Merge remote-tracking branch 'refs/remotes/origin/master' into Fixing-typos

2025-05-27 20:57:23 +00:00 · 2016-08-03 10:24:45 -07:00 · 2016-08-03 10:24:45 -07:00 · d8870c65d4
commit d8870c65d4
parent 8244358ccc 198c4a8157
16 changed files with 95 additions and 33 deletions
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@ -25,6 +25,20 @@
        "Conceptual": "Content"
      }
    },
+    {
+      "docset_name": "itpro-hololens",
+      "build_source_folder": "devices/hololens",
+      "build_output_subfolder": "devices/hololens",
+      "locale": "en-us",
+      "version": 0,
+      "open_to_public_contributors": false,
+      "type_mapping": {
+        "Conceptual": "Content",
+        "ManagedReference": "Content",
+        "RestApi": "Content"
+      },
+      "build_entry_point": "op"
+    },
    {
      "docset_name": "mdop",
      "build_source_folder": "mdop",
@ -79,20 +93,6 @@
      "type_mapping": {
        "Conceptual": "Content"
      }
-    },
-    {
-      "docset_name": "itpro-hololens",
-      "build_source_folder": "itpro/hololens",
-      "build_output_subfolder": "itpro-hololens",
-      "locale": "en-us",
-      "version": 0,
-      "open_to_public_contributors": false,
-      "type_mapping": {
-        "Conceptual": "Content",
-        "ManagedReference": "Content",
-        "RestApi": "Content"
-      },
-      "build_entry_point": "op"
    }
  ],
  "notification_subscribers": [
@ -104,4 +104,4 @@
  "git_repository_url_open_to_public_contributors": "",
  "skip_source_output_uploading": false,
  "dependent_repositories": []
-}
+}
--- a/devices/hololens/TOC.md
+++ b/devices/hololens/TOC.md
--- a/devices/hololens/docfx.json
+++ b/devices/hololens/docfx.json
@ -7,7 +7,7 @@
        ],
        "exclude": [
          "**/obj/**",
-          "itpro-hololens/**",
+          "devices/hololens/**",
          "**/includes/**"
        ]
      }
@ -20,7 +20,7 @@
        ],
        "exclude": [
          "**/obj/**",
-          "itpro-hololens/**",
+          "devices/hololens/**",
          "**/includes/**"
        ]
      }
@ -32,6 +32,6 @@
    "template": [
      null
    ],
-    "dest": "itpro-hololens"
+    "dest": "devices/hololens"
  }
-}
+}
--- a/devices/hololens/index.md
+++ b/devices/hololens/index.md
--- a/devices/surface-hub/create-and-test-a-device-account-surface-hub.md
+++ b/devices/surface-hub/create-and-test-a-device-account-surface-hub.md
@ -55,11 +55,11 @@ These properties represent the minimum configuration for a device account to wor
 </thead>
 <tbody>
 <tr class="odd">
-<td align="left"><p>Exchange mailbox (Exchange 2010 or later, or Exchange Online)</p></td>
+<td align="left"><p>Exchange mailbox (Exchange 2013 or later, or Exchange Online)</p></td>
 <td align="left"><p>Enabling the account with an Exchange mailbox gives the device account the capability to receive and send both mail and meeting requests, and to display a meetings calendar on the Surface Hub’s welcome screen. The Surface Hub mailbox must be a room mailbox.</p></td>
 </tr>
 <tr class="even">
-<td align="left"><p>Skype for Business-enabled (Lync/Skype for Business 2010 or later or Skype for Business Online)</p></td>
+<td align="left"><p>Skype for Business-enabled (Lync/Skype for Business 2013 or later or Skype for Business Online)</p></td>
 <td align="left"><p>Skype for Business must be enabled in order to use various conferencing features, like video calls, IM, and screen-sharing.</p></td>
 </tr>
 <tr class="odd">
--- a/devices/surface-hub/intro-to-surface-hub.md
+++ b/devices/surface-hub/intro-to-surface-hub.md
@ -33,7 +33,7 @@ The capabilities of your Surface Hub will depend on what other Microsoft product
 <tbody>
 <tr class="odd">
 <td align="left"><p>One-touch meeting join, meetings calendar, and email (for example, sending whiteboards)</p></td>
-<td align="left"><p>Device account with Microsoft Exchange 2010 or later, or Exchange Online and a network connection to where the account is hosted.</p></td>
+<td align="left"><p>Device account with Microsoft Exchange 2013 or later, or Exchange Online and a network connection to where the account is hosted.</p></td>
 </tr>
 <tr class="even">
 <td align="left"><p>Meetings using Skype for Business</p></td>
--- a/windows/keep-secure/TOC.md
+++ b/windows/keep-secure/TOC.md
@ -37,6 +37,7 @@
 #### [Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md)
 #### [Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md)
 ## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md)
+## [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md)
 ## [VPN profile options](vpn-profile-options.md)
 ## [Windows security baselines](windows-security-baselines.md)
 ## [Security technologies](security-technologies.md)
--- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md
+++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md
@ -12,6 +12,9 @@ author: brianlic-msft
 # Change history for Keep Windows 10 secure
 This topic lists new and updated topics in the [Keep Windows 10 secure](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).

+## August 2016
+- [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md) |New |
+
 ## RELEASE: Windows 10, version 1607

 The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). The following new topics have been added:
--- a/windows/keep-secure/credential-guard.md
+++ b/windows/keep-secure/credential-guard.md
@ -115,6 +115,11 @@ The PC must meet the following hardware and software requirements to use Credent
 <td align="left"><p>Virtual machine</p></td>
 <td align="left"><p>For PCs running Windows 10, version 1607, you can run Credential Guard on a Generation 2 virtual machine.</p></td>
 </tr>
+</tr>
+<tr class="even">
+<td align="left"><p>Hypervisor</p></td>
+<td align="left"><p>Only the Windows hypervisor is supported.</p></td>
+</tr>
 </tbody>
 </table>
  
--- a/windows/keep-secure/enable-pua-windows-defender-for-windows-10.md
+++ b/windows/keep-secure/enable-pua-windows-defender-for-windows-10.md
@ -32,7 +32,7 @@ Since the stakes are higher in an enterprise environment, the potential disaster

 ##Enable PUA protection in SCCM and Intune

-The PUA feature is available for enterprise users who are running System Center Configuration Manager (SCCM) or Microsoft Intune in their infrastructure.
+The PUA feature is available for enterprise users who are running System Center Configuration Manager (SCCM) or Intune in their infrastructure.

 ###Configure PUA in SCCM

@ -53,10 +53,8 @@ You can use PowerShell to detect PUA without blocking them. In fact, you can run
    a.  Click **Start**, type **powershell**, and press **Enter**.

    b.  Click **Windows PowerShell** to open the interface.
-    
    > [!NOTE]
    > You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
-    
 2. Enter the PowerShell command:

  ```text
@ -89,15 +87,12 @@ You can find a complete list of the Microsoft antimalware event IDs, the symbol,

 ##What PUA notifications look like

-When a detection occurs, end users who enabled the PUA detection feature will see the following notification:<br>
+When a detection occurs, end users who enabled the PUA detection feature will see the following notification:

-![Image showing the potentally unwanted application detection](images/pua1.png)

-To see historical PUA detections that occurred on a PC, users can go to History, then **Quarantined items** or **All detected items**.<br>
+To see historical PUA detections that occurred on a PC, users can go to History, then **Quarantined items** or **All detected items**.

-![Image showing the potentally unwanted application detection history](images/pua2.png)
-
-##PUA threat file-naming convention
+##PUA threat naming convention

 When enabled, potentially unwanted applications are identified with threat names that start with “PUA:”, such as, PUA:Win32/Creprote.

@ -105,6 +100,5 @@ When enabled, potentially unwanted applications are identified with threat names

 PUA protection quarantines the file so they won’t run. PUA will be blocked only at download or install-time. A file will be included for blocking if it has been identified as PUA and meets one of the following conditions:
 *	The file is being scanned from the browser
-*	The file has [Mark of the Web](https://msdn.microsoft.com/en-us/library/ms537628%28v=vs.85%29.aspx) set
 *	The file is in the %downloads% folder
 *	Or if the file in the %temp% folder
--- a/windows/keep-secure/images/gp-process-mitigation-options-bit-flag-image.png
+++ b/windows/keep-secure/images/gp-process-mitigation-options-bit-flag-image.png
--- a/windows/keep-secure/images/gp-process-mitigation-options-show.png
+++ b/windows/keep-secure/images/gp-process-mitigation-options-show.png
--- a/windows/keep-secure/images/gp-process-mitigation-options.png
+++ b/windows/keep-secure/images/gp-process-mitigation-options.png
--- a/windows/keep-secure/index.md
+++ b/windows/keep-secure/index.md
@ -25,6 +25,7 @@ Learn about keeping Windows 10 and Windows 10 Mobile secure.
 | [Protect Remote Desktop credentials with Remote Credential Guard](remote-credential-guard.md) | Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that's requesting the connection. |
 | [Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) | With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage. |
 | [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md) | Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected. |
+|[Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md) |Use Group Policy to override individual **Process Mitigation Options** settings and help to enforce specific app-related security policies. |
 | [VPN profile options](vpn-profile-options.md) | Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect. |
 | [Windows security baselines](windows-security-baselines.md) | Learn why you should use security baselines in your organization. |
 | [Security technologies](security-technologies.md) | Learn more about the different security technologies that are available in Windows 10 and Windows 10 Mobile. |
--- a/windows/keep-secure/override-mitigation-options-for-app-related-security-policies.md
+++ b/windows/keep-secure/override-mitigation-options-for-app-related-security-policies.md
@ -0,0 +1,58 @@
+
+---
+title: Override Process Mitigation Options to help enforce app-related security policies (Windows 10)
+description: How to use Group Policy to override individual Process Mitigation Options settings and to help enforce specific app-related security policies.
+keywords: Process Mitigation Options, Mitigation Options, Group Policy Mitigation Options
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.pagetype: security
+ms.sitesec: library
+---
+
+
+# Override Process Mitigation Options to help enforce app-related security policies
+
+**Applies to:**
+
+-   Windows 10, version 1607
+-   Windows Server 2016
+
+Use Group Policy to override individual **Process Mitigation Options** settings and help to enforce specific app-related security policies.
+
+**To modify Process Mitigation Options**
+
+1. Open your Group Policy editor and go to the **Administrative Templates\System\Mitigation Options\Process Mitigation Options** setting.
+
+    ![Group Policy editor: Process Mitigation Options with setting enabled and Show button active](images/gp-process-mitigation-options.png)
+
+2. Click **Enabled**, and then in the **Options** area, click **Show** to open the **Show Contents** box, where you’ll be able to add your apps and the appropriate bit flag values, as shown in the [Setting the bit field](#setting-the-bit-field) and [Example](#example) sections of this topic.
+
+    **Important**<br>For each app you want to include, you must include:
+    
+    - **Value name.** The app file name, including the extension. For example, iexplore.exe.
+    - **Value.** A bit field with a series of bit flags in particular positions. Bits can be set to 0 (where the setting is forced off), 1 (where the setting is forced on), or ? (where the setting retains the previous, existing value).
+    
+        **Note**<br>Setting bit flags in positions not specified here to anything other than ? might cause undefined behavior.
+
+    ![Group Policy editor: Process Mitigation Options with Show Contents box and example text](images/gp-process-mitigation-options-show.png)
+
+## Setting the bit field
+Here’s a visual representation of the bit flag locations for the various Process Mitigation Options settings:
+
+![Visual representation of the bit flag locations for the Process Mitigation Options settings](images/gp-process-mitigation-options-bit-flag-image.png)
+
+Where the bit flags are read from right to left and are defined as:
+
+|Flag |Bit location |Setting |Details |
+|-----|--------------|--------|--------|
+|A |0 |PROCESS_CREATION_MITIGATION_<br>POLICY_DEP_ENABLE (0x00000001) |Turns on Data Execution Prevention (DEP) for child processes. |
+|B |1 |PROCESS_CREATION_MITIGATION_<br>POLICY_DEP_ATL_THUNK_ENABLE (0x00000002) |Turns on DEP-ATL thunk emulation for child processes. DEP-ATL thunk emulation lets the system intercept non-executable (NX) faults that originate from the Active Template Library (ATL) thunk layer, and then emulate and handle the instructions so the process can continue to run. |
+|C |2 |PROCESS_CREATION_MITIGATION_<br>POLICY_SEHOP_ENABLE (0x00000004) |Turns on Structured Exception Handler Overwrite Protection (SEHOP) for child processes. SEHOP helps to block exploits that use the Structured Exception Handler (SEH) overwrite technique. |
+|D |8 |PROCESS_CREATION_MITIGATION_<br>POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON (0x00000100) |Uses the force Address Space Layout Randomization (ASLR) setting to act as though an image base collision happened at load time, forcibly rebasing images that aren’t dynamic base compatible. Images without the base relocation section won’t be loaded if relocations are required. |
+|E |15 |PROCESS_CREATION_MITIGATION_<br>POLICY_BOTTOM_UP_ASLR_ALWAYS_ON (0x00010000) |Turns on the bottom-up randomization policy, which includes stack randomization options and causes a random location to be used as the lowest user address. |
+|F |16 |PROCESS_CREATION_MITIGATION_<br>POLICY_BOTTOM_UP_ASLR_ALWAYS_OFF (0x00020000) |Turns off the bottom-up randomization policy, which includes stack randomization options and causes a random location to be used as the lowest user address. |
+    
+## Example
+If you want to turn on the **PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE** and **PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON** settings, turn off the **PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_OFF** setting, and leave everything else as the default values, you’d want to type a value of `???????????????0???????1???????1`.
+
+
--- a/windows/keep-secure/protect-enterprise-data-using-wip.md
+++ b/windows/keep-secure/protect-enterprise-data-using-wip.md
@ -16,7 +16,7 @@ author: eross-msft
 -   Windows 10, version 1607
 -   Windows 10 Mobile

-With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures to their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage.
+With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage.

 Windows Information Protection (WIP) helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps. Finally, another data protection technology, Azure Rights Management also works alongside WIP to extend data protection for data that leaves the device, such as when email attachments are sent from an enterprise aware version of a rights management mail client.