribution until it is successful and no longer in progress. Refresh the view with the F5 key or by right-clicking **Windows 10 Enterprise x64** and clicking **Refresh**. Processing of the image on the site server can take several minutes.
+7. Enter **\Monitoring\Overview\Distribution Status\Content Status** on the location bar (be sure there is no space at the end of the location or you will get an error), click **Windows 10 Enterprise x64**, and monitor the status of content distribution until it is successful and no longer in progress. Refresh the view with the F5 key or by right-clicking **Windows 10 Enterprise x64** and clicking **Refresh**. Processing of the image on the site server can take several minutes.
>If content distribution is not successful, verify that sufficient disk space is available.
-## Create a task sequence
+### Create a task sequence
>Complete this section slowly. There are a large number of similar settings from which to choose.
@@ -567,37 +569,37 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi
3. On the General page, type **Windows 10 Enterprise x64** under **Task sequence name:** and then click **Next**.
-4. On the Details page, enter the following settings:
- - Join a domain: contoso.com
- - Account: click **Set**
- - User name: contoso\CM_JD
- - Password: pass@word1
- - Confirm password: pass@word1
- - Click **OK**
- - Windows Settings
- - User name: Contoso
- - Organization name: Contoso
- - Product key: \
- - Administrator Account: Enable the account and specify the local administrator password
- - Password: pass@word1
- - Confirm password: pass@word1
- - Click Next
+4. On the Details page, enter the following settings: + - Join a domain: **contoso.com** + - Account: click **Set** + - User name: **contoso\CM_JD** + - Password: **pass@word1** + - Confirm password: **pass@word1** + - Click **OK** + - Windows Settings + - User name: **Contoso** + - Organization name: **Contoso** + - Product key: \
+ - Administrator Account: **Enable the account and specify the local administrator password**
+ - Password: **pass@word1**
+ - Confirm password: **pass@word1**
+ - Click **Next**
5. On the Capture Settings page, accept the default settings and click **Next**.
-6. On the Boot Image page, browse and select the **Zero Touch WinPE x64** boot image package and then click **Next**.
+6. On the Boot Image page, browse and select the **Zero Touch WinPE x64** boot image package, click **OK**, and then click **Next**.
-7. On the MDT Package page, select **Create a new Microsoft Deployment Toolkit Files package**, under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\MDT\MDT 2013**, and then click **Next**.
+7. On the MDT Package page, select **Create a new Microsoft Deployment Toolkit Files package**, under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\MDT\MDT** (MDT is repeated here, not a typo), and then click **Next**.
-8. On the MDT Details page, next to **Name:** type **MDT 2013** and then click **Next**.
+8. On the MDT Details page, next to **Name:** type **MDT** and then click **Next**.
-9. On the OS Image page, browse and select the **Windows 10 Enterprise x64** package, and then click **Next**.
+9. On the OS Image page, browse and select the **Windows 10 Enterprise x64** package, click **OK**, and then click **Next**.
10. On the Deployment Method page, accept the default settings for **Zero Touch Installation** and click **Next**.
-11. On the Client Package page, browse and select the **Microsoft Corporation Configuration Manager Client package** and then click **Next**.
+11. On the Client Package page, browse and select the **Microsoft Corporation Configuration Manager Client package**, click **OK**, and then click **Next**.
-12. On the USMT Package page, browse and select the **Microsoft Corporation User State Migration Tool for Windows 8 10.0.14393.0** package, and then click **Next**.
+12. On the USMT Package page, browse and select the **Microsoft Corporation User State Migration Tool for Windows 10.0.14393.0** package, click **OK**, and then click **Next**.
13. On the Settings Package page, select **Create a new settings package**, and under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\Settings\Windows 10 x64 Settings**, and then click **Next**.
@@ -640,7 +642,7 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi
- Click **OK**
. -## Finalize the operating system configuration +### Finalize the operating system configuration >If you completed all procedures in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) then the MDT deployment share is already present on SRV1. In this case, skip the first four steps below and begin with step 5 to edit CustomSettings.ini. @@ -670,7 +672,7 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi [Settings] Priority=Default Properties=OSDMigrateConfigFiles,OSDMigrateMode - + [Default] DoCapture=NO ComputerBackupLocation=NONE @@ -681,6 +683,14 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi EventService=http://SRV1:9800 ApplyGPOPack=NO ``` + + >As noted previously, if you wish to migrate accounts other than those in the Contoso domain, then change the OSDMigrateAdditionalCaptureOptions option. For example, the following option will capture settings from all user accounts: + + ``` + OSDMigrateAdditionalCaptureOptions=/all + ``` + + 7. Return to the Configuration Manager console, and in the Software Library workspace, expand **Application Management**, click **Packages**, right-click **Windows 10 x64 Settings**, and then click **Update Distribution Points**. Click **OK** in the popup that appears. 8. In the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then click **Distribute Content**. @@ -705,6 +715,8 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi ## Deploy Windows 10 using PXE and Configuration Manager +In this first deployment scenario, we will deploy Windows 10 using PXE. This scenario creates a new computer that does not have any migrated users or settings. + 1. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: ``` @@ -718,7 +730,7 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi 3. In the Task Sequence Wizard, provide the password: **pass@word1**, and then click **Next**. -4. Before you click Next in the Task Sequence Wizard, press the **F8** key. A command prompt will open. +4. Before you click **Next** in the Task Sequence Wizard, press the **F8** key. A command prompt will open. 5. At the command prompt, type **explorer.exe** and review the Windows PE file structure. @@ -745,6 +757,7 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi - Join the computer to the contoso.com domain - Install any applications that were specified in the reference image + 12. When Windows 10 installation has completed, sign in to PC4 using the **contoso\administrator** account. 13. Right-click **Start**, click **Run**, type **control appwiz.cpl**, press ENTER, click Turn Windows features on or off, and verify that **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** is installed. This is a feature included in the reference image. @@ -927,7 +940,7 @@ vmconnect localhost PC1 - Task sequence comments: **USMT backup only** 4. Click **Next**, and on the Boot Image page, browse and select the **Zero Touch WinPE x64** boot image package. Click **OK** and then click **Next** to continue. -5. On the MDT Package page, browse and select the **MDT 2013** package. Click **OK** and then click **Next** to continue. +5. On the MDT Package page, browse and select the **MDT** package. Click **OK** and then click **Next** to continue. 6. On the USMT Package page, browse and select the **Microsoft Corporation User State Migration Tool for Windows** package. Click **OK** and then click **Next** to continue. 7. On the Settings Package page, browse and select the **Windows 10 x64 Settings** package. Click **OK** and then click **Next** to continue. 8. On the Summary page, review the details and then click **Next**. diff --git a/windows/keep-secure/bcd-settings-and-bitlocker.md b/windows/keep-secure/bcd-settings-and-bitlocker.md index 66ca07b626..ccd9afd831 100644 --- a/windows/keep-secure/bcd-settings-and-bitlocker.md +++ b/windows/keep-secure/bcd-settings-and-bitlocker.md @@ -131,7 +131,6 @@ This following is a full list of BCD settings with friendly names which are igno | 0x15000052 | all| graphicsresolution| | 0x15000065 | all| displaymessage| | 0x15000066| all| displaymessageoverride| -| 0x15000081 | all| logcontrol| | 0x16000009 | all| recoveryenabled| | 0x1600000b | all| badmemoryaccess| | 0x1600000f | all| traditionalkseg| diff --git a/windows/keep-secure/bitlocker-countermeasures.md b/windows/keep-secure/bitlocker-countermeasures.md index 89261d666c..5cf31239ce 100644 --- a/windows/keep-secure/bitlocker-countermeasures.md +++ b/windows/keep-secure/bitlocker-countermeasures.md @@ -115,7 +115,11 @@ Windows 10 uses Trusted Boot on any hardware platform: It requires neither UEFI Because UEFI-based Secure Boot has protected the bootloader and Trusted Boot has protected the Windows kernel or other Windows startup components, the next opportunity for malware to start is by infecting a non-Microsoft boot-related driver. Traditional antimalware apps don’t start until after the boot-related drivers have been loaded, giving a rootkit disguised as a driver the opportunity to work. -The purpose of ELAM is to load an antimalware driver before drivers that are flagged as boot-start can be executed. This approach provides the ability for an antimalware driver to register as a trusted boot-critical driver. It is launched during the Trusted Boot process, and with that, Windows ensures that it is loaded before any other non-Microsoft software. +Early Launch Antimalware (ELAM) is designed to enable the antimalware solution to start before all non-Microsoft drivers and apps. ELAM checks the integrity of non-Microsoft drivers to determine whether the drivers are trustworthy. Because Windows needs to start as fast as possible, ELAM cannot be a complicated process of checking the driver files against known malware signatures. Instead, ELAM has the simple task of examining every boot driver and determining whether it is on the list of trusted drivers. If malware modifies a boot-related driver, ELAM will detect the change, and Windows will prevent the driver from starting, thus blocking driver-based rootkits. ELAM also allows the registered antimalware provider to scan drivers that are loaded after the boot process is complete. + +Windows Defender in Windows 10 supports ELAM, as do Microsoft System Center 2012 Endpoint Protection and non-Microsoft antimalware apps. + +To do this, ELAM loads an antimalware driver before drivers that are flagged as boot-start can be executed. This approach provides the ability for an antimalware driver to register as a trusted boot-critical driver. It is launched during the Trusted Boot process, and with that, Windows ensures that it is loaded before any other non-Microsoft software. With this solution in place, boot drivers are initialized based on the classification that the ELAM driver returns according to an initialization policy. IT pros have the ability to change this policy through Group Policy. ELAM classifies drivers as follows: diff --git a/windows/keep-secure/bitlocker-group-policy-settings.md b/windows/keep-secure/bitlocker-group-policy-settings.md index 26cadf522b..c0112dcf47 100644 --- a/windows/keep-secure/bitlocker-group-policy-settings.md +++ b/windows/keep-secure/bitlocker-group-policy-settings.md @@ -32,6 +32,7 @@ The following sections provide a comprehensive list of BitLocker Group Policy se The following policy settings can be used to determine how a BitLocker-protected drive can be unlocked. +- [Allow devices with Secure Boot and protect DMS ports to opt out of preboot PIN](#bkmk-hstioptout) - [Allow network unlock at startup](#bkmk-netunlock) - [Require additional authentication at startup](#bkmk-unlockpol1) - [Allow enhanced PINs for startup](#bkmk-unlockpol2) @@ -85,6 +86,55 @@ The following policies are used to support customized deployment scenarios in yo - [Allow access to BitLocker-protected fixed data drives from earlier versions of Windows](#bkmk-depopt4) - [Allow access to BitLocker-protected removable data drives from earlier versions of Windows](#bkmk-depopt5) +### Allow devices with Secure Boot and protect DMS ports to opt out of preboot PIN + +This policy setting allows users on devices that are compliant with InstantGo or the Microsoft Hardware Security Test Interface (HSTI) to not have a PIN for preboot authentication. + +
+
+
+**Reference**
+
+The preboot authentication option Require startup PIN with TPM of the [Require additional authentication at startup](#bkmk-unlockpol1) policy is often enabled to help ensure security for older devices that do not support InstantGo.
+But visually impaired users have no audible way to know when to enter a PIN.
+This setting enables an exception to the PIN-required policy on secure hardware.
+
### Allow network unlock at startup
This policy controls a portion of the behavior of the Network Unlock feature in BitLocker. This policy is required to enable BitLocker Network Unlock on a network because it allows clients running BitLocker to create the necessary network key protector during encryption. This policy is used in addition to the BitLocker Drive Encryption Network Unlock Certificate security policy (located in the **Public Key Policies** folder of Local Computer Policy) to allow systems that are connected to a trusted network to properly utilize the Network Unlock feature.
diff --git a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
index 8b193b46c6..33563eea6f 100644
--- a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
@@ -45,14 +45,14 @@ You can use System Center Configuration Manager’s existing functionality to cr
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOnboardingScript.cmd*.
-3. Import the configuration package by following the steps in the [How to Create Packages and Programs in Configuration Manager](https://technet.microsoft.com/library/gg682112.aspx#BKMK_Import) topic.
+3. Onboard your devices using SCCM by following the steps in the [Onboard devices to Windows Defender ATP](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/windows-defender-advanced-threat-protection#onboard-devices-for-windows-defender-atp) topic.
4. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/library/gg682178.aspx) topic.
a. Choose a predefined device collection to deploy the package to.
> [!NOTE]
-> Onboarding couldn't be completed during Out-Of-Box Experience (OOBE). Make sure users pass OOBE after running Windows installation or upgrading.
+> Windows Defender ATP doesn't support onboarding during the [Out-Of-Box Experience (OOBE)](https://answers.microsoft.com/en-us/windows/wiki/windows_10/how-to-complete-the-windows-10-out-of-box/47e3f943-f000-45e3-8c5c-9d85a1a0cf87) phase. Make sure users complete OOBE after running Windows installation or upgrading.
### Configure sample collection settings
diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md
index 9d3a33d12c..8c70f3782d 100644
--- a/windows/keep-secure/credential-guard.md
+++ b/windows/keep-secure/credential-guard.md
@@ -85,7 +85,7 @@ Applications may cause performance issues when they attempt to hook the isolated
The following tables provide more information about the hardware, firmware, and software required for deployment of Credential Guard. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, available in 2016, and announced as options for 2017.
> [!NOTE]
-> For new computers running Windows 10, Trusted Platform Module (TPM 2.0) must be enabled by default. This requirement is not restated in the tables that follow.
+> Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new computers. This requirement is not restated in the tables that follow.
> If you are an OEM, see the requirements information at [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx).
> Starting in Widows 10, 1607, TPM 2.0 is required. @@ -94,11 +94,11 @@ The following tables provide more information about the hardware, firmware, and |Baseline Protections | Description | |---------------------------------------------|----------------------------------------------------| | Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. | -| Hardware: **CPU virtualization extensions**,
plus **extended page tables** | **Requirements**: These hardware features are required for VBS:
One of the following virtualization extensions:
- VT-x (Intel) or
- AMD-V
And:
- Extended page tables, also called Second Level Address Translation (SLAT).
**Security benefits**: VBS provides isolation of secure kernel from normal operating system. Vulnerabilities and Day 0s in normal operating system cannot be exploited because of this isolation. | +| Hardware: **CPU virtualization extensions**,
plus **extended page tables** | **Requirements**: These hardware features are required for VBS:
One of the following virtualization extensions:
• VT-x (Intel) or
• AMD-V
And:
• Extended page tables, also called Second Level Address Translation (SLAT).
**Security benefits**: VBS provides isolation of secure kernel from normal operating system. Vulnerabilities and Day 0s in normal operating system cannot be exploited because of this isolation. | | Hardware: **Trusted Platform Module (TPM)** | **Requirement**: TPM 1.2 or TPM 2.0, either discrete or firmware.
**Security benefits**: A TPM provides protection for VBS encryption keys that are stored in the firmware. This helps protect against attacks involving a physically present user with BIOS access. | | Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)
**Security benefits**: UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. | | Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).
**Security benefits**: UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. | -| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT
**Security benefits**: Support for VBS and for management features that simplify configuration of Credential Guard. | +| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise
**Security benefits**: Support for VBS and for management features that simplify configuration of Credential Guard. | > [!IMPORTANT] > The preceding table lists requirements for baseline protections. The following tables list requirements for improved security. You can use Credential Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security to significantly strengthen the level of security that Credential Guard can provide. @@ -108,8 +108,8 @@ The following tables provide more information about the hardware, firmware, and | Protections for Improved Security | Description | |---------------------------------------------|----------------------------------------------------| | Hardware: **IOMMU** (input/output memory management unit) | **Requirement**: VT-D or AMD Vi IOMMU
**Security benefits**: An IOMMU can enhance system resiliency against memory attacks. For more information, see [ACPI description tables](https://msdn.microsoft.com/windows/hardware/drivers/bringup/acpi-system-description-tables). | -| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
- BIOS password or stronger authentication must be supported.
- In the BIOS configuration, BIOS authentication must be set.
- There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
- In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.
**Security benefits**:
- BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.
- Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. | -| Firmware: **Secure MOR implementation** | **Requirement**: Secure MOR implementation
**Security benefits**: A secure MOR bit prevents advanced memory attacks. For more information, see [Secure MOR implementation](https://msdn.microsoft.com/windows/hardware/drivers/bringup/device-guard-requirements). | +| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
• BIOS password or stronger authentication must be supported.
• In the BIOS configuration, BIOS authentication must be set.
• There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
• In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.
**Security benefits**:
• BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.
• Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. | +| Firmware: **Secure MOR, revision 2 implementation** | **Requirement**: Secure MOR, revision 2 implementation
**Security benefits**: A secure MOR bit prevents advanced memory attacks. For more information, see [Secure MOR implementation](https://msdn.microsoft.com/windows/hardware/drivers/bringup/device-guard-requirements). |
@@ -120,17 +120,20 @@ The following tables provide more information about the hardware, firmware, and | Protections for Improved Security | Description | |---------------------------------------------|----------------------------------------------------| -| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:
Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)
- The Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332(v=vs.85).aspx).
**Security benefits**:
- Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
- HSTI provides additional security assurance for correctly secured silicon and platform. | +| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:
Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)
• The Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332(v=vs.85).aspx).
**Security benefits**:
• Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
• HSTI provides additional security assurance for correctly secured silicon and platform. | | Firmware: **Firmware Update through Windows Update** | **Requirements**: Firmware must support field updates through Windows Update and UEFI encapsulation update.
**Security benefits**: Helps ensure that firmware updates are fast, secure, and reliable. | -| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
- Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
- Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.
**Security benefits**:
- Enterprises can choose to allow proprietary EFI drivers/applications to run.
- Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. | +| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
• Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
• Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.
**Security benefits**:
• Enterprises can choose to allow proprietary EFI drivers/applications to run.
• Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. |
-#### 2017 Additional Security Recommendations (starting with the next major release of Windows 10) +#### 2017 Additional security requirements starting with Windows 10, version 1703 + +The following table lists requirements for Windows 10, version 1703, which are in addition to all preceding requirements. | Protection for Improved Security | Description | |---------------------------------------------|----------------------------------------------------| -| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.
**Security benefits**:
- Protects against potential vulnerabilities in UEFI runtime in functions such as Update Capsule, Set Variables, and so on, so they can't compromise VBS.
- Reduces attack surface to VBS from system firmware.
- Blocks additional security attacks against SMM. | +| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:
• VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be exceutable.
• UEFI runtime service must meet these requirements:
- Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
- PE sections need to be page-aligned in memory (not required for in non-volitile storage).
- The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
- All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
- No entries may be left with neither of the above attributes, indicating memory that is both exceutable and writable. Memory must be either readable and executable or writeable and non-executable.
Please also note the following:
• Do not use sections that are both writeable and exceutable
• Do not attempt to directly modify executable system memory
• Do not use dynamic code
**Security benefits**:
• Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware. | +| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.
**Security benefits**:
• Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware.
• Blocks additional security attacks against SMM. | ## Manage Credential Guard @@ -178,11 +181,11 @@ You can do this by using either the Control Panel or the Deployment Image Servic 1. Open an elevated command prompt. 2. Add the Hyper-V Hypervisor by running the following command: - ``` syntax + ``` dism /image: /Enable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /all
```
3. Add the Isolated User Mode feature by running the following command:
- ``` syntax
+ ```
dism /image: /Enable-Feature /FeatureName:IsolatedUserMode
```
@@ -211,7 +214,7 @@ You can do this by using either the Control Panel or the Deployment Image Servic
You can also enable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
```
-DG_Readiness_Tool_v2.0.ps1 -Enable -AutoReboot
+DG_Readiness_Tool_v3.0.ps1 -Enable -AutoReboot
```
#### Credential Guard deployment in virtual machines
@@ -280,7 +283,7 @@ For more info on virtualization-based security and Device Guard, see [Device Gua
You can also disable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
```
-DG_Readiness_Tool_v2.0.ps1 -Disable -AutoReboot
+DG_Readiness_Tool_v3.0.ps1 -Disable -AutoReboot
```
### Check that Credential Guard is running
@@ -298,7 +301,7 @@ You can use System Information to ensure that Credential Guard is running on a P
You can also check that Credential Guard is running by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
```
-DG_Readiness_Tool_v2.0.ps1 -Ready
+DG_Readiness_Tool_v3.0.ps1 -Ready
```
## Considerations when using Credential Guard
@@ -314,7 +317,7 @@ DG_Readiness_Tool_v2.0.ps1 -Ready
- **Event ID 17** Error reading Credential Guard (LsaIso.exe) UEFI configuration: \[error code\]
You can also verify that TPM is being used for key protection by checking the following event in the **Microsoft** -> **Windows** -> **Kernel-Boot** event source. If you are running with a TPM, the TPM PCR mask value will be something other than 0.
- **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0.
-- Passwords are still weak so we recommend that your organization deploy Credential Guard and move away from passwords and to other authentication methods, such as physical smart cards, virtual smart cards, Microsoft Passport, or Microsoft Passport for Work.
+- Passwords are still weak so we recommend that your organization deploy Credential Guard and move away from passwords and to other authentication methods, such as physical smart cards, virtual smart cards, or Windows Hello for Business.
- Some 3rd party Security Support Providers (SSPs and APs) might not be compatible with Credential Guard. Credential Guard does not allow 3rd party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs are not supported. We recommend that custom implementations of SSPs/APs are tested against Credential Guard to ensure that the SSPs and APs do not depend on any undocumented or unsupported behaviors. For example, using the KerbQuerySupplementalCredentialsMessage API is not supported. You should not replace the NTLM or Kerberos SSPs with custom SSPs and APs. For more info, see [Restrictions around Registering and Installing a Security Package](http://msdn.microsoft.com/library/windows/desktop/dn865014.aspx) on MSDN.
- As the depth and breadth of protections provided by Credential Guard are increased, subsequent releases of Windows 10 with Credential Guard running may impact scenarios that were working in the past. For example, Credential Guard may block the use of a particular type of credential or a particular component to prevent malwar efrom taking advantage of vulnerabilities. Therefore, we recommend that scenarios required for operations in an organization are tested before upgrading a device that has Credential Guard running.
diff --git a/windows/keep-secure/deploy-code-integrity-policies-policy-rules-and-file-rules.md b/windows/keep-secure/deploy-code-integrity-policies-policy-rules-and-file-rules.md
index e61e798a6f..e1046621fc 100644
--- a/windows/keep-secure/deploy-code-integrity-policies-policy-rules-and-file-rules.md
+++ b/windows/keep-secure/deploy-code-integrity-policies-policy-rules-and-file-rules.md
@@ -14,7 +14,7 @@ author: brianlic-msft
- Windows 10
- Windows Server 2016
-Code integrity policies maintain the standards by which a computer running Windows 10 determines whether an application is trustworthy and can be run. For an overview of code integrity, see:
+Code integrity policies provide control over a computer running Windows 10 by specifying whether a driver or application is trusted and can be run. For an overview of code integrity, see:
- [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats) in "Introduction to Device Guard: virtualization-based security and code integrity policies."
- [Code integrity policy formats and signing](requirements-and-deployment-planning-guidelines-for-device-guard.md#code-integrity-policy-formats-and-signing) in "Requirements and deployment planning guidelines for Device Guard."
@@ -23,7 +23,7 @@ If you already understand the basics of code integrity policy and want procedure
This topic includes the following sections:
- [Overview of the process of creating code integrity policies](#overview-of-the-process-of-creating-code-integrity-policies): Helps familiarize you with the process described in this and related topics.
-- [Code integrity policy rules](#code-integrity-policy-rules): Describes one key element you specify in a policy, the *policy rules*, which control options such as audit mode or whether UMCI is enabled in a code integrity policy.
+- [Code integrity policy rules](#code-integrity-policy-rules): Describes one key element you specify in a policy, the *policy rules*, which control options such as audit mode or whether user mode code integrity (UMCI) is enabled in a code integrity policy.
- [Code integrity file rule levels](#code-integrity-file-rule-levels): Describes the other key element you specify in a policy, the *file rules* (or *file rule levels*), which specify the level at which applications will be identified and trusted.
- [Example of file rule levels in use](#example-of-file-rule-levels-in-use): Gives an example of how file rule levels can be applied.
@@ -31,7 +31,7 @@ This topic includes the following sections:
A common system imaging practice in today’s IT organization is to establish a “golden” image as a reference for what an ideal system should look like, and then use that image to clone additional company assets. Code integrity policies follow a similar methodology, that begins with the establishment of a golden computer. As with imaging, you can have multiple golden computers based on model, department, application set, and so on. Although the thought process around the creation of code integrity policies is similar to imaging, these policies should be maintained independently. Assess the necessity of additional code integrity policies based on what should be allowed to be installed and run and for whom. For more details on doing this assessment, see the planning steps in [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md).
-> **Note** Each computer can have only **one** code integrity policy at a time. Whichever way you deploy this policy, it is renamed to SIPolicy.p7b and copied to C:\\Windows\\System32\\CodeIntegrity. Keep this in mind when you create your code integrity policies.
+> **Note** Each computer can have only **one** code integrity policy at a time. Whichever way you deploy this policy, it is renamed to SIPolicy.p7b and copied to **C:\\Windows\\System32\\CodeIntegrity** and, for UEFI computers, **<EFI System Partition>\\Microsoft\\Boot**. Keep this in mind when you create your code integrity policies.
Optionally, code integrity policies can align with your software catalog as well as any IT department–approved applications. One straightforward method to implement code integrity policies is to use existing images to create one master code integrity policy. You do so by creating a code integrity policy from each image, and then by merging the policies. This way, what is installed on all of those images will be allowed to run, if the applications are installed on a computer based on a different image. Alternatively, you may choose to create a base applications policy and add policies based on the computer’s role or department. Organizations have a choice of how their policies are created, merged or serviced, and managed.
@@ -43,10 +43,12 @@ Code integrity policies include *policy rules*, which control options such as au
To modify the policy rule options of an existing code integrity policy, use the [Set-RuleOption](https://technet.microsoft.com/library/mt634483.aspx) Windows PowerShell cmdlet. Note the following examples of how to use this cmdlet to add and remove a rule option on an existing code integrity policy:
-- To enable UMCI, add rule option 0 to an existing policy by running the following command:
+- To ensure that UMCI is enabled for a code integrity policy that was created with the `-UserPEs` (user mode) option, add rule option 0 to an existing policy by running the following command:
` Set-RuleOption -FilePath -Option 0`
+ Note that a policy that was created without the `-UserPEs` option is empty of user mode executables, that is, applications. If you enable UMCI (Option 0) for such a policy and then attempt to run an application, Device Guard will see that the application is not on its list (which is empty of applications), and respond. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application. To create a policy that includes user mode executables (applications), when you run `New-CIPolicy`, include the `-UserPEs` option.
+
- To disable UMCI on an existing code integrity policy, delete rule option 0 by running the following command:
` Set-RuleOption -FilePath -Option 0 -Delete`
diff --git a/windows/keep-secure/deploy-code-integrity-policies-steps.md b/windows/keep-secure/deploy-code-integrity-policies-steps.md
index 2febd90862..19608b040d 100644
--- a/windows/keep-secure/deploy-code-integrity-policies-steps.md
+++ b/windows/keep-secure/deploy-code-integrity-policies-steps.md
@@ -38,11 +38,11 @@ To create a code integrity policy, copy each of the following commands into an e
> **Notes**
- > - By specifying the *–UserPEs* parameter, rule option **0 Enabled:UMCI** is automatically added to the code integrity policy. If you do not specify this parameter, to enable UMCI, use [Set-RuleOption](https://technet.microsoft.com/library/mt634483.aspx) as shown in the following command:
**Set-RuleOption -FilePath $InitialCIPolicy -Option 0** + > - When you specify the **-UserPEs** parameter (to include user mode executables in the scan), rule option **0 Enabled:UMCI** is automatically added to the code integrity policy. In contrast, if you do not specify **-UserPEs**, the policy will be empty of user mode executables and will only have rules for kernel mode binaries like drivers, in other words, the whitelist will not include applications. If you create such a policy and later add rule option **0 Enabled:UMCI**, all attempts to start applications will cause a response from Device Guard. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application. + + > - You can add the **-Fallback** parameter to catch any applications not discovered using the primary file rule level specified by the **-Level** parameter. For more information about file rule level options, see [Code integrity file rule levels](deploy-code-integrity-policies-policy-rules-and-file-rules.md#code-integrity-file-rule-levels) in “Deploy code integrity policies: policy rules and file rules.” - > - You can add the *–Fallback* parameter to catch any applications not discovered using the primary file rule level specified by the *–Level* parameter. For more information about file rule level options, see [Code integrity file rule levels](deploy-code-integrity-policies-policy-rules-and-file-rules.md#code-integrity-file-rule-levels) in “Deploy code integrity policies: policy rules and file rules.” - - > - To specify that the code integrity policy scan only a specific drive, include the *–ScanPath* parameter followed by a path. Without this parameter, the entire system is scanned. + > - To specify that the code integrity policy scan only a specific drive, include the **-ScanPath** parameter followed by a path. Without this parameter, the entire system is scanned. > - The preceding example includes `3> CIPolicylog.txt`, which redirects warning messages to a text file, **CIPolicylog.txt**. diff --git a/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md b/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md index 9f7be87cbb..b03c8c1332 100644 --- a/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md +++ b/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md @@ -30,10 +30,10 @@ For information about enabling Credential Guard, see [Protect derived domain cre In addition to the hardware requirements found in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard), you must confirm that certain operating system features are enabled before you can enable VBS: -- With Windows 10, version 1607 or Windows Server 2016:
+- Beginning with Windows 10, version 1607 or Windows Server 2016:
Hyper-V Hypervisor, which is enabled automatically. No further action is needed. -- With an earlier version of Windows 10, or Windows Server 2016 Technical Preview 5 or earlier:
+- With an earlier version of Windows 10:
Hyper-V Hypervisor and Isolated User Mode (shown in Figure 1). > **Note** You can configure these features by using Group Policy or Deployment Image Servicing and Management, or manually by using Windows PowerShell or the Windows Features dialog box. @@ -42,12 +42,8 @@ Hyper-V Hypervisor and Isolated User Mode (shown in Figure 1). **Figure 1. Enable operating system features for VBS, Windows 10, version 1511** -After you enable the feature or features, you can enable VBS for Device Guard, as described in the following sections. - ## Enable Virtualization Based Security (VBS) and Device Guard -Before you begin this process, verify that the target device meets the hardware and firmware requirements for the features that you want, as described in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). Also, confirm that you have enabled the Windows features discussed in the previous section, [Windows feature requirements for virtualization-based security](#windows-feature-requirements-for-virtualization-based-security-and-device-guard). - There are multiple ways to configure VBS features for Device Guard: - You can use the [readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337) rather than the procedures in this topic. @@ -68,7 +64,7 @@ There are multiple ways to configure VBS features for Device Guard: 3. Open the Group Policy Management Editor: right-click the new GPO, and then click **Edit**. -4. Within the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard. Right-click **Turn On Virtualization Based Security**, and then click **Edit**. +4. Within the selected GPO, navigate to Computer Configuration\\Policies\\Administrative Templates\\System\\Device Guard. Right-click **Turn On Virtualization Based Security**, and then click **Edit**.  @@ -91,7 +87,7 @@ There are multiple ways to configure VBS features for Device Guard: - With Windows 10, version 1607 or Windows Server 2016, choose an appropriate option:
For an initial deployment or test deployment, we recommend **Enabled without lock**.
When your deployment is stable in your environment, we recommend changing to **Enabled with lock**. This option helps protect the registry from tampering, either through malware or by an unauthorized person. - - With earlier versions of Windows 10, or Windows Server 2016 Technical Preview 5 or earlier:
Select the **Enable Virtualization Based Protection of Code Integrity** check box. + - With earlier versions of Windows 10:
Select the **Enable Virtualization Based Protection of Code Integrity** check box.  @@ -183,7 +179,7 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformS reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f -reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v " Unlocked" /t REG_DWORD /d 1 /f +reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Unlocked" /t REG_DWORD /d 1 /f ``` If you want to customize the preceding recommended settings, use the following settings. @@ -211,7 +207,7 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforc **To enable virtualization-based protection of Code Integrity policies without UEFI lock** ``` command -reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v " Unlocked" /t REG_DWORD /d 1 /f +reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Unlocked" /t REG_DWORD /d 1 /f ``` ### Validate enabled Device Guard hardware-based security features diff --git a/windows/keep-secure/domain-controller-ldap-server-signing-requirements.md b/windows/keep-secure/domain-controller-ldap-server-signing-requirements.md index 10001b50e6..9ef4617e9f 100644 --- a/windows/keep-secure/domain-controller-ldap-server-signing-requirements.md +++ b/windows/keep-secure/domain-controller-ldap-server-signing-requirements.md @@ -22,9 +22,9 @@ This policy setting determines whether the Lightweight Directory Access Protocol Unsigned network traffic is susceptible to man-in-the-middle attacks, where an intruder captures packets between the server and the client device and modifies them before forwarding them to the client device. In the case of an LDAP server, this means that a malicious user can cause a client device to make decisions based on false records from the LDAP directory. You can lower the risk of a malicious user accomplishing this in a corporate network by implementing strong physical security measures to protect the network infrastructure. Furthermore, implementing Internet Protocol security (IPsec) Authentication Header mode, which provides mutual authentication and packet integrity for IP traffic, can make all types of man-in-the-middle attacks extremely difficult. -This setting does not have any impact on LDAP simple bind or LDAP simple bind through SSL. +This setting does not have any impact on LDAP simple bind through SSL (LDAP TCP/636). -If signing is required, then LDAP simple bind and LDAP simple bind through SSL requests are rejected. +If signing is required, then LDAP simple binds not using SSL are rejected (LDAP TCP/389). >**Caution:** If you set the server to Require signature, you must also set the client device. Not setting the client device results in loss of connection with the server. diff --git a/windows/keep-secure/hello-errors-during-pin-creation.md b/windows/keep-secure/hello-errors-during-pin-creation.md index a362e1f253..3d85f75565 100644 --- a/windows/keep-secure/hello-errors-during-pin-creation.md +++ b/windows/keep-secure/hello-errors-during-pin-creation.md @@ -89,7 +89,7 @@ If the error occurs again, check the error code against the following table to s
0x80090035
Policy requires TPM and the device does not have TPM.
-Change the Passport policy to not require a TPM.
+Change the Windows Hello for Business policy to not require a TPM.
0x801C0003
@@ -149,7 +149,7 @@ If the error occurs again, check the error code against the following table to s
0x801C03EA
Server failed to authorize user or device.
-Check if the token is valid and user has permission to register Passport keys.
+Check if the token is valid and user has permission to register Windows Hello for Business keys.
0x801C03EB
diff --git a/windows/keep-secure/hello-identity-verification.md b/windows/keep-secure/hello-identity-verification.md
index a1e391508f..3806b27b42 100644
--- a/windows/keep-secure/hello-identity-verification.md
+++ b/windows/keep-secure/hello-identity-verification.md
@@ -113,9 +113,7 @@ Windows Hello for Business can use either keys (hardware or software) or certifi
[Windows 10: The End Game for Passwords and Credential Theft?](https://go.microsoft.com/fwlink/p/?LinkId=533891)
-[Authenticating identities without passwords through Microsoft Passport](https://go.microsoft.com/fwlink/p/?LinkId=616778)
-
-[Microsoft Passport guide](https://go.microsoft.com/fwlink/p/?LinkId=691928)
+[Authenticating identities without passwords through Windows Hello for Business](https://go.microsoft.com/fwlink/p/?LinkId=616778)
## Related topics
diff --git a/windows/keep-secure/hello-manage-in-organization.md b/windows/keep-secure/hello-manage-in-organization.md
index f2a43b7df1..806905c587 100644
--- a/windows/keep-secure/hello-manage-in-organization.md
+++ b/windows/keep-secure/hello-manage-in-organization.md
@@ -352,7 +352,7 @@ You’ll need this software to set Windows Hello for Business policies in your e
Azure AD subscription
[Azure AD Connect](https://go.microsoft.com/fwlink/p/?LinkId=616792)
AD CS with NDES
-Configuration Manager for domain-joined certificate enrollment, or InTune for non-domain-joined devices, or a non-Microsoft MDM service that supports Passport for Work
+Configuration Manager for domain-joined certificate enrollment, or InTune for non-domain-joined devices, or a non-Microsoft MDM service that supports Windows Hello for Business
diff --git a/windows/keep-secure/hello-why-pin-is-better-than-password.md b/windows/keep-secure/hello-why-pin-is-better-than-password.md
index a7606f0264..55dfd73fff 100644
--- a/windows/keep-secure/hello-why-pin-is-better-than-password.md
+++ b/windows/keep-secure/hello-why-pin-is-better-than-password.md
@@ -32,7 +32,7 @@ A password is transmitted to the server -- it can be intercepted in transmission
When the PIN is created, it establishes a trusted relationship with the identity provider and creates an asymmetric key pair that is used for authentication. When you enter your PIN, it unlocks the authentication key and uses the key to sign the request that is sent to the authenticating server.
>[!NOTE]
->For details on how Hello uses asymetric key pairs for authentication, see [Microsoft Passport guide](https://go.microsoft.com/fwlink/p/?LinkId=691928).
+>For details on how Hello uses asymetric key pairs for authentication, see [Windows Hello for Business](hello-identity-verification.md#benefits-of-windows-hello).
## PIN is backed by hardware
diff --git a/windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md b/windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
index c3595ae774..cbe59766be 100644
--- a/windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
+++ b/windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
@@ -61,7 +61,7 @@ For VPN, the following types of credentials will be added to credential manager
- TPM KSP Certificate
- Software KSP Certificates
- Smart Card Certificate
- - Passport for Work Certificate
+ - Windows Hello for Business Certificate
The username should also include a domain that can be reached over the connection (VPN or WiFi).
diff --git a/windows/keep-secure/images/device-guard-gp.png b/windows/keep-secure/images/device-guard-gp.png
index 169d2f245b..6d265509ea 100644
Binary files a/windows/keep-secure/images/device-guard-gp.png and b/windows/keep-secure/images/device-guard-gp.png differ
diff --git a/windows/keep-secure/images/dg-fig7-enablevbsofkmci.png b/windows/keep-secure/images/dg-fig7-enablevbsofkmci.png
index ddc2158a8a..34c1565f67 100644
Binary files a/windows/keep-secure/images/dg-fig7-enablevbsofkmci.png and b/windows/keep-secure/images/dg-fig7-enablevbsofkmci.png differ
diff --git a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md
index fad266b5ee..49742f17e8 100644
--- a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md
+++ b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md
@@ -42,19 +42,19 @@ You can deploy Device Guard in phases, and plan these phases in relation to the
The following tables provide more information about the hardware, firmware, and software required for deployment of various Device Guard features. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, available in 2016, and announced as options for 2017.
> **Notes**
-> - To understand the requirements in the following tables, you will need to be familiar with the main features in Device Guard: configurable code integrity policies, virtualization-based security (VBS), and Universal Extensible Firmware Interface (UEFI) Secure Boot. For information about these features, see [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats).
-> - For new computers running Windows 10, Trusted Platform Module (TPM 2.0) must be enabled by default. This requirement is not restated in the tables that follow.
+> • To understand the requirements in the following tables, you will need to be familiar with the main features in Device Guard: configurable code integrity policies, virtualization-based security (VBS), and Universal Extensible Firmware Interface (UEFI) Secure Boot. For information about these features, see [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats).
+> • Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new computers. ## Device Guard requirements for baseline protections |Baseline Protections - requirement | Description | |---------------------------------------------|----------------------------------------------------| | Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. | -| Hardware: **CPU virtualization extensions**,
plus **extended page tables** | **Requirements**: These hardware features are required for VBS:
One of the following virtualization extensions:
- VT-x (Intel) or
- AMD-V
And:
- Extended page tables, also called Second Level Address Translation (SLAT).
**Security benefits**: VBS provides isolation of secure kernel from normal operating system. Vulnerabilities and Day 0s in normal operating system cannot be exploited because of this isolation. | +| Hardware: **CPU virtualization extensions**,
plus **extended page tables** | **Requirements**: These hardware features are required for VBS:
One of the following virtualization extensions:
• VT-x (Intel) or
• AMD-V
And:
• Extended page tables, also called Second Level Address Translation (SLAT).
**Security benefits**: VBS provides isolation of the secure kernel from the normal operating system. Vulnerabilities and zero-days in the normal operating system cannot be exploited because of this isolation. | | Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)
**Security benefits**: UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. | | Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).
**Security benefits**: UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. | | Software: **HVCI compatible drivers** | **Requirements**: See the Windows Hardware Compatibility Program requirements under [Filter.Driver.DeviceGuard.DriverCompatibility](https://msdn.microsoft.com/library/windows/hardware/mt589732(v=vs.85).aspx).
**Security benefits**: [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. | -| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT
**Security benefits**: Support for VBS and for management features that simplify configuration of Device Guard. | +| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise
**Security benefits**: Support for VBS and for management features that simplify configuration of Device Guard. | > **Important** The preceding table lists requirements for baseline protections. The following tables list requirements for improved security. You can use Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security, to significantly strengthen the level of security that Device Guard can provide. @@ -62,32 +62,34 @@ The following tables provide more information about the hardware, firmware, and The following tables describes additional hardware and firmware requirements, and the improved security that is available when those requirements are met. -### 2015 Additional Qualification Requirements for Device Guard (starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4) +### Additional Qualification Requirements starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4 | Protections for Improved Security - requirement | Description | |---------------------------------------------|----------------------------------------------------| -| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
- BIOS password or stronger authentication must be supported.
- In the BIOS configuration, BIOS authentication must be set.
- There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
- In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.
**Security benefits**:
- BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.
- Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. | +| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
• BIOS password or stronger authentication must be supported.
• In the BIOS configuration, BIOS authentication must be set.
• There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
• In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.
**Security benefits**:
• BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.
• Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. |
-### 2016 Additional Qualification Requirements for Device Guard (starting with Windows 10, version 1607, and Windows Server 2016) +### Additional Qualification Requirements starting with Windows 10, version 1607, and Windows Server 2016 > **Important** The following tables list requirements for improved security, beyond the level of protection described in the preceding tables. You can use Device Guard with hardware, firmware, and software that do not support the following protections for improved security. As your systems meet more requirements, more protections become available to them. | Protections for Improved Security - requirement | Description | |---------------------------------------------|----------------------------------------------------| -| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:
Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)
- The Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332(v=vs.85).aspx).
**Security benefits**:
- Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
- HSTI provides additional security assurance for correctly secured silicon and platform. | +| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:
Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)
• The Hardware Security Test Interface (HSTI) 1.1.a must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332.aspx).
**Security benefits**:
• Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
• HSTI 1.1.a provides additional security assurance for correctly secured silicon and platform. | | Firmware: **Firmware Update through Windows Update** | **Requirements**: Firmware must support field updates through Windows Update and UEFI encapsulation update.
**Security benefits**: Helps ensure that firmware updates are fast, secure, and reliable. | -| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
- Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
- Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.
**Security benefits**:
- Enterprises can choose to allow proprietary EFI drivers/applications to run.
- Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. | +| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
• Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
• Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.
**Security benefits**:
• Enterprises can choose to allow proprietary EFI drivers/applications to run.
• Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. |
-### 2017 Additional Qualification Requirements for Device Guard (announced as options for future Windows operating systems for 2017) +### Additional Qualification Requirements starting with Windows 10, version 1703 -| Protections for Improved Security - requirement | Description | +The following table lists requirements for Windows 10, version 1703, which are in addition to all preceding requirements. + +| Protection for Improved Security | Description | |---------------------------------------------|----------------------------------------------------| -| Firmware: **UEFI NX Protections** | **Requirements**:
- All UEFI memory that is marked executable must be read only. Memory marked writable must not be executable.
UEFI Runtime Services:
- Must implement the UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. The entire UEFI runtime must be described by this table.
- All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both.
- No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory MUST be either readable and executable OR writeable and non-executable.
**Security benefits**:
- Protects against potential vulnerabilities in UEFI runtime in functions such as Update Capsule, Set Variables, and so on, so they can't compromise VBS.
- Reduces attack surface to VBS from system firmware. | -| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.
**Security benefits**:
- Protects against potential vulnerabilities in UEFI runtime in functions such as Update Capsule, Set Variables, and so on, so they can't compromise VBS.
- Reduces attack surface to VBS from system firmware.
- Blocks additional security attacks against SMM. | +| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:
• VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be exceutable.
• UEFI runtime service must meet these requirements:
• Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
• PE sections need to be page-aligned in memory (not required for in non-volitile storage).
• The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
• All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
• No entries may be left with neither of the above attributes, indicating memory that is both exceutable and writable. Memory must be either readable and executable or writeable and non-executable.
Please also note the following:
• Do not use sections that are both writeable and exceutable
• Do not attempt to directly modify executable system memory
• Do not use dynamic code
**Security benefits**:
• Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware. | +| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.
**Security benefits**:
• Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware.
• Blocks additional security attacks against SMM. | ## Device Guard deployment in different scenarios: types of devices @@ -95,9 +97,9 @@ Typically, deployment of Device Guard happens best in phases, rather than being | **Type of device** | **How Device Guard relates to this type of device** | **Device Guard components that you can use to protect this kind of device** | |------------------------------------|------------------------------------------------------|--------------------------------------------------------------------------------| -| **Fixed-workload devices**: Perform same tasks every day.
Lists of approved applications rarely change.
Examples: kiosks, point-of-sale systems, call center computers. | Device Guard can be deployed fully, and deployment and ongoing administration are relatively straightforward.
After Device Guard deployment, only approved applications can run. This is because of protections offered by the Hypervisor Code Integrity (HVCI) service. | - VBS (hardware-based) protections, enabled.
- Code integrity policies in enforced mode, with UMCI enabled. | -| **Fully managed devices**: Allowed software is restricted by IT department.
Users can request additional software, or install from a list of applications provided by IT department.
Examples: locked-down, company-owned desktops and laptops. | An initial baseline code integrity policy can be established and enforced. Whenever the IT department approves additional applications, it will update the code integrity policy and (for unsigned LOB applications) the catalog.
Code integrity policies are supported by the HVCI service. | - VBS (hardware-based) protections, enabled.
- Code integrity policies in enforced mode, with UMCI enabled. | -| **Lightly managed devices**: Company-owned, but users are free to install software.
Devices are required to run organization's antivirus solution and client management tools. | Device Guard can be used to help protect the kernel, and to monitor (audit) for problem applications rather than limiting the applications that can be run. | - VBS (hardware-based) protections, enabled. When enabled with a code integrity policy in audit mode only, VBS means the hypervisor helps enforce the default kernel-mode code integrity policy, which protects against unsigned drivers or system files.
- Code integrity policies, with UMCI enabled, but running in audit mode only. This means applications are not blocked—the policy just logs an event whenever an application outside the policy is started. | +| **Fixed-workload devices**: Perform same tasks every day.
Lists of approved applications rarely change.
Examples: kiosks, point-of-sale systems, call center computers. | Device Guard can be deployed fully, and deployment and ongoing administration are relatively straightforward.
After Device Guard deployment, only approved applications can run. This is because of protections offered by the Hypervisor Code Integrity (HVCI) service. | - VBS (hardware-based) protections, enabled.
• Code integrity policies in enforced mode, with UMCI enabled. | +| **Fully managed devices**: Allowed software is restricted by IT department.
Users can request additional software, or install from a list of applications provided by IT department.
Examples: locked-down, company-owned desktops and laptops. | An initial baseline code integrity policy can be established and enforced. Whenever the IT department approves additional applications, it will update the code integrity policy and (for unsigned LOB applications) the catalog.
Code integrity policies are supported by the HVCI service. | - VBS (hardware-based) protections, enabled.
• Code integrity policies in enforced mode, with UMCI enabled. | +| **Lightly managed devices**: Company-owned, but users are free to install software.
Devices are required to run organization's antivirus solution and client management tools. | Device Guard can be used to help protect the kernel, and to monitor (audit) for problem applications rather than limiting the applications that can be run. | - VBS (hardware-based) protections, enabled. When enabled with a code integrity policy in audit mode only, VBS means the hypervisor helps enforce the default kernel-mode code integrity policy, which protects against unsigned drivers or system files.
• Code integrity policies, with UMCI enabled, but running in audit mode only. This means applications are not blocked—the policy just logs an event whenever an application outside the policy is started. | | **Bring Your Own Device**: Employees are allowed to bring their own devices, and also use those devices away from work. | Device Guard does not apply. Instead, you can explore other hardening and security features with MDM-based conditional access solutions, such as Microsoft Intune. | N/A | ## Device Guard deployment in virtual machines diff --git a/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md index c2f45e90ed..088a82e8d9 100644 --- a/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md @@ -26,8 +26,8 @@ This section addresses issues that might arise as you use the Windows Defender A If you encounter a server error when trying to access the service, you’ll need to change your browser cookie settings. Configure your browser to allow cookies. -### Data is missing on the portal -If data is missing on the Windows Defender ATP portal it’s possible that proxy settings are blocking it. +### Elements or data missing on the portal +If some UI elements or data is missing on the Windows Defender ATP portal it’s possible that proxy settings are blocking it. Make sure that `*.securitycenter.windows.com` is included the proxy whitelist. diff --git a/windows/manage/TOC.md b/windows/manage/TOC.md index f5417ba0f7..70f2e9290f 100644 --- a/windows/manage/TOC.md +++ b/windows/manage/TOC.md @@ -162,6 +162,7 @@ ### [Troubleshooting App-V](appv-troubleshooting.md) ### [Technical Reference for App-V](appv-technical-reference.md) #### [Performance Guidance for Application Virtualization](appv-performance-guidance.md) + #### [Application Publishing and Client Interaction](appv-application-publishing-and-client-interaction.md) #### [Viewing App-V Server Publishing Metadata](appv-viewing-appv-server-publishing-metadata.md) #### [Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications](appv-running-locally-installed-applications-inside-a-virtual-environment.md) @@ -221,4 +222,5 @@ #### [Update Windows Store for Business account settings](update-windows-store-for-business-account-settings.md) #### [Manage user accounts in Windows Store for Business](manage-users-and-groups-windows-store-for-business.md) ### [Troubleshoot Windows Store for Business](troubleshoot-windows-store-for-business.md) +## [Windows Libraries](windows-libraries.md) ## [Change history for Manage and update Windows 10](change-history-for-manage-and-update-windows-10.md) diff --git a/windows/manage/change-history-for-manage-and-update-windows-10.md b/windows/manage/change-history-for-manage-and-update-windows-10.md index dcbdb109c3..13a0de7e4f 100644 --- a/windows/manage/change-history-for-manage-and-update-windows-10.md +++ b/windows/manage/change-history-for-manage-and-update-windows-10.md @@ -18,6 +18,7 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in | New or changed topic | Description | | --- | --- | +| [Windows Libraries](windows-libraries.md) | New | | [Monitor Windows Updates with Update Compliance](update-compliance-monitor.md) | New | | [Get started with Update Compliance](update-compliance-get-started.md) | New | | [Use Update Compliance to monitor Windows Updates](update-compliance-using.md) | New | @@ -185,4 +186,4 @@ The topics in this library have been updated for Windows 10, version 1607 (also [Change history for Keep Windows 10 secure](../keep-secure/change-history-for-keep-windows-10-secure.md) - \ No newline at end of file + diff --git a/windows/manage/cortana-at-work-o365.md b/windows/manage/cortana-at-work-o365.md index d58663dc00..764b5638e0 100644 --- a/windows/manage/cortana-at-work-o365.md +++ b/windows/manage/cortana-at-work-o365.md @@ -57,7 +57,7 @@ Cortana can only access data in your Office 365 org when it’s turned on. If yo **To turn off Cortana with Office 365** 1. [Sign in to Office 365](http://www.office.com/signin) using your Azure AD account. -2. Go to the [Office 365 admin center](https://support.office.com/en-us/article/Office-365-admin-center-58537702-d421-4d02-8141-e128e3703547). +2. Go to the [Office 365 admin center](https://support.office.com/article/Office-365-admin-center-58537702-d421-4d02-8141-e128e3703547). 3. Expand **Service Settings**, and select **Cortana**. diff --git a/windows/manage/cortana-at-work-overview.md b/windows/manage/cortana-at-work-overview.md index 96064364c3..29a9ab3bba 100644 --- a/windows/manage/cortana-at-work-overview.md +++ b/windows/manage/cortana-at-work-overview.md @@ -59,6 +59,6 @@ Cortana is covered under the [Microsoft Privacy Statement](https://privacy.micro - [Cortana and Windows](http://go.microsoft.com/fwlink/?LinkId=717384) -- [Known issues for Windows Desktop Search and Cortana in Windows 10](http://support.microsoft.com/kb/3206883/EN-US) +- [Known issues for Windows Desktop Search and Cortana in Windows 10](https://support.microsoft.com/help/3206883/known-issues-for-windows-desktop-search-and-cortana-in-windows-10) - [Cortana for developers](http://go.microsoft.com/fwlink/?LinkId=717385) diff --git a/windows/manage/cortana-at-work-powerbi.md b/windows/manage/cortana-at-work-powerbi.md index 98b90f572f..979cde3b57 100644 --- a/windows/manage/cortana-at-work-powerbi.md +++ b/windows/manage/cortana-at-work-powerbi.md @@ -19,7 +19,7 @@ localizationpriority: high Integration between Cortana and Power BI shows how Cortana can work with custom business analytics solutions to enable you to get answers directly from your key business data, including introducing new features that let you create custom Cortana “answers” using the full capabilities of Power BI Desktop. >[!Note] ->Cortana for Power BI is currently only available in English. For more info about Cortana and Power BI, see [Use Power BI to create a custom Answer Page for Cortana](https://powerbi.microsoft.com/en-us/documentation/powerbi-service-cortana-desktop-entity-cards/). +>Cortana for Power BI is currently only available in English. For more info about Cortana and Power BI, see [Use Power BI to create a custom Answer Page for Cortana](https://powerbi.microsoft.com/documentation/powerbi-service-cortana-desktop-entity-cards/). ## Before you begin To use this walkthrough, you’ll need: @@ -135,4 +135,4 @@ Now that you’ve set up your device, you can use Cortana to show your info from  >[!NOTE] ->For more info about how to connect your own data, build your own custom Power BI cards and Answer Pages for Cortana, and how to share the cards with everyone in your organization, see [Use Power BI to create a custom Answer Page for Cortana](https://powerbi.microsoft.com/en-us/documentation/powerbi-service-cortana-desktop-entity-cards/). +>For more info about how to connect your own data, build your own custom Power BI cards and Answer Pages for Cortana, and how to share the cards with everyone in your organization, see [Use Power BI to create a custom Answer Page for Cortana](https://powerbi.microsoft.com/documentation/powerbi-service-cortana-desktop-entity-cards/). diff --git a/windows/manage/cortana-at-work-voice-commands.md b/windows/manage/cortana-at-work-voice-commands.md index 766a5914ad..2e2743fa61 100644 --- a/windows/manage/cortana-at-work-voice-commands.md +++ b/windows/manage/cortana-at-work-voice-commands.md @@ -19,7 +19,7 @@ localizationpriority: high Working with a developer, you can create voice commands that use Cortana to perform voice-enabled actions in your line-of-business (LOB) Universal Windows Platform (UWP) apps. These voice-enabled actions can reduce the time necessary to access your apps and to complete simple actions. >[!NOTE] ->For more info about how your developer can extend your current apps to work directly with Cortana, see [Cortana interactions in UWP apps](https://msdn.microsoft.com/en-us/windows/uwp/input-and-devices/cortana-interactions). +>For more info about how your developer can extend your current apps to work directly with Cortana, see [The Cortana Skills Kit](https://docs.microsoft.com/cortana/getstarted). ## High-level process Cortana uses a Voice Command Definition (VCD) file, aimed at an installed app, to define the actions that are to happen during certain vocal commands. A VCD file can be very simple to very complex, supporting anything from a single sound to a collection of more flexible, natural language sounds, all with the same intent. @@ -30,9 +30,9 @@ To enable voice commands in Cortana Cortana can perform actions on apps in the foreground (taking focus from Cortana) or in the background (allowing Cortana to keep focus). We recommend that you decide where an action should happen, based on what your voice command is intended to do. For example, if your voice command requires employee input, it’s best for that to happen in the foreground. However, if the app only uses basic commands and doesn’t require interaction, it can happen in the background. - - **Start Cortana with focus on your app, using specific voice-enabled statements.** [Create and install a VCD file that starts a foreground app using voice commands and Cortana](https://msdn.microsoft.com/en-us/windows/uwp/input-and-devices/launch-a-foreground-app-with-voice-commands-in-cortana). + - **Start Cortana with focus on your app, using specific voice-enabled statements.** [Create and install a VCD file that starts a foreground app using voice commands and Cortana](https://docs.microsoft.com/cortana/voicecommands/launch-a-foreground-app-with-voice-commands-in-cortana). - - **Start Cortana removing focus from your app, using specific voice-enabled statements.** [Create and install a VCD file that starts a background app using voice commands and Cortana](https://msdn.microsoft.com/en-us/windows/uwp/input-and-devices/launch-a-background-app-with-voice-commands-in-cortana). + - **Start Cortana removing focus from your app, using specific voice-enabled statements.** [Create and install a VCD file that starts a background app using voice commands and Cortana](https://docs.microsoft.com/cortana/voicecommands/launch-a-background-app-with-voice-commands-in-cortana). 2. **Install the VCD file on employees' devices**. You can use System Center Configuration Manager or Microsoft Intune to deploy and install the VCD file on your employees' devices, the same way you deploy and install any other package in your organization. diff --git a/windows/manage/group-policies-for-enterprise-and-education-editions.md b/windows/manage/group-policies-for-enterprise-and-education-editions.md index 40c5250e62..0eb86b635e 100644 --- a/windows/manage/group-policies-for-enterprise-and-education-editions.md +++ b/windows/manage/group-policies-for-enterprise-and-education-editions.md @@ -28,7 +28,7 @@ In Windows 10, version 1607, the following Group Policy settings apply only to W | **Start layout** | User Configuration\Administrative Templates\Start Menu and Taskbar | For more info, see [Manage Windows 10 Start layout options and policies](windows-10-start-layout-options-and-policies.md) | | **Turn off the Store application** | Computer Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application
User Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application | For more info, see [Knowledge Base article# 3135657](https://support.microsoft.com/kb/3135657). | | **Only display the private store within the Windows Store app** | Computer Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Windows Store app
User Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Windows Store app | For more info, see [Manage access to private store](manage-access-to-private-store.md) | -| **Don't search the web or display web results** | Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results | For more info, see [Cortana integration in your enterprise](manage-cortana-in-enterprise.md) | +| **Don't search the web or display web results** | Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results | For more info, see [Cortana integration in your enterprise](cortana-at-work-overview.md) | diff --git a/windows/manage/index.md b/windows/manage/index.md index 61fd0bf61e..bdb730b559 100644 --- a/windows/manage/index.md +++ b/windows/manage/index.md @@ -72,6 +72,10 @@ Learn about managing and updating Windows 10.
+
+ **Setting Description**: Configuring commercial id for Windows Analytics solutions
+ **Data Type**: String
+ **OMA-URI (case sensitive)**: ./Vendor/MSFT/DMClient/Provider/ProviderID/CommercialID
+ **Value**: \
``` 3. Complete the deployment wizard using the following: - **Task Sequence**: Backup Only Task Sequence - - **User Data**: Specify a location: **\\SRV1\MigData$\PC1** + - **User Data**: Specify a location: **\\\\SRV1\MigData$\PC1** - **Computer Backup**: Do not back up the existing computer. 4. While the task sequence is running on PC1, open the deployment workbench console on SRV1 and click the **Monitoring* node. Press F5 to refresh the console, and view the status of current tasks. -5. Verify that **The user state capture was completed successfully** is displayed, and click **Finish** when the capture is complete. +5. On PC1, verify that **The user state capture was completed successfully** is displayed, and click **Finish** when the capture is complete. 6. On SRV1, verify that the file **USMT.MIG** was created in the **C:\MigData\PC1\USMT** directory. See the following example: ``` @@ -585,18 +589,24 @@ At a high level, the computer replace process consists of:
``` Disable-NetAdapter "Ethernet 2" -Confirm:$false ``` + + >As mentioned previously, ensure that you disable the **external** network adapter, and wait for the command to complete before proceeding. + + 3. Start and connect to PC3 by typing the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: ``` Start-VM PC3 vmconnect localhost PC3 ``` + 4. When prompted, press ENTER for network boot. -6. On PC3, ue the following settings for the Windows Deployment Wizard: +6. On PC3, use the following settings for the Windows Deployment Wizard: - **Task Sequence**: Windows 10 Enterprise x64 Custom Image - **Move Data and Settings**: Do not move user data and settings - - **User Data (Restore)**: Specify a location: **\\SRV1\MigData$\PC1** + - **User Data (Restore)**: Specify a location: **\\\\SRV1\MigData$\PC1** + 5. When OS installation has started on PC1, re-enable the external network adapter on SRV1 by typing the following command on SRV1: ``` @@ -606,7 +616,9 @@ At a high level, the computer replace process consists of:
8. When PC3 has completed installing the OS, sign in to PC3 using the contoso\administrator account. When the PC completes updating, click **Finish**. -9. Verify that settings have been migrated from PC1, and then shut down PC3 in preparation for the next procedure. +9. Verify that settings have been migrated from PC1. This completes demonstration of the replace procedure. + +10. Shut down PC3 in preparation for the [next](windows-10-poc-sc-config-mgr.md) procedure. ## Troubleshooting logs, events, and utilities diff --git a/windows/deploy/windows-10-poc-sc-config-mgr.md b/windows/deploy/windows-10-poc-sc-config-mgr.md index d9278a15c5..ff0b497b45 100644 --- a/windows/deploy/windows-10-poc-sc-config-mgr.md +++ b/windows/deploy/windows-10-poc-sc-config-mgr.md @@ -163,8 +163,8 @@ Topics and procedures in this guide are summarized in the following table. An es adsiedit.msc ``` -6. Right-click **ADSI Edit**, click **Connect to**, select **Default** under **Computer** and then click **OK**. -7. Expand **Default naming context**>**DC=contoso,DC=com**, right-click **CN=System**, point to **New**, and then click **Object**. +6. Right-click **ADSI Edit**, click **Connect to**, select **Default (Domain or server that you logged in to)** under **Computer** and then click **OK**. +7. Expand **Default naming context**>**DC=contoso,DC=com**, and then in the console tree right-click **CN=System**, point to **New**, and then click **Object**. 8. Click **container** and then click **Next**. 9. Next to **Value**, type **System Management**, click **Next**, and then click **Finish**. 10. Right-click **CN=system Management** and then click **Properties**. @@ -194,7 +194,7 @@ Topics and procedures in this guide are summarized in the following table. An es - **Settings Summary**: Review settings and click **Next**. - **Prerequisite Check**: No failures should be listed. Ignore any warnings and click **Begin Install**. - >There should be at most three warnings present: WSUS on site server, configuration for SQL Server memory usage, and SQL Server process memory allocation. These warnings can safely be ignored. + >There should be at most three warnings present: WSUS on site server, configuration for SQL Server memory usage, and SQL Server process memory allocation. These warnings can safely be ignored in this test environment. Depending on the speed of the Hyper-V host and resources allocated to SRV1, installation can require approximately one hour. Click **Close** when installation is complete. @@ -207,7 +207,7 @@ Topics and procedures in this guide are summarized in the following table. An es ## Download MDOP and install DaRT -1. Download the [Microsoft Desktop Optimization Pack 2015](https://msdn.microsoft.com/en-us/subscriptions/downloads/#ProductFamilyId=597) to the Hyper-V host using an MSDN subscription. Download the .ISO file (mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso) to the C:\VHD directory on the Hyper-V host. +1. Download the [Microsoft Desktop Optimization Pack 2015](https://msdn.microsoft.com/en-us/subscriptions/downloads/#ProductFamilyId=597) to the Hyper-V host using an MSDN subscription. Download the .ISO file (mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso, 2.79 GB) to the C:\VHD directory on the Hyper-V host. 2. Type the following command at an elevated Windows PowerShell prompt on the Hyper-V host to mount the MDOP file on SRV1: @@ -292,19 +292,19 @@ This section contains several procedures to support Zero Touch installation with 2. In the System Center Configuration Manager console, in the **Administration** workspace, click **Distribution Points**. 3. In the display pane, right-click **SRV1.CONTOSO.COM** and then click **Properties**. 4. On the PXE tab, select the following settings: - - Enable PXE support for clients. Click **Yes** in the popup that appears. - - Allow this distribution point to respond to incoming PXE requests - - Enable unknown computer support. Click **OK** in the popup that appears. - - Require a password when computers use PXE - - Password and Confirm password: pass@word1 - - Respond to PXE requests on specific network interfaces: Click the yellow starburst and then enter the MAC address determined in the first step of this procedure. + - **Enable PXE support for clients**. Click **Yes** in the popup that appears. + - **Allow this distribution point to respond to incoming PXE requests** + - **Enable unknown computer support**. Click **OK** in the popup that appears. + - **Require a password when computers use PXE** + - **Password** and **Confirm password**: pass@word1 + - **Respond to PXE requests on specific network interfaces**: Click the yellow starburst and then enter the MAC address determined in the first step of this procedure. See the following example:
5. Click **OK**.
-6. Type the following command at an elevated Windows PowerShell prompt on SRV1, and verify that the files displayed are present:
+6. Wait for a minute, then type the following command at an elevated Windows PowerShell prompt on SRV1, and verify that the files displayed are present:
```
cmd /c dir /b C:\RemoteInstall\SMSBoot\x64
@@ -340,7 +340,7 @@ This section contains several procedures to support Zero Touch installation with
>You can open C:\Sources\OSD\Branding\contoso.bmp in MSPaint.exe if desired to customize this image.
-## Create a boot image for Configuration Manager
+### Create a boot image for Configuration Manager
1. In the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Boot Images**, and then click **Create Boot Image using MDT**.
2. On the Package Source page, under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\Boot\Zero Touch WinPE x64**, and then click **Next**.
@@ -357,13 +357,15 @@ This section contains several procedures to support Zero Touch installation with
```
Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe'
```
- >In the trace tool, click **Tools** on the menu and choose **Find**. Search for "**STATMSG: ID=2301**". For example:
+
+ In the trace tool, click **Tools** on the menu and choose **Find**. Search for "**STATMSG: ID=2301**". For example:
- ```
- STATMSG: ID=2301 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=SRV1.CONTOSO.COM SITE=PS1 PID=2476 TID=4636 GMTDATE=Wed Sep 14 22:11:09.363 2016 ISTR0="Configuration Manager Client Upgrade Package" ISTR1="PS100003" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=400 AVAL0="PS100003" SMS_DISTRIBUTION_MANAGER 9/14/2016 3:11:09 PM 4636 (0x121C)
- ```
-11. You can also review status by clicking the **Zero Touch WinPE x64** image, and then clicking **Content Status** under **Related Objects** in the bottom right-hand corner of the console, or by entering **\Monitoring\Overview\Distribution Status\Content Status** on the location bar in the console. Doublt-click **Zero Touch WinPE x64** under **Content Status** in the console tree and verify that a status of **Successfully distributed content** is displayed on the **Success** tab.
-12. In the **Software Library** workspace, double-click **Zero Touch WinPE x64** and then click the **Data Source** tab.
+ ```
+ STATMSG: ID=2301 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=SRV1.CONTOSO.COM SITE=PS1 PID=2476 TID=4636 GMTDATE=Wed Sep 14 22:11:09.363 2016 ISTR0="Configuration Manager Client Upgrade Package" ISTR1="PS100003" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=400 AVAL0="PS100003" SMS_DISTRIBUTION_MANAGER 9/14/2016 3:11:09 PM 4636 (0x121C)
+ ```
+
+11. You can also review status by clicking the **Zero Touch WinPE x64** image, and then clicking **Content Status** under **Related Objects** in the bottom right-hand corner of the console, or by entering **\Monitoring\Overview\Distribution Status\Content Status** on the location bar in the console. Double-click **Zero Touch WinPE x64** under **Content Status** in the console tree and verify that a status of **Successfully distributed content** is displayed on the **Success** tab.
+12. Next, in the **Software Library** workspace, double-click **Zero Touch WinPE x64** and then click the **Data Source** tab.
13. Select the **Deploy this boot image from the PXE-enabled distribution point** checkbox, and click **OK**.
14. Review the distmgr.log file again for "**STATMSG: ID=2301**" and verify that there are three folders under **C:\RemoteInstall\SMSImages** with boot images. See the following example:
@@ -380,7 +382,7 @@ This section contains several procedures to support Zero Touch installation with
>The first two images (*.wim files) are default boot images. The third is the new boot image with DaRT.
-## Create a Windows 10 reference image
+### Create a Windows 10 reference image
If you have already completed steps in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) then you have already created a Windows 10 reference image. In this case, skip to the next procedure in this guide: [Add a Windows 10 operating system image](#add-a-windows-10-operating-system-image). If you have not yet created a Windows 10 reference image, complete the steps in this section.
@@ -534,7 +536,7 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi
This step requires from 30 minutes to 2 hours, depending on the speed of the Hyper-V host and your network's download speed. After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep. The image is located in the C:\MDTBuildLab\Captures folder on SRV1. The file name is **REFW10X64-001.wim**.
-## Add a Windows 10 operating system image
+### Add a Windows 10 operating system image
1. Type the following commands at an elevated Windows PowerShell prompt on SRV1:
@@ -553,11 +555,11 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi
6. In the Distribute Content Wizard, click **Next**, click **Add**, click **Distribution Point**, add the **SRV1.CONTOSO.COM** distribution point, click **OK**, click **Next** twice and then click **Close**.
-7. Enter **\Monitoring\Overview\Distribution Status\Content Status** on the location bar, click **Windows 10 Enterprise x64**, and monitor the status of content distribution until it is successful and no longer in progress. Refresh the view with the F5 key or by right-clicking **Windows 10 Enterprise x64** and clicking **Refresh**. Processing of the image on the site server can take several minutes.
+7. Enter **\Monitoring\Overview\Distribution Status\Content Status** on the location bar (be sure there is no space at the end of the location or you will get an error), click **Windows 10 Enterprise x64**, and monitor the status of content distribution until it is successful and no longer in progress. Refresh the view with the F5 key or by right-clicking **Windows 10 Enterprise x64** and clicking **Refresh**. Processing of the image on the site server can take several minutes.
>If content distribution is not successful, verify that sufficient disk space is available.
-## Create a task sequence
+### Create a task sequence
>Complete this section slowly. There are a large number of similar settings from which to choose.
@@ -567,37 +569,37 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi
3. On the General page, type **Windows 10 Enterprise x64** under **Task sequence name:** and then click **Next**.
-4. On the Details page, enter the following settings:- - Join a domain: contoso.com
- - Account: click **Set**
- - User name: contoso\CM_JD
- - Password: pass@word1
- - Confirm password: pass@word1
- - Click **OK**
- - Windows Settings
- - User name: Contoso
- - Organization name: Contoso
- - Product key: \
- - Administrator Account: Enable the account and specify the local administrator password
- - Password: pass@word1
- - Confirm password: pass@word1
- - Click Next
+4. On the Details page, enter the following settings: + - Join a domain: **contoso.com** + - Account: click **Set** + - User name: **contoso\CM_JD** + - Password: **pass@word1** + - Confirm password: **pass@word1** + - Click **OK** + - Windows Settings + - User name: **Contoso** + - Organization name: **Contoso** + - Product key: \
. -## Finalize the operating system configuration +### Finalize the operating system configuration >If you completed all procedures in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) then the MDT deployment share is already present on SRV1. In this case, skip the first four steps below and begin with step 5 to edit CustomSettings.ini. @@ -670,7 +672,7 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi [Settings] Priority=Default Properties=OSDMigrateConfigFiles,OSDMigrateMode - + [Default] DoCapture=NO ComputerBackupLocation=NONE @@ -681,6 +683,14 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi EventService=http://SRV1:9800 ApplyGPOPack=NO ``` + + >As noted previously, if you wish to migrate accounts other than those in the Contoso domain, then change the OSDMigrateAdditionalCaptureOptions option. For example, the following option will capture settings from all user accounts: + + ``` + OSDMigrateAdditionalCaptureOptions=/all + ``` + + 7. Return to the Configuration Manager console, and in the Software Library workspace, expand **Application Management**, click **Packages**, right-click **Windows 10 x64 Settings**, and then click **Update Distribution Points**. Click **OK** in the popup that appears. 8. In the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then click **Distribute Content**. @@ -705,6 +715,8 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi ## Deploy Windows 10 using PXE and Configuration Manager +In this first deployment scenario, we will deploy Windows 10 using PXE. This scenario creates a new computer that does not have any migrated users or settings. + 1. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: ``` @@ -718,7 +730,7 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi 3. In the Task Sequence Wizard, provide the password: **pass@word1**, and then click **Next**. -4. Before you click Next in the Task Sequence Wizard, press the **F8** key. A command prompt will open. +4. Before you click **Next** in the Task Sequence Wizard, press the **F8** key. A command prompt will open. 5. At the command prompt, type **explorer.exe** and review the Windows PE file structure. @@ -745,6 +757,7 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi - Join the computer to the contoso.com domain - Install any applications that were specified in the reference image + 12. When Windows 10 installation has completed, sign in to PC4 using the **contoso\administrator** account. 13. Right-click **Start**, click **Run**, type **control appwiz.cpl**, press ENTER, click Turn Windows features on or off, and verify that **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** is installed. This is a feature included in the reference image. @@ -927,7 +940,7 @@ vmconnect localhost PC1 - Task sequence comments: **USMT backup only** 4. Click **Next**, and on the Boot Image page, browse and select the **Zero Touch WinPE x64** boot image package. Click **OK** and then click **Next** to continue. -5. On the MDT Package page, browse and select the **MDT 2013** package. Click **OK** and then click **Next** to continue. +5. On the MDT Package page, browse and select the **MDT** package. Click **OK** and then click **Next** to continue. 6. On the USMT Package page, browse and select the **Microsoft Corporation User State Migration Tool for Windows** package. Click **OK** and then click **Next** to continue. 7. On the Settings Package page, browse and select the **Windows 10 x64 Settings** package. Click **OK** and then click **Next** to continue. 8. On the Summary page, review the details and then click **Next**. diff --git a/windows/keep-secure/bcd-settings-and-bitlocker.md b/windows/keep-secure/bcd-settings-and-bitlocker.md index 66ca07b626..ccd9afd831 100644 --- a/windows/keep-secure/bcd-settings-and-bitlocker.md +++ b/windows/keep-secure/bcd-settings-and-bitlocker.md @@ -131,7 +131,6 @@ This following is a full list of BCD settings with friendly names which are igno | 0x15000052 | all| graphicsresolution| | 0x15000065 | all| displaymessage| | 0x15000066| all| displaymessageoverride| -| 0x15000081 | all| logcontrol| | 0x16000009 | all| recoveryenabled| | 0x1600000b | all| badmemoryaccess| | 0x1600000f | all| traditionalkseg| diff --git a/windows/keep-secure/bitlocker-countermeasures.md b/windows/keep-secure/bitlocker-countermeasures.md index 89261d666c..5cf31239ce 100644 --- a/windows/keep-secure/bitlocker-countermeasures.md +++ b/windows/keep-secure/bitlocker-countermeasures.md @@ -115,7 +115,11 @@ Windows 10 uses Trusted Boot on any hardware platform: It requires neither UEFI Because UEFI-based Secure Boot has protected the bootloader and Trusted Boot has protected the Windows kernel or other Windows startup components, the next opportunity for malware to start is by infecting a non-Microsoft boot-related driver. Traditional antimalware apps don’t start until after the boot-related drivers have been loaded, giving a rootkit disguised as a driver the opportunity to work. -The purpose of ELAM is to load an antimalware driver before drivers that are flagged as boot-start can be executed. This approach provides the ability for an antimalware driver to register as a trusted boot-critical driver. It is launched during the Trusted Boot process, and with that, Windows ensures that it is loaded before any other non-Microsoft software. +Early Launch Antimalware (ELAM) is designed to enable the antimalware solution to start before all non-Microsoft drivers and apps. ELAM checks the integrity of non-Microsoft drivers to determine whether the drivers are trustworthy. Because Windows needs to start as fast as possible, ELAM cannot be a complicated process of checking the driver files against known malware signatures. Instead, ELAM has the simple task of examining every boot driver and determining whether it is on the list of trusted drivers. If malware modifies a boot-related driver, ELAM will detect the change, and Windows will prevent the driver from starting, thus blocking driver-based rootkits. ELAM also allows the registered antimalware provider to scan drivers that are loaded after the boot process is complete. + +Windows Defender in Windows 10 supports ELAM, as do Microsoft System Center 2012 Endpoint Protection and non-Microsoft antimalware apps. + +To do this, ELAM loads an antimalware driver before drivers that are flagged as boot-start can be executed. This approach provides the ability for an antimalware driver to register as a trusted boot-critical driver. It is launched during the Trusted Boot process, and with that, Windows ensures that it is loaded before any other non-Microsoft software. With this solution in place, boot drivers are initialized based on the classification that the ELAM driver returns according to an initialization policy. IT pros have the ability to change this policy through Group Policy. ELAM classifies drivers as follows: diff --git a/windows/keep-secure/bitlocker-group-policy-settings.md b/windows/keep-secure/bitlocker-group-policy-settings.md index 26cadf522b..c0112dcf47 100644 --- a/windows/keep-secure/bitlocker-group-policy-settings.md +++ b/windows/keep-secure/bitlocker-group-policy-settings.md @@ -32,6 +32,7 @@ The following sections provide a comprehensive list of BitLocker Group Policy se The following policy settings can be used to determine how a BitLocker-protected drive can be unlocked. +- [Allow devices with Secure Boot and protect DMS ports to opt out of preboot PIN](#bkmk-hstioptout) - [Allow network unlock at startup](#bkmk-netunlock) - [Require additional authentication at startup](#bkmk-unlockpol1) - [Allow enhanced PINs for startup](#bkmk-unlockpol2) @@ -85,6 +86,55 @@ The following policies are used to support customized deployment scenarios in yo - [Allow access to BitLocker-protected fixed data drives from earlier versions of Windows](#bkmk-depopt4) - [Allow access to BitLocker-protected removable data drives from earlier versions of Windows](#bkmk-depopt5) +### Allow devices with Secure Boot and protect DMS ports to opt out of preboot PIN + +This policy setting allows users on devices that are compliant with InstantGo or the Microsoft Hardware Security Test Interface (HSTI) to not have a PIN for preboot authentication. + +
Policy description |
+With this policy setting, you can allow TPM-only protection for newer, more secure devices, such as devices that support InstantGo or HSTI, while requiring PIN on older devices. |
+
Introduced |
+Windows 10, version 1703 |
+
Drive type |
+Operating system drives |
+
Policy path |
+Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
+
Conflicts |
+This setting overrides the Require startup PIN with TPM option of the [Require additional authentication at startup](#bkmk-unlockpol1) policy on compliant hardware. + + |
+
When enabled |
+Users on InstantGo and HSTI compliant devices will have the choice to turn on BitLocker without preboot authentication. |
+
When disabled or not configured |
+The options of the [Require additional authentication at startup](#bkmk-unlockpol1) policy apply. |
+
+> Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new computers. This requirement is not restated in the tables that follow.
> If you are an OEM, see the requirements information at [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx).
> Starting in Widows 10, 1607, TPM 2.0 is required. @@ -94,11 +94,11 @@ The following tables provide more information about the hardware, firmware, and |Baseline Protections | Description | |---------------------------------------------|----------------------------------------------------| | Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. | -| Hardware: **CPU virtualization extensions**,
plus **extended page tables** | **Requirements**: These hardware features are required for VBS:
One of the following virtualization extensions:
- VT-x (Intel) or
- AMD-V
And:
- Extended page tables, also called Second Level Address Translation (SLAT).
**Security benefits**: VBS provides isolation of secure kernel from normal operating system. Vulnerabilities and Day 0s in normal operating system cannot be exploited because of this isolation. | +| Hardware: **CPU virtualization extensions**,
plus **extended page tables** | **Requirements**: These hardware features are required for VBS:
One of the following virtualization extensions:
• VT-x (Intel) or
• AMD-V
And:
• Extended page tables, also called Second Level Address Translation (SLAT).
**Security benefits**: VBS provides isolation of secure kernel from normal operating system. Vulnerabilities and Day 0s in normal operating system cannot be exploited because of this isolation. | | Hardware: **Trusted Platform Module (TPM)** | **Requirement**: TPM 1.2 or TPM 2.0, either discrete or firmware.
**Security benefits**: A TPM provides protection for VBS encryption keys that are stored in the firmware. This helps protect against attacks involving a physically present user with BIOS access. | | Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)
**Security benefits**: UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. | | Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).
**Security benefits**: UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. | -| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT
Important:
Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.
**Security benefits**: Support for VBS and for management features that simplify configuration of Credential Guard. | +| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise
Important:
Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.
**Security benefits**: Support for VBS and for management features that simplify configuration of Credential Guard. | > [!IMPORTANT] > The preceding table lists requirements for baseline protections. The following tables list requirements for improved security. You can use Credential Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security to significantly strengthen the level of security that Credential Guard can provide. @@ -108,8 +108,8 @@ The following tables provide more information about the hardware, firmware, and | Protections for Improved Security | Description | |---------------------------------------------|----------------------------------------------------| | Hardware: **IOMMU** (input/output memory management unit) | **Requirement**: VT-D or AMD Vi IOMMU
**Security benefits**: An IOMMU can enhance system resiliency against memory attacks. For more information, see [ACPI description tables](https://msdn.microsoft.com/windows/hardware/drivers/bringup/acpi-system-description-tables). | -| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
- BIOS password or stronger authentication must be supported.
- In the BIOS configuration, BIOS authentication must be set.
- There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
- In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.
**Security benefits**:
- BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.
- Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. | -| Firmware: **Secure MOR implementation** | **Requirement**: Secure MOR implementation
**Security benefits**: A secure MOR bit prevents advanced memory attacks. For more information, see [Secure MOR implementation](https://msdn.microsoft.com/windows/hardware/drivers/bringup/device-guard-requirements). | +| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
• BIOS password or stronger authentication must be supported.
• In the BIOS configuration, BIOS authentication must be set.
• There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
• In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.
**Security benefits**:
• BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.
• Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. | +| Firmware: **Secure MOR, revision 2 implementation** | **Requirement**: Secure MOR, revision 2 implementation
**Security benefits**: A secure MOR bit prevents advanced memory attacks. For more information, see [Secure MOR implementation](https://msdn.microsoft.com/windows/hardware/drivers/bringup/device-guard-requirements). |
@@ -120,17 +120,20 @@ The following tables provide more information about the hardware, firmware, and | Protections for Improved Security | Description | |---------------------------------------------|----------------------------------------------------| -| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:
Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)
- The Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332(v=vs.85).aspx).
**Security benefits**:
- Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
- HSTI provides additional security assurance for correctly secured silicon and platform. | +| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:
Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)
• The Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332(v=vs.85).aspx).
**Security benefits**:
• Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
• HSTI provides additional security assurance for correctly secured silicon and platform. | | Firmware: **Firmware Update through Windows Update** | **Requirements**: Firmware must support field updates through Windows Update and UEFI encapsulation update.
**Security benefits**: Helps ensure that firmware updates are fast, secure, and reliable. | -| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
- Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
- Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.
**Security benefits**:
- Enterprises can choose to allow proprietary EFI drivers/applications to run.
- Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. | +| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
• Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
• Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.
**Security benefits**:
• Enterprises can choose to allow proprietary EFI drivers/applications to run.
• Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. |
-#### 2017 Additional Security Recommendations (starting with the next major release of Windows 10) +#### 2017 Additional security requirements starting with Windows 10, version 1703 + +The following table lists requirements for Windows 10, version 1703, which are in addition to all preceding requirements. | Protection for Improved Security | Description | |---------------------------------------------|----------------------------------------------------| -| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.
**Security benefits**:
- Protects against potential vulnerabilities in UEFI runtime in functions such as Update Capsule, Set Variables, and so on, so they can't compromise VBS.
- Reduces attack surface to VBS from system firmware.
- Blocks additional security attacks against SMM. | +| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:
• VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be exceutable.
• UEFI runtime service must meet these requirements:
- Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
- PE sections need to be page-aligned in memory (not required for in non-volitile storage).
- The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
- All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
- No entries may be left with neither of the above attributes, indicating memory that is both exceutable and writable. Memory must be either readable and executable or writeable and non-executable.
Notes:
• This only applies to UEFI runtime service memory, and not UEFI boot service memory.
• This protection is applied by VBS on OS page tables.
Please also note the following:
• Do not use sections that are both writeable and exceutable
• Do not attempt to directly modify executable system memory
• Do not use dynamic code
**Security benefits**:
• Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware. | +| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.
**Security benefits**:
• Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware.
• Blocks additional security attacks against SMM. | ## Manage Credential Guard @@ -178,11 +181,11 @@ You can do this by using either the Control Panel or the Deployment Image Servic 1. Open an elevated command prompt. 2. Add the Hyper-V Hypervisor by running the following command: - ``` syntax + ``` dism /image:
**Set-RuleOption -FilePath $InitialCIPolicy -Option 0** + > - When you specify the **-UserPEs** parameter (to include user mode executables in the scan), rule option **0 Enabled:UMCI** is automatically added to the code integrity policy. In contrast, if you do not specify **-UserPEs**, the policy will be empty of user mode executables and will only have rules for kernel mode binaries like drivers, in other words, the whitelist will not include applications. If you create such a policy and later add rule option **0 Enabled:UMCI**, all attempts to start applications will cause a response from Device Guard. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application. + + > - You can add the **-Fallback** parameter to catch any applications not discovered using the primary file rule level specified by the **-Level** parameter. For more information about file rule level options, see [Code integrity file rule levels](deploy-code-integrity-policies-policy-rules-and-file-rules.md#code-integrity-file-rule-levels) in “Deploy code integrity policies: policy rules and file rules.” - > - You can add the *–Fallback* parameter to catch any applications not discovered using the primary file rule level specified by the *–Level* parameter. For more information about file rule level options, see [Code integrity file rule levels](deploy-code-integrity-policies-policy-rules-and-file-rules.md#code-integrity-file-rule-levels) in “Deploy code integrity policies: policy rules and file rules.” - - > - To specify that the code integrity policy scan only a specific drive, include the *–ScanPath* parameter followed by a path. Without this parameter, the entire system is scanned. + > - To specify that the code integrity policy scan only a specific drive, include the **-ScanPath** parameter followed by a path. Without this parameter, the entire system is scanned. > - The preceding example includes `3> CIPolicylog.txt`, which redirects warning messages to a text file, **CIPolicylog.txt**. diff --git a/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md b/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md index 9f7be87cbb..b03c8c1332 100644 --- a/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md +++ b/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md @@ -30,10 +30,10 @@ For information about enabling Credential Guard, see [Protect derived domain cre In addition to the hardware requirements found in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard), you must confirm that certain operating system features are enabled before you can enable VBS: -- With Windows 10, version 1607 or Windows Server 2016:
+- Beginning with Windows 10, version 1607 or Windows Server 2016:
Hyper-V Hypervisor, which is enabled automatically. No further action is needed. -- With an earlier version of Windows 10, or Windows Server 2016 Technical Preview 5 or earlier:
+- With an earlier version of Windows 10:
Hyper-V Hypervisor and Isolated User Mode (shown in Figure 1). > **Note** You can configure these features by using Group Policy or Deployment Image Servicing and Management, or manually by using Windows PowerShell or the Windows Features dialog box. @@ -42,12 +42,8 @@ Hyper-V Hypervisor and Isolated User Mode (shown in Figure 1). **Figure 1. Enable operating system features for VBS, Windows 10, version 1511** -After you enable the feature or features, you can enable VBS for Device Guard, as described in the following sections. - ## Enable Virtualization Based Security (VBS) and Device Guard -Before you begin this process, verify that the target device meets the hardware and firmware requirements for the features that you want, as described in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). Also, confirm that you have enabled the Windows features discussed in the previous section, [Windows feature requirements for virtualization-based security](#windows-feature-requirements-for-virtualization-based-security-and-device-guard). - There are multiple ways to configure VBS features for Device Guard: - You can use the [readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337) rather than the procedures in this topic. @@ -68,7 +64,7 @@ There are multiple ways to configure VBS features for Device Guard: 3. Open the Group Policy Management Editor: right-click the new GPO, and then click **Edit**. -4. Within the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard. Right-click **Turn On Virtualization Based Security**, and then click **Edit**. +4. Within the selected GPO, navigate to Computer Configuration\\Policies\\Administrative Templates\\System\\Device Guard. Right-click **Turn On Virtualization Based Security**, and then click **Edit**.  @@ -91,7 +87,7 @@ There are multiple ways to configure VBS features for Device Guard: - With Windows 10, version 1607 or Windows Server 2016, choose an appropriate option:
For an initial deployment or test deployment, we recommend **Enabled without lock**.
When your deployment is stable in your environment, we recommend changing to **Enabled with lock**. This option helps protect the registry from tampering, either through malware or by an unauthorized person. - - With earlier versions of Windows 10, or Windows Server 2016 Technical Preview 5 or earlier:
Select the **Enable Virtualization Based Protection of Code Integrity** check box. + - With earlier versions of Windows 10:
Select the **Enable Virtualization Based Protection of Code Integrity** check box.  @@ -183,7 +179,7 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformS reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f -reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v " Unlocked" /t REG_DWORD /d 1 /f +reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Unlocked" /t REG_DWORD /d 1 /f ``` If you want to customize the preceding recommended settings, use the following settings. @@ -211,7 +207,7 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforc **To enable virtualization-based protection of Code Integrity policies without UEFI lock** ``` command -reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v " Unlocked" /t REG_DWORD /d 1 /f +reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Unlocked" /t REG_DWORD /d 1 /f ``` ### Validate enabled Device Guard hardware-based security features diff --git a/windows/keep-secure/domain-controller-ldap-server-signing-requirements.md b/windows/keep-secure/domain-controller-ldap-server-signing-requirements.md index 10001b50e6..9ef4617e9f 100644 --- a/windows/keep-secure/domain-controller-ldap-server-signing-requirements.md +++ b/windows/keep-secure/domain-controller-ldap-server-signing-requirements.md @@ -22,9 +22,9 @@ This policy setting determines whether the Lightweight Directory Access Protocol Unsigned network traffic is susceptible to man-in-the-middle attacks, where an intruder captures packets between the server and the client device and modifies them before forwarding them to the client device. In the case of an LDAP server, this means that a malicious user can cause a client device to make decisions based on false records from the LDAP directory. You can lower the risk of a malicious user accomplishing this in a corporate network by implementing strong physical security measures to protect the network infrastructure. Furthermore, implementing Internet Protocol security (IPsec) Authentication Header mode, which provides mutual authentication and packet integrity for IP traffic, can make all types of man-in-the-middle attacks extremely difficult. -This setting does not have any impact on LDAP simple bind or LDAP simple bind through SSL. +This setting does not have any impact on LDAP simple bind through SSL (LDAP TCP/636). -If signing is required, then LDAP simple bind and LDAP simple bind through SSL requests are rejected. +If signing is required, then LDAP simple binds not using SSL are rejected (LDAP TCP/389). >**Caution:** If you set the server to Require signature, you must also set the client device. Not setting the client device results in loss of connection with the server. diff --git a/windows/keep-secure/hello-errors-during-pin-creation.md b/windows/keep-secure/hello-errors-during-pin-creation.md index a362e1f253..3d85f75565 100644 --- a/windows/keep-secure/hello-errors-during-pin-creation.md +++ b/windows/keep-secure/hello-errors-during-pin-creation.md @@ -89,7 +89,7 @@ If the error occurs again, check the error code against the following table to s
+> • Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new computers. ## Device Guard requirements for baseline protections |Baseline Protections - requirement | Description | |---------------------------------------------|----------------------------------------------------| | Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. | -| Hardware: **CPU virtualization extensions**,
plus **extended page tables** | **Requirements**: These hardware features are required for VBS:
One of the following virtualization extensions:
- VT-x (Intel) or
- AMD-V
And:
- Extended page tables, also called Second Level Address Translation (SLAT).
**Security benefits**: VBS provides isolation of secure kernel from normal operating system. Vulnerabilities and Day 0s in normal operating system cannot be exploited because of this isolation. | +| Hardware: **CPU virtualization extensions**,
plus **extended page tables** | **Requirements**: These hardware features are required for VBS:
One of the following virtualization extensions:
• VT-x (Intel) or
• AMD-V
And:
• Extended page tables, also called Second Level Address Translation (SLAT).
**Security benefits**: VBS provides isolation of the secure kernel from the normal operating system. Vulnerabilities and zero-days in the normal operating system cannot be exploited because of this isolation. | | Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)
**Security benefits**: UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. | | Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).
**Security benefits**: UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. | | Software: **HVCI compatible drivers** | **Requirements**: See the Windows Hardware Compatibility Program requirements under [Filter.Driver.DeviceGuard.DriverCompatibility](https://msdn.microsoft.com/library/windows/hardware/mt589732(v=vs.85).aspx).
**Security benefits**: [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. | -| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT
Important:
Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.
**Security benefits**: Support for VBS and for management features that simplify configuration of Device Guard. | +| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise
Important:
Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.
**Security benefits**: Support for VBS and for management features that simplify configuration of Device Guard. | > **Important** The preceding table lists requirements for baseline protections. The following tables list requirements for improved security. You can use Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security, to significantly strengthen the level of security that Device Guard can provide. @@ -62,32 +62,34 @@ The following tables provide more information about the hardware, firmware, and The following tables describes additional hardware and firmware requirements, and the improved security that is available when those requirements are met. -### 2015 Additional Qualification Requirements for Device Guard (starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4) +### Additional Qualification Requirements starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4 | Protections for Improved Security - requirement | Description | |---------------------------------------------|----------------------------------------------------| -| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
- BIOS password or stronger authentication must be supported.
- In the BIOS configuration, BIOS authentication must be set.
- There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
- In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.
**Security benefits**:
- BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.
- Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. | +| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
• BIOS password or stronger authentication must be supported.
• In the BIOS configuration, BIOS authentication must be set.
• There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
• In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.
**Security benefits**:
• BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.
• Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. |
-### 2016 Additional Qualification Requirements for Device Guard (starting with Windows 10, version 1607, and Windows Server 2016) +### Additional Qualification Requirements starting with Windows 10, version 1607, and Windows Server 2016 > **Important** The following tables list requirements for improved security, beyond the level of protection described in the preceding tables. You can use Device Guard with hardware, firmware, and software that do not support the following protections for improved security. As your systems meet more requirements, more protections become available to them. | Protections for Improved Security - requirement | Description | |---------------------------------------------|----------------------------------------------------| -| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:
Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)
- The Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332(v=vs.85).aspx).
**Security benefits**:
- Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
- HSTI provides additional security assurance for correctly secured silicon and platform. | +| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:
Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)
• The Hardware Security Test Interface (HSTI) 1.1.a must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332.aspx).
**Security benefits**:
• Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
• HSTI 1.1.a provides additional security assurance for correctly secured silicon and platform. | | Firmware: **Firmware Update through Windows Update** | **Requirements**: Firmware must support field updates through Windows Update and UEFI encapsulation update.
**Security benefits**: Helps ensure that firmware updates are fast, secure, and reliable. | -| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
- Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
- Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.
**Security benefits**:
- Enterprises can choose to allow proprietary EFI drivers/applications to run.
- Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. | +| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
• Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
• Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.
**Security benefits**:
• Enterprises can choose to allow proprietary EFI drivers/applications to run.
• Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. |
-### 2017 Additional Qualification Requirements for Device Guard (announced as options for future Windows operating systems for 2017) +### Additional Qualification Requirements starting with Windows 10, version 1703 -| Protections for Improved Security - requirement | Description | +The following table lists requirements for Windows 10, version 1703, which are in addition to all preceding requirements. + +| Protection for Improved Security | Description | |---------------------------------------------|----------------------------------------------------| -| Firmware: **UEFI NX Protections** | **Requirements**:
- All UEFI memory that is marked executable must be read only. Memory marked writable must not be executable.
UEFI Runtime Services:
- Must implement the UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. The entire UEFI runtime must be described by this table.
- All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both.
- No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory MUST be either readable and executable OR writeable and non-executable.
**Security benefits**:
- Protects against potential vulnerabilities in UEFI runtime in functions such as Update Capsule, Set Variables, and so on, so they can't compromise VBS.
- Reduces attack surface to VBS from system firmware. | -| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.
**Security benefits**:
- Protects against potential vulnerabilities in UEFI runtime in functions such as Update Capsule, Set Variables, and so on, so they can't compromise VBS.
- Reduces attack surface to VBS from system firmware.
- Blocks additional security attacks against SMM. | +| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:
• VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be exceutable.
• UEFI runtime service must meet these requirements:
• Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
• PE sections need to be page-aligned in memory (not required for in non-volitile storage).
• The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
• All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
• No entries may be left with neither of the above attributes, indicating memory that is both exceutable and writable. Memory must be either readable and executable or writeable and non-executable.
Notes:
• This only applies to UEFI runtime service memory, and not UEFI boot service memory.
• This protection is applied by VBS on OS page tables.
Please also note the following:
• Do not use sections that are both writeable and exceutable
• Do not attempt to directly modify executable system memory
• Do not use dynamic code
**Security benefits**:
• Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware. | +| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.
**Security benefits**:
• Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware.
• Blocks additional security attacks against SMM. | ## Device Guard deployment in different scenarios: types of devices @@ -95,9 +97,9 @@ Typically, deployment of Device Guard happens best in phases, rather than being | **Type of device** | **How Device Guard relates to this type of device** | **Device Guard components that you can use to protect this kind of device** | |------------------------------------|------------------------------------------------------|--------------------------------------------------------------------------------| -| **Fixed-workload devices**: Perform same tasks every day.
Lists of approved applications rarely change.
Examples: kiosks, point-of-sale systems, call center computers. | Device Guard can be deployed fully, and deployment and ongoing administration are relatively straightforward.
After Device Guard deployment, only approved applications can run. This is because of protections offered by the Hypervisor Code Integrity (HVCI) service. | - VBS (hardware-based) protections, enabled.
- Code integrity policies in enforced mode, with UMCI enabled. | -| **Fully managed devices**: Allowed software is restricted by IT department.
Users can request additional software, or install from a list of applications provided by IT department.
Examples: locked-down, company-owned desktops and laptops. | An initial baseline code integrity policy can be established and enforced. Whenever the IT department approves additional applications, it will update the code integrity policy and (for unsigned LOB applications) the catalog.
Code integrity policies are supported by the HVCI service. | - VBS (hardware-based) protections, enabled.
- Code integrity policies in enforced mode, with UMCI enabled. | -| **Lightly managed devices**: Company-owned, but users are free to install software.
Devices are required to run organization's antivirus solution and client management tools. | Device Guard can be used to help protect the kernel, and to monitor (audit) for problem applications rather than limiting the applications that can be run. | - VBS (hardware-based) protections, enabled. When enabled with a code integrity policy in audit mode only, VBS means the hypervisor helps enforce the default kernel-mode code integrity policy, which protects against unsigned drivers or system files.
- Code integrity policies, with UMCI enabled, but running in audit mode only. This means applications are not blocked—the policy just logs an event whenever an application outside the policy is started. | +| **Fixed-workload devices**: Perform same tasks every day.
Lists of approved applications rarely change.
Examples: kiosks, point-of-sale systems, call center computers. | Device Guard can be deployed fully, and deployment and ongoing administration are relatively straightforward.
After Device Guard deployment, only approved applications can run. This is because of protections offered by the Hypervisor Code Integrity (HVCI) service. | - VBS (hardware-based) protections, enabled.
• Code integrity policies in enforced mode, with UMCI enabled. | +| **Fully managed devices**: Allowed software is restricted by IT department.
Users can request additional software, or install from a list of applications provided by IT department.
Examples: locked-down, company-owned desktops and laptops. | An initial baseline code integrity policy can be established and enforced. Whenever the IT department approves additional applications, it will update the code integrity policy and (for unsigned LOB applications) the catalog.
Code integrity policies are supported by the HVCI service. | - VBS (hardware-based) protections, enabled.
• Code integrity policies in enforced mode, with UMCI enabled. | +| **Lightly managed devices**: Company-owned, but users are free to install software.
Devices are required to run organization's antivirus solution and client management tools. | Device Guard can be used to help protect the kernel, and to monitor (audit) for problem applications rather than limiting the applications that can be run. | - VBS (hardware-based) protections, enabled. When enabled with a code integrity policy in audit mode only, VBS means the hypervisor helps enforce the default kernel-mode code integrity policy, which protects against unsigned drivers or system files.
• Code integrity policies, with UMCI enabled, but running in audit mode only. This means applications are not blocked—the policy just logs an event whenever an application outside the policy is started. | | **Bring Your Own Device**: Employees are allowed to bring their own devices, and also use those devices away from work. | Device Guard does not apply. Instead, you can explore other hardening and security features with MDM-based conditional access solutions, such as Microsoft Intune. | N/A | ## Device Guard deployment in virtual machines diff --git a/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md index c2f45e90ed..088a82e8d9 100644 --- a/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md @@ -26,8 +26,8 @@ This section addresses issues that might arise as you use the Windows Defender A If you encounter a server error when trying to access the service, you’ll need to change your browser cookie settings. Configure your browser to allow cookies. -### Data is missing on the portal -If data is missing on the Windows Defender ATP portal it’s possible that proxy settings are blocking it. +### Elements or data missing on the portal +If some UI elements or data is missing on the Windows Defender ATP portal it’s possible that proxy settings are blocking it. Make sure that `*.securitycenter.windows.com` is included the proxy whitelist. diff --git a/windows/manage/TOC.md b/windows/manage/TOC.md index f5417ba0f7..70f2e9290f 100644 --- a/windows/manage/TOC.md +++ b/windows/manage/TOC.md @@ -162,6 +162,7 @@ ### [Troubleshooting App-V](appv-troubleshooting.md) ### [Technical Reference for App-V](appv-technical-reference.md) #### [Performance Guidance for Application Virtualization](appv-performance-guidance.md) + #### [Application Publishing and Client Interaction](appv-application-publishing-and-client-interaction.md) #### [Viewing App-V Server Publishing Metadata](appv-viewing-appv-server-publishing-metadata.md) #### [Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications](appv-running-locally-installed-applications-inside-a-virtual-environment.md) @@ -221,4 +222,5 @@ #### [Update Windows Store for Business account settings](update-windows-store-for-business-account-settings.md) #### [Manage user accounts in Windows Store for Business](manage-users-and-groups-windows-store-for-business.md) ### [Troubleshoot Windows Store for Business](troubleshoot-windows-store-for-business.md) +## [Windows Libraries](windows-libraries.md) ## [Change history for Manage and update Windows 10](change-history-for-manage-and-update-windows-10.md) diff --git a/windows/manage/change-history-for-manage-and-update-windows-10.md b/windows/manage/change-history-for-manage-and-update-windows-10.md index dcbdb109c3..13a0de7e4f 100644 --- a/windows/manage/change-history-for-manage-and-update-windows-10.md +++ b/windows/manage/change-history-for-manage-and-update-windows-10.md @@ -18,6 +18,7 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in | New or changed topic | Description | | --- | --- | +| [Windows Libraries](windows-libraries.md) | New | | [Monitor Windows Updates with Update Compliance](update-compliance-monitor.md) | New | | [Get started with Update Compliance](update-compliance-get-started.md) | New | | [Use Update Compliance to monitor Windows Updates](update-compliance-using.md) | New | @@ -185,4 +186,4 @@ The topics in this library have been updated for Windows 10, version 1607 (also [Change history for Keep Windows 10 secure](../keep-secure/change-history-for-keep-windows-10-secure.md) - \ No newline at end of file + diff --git a/windows/manage/cortana-at-work-o365.md b/windows/manage/cortana-at-work-o365.md index d58663dc00..764b5638e0 100644 --- a/windows/manage/cortana-at-work-o365.md +++ b/windows/manage/cortana-at-work-o365.md @@ -57,7 +57,7 @@ Cortana can only access data in your Office 365 org when it’s turned on. If yo **To turn off Cortana with Office 365** 1. [Sign in to Office 365](http://www.office.com/signin) using your Azure AD account. -2. Go to the [Office 365 admin center](https://support.office.com/en-us/article/Office-365-admin-center-58537702-d421-4d02-8141-e128e3703547). +2. Go to the [Office 365 admin center](https://support.office.com/article/Office-365-admin-center-58537702-d421-4d02-8141-e128e3703547). 3. Expand **Service Settings**, and select **Cortana**. diff --git a/windows/manage/cortana-at-work-overview.md b/windows/manage/cortana-at-work-overview.md index 96064364c3..29a9ab3bba 100644 --- a/windows/manage/cortana-at-work-overview.md +++ b/windows/manage/cortana-at-work-overview.md @@ -59,6 +59,6 @@ Cortana is covered under the [Microsoft Privacy Statement](https://privacy.micro - [Cortana and Windows](http://go.microsoft.com/fwlink/?LinkId=717384) -- [Known issues for Windows Desktop Search and Cortana in Windows 10](http://support.microsoft.com/kb/3206883/EN-US) +- [Known issues for Windows Desktop Search and Cortana in Windows 10](https://support.microsoft.com/help/3206883/known-issues-for-windows-desktop-search-and-cortana-in-windows-10) - [Cortana for developers](http://go.microsoft.com/fwlink/?LinkId=717385) diff --git a/windows/manage/cortana-at-work-powerbi.md b/windows/manage/cortana-at-work-powerbi.md index 98b90f572f..979cde3b57 100644 --- a/windows/manage/cortana-at-work-powerbi.md +++ b/windows/manage/cortana-at-work-powerbi.md @@ -19,7 +19,7 @@ localizationpriority: high Integration between Cortana and Power BI shows how Cortana can work with custom business analytics solutions to enable you to get answers directly from your key business data, including introducing new features that let you create custom Cortana “answers” using the full capabilities of Power BI Desktop. >[!Note] ->Cortana for Power BI is currently only available in English. For more info about Cortana and Power BI, see [Use Power BI to create a custom Answer Page for Cortana](https://powerbi.microsoft.com/en-us/documentation/powerbi-service-cortana-desktop-entity-cards/). +>Cortana for Power BI is currently only available in English. For more info about Cortana and Power BI, see [Use Power BI to create a custom Answer Page for Cortana](https://powerbi.microsoft.com/documentation/powerbi-service-cortana-desktop-entity-cards/). ## Before you begin To use this walkthrough, you’ll need: @@ -135,4 +135,4 @@ Now that you’ve set up your device, you can use Cortana to show your info from  >[!NOTE] ->For more info about how to connect your own data, build your own custom Power BI cards and Answer Pages for Cortana, and how to share the cards with everyone in your organization, see [Use Power BI to create a custom Answer Page for Cortana](https://powerbi.microsoft.com/en-us/documentation/powerbi-service-cortana-desktop-entity-cards/). +>For more info about how to connect your own data, build your own custom Power BI cards and Answer Pages for Cortana, and how to share the cards with everyone in your organization, see [Use Power BI to create a custom Answer Page for Cortana](https://powerbi.microsoft.com/documentation/powerbi-service-cortana-desktop-entity-cards/). diff --git a/windows/manage/cortana-at-work-voice-commands.md b/windows/manage/cortana-at-work-voice-commands.md index 766a5914ad..2e2743fa61 100644 --- a/windows/manage/cortana-at-work-voice-commands.md +++ b/windows/manage/cortana-at-work-voice-commands.md @@ -19,7 +19,7 @@ localizationpriority: high Working with a developer, you can create voice commands that use Cortana to perform voice-enabled actions in your line-of-business (LOB) Universal Windows Platform (UWP) apps. These voice-enabled actions can reduce the time necessary to access your apps and to complete simple actions. >[!NOTE] ->For more info about how your developer can extend your current apps to work directly with Cortana, see [Cortana interactions in UWP apps](https://msdn.microsoft.com/en-us/windows/uwp/input-and-devices/cortana-interactions). +>For more info about how your developer can extend your current apps to work directly with Cortana, see [The Cortana Skills Kit](https://docs.microsoft.com/cortana/getstarted). ## High-level process Cortana uses a Voice Command Definition (VCD) file, aimed at an installed app, to define the actions that are to happen during certain vocal commands. A VCD file can be very simple to very complex, supporting anything from a single sound to a collection of more flexible, natural language sounds, all with the same intent. @@ -30,9 +30,9 @@ To enable voice commands in Cortana Cortana can perform actions on apps in the foreground (taking focus from Cortana) or in the background (allowing Cortana to keep focus). We recommend that you decide where an action should happen, based on what your voice command is intended to do. For example, if your voice command requires employee input, it’s best for that to happen in the foreground. However, if the app only uses basic commands and doesn’t require interaction, it can happen in the background. - - **Start Cortana with focus on your app, using specific voice-enabled statements.** [Create and install a VCD file that starts a foreground app using voice commands and Cortana](https://msdn.microsoft.com/en-us/windows/uwp/input-and-devices/launch-a-foreground-app-with-voice-commands-in-cortana). + - **Start Cortana with focus on your app, using specific voice-enabled statements.** [Create and install a VCD file that starts a foreground app using voice commands and Cortana](https://docs.microsoft.com/cortana/voicecommands/launch-a-foreground-app-with-voice-commands-in-cortana). - - **Start Cortana removing focus from your app, using specific voice-enabled statements.** [Create and install a VCD file that starts a background app using voice commands and Cortana](https://msdn.microsoft.com/en-us/windows/uwp/input-and-devices/launch-a-background-app-with-voice-commands-in-cortana). + - **Start Cortana removing focus from your app, using specific voice-enabled statements.** [Create and install a VCD file that starts a background app using voice commands and Cortana](https://docs.microsoft.com/cortana/voicecommands/launch-a-background-app-with-voice-commands-in-cortana). 2. **Install the VCD file on employees' devices**. You can use System Center Configuration Manager or Microsoft Intune to deploy and install the VCD file on your employees' devices, the same way you deploy and install any other package in your organization. diff --git a/windows/manage/group-policies-for-enterprise-and-education-editions.md b/windows/manage/group-policies-for-enterprise-and-education-editions.md index 40c5250e62..0eb86b635e 100644 --- a/windows/manage/group-policies-for-enterprise-and-education-editions.md +++ b/windows/manage/group-policies-for-enterprise-and-education-editions.md @@ -28,7 +28,7 @@ In Windows 10, version 1607, the following Group Policy settings apply only to W | **Start layout** | User Configuration\Administrative Templates\Start Menu and Taskbar | For more info, see [Manage Windows 10 Start layout options and policies](windows-10-start-layout-options-and-policies.md) | | **Turn off the Store application** | Computer Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application
User Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application | For more info, see [Knowledge Base article# 3135657](https://support.microsoft.com/kb/3135657). | | **Only display the private store within the Windows Store app** | Computer Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Windows Store app
User Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Windows Store app | For more info, see [Manage access to private store](manage-access-to-private-store.md) | -| **Don't search the web or display web results** | Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results | For more info, see [Cortana integration in your enterprise](manage-cortana-in-enterprise.md) | +| **Don't search the web or display web results** | Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results | For more info, see [Cortana integration in your enterprise](cortana-at-work-overview.md) | diff --git a/windows/manage/index.md b/windows/manage/index.md index 61fd0bf61e..bdb730b559 100644 --- a/windows/manage/index.md +++ b/windows/manage/index.md @@ -72,6 +72,10 @@ Learn about managing and updating Windows 10.
[Windows Store for Business](windows-store-for-business.md)
Welcome to the Windows Store for Business! You can use the Store for Business, to find, acquire, distribute, and manage apps for your organization.
[Windows Libraries](windows-libraries.md)
Libraries are virtual containers for users’ content. A library can contain files and folders stored on the local computer or in a remote storage location. Libraries are built upon the legacy known folders (such as My Documents, My Pictures, and My Music).
[Change history for Manage and update Windows 10](change-history-for-manage-and-update-windows-10.md)
This topic lists new and updated topics in the Manage and update Windows 10 documentation for [Windows 10 and Windows 10 Mobile](../index.md).
- Using Microsoft Mobile Device Management (MDM)
- Microsoft’s Mobile Device Management can be used to deploy your Commercial ID to your organization’s devices. The Commercial ID is listed under **Provider/ProviderID/CommercialID**. More information on deployment using MDM can be found [here](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/dmclient-csp).
+ Microsoft’s Mobile Device Management can be used to deploy your Commercial ID to your organization’s devices. The Commercial ID is listed under **Provider/ProviderID/CommercialID**. More information on deployment using MDM can be found [here](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/dmclient-csp).
+
+ For information on how to use MDM configuration CSPs, see [Introduction to configuration service providers (CSPs) for IT pros](https://technet.microsoft.com/en-us/itpro/windows/manage/how-it-pros-can-use-configuration-service-providers).
+
+ When using the Intune console, you can use the OMA-URI settings of a [custom policy](https://go.microsoft.com/fwlink/p/?LinkID=616316) to configure the commercial ID. The OMA-URI (case sensitive) path for configuring the commerical ID is:
./Vendor/MSFT/DMClient/Provider/ProviderID/CommercialID+ + For example, you can use the following values in **Add or edit OMA-URI Setting**: + + **Setting Name**: Windows Analytics Commercial ID
+ **Setting Description**: Configuring commercial id for Windows Analytics solutions
+ **Data Type**: String
+ **OMA-URI (case sensitive)**: ./Vendor/MSFT/DMClient/Provider/ProviderID/CommercialID
+ **Value**: \