deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-13 22:07:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'refs/remotes/origin/master' into jd-sandbox

Browse Source
This commit is contained in:
jdeckerMS 2016-05-10 06:46:34 -07:00
commit db75be9ff0
20 changed files with 3088 additions and 2542 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

318
mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md
View File

@ -57,268 +57,66 @@ This topic explains how to enable BitLocker on an end user's computer by using M
<a href="" id="mbam-machine-wmi-class"></a>**MBAM\_Machine WMI Class**
**PrepareTpmAndEscrowOwnerAuth:** Reads the TPM OwnerAuth and sends it to the MBAM recovery database by using the MBAM recovery service. If the TPM is not owned and auto-provisioning is not on, it generates a TPM OwnerAuth and takes ownership. If it fails, an error code is returned for troubleshooting.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Parameter</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>RecoveryServiceEndPoint</p></td>
<td align="left"><p>A string specifying the MBAM recovery service endpoint.</p></td>
</tr>
</tbody>
</table>
| Parameter | Description |
| -------- | ----------- |
| RecoveryServiceEndPoint | A string specifying the MBAM recovery service endpoint. |
 
Here are a list of common error messages:
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Common return values</th>
<th align="left">Error message</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p><strong>S_OK</strong></p>
<p>0 (0x0)</p></td>
<td align="left"><p>The method was successful</p></td>
</tr>
<tr class="even">
<td align="left"><p><strong>MBAM_E_TPM_NOT_PRESENT</strong></p>
<p>2147746304 (0x80040200)</p></td>
<td align="left"><p>TPM is not present in the computer or is disabled in the BIOS configuration.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><strong>MBAM_E_TPM_INCORRECT_STATE</strong></p>
<p>2147746305 (0x80040201)</p></td>
<td align="left"><p>TPM is not in the correct state (enabled, activated and owner installation allowed).</p></td>
</tr>
<tr class="even">
<td align="left"><p><strong>MBAM_E_TPM_AUTO_PROVISIONING_PENDING</strong></p>
<p>2147746306 (0x80040202)</p></td>
<td align="left"><p>MBAM cannot take ownership of TPM because auto-provisioning is pending. Try again after auto-provisioning is completed.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><strong>MBAM_E_TPM_OWNERAUTH_READFAIL</strong></p>
<p>2147746307 (0x80040203)</p></td>
<td align="left"><p>MBAM cannot read the TPM owner authorization value. The value might have been removed after a successful escrow. On Windows 7, MBAM cannot read the value if the TPM is owned by others.</p></td>
</tr>
<tr class="even">
<td align="left"><p><strong>MBAM_E_REBOOT_REQUIRED</strong></p>
<p>2147746308 (0x80040204)</p></td>
<td align="left"><p>The computer must be restarted to set TPM to the correct state. You might need to manually reboot the computer.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><strong>MBAM_E_SHUTDOWN_REQUIRED</strong></p>
<p>2147746309 (0x80040205)</p></td>
<td align="left"><p>The computer must be shut down and turned back on to set TPM to the correct state. You might need to manually reboot the computer.</p></td>
</tr>
<tr class="even">
<td align="left"><p><strong>WS_E_ENDPOINT_ACCESS_DENIED</strong></p>
<p>2151481349 (0x803D0005)</p></td>
<td align="left"><p>Access was denied by the remote endpoint.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><strong>WS_E_ENDPOINT_NOT_FOUND</strong></p>
<p>2151481357 (0x803D000D)</p></td>
<td align="left"><p>The remote endpoint does not exist or could not be located.</p></td>
</tr>
<tr class="even">
<td align="left"><p><strong>WS_E_ENDPOINT_FAILURE</strong></p>
<p>2151481357 (0x803D000F)</p></td>
<td align="left"><p>The remote endpoint could not process the request.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><strong>WS_E_ENDPOINT_UNREACHABLE</strong></p>
<p>2151481360 (0x803D0010)</p></td>
<td align="left"><p>The remote endpoint was not reachable.</p></td>
</tr>
<tr class="even">
<td align="left"><p><strong>WS_E_ENDPOINT_FAULT_RECEIVED</strong></p>
<p>2151481363 (0x803D0013)</p></td>
<td align="left"><p>A message containing a fault was received from the remote endpoint. Make sure you are connecting to the correct service endpoint.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><strong>WS_E_INVALID_ENDPOINT_URL</strong></p>
<p>2151481376 (0x803D0020)</p></td>
<td align="left"><p>The endpoint address URL is not valid. The URL must start with “http” or “https”.</p></td>
</tr>
</tbody>
</table>
 
| Common return values | Error message |
| -------------------- | ------------- |
| **S_OK**<br />0 (0x0) | The method was successful. |
| **MBAM_E_TPM_NOT_PRESENT**<br />2147746304 (0x80040200) | TPM is not present in the computer or is disabled in the BIOS configuration. |
| **MBAM_E_TPM_INCORRECT_STATE**<br />2147746305 (0x80040201) | TPM is not in the correct state (enabled, activated and owner installation allowed). |
| **MBAM_E_TPM_AUTO_PROVISIONING_PENDING**<br />2147746306 (0x80040202) | MBAM cannot take ownership of TPM because auto-provisioning is pending. Try again after auto-provisioning is completed. |
| **MBAM_E_TPM_OWNERAUTH_READFAIL**<br />2147746307 (0x80040203) | MBAM cannot read the TPM owner authorization value. The value might have been removed after a successful escrow. On Windows 7, MBAM cannot read the value if the TPM is owned by others. |
| **MBAM_E_REBOOT_REQUIRED**<br />2147746308 (0x80040204) | The computer must be restarted to set TPM to the correct state. You might need to manually reboot the computer. |
| **MBAM_E_SHUTDOWN_REQUIRED**<br />2147746309 (0x80040205) | The computer must be shut down and turned back on to set TPM to the correct state. You might need to manually reboot the computer. |
| **WS_E_ENDPOINT_ACCESS_DENIED**<br />2151481349 (0x803D0005) | Access was denied by the remote endpoint. |
| **WS_E_ENDPOINT_NOT_FOUND**<br />2151481357 (0x803D000D) | The remote endpoint does not exist or could not be located. |
| **WS_E_ENDPOINT_FAILURE<br />2151481357 (0x803D000F) | The remote endpoint could not process the request. |
| **WS_E_ENDPOINT_UNREACHABLE**<br />2151481360 (0x803D0010) | The remote endpoint was not reachable. |
| **WS_E_ENDPOINT_FAULT_RECEIVED**<br />2151481363 (0x803D0013) | A message containing a fault was received from the remote endpoint. Make sure you are connecting to the correct service endpoint. |
| **WS_E_INVALID_ENDPOINT_URL** 2151481376 (0x803D0020) | The endpoint address URL is not valid. The URL must start with “http” or “https”. |
**ReportStatus:** Reads the compliance status of the volume and sends it to the MBAM compliance status database by using the MBAM status reporting service. The status includes cipher strength, protector type, protector state and encryption state. If it fails, an error code is returned for troubleshooting.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Parameter</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>ReportingServiceEndPoint</p></td>
<td align="left"><p>A string specifying the MBAM status reporting service endpoint.</p></td>
</tr>
</tbody>
</table>
| Parameter | Description |
| --------- | ----------- |
| ReportingServiceEndPoint | A string specifying the MBAM status reporting service endpoint. |
 
Here are a list of common error messages:
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Common return values</th>
<th align="left">Error message</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p><strong>S_OK</strong></p>
<p>0 (0x0)</p></td>
<td align="left"><p>The method was successful</p></td>
</tr>
<tr class="even">
<td align="left"><p><strong>WS_E_ENDPOINT_ACCESS_DENIED</strong></p>
<p>2151481349 (0x803D0005)</p></td>
<td align="left"><p>Access was denied by the remote endpoint.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><strong>WS_E_ENDPOINT_NOT_FOUND</strong></p>
<p>2151481357 (0x803D000D)</p></td>
<td align="left"><p>The remote endpoint does not exist or could not be located.</p></td>
</tr>
<tr class="even">
<td align="left"><p><strong>WS_E_ENDPOINT_FAILURE</strong></p>
<p>2151481357 (0x803D000F)</p></td>
<td align="left"><p>The remote endpoint could not process the request.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><strong>WS_E_ENDPOINT_UNREACHABLE</strong></p>
<p>2151481360 (0x803D0010)</p></td>
<td align="left"><p>The remote endpoint was not reachable.</p></td>
</tr>
<tr class="even">
<td align="left"><p><strong>WS_E_ENDPOINT_FAULT_RECEIVED</strong></p>
<p>2151481363 (0x803D0013)</p></td>
<td align="left"><p>A message containing a fault was received from the remote endpoint. Make sure you are connecting to the correct service endpoint.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><strong>WS_E_INVALID_ENDPOINT_URL</strong></p>
<p>2151481376 (0x803D0020)</p></td>
<td align="left"><p>The endpoint address URL is not valid. The URL must start with “http” or “https”.</p></td>
</tr>
</tbody>
</table>
 
| Common return values | Error message |
| -------------------- | ------------- |
| **S_OK**<br /> 0 (0x0) | The method was successful |
| **WS_E_ENDPOINT_ACCESS_DENIED**<br />2151481349 (0x803D0005) | Access was denied by the remote endpoint.|
| **WS_E_ENDPOINT_NOT_FOUND**<br />2151481357 (0x803D000D) | The remote endpoint does not exist or could not be located. |
| **WS_E_ENDPOINT_FAILURE**<br /> 2151481357 (0x803D000F) | The remote endpoint could not process the request. |
| **WS_E_ENDPOINT_UNREACHABLE**<br />2151481360 (0x803D0010) | The remote endpoint was not reachable. |
| **WS_E_ENDPOINT_FAULT_RECEIVED**<br />2151481363 (0x803D0013) | A message containing a fault was received from the remote endpoint. Make sure you are connecting to the correct service endpoint. |
| **WS_E_INVALID_ENDPOINT_URL**<br />2151481376 (0x803D0020) | The endpoint address URL is not valid. The URL must start with “http” or “https”. |
<a href="" id="mbam-volume-wmi-class"></a>**MBAM\_Volume WMI Class**
**EscrowRecoveryKey:** Reads the recovery numerical password and key package of the volume and sends them to the MBAM recovery database by using the MBAM recovery service. If it fails, an error code is returned for troubleshooting.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Parameter</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>RecoveryServiceEndPoint</p></td>
<td align="left"><p>A string specifying the MBAM recovery service endpoint.</p></td>
</tr>
</tbody>
</table>
| Parameter | Description |
| --------- | ----------- |
| RecoveryServiceEndPoint | A string specifying the MBAM recovery service endpoint. |
 
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Common return values</th>
<th align="left">Error message</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p><strong>S_OK</strong></p>
<p>0 (0x0)</p></td>
<td align="left"><p>The method was successful</p></td>
</tr>
<tr class="even">
<td align="left"><p><strong>FVE_E_LOCKED_VOLUME</strong></p>
<p>2150694912 (0x80310000)</p></td>
<td align="left"><p>The volume is locked.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><strong>FVE_E_PROTECTOR_NOT_FOUND</strong></p>
<p>2150694963 (0x80310033)</p></td>
<td align="left"><p>A Numerical Password protector was not found for the volume.</p></td>
</tr>
<tr class="even">
<td align="left"><p><strong>WS_E_ENDPOINT_ACCESS_DENIED</strong></p>
<p>2151481349 (0x803D0005)</p></td>
<td align="left"><p>Access was denied by the remote endpoint.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><strong>WS_E_ENDPOINT_NOT_FOUND</strong></p>
<p>2151481357 (0x803D000D)</p></td>
<td align="left"><p>The remote endpoint does not exist or could not be located.</p></td>
</tr>
<tr class="even">
<td align="left"><p><strong>WS_E_ENDPOINT_FAILURE</strong></p>
<p>2151481357 (0x803D000F)</p></td>
<td align="left"><p>The remote endpoint could not process the request.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><strong>WS_E_ENDPOINT_UNREACHABLE</strong></p>
<p>2151481360 (0x803D0010)</p></td>
<td align="left"><p>The remote endpoint was not reachable.</p></td>
</tr>
<tr class="even">
<td align="left"><p><strong>WS_E_ENDPOINT_FAULT_RECEIVED</strong></p>
<p>2151481363 (0x803D0013)</p></td>
<td align="left"><p>A message containing a fault was received from the remote endpoint. Make sure you are connecting to the correct service endpoint.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><strong>WS_E_INVALID_ENDPOINT_URL</strong></p>
<p>2151481376 (0x803D0020)</p></td>
<td align="left"><p>The endpoint address URL is not valid. The URL must start with “http” or “https”.</p></td>
</tr>
</tbody>
</table>
Here are a list of common error messages:
| Common return values | Error message |
| -------------------- | ------------- |
| **S_OK**<br />0 (0x0) | The method was successful |
| **FVE_E_LOCKED_VOLUME**<br />2150694912 (0x80310000) | The volume is locked. |
| **FVE_E_PROTECTOR_NOT_FOUND**<br />2150694963 (0x80310033) | A Numerical Password protector was not found for the volume. |
| **WS_E_ENDPOINT_ACCESS_DENIED**<br />2151481349 (0x803D0005) | Access was denied by the remote endpoint. |
| **WS_E_ENDPOINT_NOT_FOUND**<br />2151481357 (0x803D000D) | The remote endpoint does not exist or could not be located. |
| **WS_E_ENDPOINT_FAILURE**<br />2151481357 (0x803D000F) | The remote endpoint could not process the request. |
| **WS_E_ENDPOINT_UNREACHABLE**<br />2151481360 (0x803D0010) | The remote endpoint was not reachable. |
| **WS_E_ENDPOINT_FAULT_RECEIVED**<br />2151481363 (0x803D0013) | A message containing a fault was received from the remote endpoint. Make sure you are connecting to the correct service endpoint. |
| **WS_E_INVALID_ENDPOINT_URL**<br />2151481376 (0x803D0020) | The endpoint address URL is not valid. The URL must start with “http” or “https”. |
 
2. **Deploy MBAM by using Microsoft Deployment Toolkit (MDT) and PowerShell**
@ -328,13 +126,9 @@ This topic explains how to enable BitLocker on an end user's computer by using M
**Note**  
The `Invoke-MbamClientDeployment.ps1` PowerShell script can be used with any imaging process or tool. This section shows how to integrate it by using MDT, but the steps are similar to integrating it with any other process or tool.
 
**Caution**  
If you are using BitLocker pre-provisioning (WinPE) and want to maintain the TPM owner authorization value, you must add the `SaveWinPETpmOwnerAuth.wsf` script in WinPE immediately before the installation reboots into the full operating system. **If you do not use this script, you will lose the TPM owner authorization value on reboot.**
 
2. Copy `Invoke-MbamClientDeployment.ps1` to **&lt;DeploymentShare&gt;\\Scripts**. If you are using pre-provisioning, copy the `SaveWinPETpmOwnerAuth.wsf` file into **&lt;DeploymentShare&gt;\\Scripts**.
3. Add the MBAM 2.5 SP1 client application to the Applications node in the deployment share.
@ -467,8 +261,6 @@ This topic explains how to enable BitLocker on an end user's computer by using M
**Caution**  
This step describes how to modify the Windows registry. Using Registry Editor incorrectly can cause serious issues that can require you to reinstall Windows. We cannot guarantee that issues resulting from the incorrect use of Registry Editor can be resolved. Use Registry Editor at your own risk.
 
1. Set the TPM for **Operating system only encryption**, run Regedit.exe, and then import the registry key template from C:\\Program Files\\Microsoft\\MDOP MBAM\\MBAMDeploymentKeyTemplate.reg.
2. In Regedit.exe, go to HKLM\\SOFTWARE\\Microsoft\\MBAM, and configure the settings that are listed in the following table.
@ -476,10 +268,7 @@ This topic explains how to enable BitLocker on an end user's computer by using M
**Note**  
You can set Group Policy settings or registry values related to MBAM here. These settings will override previously set values.
 
Registry entry
Configuration settings
DeploymentTime
@ -506,7 +295,6 @@ This topic explains how to enable BitLocker on an end user's computer by using M
Set this value to the URL for the server running the Key Recovery service, for example, http://&lt;computer name&gt;/MBAMRecoveryAndHardwareService/CoreService.svc.
 
6. The MBAM Client will restart the system during the MBAM Client deployment. When you are ready for this restart, run the following command at a command prompt as an administrator:
@ -522,20 +310,8 @@ This topic explains how to enable BitLocker on an end user's computer by using M
9. To delete the bypass registry values, run Regedit.exe, and go to the HKLM\\SOFTWARE\\Microsoft registry entry. Right-click the **MBAM** node, and then click **Delete**.
**Got a suggestion for MBAM**? Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). **Got a MBAM issue**? Use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopmbam).
## Related topics
[Deploying the MBAM 2.5 Client](deploying-the-mbam-25-client.md)
[Planning for MBAM 2.5 Client Deployment](planning-for-mbam-25-client-deployment.md)
 
 

4
windows/keep-secure/bitlocker-how-to-enable-network-unlock.md
View File

@ -196,7 +196,11 @@ To create a self-signed certificate, do the following:
Exportable=true
RequestType=Cert
KeyUsage="CERT_KEY_ENCIPHERMENT_KEY_USAGE"
KeyUsageProperty="NCRYPT_ALLOW_DECRYPT_FLAG"
KeyLength=2048
Keyspec="AT_KEYEXCHANGE"
SMIME=FALSE
HashAlgorithm=sha512
[Extensions]
1.3.6.1.4.1.311.21.10 = "{text}"

322
windows/keep-secure/device-guard-deployment-guide.md
View File

@ -2,7 +2,7 @@
title: Device Guard deployment guide (Windows 10)
description: Microsoft Device Guard is a feature set that consists of both hardware and software system integrity hardening features that revolutionize the Windows operating systems security.
ms.assetid: 4BA52AA9-64D3-41F3-94B2-B87EC2717486
keywords: ["virtualization", "security", "malware"]
keywords: virtualization, security, malware
ms.prod: W10
ms.mktglfcycl: deploy
author: challum
@ -10,7 +10,6 @@ author: challum
# Device Guard deployment guide
**Applies to**
- Windows 10
@ -19,7 +18,6 @@ Microsoft Device Guard is a feature set that consists of both hardware and softw
## Introduction to Device Guard
Todays security threat landscape is more aggressive than ever before. Modern malicious attacks are focused on revenue generation, intellectual property theft, and targeted system degradation, which results in financial loss. Many of these modern attackers are sponsored by nation states with unknown motives and large cyber terrorism budgets. These threats can enter a company through something as simple as an email message and can permanently damage its reputation for securing its software assets, as well as having significant financial impact. Windows 10 introduces several new security features that help mitigate a large percentage of todays known threats.
It is estimated that more than 300,000 new malware variants are discovered daily. Unfortunately, companies currently use an ancient method to discover this infectious software and prevent its use. In fact, current PCs trust everything that runs until malware signatures determine whether a threat exists; then, the antimalware software attempts to clean the PC, often after the malicious softwares effect has already been noticed. This signature-based system focuses on reacting to an infection and ensuring that the particular infection does not happen again. In this model, the system that drives malware detection relies on the discovery of malicious software; only then can a signature be provided to the client to remediate it, which implies that a computer must be infected first. The time between the detection of the malware and a client being issued a signature could mean the difference between losing data and staying safe.
@ -32,15 +30,12 @@ Device Guard's features revolutionize the Windows operating systems security
## Device Guard overview
Device Guard is a feature set that consists of both hardware and software system integrity hardening features. These features revolutionize the Windows operating systems security by taking advantage of new virtualization-based security options and the trust-nothing mobile device operating system model. A key feature in this model is called *configurable code integrity*, which allows your organization to choose exactly which software or trusted software publishers are allowed to run code on your client machines—exactly what has made mobile phone security so successful. In addition, Device Guard offers organizations a way to sign existing line-of-business (LOB) applications so that they can trust their own code, without the requirement that the application be repackaged. Also, this same method of signing provides organizations with a way to trust individual third-party applications. Device Guard—with configurable code integrity, Credential Guard, and AppLocker—is the most complete security defense that any Microsoft product has ever been able to offer a Windows client.
Advanced hardware features such as CPU virtualization extensions, IOMMUs, and SLAT, drive these new client security offerings. By integrating these hardware features further into the core operating system, Windows 10 leverages them in new ways. For example, the same type 1 hypervisor technology that is used to run virtual machines in Microsoft Hyper-V is used to isolate core Windows services into a virtualization-based, protected container. This is just one example of how Windows 10 integrates advanced hardware features deeper into the operating system to offer comprehensive modern security to its users. These hardware features are now available in consumer and enterprise PC markets and are discussed in detail in the [Hardware considerations](#hardware) section.
Advanced hardware features such as CPU virtualization extensions, IOMMUs, and SLAT, drive these new client security offerings. By integrating these hardware features further into the core operating system, Windows 10 leverages them in new ways. For example, the same type 1 hypervisor technology that is used to run virtual machines in Microsoft Hyper-V is used to isolate core Windows services into a virtualization-based, protected container. This is just one example of how Windows 10 integrates advanced hardware features deeper into the operating system to offer comprehensive modern security to its users. These hardware features are now available in consumer and enterprise PC markets and are discussed in detail in the [Hardware considerations](#hardware-considerations) section.
Along with these new features, some components of Device Guard are existing tools or technologies that have been included in this strategic security offering to provide customers with the most secure Windows operating system possible. Device Guard is intended as a set of client security features to be used in conjunction with the other threat-resistance features available in the Windows operating system, some of which are mentioned in this guide. In addition to an overview of each feature, this guide walks you through the configuration and deployment of them.
### <a href="" id="config-code"></a>
**Configurable code integrity**
The Windows operating system consists of two operating modes: user mode and kernel mode. The base of the operating system runs within the kernel mode, which is where the Windows operating system directly interfaces with hardware resources. User mode is primarily responsible for running applications and brokering information to and from the kernel mode for hardware resource requests. For example, when an application that is running in user mode needs additional memory, the user mode process must request the resources from kernel mode, not directly from RAM.
@ -53,9 +48,7 @@ Historically, most malware has been unsigned. By simply deploying code integrity
The Device Guard core functionality and protection start at the hardware level. Devices that have processors equipped with SLAT technologies and virtualization extensions, such as Intel Virtualization Technology (VT-x) and AMD-V, will be able to take advantage of virtualization-based security (VBS) features that enhance Windows security. Device Guard leverages VBS to isolate core Windows services that are critical to the security and integrity of the operating system. This isolation removes the vulnerability of these services from both the user and kernel modes and acts as an impenetrable barrier for most malware used today. One of these isolated services, called the Windows Code Integrity service, drives the Device Guard kernel mode configurable code integrity feature. This prevents code that has penetrated the kernel mode operations from compromising the code integrity service.
Another Windows 10 feature that employs VBS is Credential Guard. Credential Guard provides additional protection to Active Directory domain users by storing domain credentials within the virtualization container that hosts the Windows security services, such as code integrity. By isolating these domain credentials from the active user mode and kernel mode, they have a much lower risk of being stolen. For more information about how Credential Guard complements Device Guard, see the [Device Guard with Credential Guard](#dg-with-cg) section. For information about how to enable Credential Guard, see the [Enable Credential Guard](#enable-cg) section.
### <a href="" id="dg-with-applocker"></a>
Another Windows 10 feature that employs VBS is Credential Guard. Credential Guard provides additional protection to Active Directory domain users by storing domain credentials within the virtualization container that hosts the Windows security services, such as code integrity. By isolating these domain credentials from the active user mode and kernel mode, they have a much lower risk of being stolen. For more information about how Credential Guard complements Device Guard, see the [Device Guard with Credential Guard](#device-guard-with-credential-guard) section. For information about how to enable Credential Guard, see the [Enable Credential Guard](#enable-credential-guard) section.
**Device Guard with AppLocker**
@ -63,12 +56,8 @@ Although AppLocker is not considered a new Device Guard feature, it complements
**Note**  One example in which Device Guard functionality needs AppLocker supplementation is when your organization would like to limit universal applications. Universal applications have already been validated by Microsoft to be trustworthy to run, but an organization may not want to allow specific universal applications to run in their environment. You can accomplish this enforcement by using an AppLocker rule.
 
AppLocker and Device Guard should run side-by-side in your organization, which offers the best of both security features at the same time and provides the most comprehensive security to as many devices as possible. In addition to these features, Microsoft recommends that you continue to maintain an enterprise antivirus solution for a well-rounded enterprise security portfolio.
### <a href="" id="dg-with-cg"></a>
**Device Guard with Credential Guard**
Although Credential Guard is not a feature within Device Guard, many organizations will likely deploy Credential Guard alongside Device Guard for additional protection against credential theft. Similar to virtualization-based protection of kernel mode code integrity, Credential Guard leverages hypervisor technology to protect domain credentials. This mitigation is targeted at resisting the use of pass-the-hash and pass-the-ticket techniques. By employing multifactor authentication with Credential Guard, organizations can gain additional protection against such threats. For information about how to deploy Credential Guard to your Windows 10 Enterprise clients, see the [Enable Credential Guard](#enable-cg) section. In addition to the client-side enablement of Credential Guard, organizations can deploy mitigations at both the CA and domain controller level to help prevent credential theft. Microsoft will be releasing details about these additional mitigations in the future.
@ -86,42 +75,40 @@ You can easily manage Device Guard features by using the familiar enterprise and
- **Windows PowerShell**. Windows PowerShell is primarily used to create and service code integrity policies. These policies represent the most powerful component of Device Guard. For a step-by-step walkthrough of how to create, audit, service, enforce, and deploy code integrity policies, see the [Code integrity policies](#code-integrity-policies) section.
These options provide the same experience you are used to in order to manage your existing enterprise management solutions. For more information about how to manage and deploy Device Guard hardware and code integrity features in your organization, see the [Device Guard deployment](#dg-deployment) section.
## Plan for Device Guard
## Plan for Device Guard
In this section, you will learn about the following topics:
- [Approach enterprise code integrity deployment](#approach-enterprise). Device Guard deployment in your organization requires a planned approach. In this section, you get high-level recommendations for how to approach enterprise code integrity deployment in your organization.
- [Approach enterprise code integrity deployment](#approach-enterprise-code-integrity-deployment). Device Guard deployment in your organization requires a planned approach. In this section, you get high-level recommendations for how to approach enterprise code integrity deployment in your organization.
- [Device Guard deployment scenarios](#device-guard-deployment). When you plan for Device Guard deployment, Microsoft recommends that you categorize each device in your organization into a deployment scenario. These scenarios will provide a roadmap for your Device Guard deployment.
- [Device Guard deployment scenarios](#device-guard-deployment-scenarios). When you plan for Device Guard deployment, Microsoft recommends that you categorize each device in your organization into a deployment scenario. These scenarios will provide a roadmap for your Device Guard deployment.
- [Code signing adoption](#code-signing-adoption). Code signing is important to the security that Device Guard provides. This section outlines the options for code signing and the benefits and disadvantages of each method.
- [Hardware considerations](#hardware). Several Device Guard features require advanced hardware. This section outlines the requirements for each of those features and what to look for during your next hardware refresh.
## <a href="" id="approach-enterprise"></a>Approach enterprise code integrity deployment
- [Hardware considerations](#hardware-considerations). Several Device Guard features require advanced hardware. This section outlines the requirements for each of those features and what to look for during your next hardware refresh.
## Approach enterprise code integrity deployment
Enterprises that want to consider Device Guard should not expect deployment to their entire organization overnight. Device Guard implementation requires that you plan for both end-user and IT pro impact. In addition, the deployment of Device Guard features to your enterprise requires a planned, phased approach to ensure that end-user systems are fully capable and ready to enforce these new security restrictions. Perform the following high-level tasks to approach the deployment of Device Guard to your enterprise:
1. **Group devices into similar functions**. Categorize machines into the groups described in the [Device Guard deployment scenarios](#device-guard-deployment) section. This begins the roadmap for your Device Guard deployment and provides groups of easier and more difficult implementations. From there, assess the quantity of necessary Device Guard policies. The easiest solution is to lock down your entire enterprise, but it might not fit your individual departments needs.
1. **Group devices into similar functions**. Categorize machines into the groups described in the [Device Guard deployment scenarios](#device-guard-deployment-scenarios) section. This begins the roadmap for your Device Guard deployment and provides groups of easier and more difficult implementations. From there, assess the quantity of necessary Device Guard policies. The easiest solution is to lock down your entire enterprise, but it might not fit your individual departments needs.
To discover an appropriate number of policies for your organization, try to separate the defined groups into departments or roles. Then ask some questions: What software does each department or role need to do their job? Should they be able to install and run other departments software? Do we need to create a base code integrity policy that aligns with our application catalog? Should users be able to install any application or only choose from an “allowed” list? Do we allow users to use their own peripheral devices? These questions will help you discover the number of necessary policies for your organization. Finally, try to focus on which people or departments would require an additional level of privileges. For example, should department x be able to install and run application xyz, even though no other department does? If the answer is yes and justifiable, you will need a secondary code integrity policy for that group. If not, you will likely be able to merge several policies to simplify management. For more information about configurable code integrity policies, see the [Code integrity policies](#code-integrity-policies) section.
2. **Create code integrity policies from “golden” PCs**. After you create the groups of devices, you can create code integrity policies to align with those groups, similar to the way you would manage corporate images. When you have separated these groups and set up golden PCs that mimic the software and hardware those individual groups require, create code integrity policies from each of them. After you create these, you can merge these code integrity policies to create a master policy, or you can manage and deploy them individually. For step-by-step instructions about how to create code integrity policies, see the [Create code integrity policies from golden PCs](#create-code-golden) section.
2. **Create code integrity policies from “golden” PCs**. After you create the groups of devices, you can create code integrity policies to align with those groups, similar to the way you would manage corporate images. When you have separated these groups and set up golden PCs that mimic the software and hardware those individual groups require, create code integrity policies from each of them. After you create these, you can merge these code integrity policies to create a master policy, or you can manage and deploy them individually. For step-by-step instructions about how to create code integrity policies, see the [Create code integrity policies from golden PCs](#create-code-integrity-policies-from-golden-pcs) section.
3. **Audit and merge code integrity policies**. Microsoft recommends that you test code integrity policies in audit mode before you enforce them. Audit mode allows administrators to run the code integrity policy on a system but not actually block anything. Rather than not allowing applications to run, events are logged with each exception to the policy. This way, you can easily highlight any issues that were not discovered during the initial scan. You can create additional code integrity policies by using the audit events and merge them into the existing policy. For more information about how to audit code integrity policies, see the [Audit code integrity policies](#audit-code-integrity) section.
3. **Audit and merge code integrity policies**. Microsoft recommends that you test code integrity policies in audit mode before you enforce them. Audit mode allows administrators to run the code integrity policy on a system but not actually block anything. Rather than not allowing applications to run, events are logged with each exception to the policy. This way, you can easily highlight any issues that were not discovered during the initial scan. You can create additional code integrity policies by using the audit events and merge them into the existing policy. For more information about how to audit code integrity policies, see the [Audit code integrity policies](#audit-code-integrity-policies) section.
4. **Assess LOB applications that are currently unsigned, and create a catalog file for them**. Catalog files allow organizations to sign applications that do not currently possess digitally signed binaries or applications that a customer would want to add a secondary signature to. These applications can be in-house applications or from third parties, and the process does not require any repackaging of the application. When you create code integrity policies at a rule level above hash values, you will not discover unsigned applications. To include these applications in your code integrity policies, simply create, sign, and deploy a catalog file. For information about catalog files, see the [Catalog files](#catalog-files) section.
5. **Enable desired hardware security features**. Each type of device found in the [Device Guard deployment scenarios](#device-guard-deployment) section takes advantage of different software and hardware integrity configurations. You should assess hardware-based security features separately from code integrity policies because they provide complementary functionality. For information about how to configure Device Guard hardware-based security features, see the [Configure hardware-based security features](#configure-hardware) section.
5. **Enable desired hardware security features**. Each type of device found in the [Device Guard deployment scenarios](#device-guard-deployment-scenarios) section takes advantage of different software and hardware integrity configurations. You should assess hardware-based security features separately from code integrity policies because they provide complementary functionality. For information about how to configure Device Guard hardware-based security features, see the [Configure hardware-based security features](#configure-hardware-based-security-features) section.
6. **Deploy code integrity policies and catalog files**. After you have created and signed the necessary catalog files and created and audited code integrity policies, you are ready to deploy them in phases. Microsoft strongly recommends that you deploy these components to a test group of users, even after your IT organization has tested and vetted them. This provides a final quality control validation before you deploy the catalog files and policies more broadly. For information about how to deploy catalog files with Group Policy, see the [Deploy catalog files with Group Policy](#deploy-cat-gp) section. For additional information about how to deploy code integrity policies, see the [Deploy code integrity policies with Group Policy](#deploy-manage-code-gp) section.
6. **Deploy code integrity policies and catalog files**. After you have created and signed the necessary catalog files and created and audited code integrity policies, you are ready to deploy them in phases. Microsoft strongly recommends that you deploy these components to a test group of users, even after your IT organization has tested and vetted them. This provides a final quality control validation before you deploy the catalog files and policies more broadly. For information about how to deploy catalog files with Group Policy, see the [Deploy catalog files with Group Policy](#deploy-catalog-files-with-group-policy) section. For additional information about how to deploy code integrity policies, see the [Deploy code integrity policies with Group Policy](#deploy-code-integrity-policies-with-group-policy) section.
## <a href="" id="device-guard-deployment"></a>Device Guard deployment scenarios
## Device Guard deployment scenarios
To help simplify the deployment of Device Guard to your organization, Microsoft recommends that you group devices into the deployment scenarios described in this section. Device Guard is not a feature that organizations will just simply “turn on”; rather, it typically requires a phased implementation approach. To see where these scenarios fit into an overall Device Guard deployment approach, see the [Approach to enterprise code integrity deployment](#approach-enterprise) section.
To help simplify the deployment of Device Guard to your organization, Microsoft recommends that you group devices into the deployment scenarios described in this section. Device Guard is not a feature that organizations will just simply “turn on”; rather, it typically requires a phased implementation approach. To see where these scenarios fit into an overall Device Guard deployment approach, see the [Approach to enterprise code integrity deployment](#approach-to-enterprise-code-integrity-deployment) section.
**Fixed-workload devices**
@ -131,8 +118,6 @@ Device Guard components that are applicable to fixed-workload devices include:
- KMCI VBS protection
<!-- -->
- Enforced UMCI policy
**Fully managed devices**
@ -163,14 +148,11 @@ Device Guard is not a good way to manage devices in a Bring Your Own Device (BYO
## Code signing adoption
Code signing is crucial to the successful implementation of configurable code integrity policies. These policies can trust the signing certificates from both independent software vendors and customers. In Windows 10, all Windows Store applications are signed. Also, you can easily trust any other signed application by adding the signing certificate to the code integrity policy.
For unsigned applications, customers have multiple options for signing them so that code integrity policies can trust them. The first option is traditional embedded code signing. Organizations that have in-house development teams can incorporate binary code signing into their application development process, and then simply add the signing certificate to their code integrity policies. The second option for signing unsigned applications is to use catalog files. In Windows 10, customers have the ability to create catalog files as they monitor the installation and initial run of an application. For more information about signing existing unsigned LOB applications or third-party applications, see the [Existing line-of-business applications](#existing-lob) section.
For unsigned applications, customers have multiple options for signing them so that code integrity policies can trust them. The first option is traditional embedded code signing. Organizations that have in-house development teams can incorporate binary code signing into their application development process, and then simply add the signing certificate to their code integrity policies. The second option for signing unsigned applications is to use catalog files. In Windows 10, customers have the ability to create catalog files as they monitor the installation and initial run of an application. For more information about signing existing unsigned LOB applications or third-party applications, see the [Existing line-of-business applications](#existing-line-of-business-applications) section.
### <a href="" id="existing-lob"></a>
**Existing line-of-business applications**
### Existing line-of-business applications
Until now, existing LOB applications were difficult to trust if they were signed by a source other than the Windows Store or not signed at all. With Windows 10, signing your existing LOB and third-party unsigned applications is simplified. This new signing method does not require that applications be repackaged in any way. With catalog files, administrators can sign these unsigned applications simply by monitoring for an installation and initial startup. By using this monitoring information, an administrator can generate a catalog file. Catalog files are simply Secure Hash Algorithm 2 (SHA2) hash lists of discovered binaries. These binaries hash values are updated every time an application is updated and therefore require an updated catalog file. For simplified administration, consider incorporating embedded code signing into your application development process. For more information about how to generate catalog files, see the [Catalog files](#catalog-files) section.
@ -178,17 +160,16 @@ Until now, existing LOB applications were difficult to trust if they were signed
Catalog files are lists of individual binaries hash values. If the scanned application is updated, you will need to create a new catalog file. That said, binary signing is still highly recommended for any future applications so that no catalog files are needed.
 
When you create a catalog file, you must sign it by using enterprise public key infrastructure (PKI), or a purchased code signing certificate. When signed, code integrity policies can trust the signer or signing certificate of those files. For information about catalog file signing, see the [Catalog files](#catalog-files) section.
**Application development**
Although in-house applications can be signed after packaging by using catalog files, Microsoft strongly recommends that embedded code signing be incorporated into your application development process. When signing applications, simply add the code signing certificate used to sign your applications to your code integrity policy. This ensures that your code integrity policy will trust any future application that is signed with that certificate. Embedding code signing into any in-house application development process is beneficial to your IT organization as you implement code integrity policies.
## <a href="" id="hardware"></a>Hardware considerations
## Hardware considerations
Careful consideration about which hardware vendor and specific models to purchase during your next hardware refresh is vitally important to the success of your organizations Device Guard implementation efforts. In alignment with your current hardware life cycle, consider the process that is discussed in the [Approach enterprise code integrity deployment](#approach-enterprise) section when you determine the appropriate order of hardware replacement in your organization. Device Guard should be deployed in phases; therefore, you have time to methodically plan for its implementation.
Careful consideration about which hardware vendor and specific models to purchase during your next hardware refresh is vitally important to the success of your organizations Device Guard implementation efforts. In alignment with your current hardware life cycle, consider the process that is discussed in the [Approach enterprise code integrity deployment](#approach-enterprise-code-integrity-deployment) section when you determine the appropriate order of hardware replacement in your organization. Device Guard should be deployed in phases; therefore, you have time to methodically plan for its implementation.
Different hardware features are required to implement the various features of Device Guard. There will likely be some individual features that you will be able to enable with your current hardware and some that you will not. However, for organizations that want to implement Device Guard in its entirety, several advanced hardware features will be required. For additional details about the hardware features that are required for Device Guard components, see the following table.
@ -251,57 +232,47 @@ Different hardware features are required to implement the various features of De
</tbody>
</table>
 
## <a href="" id="dg-deployment"></a>Device Guard deployment
## Device Guard deployment
In this section, you learn about the following topics:
- [Configure hardware-based security features](#configure-hardware). This section explains how to enable the hardware-based security features in Device Guard. Also, you verify that the features are enabled by using both Windows Management Infrastructure (WMI) and Msinfo32.exe.
- [Configure hardware-based security features](#configure-hardware-based-security-features). This section explains how to enable the hardware-based security features in Device Guard. Also, you verify that the features are enabled by using both Windows Management Infrastructure (WMI) and Msinfo32.exe.
- [Catalog files](#catalog-files). In this section, you create, sign, and deploy catalog files. You deploy the catalog files by using both Group Policy and System Center Configuration Manager. Also, you use System Center Configuration Manager to inventory the deployed catalog files for reporting purposes.
- [Code integrity policies](#code-integrity-policies). This section provides information on how to create, audit, service, merge, deploy, and remove signed and unsigned configurable code integrity policies.
## <a href="" id="configure-hardware"></a>Configure hardware-based security features
## Configure hardware-based security features
Hardware-based security features make up a large part of Device Guard security offerings. VBS reinforces the most important feature of Device Guard: configurable code integrity. There are three steps to configure hardware-based security features in Device Guard:
1. **Verify that hardware requirements are met and enabled**. Verify that your client machines possess the necessary hardware to run these features. A list of hardware requirements for the hardware-based security features is available in the [Hardware considerations](#hardware) section.
1. **Verify that hardware requirements are met and enabled**. Verify that your client machines possess the necessary hardware to run these features. A list of hardware requirements for the hardware-based security features is available in the [Hardware considerations](#hardware-considerations) section.
2. **Enable the necessary Windows features**. There are several ways to enable the Windows features required for hardware-based security. For details on which Windows features are needed, see the [Windows feature requirements for virtualization-based security](#vb-security) section.
2. **Enable the necessary Windows features**. There are several ways to enable the Windows features required for hardware-based security. For details on which Windows features are needed, see the [Windows feature requirements for virtualization-based security](#windows-feature-requirements-for-virtualization-based-security) section.
3. **Enable desired features**. When the necessary hardware and Windows features have been enabled, you are ready to enable the desired hardware-based security features. For UEFI Secure Boot, see the [Enable UEFI Secure Boot](#enable-secureboot) section. For information about how to enable VBS protection of the KMCI service, see the [Enable virtualization-based protection of kernel mode code integrity](#enable-virtualbased) section. Finally, for information about how to enable Credential Guard, see the [Enable Credential Guard](#enable-cg) section.
3. **Enable desired features**. When the necessary hardware and Windows features have been enabled, you are ready to enable the desired hardware-based security features. For UEFI Secure Boot, see the [Enable UEFI Secure Boot](#enable-unified-extensible-interface-secure-boot) section. For information about how to enable VBS protection of the KMCI service, see the [Enable virtualization-based protection of kernel mode code integrity](#enable-virtualbased) section. Finally, for information about how to enable Credential Guard, see the [Enable Credential Guard](#enable-credential-guard) section.
### <a href="" id="vb-security"></a>
### Windows feature requirements for virtualization-based security
**Windows feature requirements for virtualization-based security**
In addition to the hardware requirements found in the [Hardware considerations](#hardware) section, you must enable certain operating system features before you can enable VBS: Microsoft Hyper-V and isolated user mode (shown in Figure 1).
In addition to the hardware requirements found in the [Hardware considerations](#hardware-considerations) section, you must enable certain operating system features before you can enable VBS: Microsoft Hyper-V and isolated user mode (shown in Figure 1).
**Note**  
You can configure these features manually by using Windows PowerShell or Deployment Image Servicing and Management. For specific information about these methods, refer to the [Credential Guard documentation](http://go.microsoft.com/fwlink/p/?LinkId=624529).
 
![figure 1](images/dg-fig1-enableos.png)
Figure 1. Enable operating system features for VBS
After you enable these features, you can configure any hardware-based security features you want. For information about how to enable virtualization-based protection of kernel-mode code integrity, see the [Enable virtualization-based protection of kernel-mode code integrity](#enable-virtualbased) section. For information about how to enable UEFI Secure Boot, see the [Enable Unified Extensible Firmware Interface Secure Boot](#enable-secureboot) section. Finally, for additional information about how to enable Credential Guard, see the [Enable Credential Guard](#enable-cg) section.
After you enable these features, you can configure any hardware-based security features you want. For information about how to enable virtualization-based protection of kernel-mode code integrity, see the [Enable virtualization-based protection of kernel-mode code integrity](#enable-virtualization-based-protection-of-kernel-mode-code-integrity) section. For information about how to enable UEFI Secure Boot, see the [Enable UEFI Secure Boot](#enable-unified-extensible-interface-secure-boot) section. Finally, for additional information about how to enable Credential Guard, see the [Enable Credential Guard](#enable-credential-guard) section.
### <a href="" id="enable-secureboot"></a>
### Enable Unified Extensible Firmware Interface Secure Boot
**Enable Unified Extensible Firmware Interface Secure Boot**
Before you begin this process, verify that the target device meets the hardware requirements for UEFI Secure Boot that are laid out in the [Hardware considerations](#hardware) section. There are two options to configure UEFI Secure Boot: manual configuration of the appropriate registry keys and Group Policy deployment. Complete the following steps to manually configure UEFI Secure Boot on a computer running Windows 10:
Before you begin this process, verify that the target device meets the hardware requirements for UEFI Secure Boot that are laid out in the [Hardware considerations](#hardware-considerations) section. There are two options to configure UEFI Secure Boot: manual configuration of the appropriate registry keys and Group Policy deployment. Complete the following steps to manually configure UEFI Secure Boot on a computer running Windows 10:
**Note**  
There are two platform security levels for Secure Boot: stand-alone Secure Boot and Secure Boot with DMA protection. DMA protection provides additional memory protection but will be enabled only on systems whose processors include DMA protection (IOMMU) technologies. Without the presence of IOMMUs and with DMA protection disabled, customers will lose protection from driver-based attacks.
 
1. Navigate to the **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard** registry subkey.
@ -320,8 +291,6 @@ Unfortunately, it would be time consuming to perform these steps manually on eve
**Note**  
Microsoft recommends that you test-enable this feature on a group of test machines before you deploy it to machines that are currently deployed to users.
 
**Use Group Policy to deploy Secure Boot**
<a href="" id="bkmk-depsecureboot"></a>
@ -358,17 +327,13 @@ Microsoft recommends that you test-enable this feature on a group of test machin
Processed Device Guard policies are logged in event viewer at Application and Services Logs\\Microsoft\\Windows\\DeviceGuard-GPEXT\\Operational. When the **Turn On Virtualization Based Security** policy is successfully processed, event ID 7000 is logged, which contains the selected settings within the policy.
### <a href="" id="enable-virtualbased"></a>
### Enable virtualization-based security of kernel-mode code integrity
**Enable virtualization-based security of kernel-mode code integrity**
Before you begin this process, verify that the desired computer meets the hardware requirements for VBS found in the [Hardware considerations](#hardware) section, and enable the Windows features discussed in the [Virtualization-based security Windows feature requirements](#vb-security) section. When validated, you can enable virtualization-based protection of KMCI in one of two ways: manual configuration of the appropriate registry subkeys and Group Policy deployment.
Before you begin this process, verify that the desired computer meets the hardware requirements for VBS found in the [Hardware considerations](#hardware-considerations) section, and enable the Windows features discussed in the [Virtualization-based security Windows feature requirements](#virtualization-based-security-windows-featurerrequirements) section. When validated, you can enable virtualization-based protection of KMCI in one of two ways: manual configuration of the appropriate registry subkeys and Group Policy deployment.
**Note**  
All drivers on the system must be compatible with virtualization-based protection of code integrity; otherwise, your system may fail. Microsoft recommends that you enable this feature on a group of test machines before you enable it on deployed machines.
 
To configure virtualization-based protection of KMCI manually:
1. Navigate to the **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard** registry subkey.
@ -382,8 +347,6 @@ It would be time consuming to perform these steps manually on every protected ma
**Note**  
Microsoft recommends that you test-enable this feature on a group of test computers before you deploy it to machines that are currently deployed to users. If untested, there is a possibility that this feature can cause system instability and ultimately cause the client operating system to fail.
 
To use Group Policy to configure VBS of KMCI:
1. Create a new GPO: Right-click the OU to which you want to link the GPO, and then click **Create a GPO in this domain, and Link it here**.
@ -416,13 +379,11 @@ To use Group Policy to configure VBS of KMCI:
Processed Device Guard policies are logged in event viewer under Application and Services Logs\\Microsoft\\Windows\\DeviceGuard-GPEXT\\Operational. When the **Turn On Virtualization Based Security** policy has been successfully processed, event ID 7000 is logged, which contains the selected settings within the policy.
### <a href="" id="enable-cg"></a>
**Enable Credential Guard**
### Enable Credential Guard
Credential Guard provides an additional layer of credential protection specifically for domain users by storing the credentials within the virtualized container, away from both the kernel and user mode operating system. This makes it difficult for even a compromised system to obtain access to the credentials. In addition to the client-side enablement of Credential Guard, you can deploy additional mitigations at both the Certification Authority and domain controller level to prevent credential theft. Microsoft will be releasing details about these additional mitigations in the future.
Before you begin this process, verify that the desired system meets the hardware requirements for VBS found in the [Hardware considerations](#hardware) section, and that you have enabled the Windows features laid out in the [Virtualization-based security Windows feature requirements](#vb-security) section. When validated, you can enable Credential Guard manually, by configuring the appropriate registry subkeys, or through Group Policy deployment.
Before you begin this process, verify that the desired system meets the hardware requirements for VBS found in the [Hardware considerations](#hardware) section, and that you have enabled the Windows features laid out in the [Virtualization-based security Windows feature requirements](#virtualization-based-security-windows-feature-requirements) section. When validated, you can enable Credential Guard manually, by configuring the appropriate registry subkeys, or through Group Policy deployment.
To configure VBS of Credential Guard manually:
@ -437,8 +398,6 @@ To avoid spending an unnecessary amount of time in manual deployments, use Group
**Note**  
Microsoft recommends that you enable Credential Guard before you join a machine to the domain to ensure that all credentials are properly protected. Setting the appropriate registry subkeys during your imaging process would be ideal to achieve this protection.
 
To use Group Policy to enable Credential Guard:
1. Create a new GPO: right-click the OU to which you want to link the GPO, and then click **Create a GPO in this domain, and Link it here** .
@ -470,8 +429,6 @@ To use Group Policy to enable Credential Guard:
**Note**  
The default platform security level is **Secure Boot**. If IOMMUs are available within the protected machines, it is recommended that you select **Secure Boot and DMA Protection** to maximize the mitigations that are available through Credential Guard.
 
7. Check the test client event log for Device Guard GPOs.
**Note**  
@ -575,8 +532,6 @@ Table 1. Win32\_DeviceGuard properties
</tbody>
</table>
 
Another method to determine the available and enabled Device Guard features is to run msinfo32.exe from an elevated PowerShell session. When you run this program, the Device Guard properties are displayed at the bottom of the **System Summary** section, as shown in Figure 11.
![figure 11](images/dg-fig11-dgproperties.png)
@ -590,35 +545,29 @@ Enforcement of Device Guard on a system requires that every trusted application
**Note**  
The Enterprise edition of Windows 10 or Windows Server 2016 is required to create and use catalog files.
### <a href="" id="create-catalog-files"></a>
**Create catalog files**
### Create catalog files
The creation of catalog files is the first step to add an unsigned application to a code integrity policy. To create a catalog file, copy each of the following commands into an elevated Windows PowerShell session, and then complete the steps:
**Note**  
When you establish a naming convention it makes it easier to detect deployed catalog files in the future. In this guide, you will use *\*-Contoso.cat* as the naming convention. For more information about why this practice is helpful to inventory or detect catalog files, see the [Inventory catalog files with System Center Configuration Manager](#inventory-cat-sccm) section.
When you establish a naming convention it makes it easier to detect deployed catalog files in the future. In this guide, you will use *\*-Contoso.cat* as the naming convention. For more information about why this practice is helpful to inventory or detect catalog files, see the [Inventory catalog files with System Center Configuration Manager](#inventory-catalog-files-with-system-center-configuration-manager) section.
 
1. Be sure that a code integrity policy is currently running in audit mode.
Package Inspector does not always detect installation files that have been removed from the machine during the installation process. To ensure that these binaries are also trusted, the code integrity policy that you created and audited in the [Create code integrity policies from golden PCs](#create-code-golden) and [Audit code integrity policies](#audit-code-integrity) sections should be deployed, in audit mode, to the system on which you are running Package Inspector.
Package Inspector does not always detect installation files that have been removed from the machine during the installation process. To ensure that these binaries are also trusted, the code integrity policy that you created and audited in the [Create code integrity policies from golden PCs](#create-code-integrity-policies-from-golden-pcs) and [Audit code integrity policies](#audit-code-integrity-policies) sections should be deployed, in audit mode, to the system on which you are running Package Inspector.
**Note**  
This process should **not** be performed on a system running an enforced Device Guard policy, only with a policy running in audit mode. If a policy is currently being enforced, you will not be able to install and run the application.
 
2. Start Package Inspector, and then scan drive C:
`PackageInspector.exe Start C:`
**Note**  
Package inspector can monitor installations on any local drive. In this example, we install the application on drive C, but any other drive can be used.
 
3. Copy the installation media to drive C.
By copying the installation media to drive C, you ensure that Package Inspector detects and catalogs the actual installer. If you skip this step, the future code integrity policy may trust the application to run but not be installed.
@ -645,11 +594,9 @@ When you establish a naming convention it makes it easier to detect deployed cat
**Note**  
This scan catalogs the hash values for each discovered binary file. If the applications that were scanned are updated, complete this process again to trust the new binaries hash values.
When finished, the files will be saved to your desktop. To trust this catalog file within a code integrity policy, the catalog must first be signed. Then, the signing certificate can be included in the code integrity policy, and the catalog file can be distributed to the individual client machines. Catalog files can be signed by using a certificate and SignTool.exe, a free tool available in the Windows SDK. For more information about signing catalog files with SignTool.exe, see the [Catalog signing with SignTool.exe](#catsign-signtool) section.
When finished, the files will be saved to your desktop. To trust this catalog file within a code integrity policy, the catalog must first be signed. Then, the signing certificate can be included in the code integrity policy, and the catalog file can be distributed to the individual client machines. Catalog files can be signed by using a certificate and SignTool.exe, a free tool available in the Windows SDK. For more information about signing catalog files with SignTool.exe, see the [Catalog signing with SignTool.exe](#catalog-signing-with-signtool.exe) section.
### <a href="" id="catsign-signtool"></a>
**Catalog signing with SignTool.exe**
### Catalog signing with SignTool.exe
Device Guard makes it easy for organizations to sign and trust existing unsigned LOB applications. In this section, you sign a catalog file you generated in a previous section by using PackageInspector.exe. For information about how to create catalog files, see the [Create catalog files](#create-catalog-files) section. In this example, you need the following:
@ -659,7 +606,7 @@ Device Guard makes it easy for organizations to sign and trust existing unsigned
- Internal certification authority (CA) code signing certificate or purchased code signing certificate
If you do not have a code signing certificate, please see the [Create a Device Guard code signing certificate](#create-dg-code) section for a walkthrough of how to create one. In addition to using the certificate you create in the Create a Device Guard code signing certificate section, this example signs the catalog file that you created in the [Create catalog files](#create-catalog-files) section. If you are using an alternate certificate or catalog file, update the following steps with the appropriate variables and certificate. To sign the existing catalog file, copy each of the following commands into an elevated Windows PowerShell session:
If you do not have a code signing certificate, please see the [Create a Device Guard code signing certificate](#create-a-device-guard-code-signing-certificate) section for a walkthrough of how to create one. In addition to using the certificate you create in the Create a Device Guard code signing certificate section, this example signs the catalog file that you created in the [Create catalog files](#create-catalog-files) section. If you are using an alternate certificate or catalog file, update the following steps with the appropriate variables and certificate. To sign the existing catalog file, copy each of the following commands into an elevated Windows PowerShell session:
1. Initialize the variables that will be used:
@ -670,27 +617,15 @@ If you do not have a code signing certificate, please see the [Create a Device G
**Note**  
In this example, you use the catalog file you created in the [Create catalog files](#create-catalog-files) section. If you are signing another catalog file, be sure to update the *$ExamplePath* and *$CatFileName* variables with the correct information.
2. Import the code signing certificate. Import the code signing certificate that will be used to sign the catalog file to the signing users personal store. In this example, you use the certificate that you created in the [Create a Device Guard code signing certificate](#create-dg-code) section.
2. Import the code signing certificate. Import the code signing certificate that will be used to sign the catalog file to the signing users personal store. In this example, you use the certificate that you created in the [Create a Device Guard code signing certificate](#create-a-device-guard-code-signing-certificate) section.
3. Sign the catalog file with Signtool.exe:
<span codelanguage=""></span>
<table>
<colgroup>
<col width="100%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><pre><code>&lt;Path to signtool.exe&gt; sign /n &quot;ContosoDGSigningCert&quot; /fd sha256 /v $CatFileName</code></pre></td>
</tr>
</tbody>
</table>
`<path to signtool.exe> sign /n "ContosoDGSigningCert" /fd sha256 /v $CatFileName`
**Note**  
The *&lt;Path to signtool.exe&gt;* variable should be the full path to the Signtool.exe utility. *ContosoDGSigningCert* is the subject name of the certificate that you will use to sign the catalog file. This certificate should be imported to your personal certificate store on the machine on which you are attempting to sign the catalog file.
 
**Note**  
For additional information about Signtool.exe and all additional switches, visit [MSDN Sign Tool page](http://go.microsoft.com/fwlink/p/?LinkId=624163).
@ -706,17 +641,13 @@ If you do not have a code signing certificate, please see the [Create a Device G
For testing purposes, you can manually copy signed catalog files to their intended folder. For large-scale implementations, Microsoft recommends that you use Group Policy File Preferences to copy the appropriate catalog files to all desired machines or an enterprise systems management product such as System Center Configuration Manager. Doing this simplifies the management of catalog versions, as well.
### <a href="" id="deploy-cat-gp"></a>
**Deploy catalog files with Group Policy**
### Deploy catalog files with Group Policy
To simplify the management of catalog files, you can use Group Policy preferences to deploy catalog files to the appropriate PCs in your organization. The following process walks you through the deployment of a signed catalog file called LOBApp-Contoso.cat to a test OU called DG Enabled PCs with a GPO called **Contoso DG Catalog File GPO Test**.
**Note**  
This walkthrough requires that you have previously created a signed catalog file and have a Windows 10 client PC on which to test a Group Policy deployment. For more information about how to create and sign a catalog file, see the [Catalog files](#catalog-files) section.
 
To deploy a catalog file with Group Policy:
1. From either a domain controller or a client PC that has Remote Server Administration Tools (RSAT) installed, open the Group Policy Management Console (GPMC) by running **GPMC.MSC** or by searching for Group Policy Management.
@ -724,7 +655,7 @@ To deploy a catalog file with Group Policy:
2. Create a new GPO: right-click the DG Enabled PCs OU, and then click **Create a GPO in this domain, and Link it here**, as shown in Figure 13.
**Note**  
The DG Enabled PCs OU is just an example of where to link the test GPO that you created in this section. You can use any OU name. Also, security group filtering is an option when you consider policy partitioning options based on the strategy discussed in the [Approach enterprise code integrity deployment](#approach-enterprise) section.
The DG Enabled PCs OU is just an example of where to link the test GPO that you created in this section. You can use any OU name. Also, security group filtering is an option when you consider policy partitioning options based on the strategy discussed in the [Approach enterprise code integrity deployment](#approach-enterprise-code-integrity-deployment) section.
![figure 13](images/dg-fig13-createnewgpo.png)
@ -767,17 +698,13 @@ To deploy a catalog file with Group Policy:
12. Close the Group Policy Management Editor, and then update the policy on the test Windows 10 machine by running GPUpdate.exe. When the policy has been updated, verify that the catalog file exists in C:\\Windows\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} on the Windows 10 machine.
### <a href="" id="deploy-cat-sccm"></a>
**Deploy catalog files with System Center Configuration Manager**
### Deploy catalog files with System Center Configuration Manager
As an alternative to Group Policy, you can use System Center Configuration Manager to deploy catalog files to the managed machines in your environment. This approach can simplify the deployment and management of multiple catalog files as well as provide reporting around which catalog each client or collection has deployed. In addition to the deployment of these files, System Center Configuration Manager can also be used to inventory the currently deployed catalog files for reporting and compliance purposes. Complete the following steps to create a new deployment package for catalog files:
**Note**  
The following example uses a network share named \\\\Shares\\CatalogShare as a source for the catalog files. If you have collection specific catalog files, or prefer to deploy them individually, use whichever folder structure works best for your organization.
 
1. Open the Configuration Manager console, and select the Software Library workspace.
2. Navigate to Overview\\Application Management, right-click **Packages**, and then click **Create Package**.
@ -844,17 +771,13 @@ After you create the deployment package, deploy it to a collection so that the c
11. Close the wizard.
### <a href="" id="inventory-cat-sccm"></a>
**Inventory catalog files with System Center Configuration Manager**
### Inventory catalog files with System Center Configuration Manager
When catalog files have been deployed to the machines within your environment, whether by using Group Policy or System Center Configuration Manager, you can inventory them with the software inventory feature of System Center Configuration Manager. The following process walks you through the enablement of software inventory to discover catalog files on your managed systems through the creation and deployment of a new client settings policy.
**Note**  
A standard naming convention for your catalog files will significantly simplify the catalog file software inventory process. In this example, *-Contoso* has been added to all catalog file names.
 
1. Open the Configuration Manager console, and select the Administration workspace.
2. Navigate to **Overview\\Client Settings**, right-click **Client Settings**, and then click **Create Custom Client Device Settings**.
@ -908,25 +831,19 @@ If nothing is displayed in this view, navigate to Software\\Last Software Scan i
## Code integrity policies
Code integrity policies maintain the standards by which a computer running Windows 10 determines whether an application is trustworthy and can be run. For an overview of code integrity, see the [Configurable code integrity](#config-code) section.
Code integrity policies maintain the standards by which a computer running Windows 10 determines whether an application is trustworthy and can be run. For an overview of code integrity, see the [Configurable code integrity](#configurable-code-integrity) section.
A common system imaging practice in todays IT organization is to establish a “golden” image as a reference for what an ideal system should look like, and then use that image to clone additional company assets. Code integrity policies follow a similar methodology, that begins with the establishment of a golden PC. Like when imaging, you can have multiple golden PCs based on model, department, application set, and so on. Although the thought process around the creation of code integrity policies is similar to imaging, these policies should be maintained independently. Assess the necessity of additional code integrity policies based on what should be allowed to be installed and run and for whom.
**Note**  
Each machine can have only **one** code integrity policy at a time. Whichever way you deploy this policy, it is renamed to SIPolicy.p7b and copied to C:\\Windows\\System32\\CodeIntegrity. Keep this in mind when you create your code integrity policies.
 
Optionally, code integrity policies can align with your software catalog as well as any IT departmentapproved applications. One simple method to implement code integrity policies is to use existing images to create one master code integrity policy. You do so by creating a code integrity policy from each image, and then by merging the policies. This way, what is installed on all of those images will be allowed to run, should the applications be installed on a computer based on a different image. Alternatively, you may choose to create a base applications policy and add policies based on the computers role or department. Organizations have a choice of how their policies are created, merged or serviced, and managed.
**Note**  
The following section assumes that you will deploy code integrity policies as part of your Device Guard deployment. Alternatively, configurable code integrity is available without the enablement of Device Guard.
 
### <a href="" id="code-integrity-policy-rules"></a>
**Code integrity policy rules**
### Code integrity policy rules
Code integrity policies consist of several components. The two major components, which are configurable, are called *policy rules* and *file rules*, respectively. Code integrity policy rules are options that the code integrity policy creator can specify on the policy. These options include the enablement of audit mode, UMCI, and so on. You can modify these options in a new or existing code integrity policy. File rules are the level to which the code integrity policy scan ties each binary trust. For example, the hash level is going to itemize each discovered hash on the system within the generated code integrity policy. This way, when a binary prepares to run, the code integrity service will validate its hash value against the trusted hashes found in the code integrity policy. Based on that result, the binary will or will not be allowed to run.
@ -944,8 +861,8 @@ You can set several rule options within a code integrity policy. Table 2 lists e
Table 2. Code integrity policy - policy rule options
| **Rule option** | **Description** |
|----------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Rule option | Description |
|------------ | ----------- |
| **0 Enabled:UMCI** | Code integrity policies restrict both kernel-mode and user-mode binaries. By default, only kernel-mode binaries are restricted. Enabling this rule option validates user mode executables and scripts. |
| **1 Enabled:Boot Menu Protection** | This option is not currently supported. |
| **2 Required:WHQL** | By default, legacy drivers that are not Windows Hardware Quality Labs (WHQL) signed are allowed to execute. Enabling this rule requires that every executed driver is WHQL signed and removes legacy driver support. Going forward, every new Windows 10compatible driver must be WHQL certified. |
@ -958,14 +875,12 @@ Table 2. Code integrity policy - policy rule options
| **9 Enabled:Advanced Boot Options Menu** | The F8 preboot menu is disabled by default for all code integrity policies. Setting this rule option allows the F8 menu to appear to physically present users. |
| **10 Enabled:Boot Audit on Failure** | Used when the code integrity policy is in enforcement mode. When a driver fails during startup, the code integrity policy will be placed in audit mode so that Windows will load. Administrators can validate the reason for the failure in the CodeIntegrity event log. |
 
File rule levels allow administrators to specify the level at which they want to trust their applications. This level of trust could be as low as the hash of each binary and as high as a PCA certificate. File rule levels are specified both when you create a new code integrity policy from a scan and when you create a policy from audit events. In addition, to combine rule levels found in multiple policies, you can merge the policies. When merged, code integrity policies combine their file rules. Each file rule level has its benefit and disadvantage. Use Table 3 to select the appropriate protection level for your available administrative resources and Device Guard deployment scenario.
Table 3. Code integrity policy - file rule levels
| **Rule level** | **Description** |
|-----------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Rule level | Description |
|----------- | ----------- |
| **Hash** | Specifies individual hash values for each discovered binary. Although this level is specific, it can cause additional administrative overhead to maintain the current product versions hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. |
| **FileName** | Specifies individual binary file names. Although the hash values for an application are modified when updated, the file names are typically not. This offers less specific security than the hash level but does not typically require a policy update when any binary is modified. |
| **SignedVersion** | This combines the publisher rule with a file version number. This option allows anything from the specified publisher, with a file version at or above the specified version number, to run. |
@ -978,24 +893,16 @@ Table 3. Code integrity policy - file rule levels
| **WHQLPublisher** | This is a combination of the WHQL and the CN on the leaf certificate and is primarily for kernel binaries. |
| **WHQLFilePublisher** | Specifies that the binaries are validated and signed by WHQL, with a specific publisher (WHQLPublisher), and that the binary is the specified version or newer. This is primarily for kernel binaries. |
 
**Note**  
When you create code integrity policies with the **New-CIPolicy** cmdlet, you can specify a primary file rule level by including the **Level** parameter. For discovered binaries that cannot be trusted based on the primary file rule criteria, use the **Fallback** parameter. For example, if the primary file rule level is PCACertificate but you would like to trust the unsigned applications as well, using the Hash rule level as a fallback adds the hash values of binaries that did not have a signing certificate.
 
### <a href="" id="create-code-golden"></a>
**Create code integrity policies from golden PCs**
### Create code integrity policies from golden PCs
The process to create a golden code integrity policy from a reference system is straightforward. This section outlines the process that is required to successfully create a code integrity policy with Windows PowerShell. First, for this example, you must initiate variables to be used during the creation process. Rather than using variables, you can simply use the full file paths in the command. Next, you create the code integrity policy by scanning the system for installed applications. When created, the policy file is converted to binary format so that Windows can consume its contents.
**Note**  
Before you begin this procedure, ensure that the reference PC is clean of viruses or malware. Each piece of installed software should be validated as trustworthy before you create this policy. Also, be sure that any software that you would like to be scanned is installed on the system before you create the code integrity policy.
 
To create a code integrity policy, copy each of the following commands into an elevated Windows PowerShell session, in order:
1. Initialize variables that you will use:
@ -1015,18 +922,12 @@ To create a code integrity policy, copy each of the following commands into an e
`Set-RuleOption -Option 0 -FilePath $InitialCIPolicy`
 
**Note**  
You can add the *Fallback* parameter to catch any applications not discovered using the primary file rule level specified by the *Level* parameter. For more information about file rule level options, see the [Code integrity policy rules](#code-integrity-policy-rules) section.
 
**Note**  
If you would like to specify the code integrity policy scan to look only at a specific drive, you can do so by using the *ScanPath* parameter. Without this parameter, as shown in the example, the entire system is scanned.
 
3. Convert the code integrity policy to a binary format:
`ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin`
@ -1034,26 +935,20 @@ To create a code integrity policy, copy each of the following commands into an e
After you complete these steps, the Device Guard binary file (DeviceGuardPolicy.bin) and original .xml file (IntialScan.xml) will be available on your desktop. You can use the binary version as a code integrity policy or sign it for additional security.
**Note**  
Microsoft recommends that you keep the original .xml file of the policy for use when you need to merge the code integrity policy with another policy or update its rule options. Alternatively, you would have to create a new policy from a new scan for servicing. For more information about how to merge code integrity policies, see the [Merge code integrity policies](#merge-code-integrity) section.
Microsoft recommends that you keep the original .xml file of the policy for use when you need to merge the code integrity policy with another policy or update its rule options. Alternatively, you would have to create a new policy from a new scan for servicing. For more information about how to merge code integrity policies, see the [Merge code integrity policies](#merge-code-integrity-policies) section.
 
Microsoft recommends that every code integrity policy be run in audit mode before being enforced. Doing so allows administrators to discover any issues with the policy without receiving error message dialog boxes. For information about how to audit a code integrity policy, see the [Audit code integrity policies](#audit-code-integrity-policies) section.
Microsoft recommends that every code integrity policy be run in audit mode before being enforced. Doing so allows administrators to discover any issues with the policy without receiving error message dialog boxes. For information about how to audit a code integrity policy, see the [Audit code integrity policies](#audit-code-integrity) section.
### <a href="" id="audit-code-integrity"></a>
**Audit code integrity policies**
### Audit code integrity policies
When code integrity policies are run in audit mode, it allows administrators to discover any applications that were missed during an initial policy scan and to identify any new applications that have been installed and run since the original policy was created. While a code integrity policy is running in audit mode, any binary that runs and would have been denied had the policy been enforced is logged in the Applications and Services Logs\\Microsoft\\CodeIntegrity\\Operational event log. When these logged binaries have been validated, they can easily be added to a new code integrity policy. When the new exception policy is created, you can merge it with your existing code integrity policies.
**Note**  
Before you begin this process, you need to create a code integrity policy binary file. If you have not already done so, see the [Create a code integrity policy](#create-code-golden) section for a step-by-step walkthrough of the process to create a code integrity policy and convert it to binary format.
 
Before you begin this process, you need to create a code integrity policy binary file. If you have not already done so, see the [Create a code integrity policy](#create-a-code-integrity-policy) section for a step-by-step walkthrough of the process to create a code integrity policy and convert it to binary format.
To audit a code integrity policy with local policy:
1. Copy the DeviceGuardPolicy.bin file that you created in the [Create code integrity policies from golden PCs](#create-code-golden) section to C:\\Windows\\System32\\CodeIntegrity.
1. Copy the DeviceGuardPolicy.bin file that you created in the [Create code integrity policies from golden PCs](#create-code-integrity-policies-from-golden-pcs) section to C:\\Windows\\System32\\CodeIntegrity.
2. On the system you want to run in audit mode, open the Local Group Policy Editor by running **GPEdit.msc**.
@ -1062,13 +957,9 @@ To audit a code integrity policy with local policy:
**Note**  
*DeviceGuardPolicy.bin* is not a required policy name. This name was simply used in the [Create code integrity policies from golden PCs](#create-code-golden) section and so was used here. Also, this policy file does not need to be copied to every system. Alternatively, you can copy the code integrity policies to a file share to which all computer accounts have access.
 
**Note**  
Any policy you select here is converted to SIPolicy.p7b when it is deployed to the individual computers.
 
![figure 22](images/dg-fig22-deploycode.png)
Figure 22. Deploy your code integrity policy
@ -1076,8 +967,6 @@ To audit a code integrity policy with local policy:
**Note**  
You may have noticed that the GPO setting references a .p7b file and this policy uses a .bin file. Regardless of the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped on the Windows 10 computers. Microsoft recommends that you make your code integrity policies friendly and allow the system to convert the policy names for you. By doing this, it ensures that the policies are easily distinguishable when viewed in a share or any other central repository.
 
4. Restart reference system for the code integrity policy to take effect.
5. Monitor the CodeIntegrity event log. While in audit mode, any exception to the deployed code integrity policy will be logged in the Applications and Services Logs\\Microsoft\\CodeIntegrity\\Operational event log, as shown in Figure 23.
@ -1097,11 +986,7 @@ To audit a code integrity policy with local policy:
**Note**  
An alternative method to test a policy is to rename the test file to SIPolicy.p7b and drop it into C:\\Windows\\System32\\CodeIntegrity, rather than deploy it with the local machine policy.
 
### <a href="" id="create-audit-code"></a>
**Create an audit code integrity policy**
### Create an audit code integrity policy
When you run code integrity policies in audit mode, validate any exceptions and determine whether you will need to add them to the code integrity policy you want to audit. Use the system as you normally would to ensure that any use exceptions are logged. When you are ready to create a code integrity policy from the auditing events, complete the following steps in an elevated Windows PowerShell session:
@ -1113,7 +998,7 @@ When you run code integrity policies in audit mode, validate any exceptions and
2. Analyze audit results.
Before you create a code integrity policy from audit events, Microsoft recommends that each exception be analyzed, as discussed in steps 5 and 6 of the [Audit code integrity policies](#audit-code-integrity) section.
Before you create a code integrity policy from audit events, Microsoft recommends that each exception be analyzed, as discussed in steps 5 and 6 of the [Audit code integrity policies](#audit-code-integrity-policies) section.
3. Generate a new code integrity policy from logged audit events:
@ -1122,25 +1007,17 @@ When you run code integrity policies in audit mode, validate any exceptions and
**Note**  
When you create policies from audit events, you should carefully consider the file rule level that you select to trust. In this example, you use the Hash rule level, which should be used as a last resort.
 
After you complete these steps, the Device Guard audit policy .xml file (DeviceGuardAuditPolicy.xml) will be available on your desktop. You can now use this file to update the existing code integrity policy that you ran in audit mode by merging the two policies. For instructions on how to merge this audit policy with the existing code integrity policy, see the [Merge code integrity policies](#merge-code-integrity) section.
After you complete these steps, the Device Guard audit policy .xml file (DeviceGuardAuditPolicy.xml) will be available on your desktop. You can now use this file to update the existing code integrity policy that you ran in audit mode by merging the two policies. For instructions on how to merge this audit policy with the existing code integrity policy, see the [Merge code integrity policies](#merge-code-integrity-policies) section.
**Note**  
You may have noticed that you did not generate a binary version of this policy as you did in the [Create code integrity policies from golden PCs](#create-code-golden) section. This is because code integrity policies created from an audit log are not intended to run as stand-alone policies but rather to update existing code integrity policies.
You may have noticed that you did not generate a binary version of this policy as you did in the [Create code integrity policies from golden PCs](#create-code-integrity-policies-from-golden-pcs) section. This is because code integrity policies created from an audit log are not intended to run as stand-alone policies but rather to update existing code integrity policies.
 
### <a href="" id="merge-code-integrity"></a>
**Merge code integrity policies**
### Merge code integrity policies
When you develop code integrity policies, you will occasionally need to merge two policies. A common example is when a code integrity policy is initially created and audited. Another example is when you create a single master policy by using multiple code integrity policies previously created from golden PCs. Because each Windows 10 machine can have only one code integrity policy, it is important to properly maintain these policies. In this example, audit events have been saved into a secondary code integrity policy that you then merge with the initial code integrity policy.
**Note**  
The following example uses the code integrity policy .xml files that you created in the [Create code integrity policies from golden PCs](#create-code-golden) and [Audit code integrity policies](#audit-code-integrity) sections. You can follow this process, however, with any two code integrity policies you would like to combine.
 
The following example uses the code integrity policy .xml files that you created in the [Create code integrity policies from golden PCs](#create-code-integrity-policies-from-golden-pcs) and [Audit code integrity policies](#audit-code-integrity-policies) sections. You can follow this process, however, with any two code integrity policies you would like to combine.
To merge two code integrity policies, complete the following steps in an elevated Windows PowerShell session:
@ -1178,8 +1055,6 @@ Every code integrity policy is created with audit mode enabled. After you have s
**Note**  
Every code integrity policy should be tested in audit mode first. For information about how to audit code integrity policies, see the [Audit code integrity policies](#audit-code-integrity) section.
 
1. Initialize the variables that will be used:
`$CIPolicyPath=$env:userprofile+"\Desktop\"`
@ -1217,13 +1092,13 @@ Every code integrity policy should be tested in audit mode first. For informatio
 
Now that this policy has been enforced, you can deploy it to your test machines. Rename the policy to SIPolicy.p7b and copy it to C:\\Windows\\System32\\CodeIntegrity for testing, or deploy the policy through Group Policy by following the instructions in the [Deploy and manage code integrity policies with Group Policy](#deploy-manage-code-gp) section, or through client management software by following the instructions in the section “Deploying and managing code integrity policies by using Microsoft client management solutions.”
Now that this policy has been enforced, you can deploy it to your test machines. Rename the policy to SIPolicy.p7b and copy it to C:\\Windows\\System32\\CodeIntegrity for testing, or deploy the policy through Group Policy by following the instructions in the [Deploy and manage code integrity policies with Group Policy](#deploy-and-manage-code-integrity-policies-with-group-policy) section, or through client management software by following the instructions in the section “Deploying and managing code integrity policies by using Microsoft client management solutions.”
**Signing code integrity policies with SignTool.exe**
Signed code integrity policies give organizations the highest level of malware protection available in Windows 10. In addition to their enforced policy rules, signed policies cannot be modified or deleted by a user or administrator on the machine. These policies are designed to prevent administrative tampering and kernel mode exploit access. With this in mind, it is much more difficult to remove signed code integrity policies than unsigned ones. Before you sign and deploy a signed code integrity policy, Microsoft recommends that you audit the policy to discover any blocked applications that should be allowed to run. For more information about how to audit code integrity policies, see the [Audit code integrity policies](#audit-code-integrity) section.
Signed code integrity policies give organizations the highest level of malware protection available in Windows 10. In addition to their enforced policy rules, signed policies cannot be modified or deleted by a user or administrator on the machine. These policies are designed to prevent administrative tampering and kernel mode exploit access. With this in mind, it is much more difficult to remove signed code integrity policies than unsigned ones. Before you sign and deploy a signed code integrity policy, Microsoft recommends that you audit the policy to discover any blocked applications that should be allowed to run. For more information about how to audit code integrity policies, see the [Audit code integrity policies](#audit-code-integrity-policies) section.
Signing code integrity policies by using an on-premises CA-generated certificate or a purchased code signing certificate is straightforward. If you do not currently have a code signing certificate exported in .pfx format (containing private keys, extensions, and root certificates), see [Create a Device Guard code signing certificate](#create-dg-code) to create one with your on-premises CA. Before signing code integrity policies for the first time, be sure to enable rule options 9 and 10 to leave troubleshooting options available to test administrators. When validated and ready for enterprise deployment, you can remove these options. For information about how to add rule options, see the [Code integrity policy rules](#code-integrity-policy-rules) section.
Signing code integrity policies by using an on-premises CA-generated certificate or a purchased code signing certificate is straightforward. If you do not currently have a code signing certificate exported in .pfx format (containing private keys, extensions, and root certificates), see [Create a Device Guard code signing certificate](#create-a-device-guard-code-signing-certificate) to create one with your on-premises CA. Before signing code integrity policies for the first time, be sure to enable rule options 9 and 10 to leave troubleshooting options available to test administrators. When validated and ready for enterprise deployment, you can remove these options. For information about how to add rule options, see the [Code integrity policy rules](#code-integrity-policy-rules) section.
**Note**  
Signing code integrity policies is the last step in a code integrity deployment. It is much more difficult to remove a signed code integrity policy than an unsigned one. Before you deploy a signed code integrity policy to deployed client computers, be sure to test its effect on a subset of machines.
@ -1236,8 +1111,6 @@ To sign a code integrity policy with SignTool.exe, you need the following compon
- An internal CA code signing certificate or a purchased code signing certificate
 
If you do not have a code signing certificate, see the [Create a Device Guard code signing certificate](#create-dg-code) section for instructions on how to create one. If you use an alternate certificate or code integrity policy, be sure to update the following steps with the appropriate variables and certificate so that the commands will function properly. To sign the existing code integrity policy, copy each of the following commands into an elevated Windows PowerShell session:
1. Initialize the variables that will be used:
@ -1247,8 +1120,6 @@ If you do not have a code signing certificate, see the [Create a Device Guard co
**Note**  
This example uses the code integrity policy that you created in the [Create code integrity policies from golden PCs](#create-code-golden) section. If you are signing another policy, be sure to update the **$CIPolicyPath** and **$CIPolicyBin** variables with the correct information.
 
2. Import the .pfx code signing certificate. Import the code signing certificate that you will use to sign the code integrity policy into the signing users personal store on the machine that will be doing the signing. In this example, you use the certificate that was created in the [Create a Device Guard code signing certificate](#create-dg-code) section.
3. Export the .cer code signing certificate. After the code signing certificate has been imported, export the .cer version to your desktop. This version will be added to the policy so that it can be updated later.
@ -1264,13 +1135,9 @@ If you do not have a code signing certificate, see the [Create a Device Guard co
**Note**  
*&lt;Path to exported .cer certificate&gt;* should be the full path to the certificate that you exported in step 3.
 
**Note**  
Adding update signers is crucial to being able to modify or disable this policy in the future. For more information about how to disable signed code integrity policies, see the [Disable signed code integrity policies within Windows](#disable-signed-code) section.
 
6. Remove the unsigned policy rule option:
`Set-RuleOption -Option 6 -FilePath $InitialCIPolicy -Delete`
@ -1286,13 +1153,9 @@ If you do not have a code signing certificate, see the [Create a Device Guard co
**Note**  
The *&lt;Path to signtool.exe&gt;* variable should be the full path to the SignTool.exe utility. **ContosoDGSigningCert** is the subject name of the certificate that will be used to sign the code integrity policy. You should import this certificate to your personal certificate store on the machine you use to sign the policy.
 
9. Validate the signed file. When complete, the commands should output a signed policy file called DeviceGuardPolicy.bin.p7 to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy code integrity policies, see the [Deploy and manage code integrity policies with Group Policy](#deploy-and-manage-code-integrity-policies-with-group-policy) section.
9. Validate the signed file. When complete, the commands should output a signed policy file called DeviceGuardPolicy.bin.p7 to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy code integrity policies, see the [Deploy and manage code integrity policies with Group Policy](#deploy-manage-code-gp) section.
### <a href="" id="disable-unsigned-code"></a>
**Disable unsigned code integrity policies**
### Disable unsigned code integrity policies
There may come a time when an administrator wants to disable a code integrity policy. For unsigned code integrity policies, this process is simple. Depending on how the code integrity policy was deployed, unsigned policies can be disabled in one of two ways. If a code integrity policy was manually enabled and copied to the code integrity folder location, simply delete the file and restart the machine. The following locations can contain executing code integrity policies:
@ -1302,9 +1165,7 @@ There may come a time when an administrator wants to disable a code integrity po
If the code integrity policy was deployed by using Group Policy, the GPO that is currently enabling and deploying the policy must be set to disabled. Then, the code integrity policy will be disabled on the next computer restart.
### <a href="" id="disable-signed-code"></a>
**Disable signed code integrity policies within Windows**
### Disable signed code integrity policies within Windows
Signed policies protect Windows from administrative manipulation as well as malware that has gained administrative-level access to the system. For this reason, signed code integrity policies are intentionally more difficult to remove than unsigned policies. They inherently protect themselves from modification or removal and therefore are difficult even for administrators to remove successfully. If the signed code integrity policy is manually enabled and copied to the CodeIntegrity folder, to remove the policy, you must complete the following steps:
@ -1315,15 +1176,12 @@ For reference, signed code integrity policies should be replaced and removed fro
- &lt;OS Volume&gt;\\Windows\\System32\\CodeIntegrity\\
 
1. Replace the existing policy with another signed policy that has the **6 Enabled: Unsigned System Integrity Policy** rule option enabled.
**Note**  
To take effect, this policy must be signed with a certificate previously added to the **UpdatePolicySigners** section of the original signed policy you want to replace.
 
2. Restart the client computer.
3. Verify that the new signed policy exists on the client.
@ -1331,8 +1189,6 @@ For reference, signed code integrity policies should be replaced and removed fro
**Note**  
If the signed policy that contains rule option 6 has not been processed on the client, the addition of an unsigned policy may cause boot failures.
 
4. Delete the new policy.
5. Restart the client computer.
@ -1353,17 +1209,13 @@ If the signed code integrity policy has been deployed using by using Group Polic
**Note**  
If the signed policy that contains rule option 6 has not been processed on the client, the addition of an unsigned policy may cause boot failures.
 
4. Set the GPO to disabled.
5. Delete the new policy.
6. Restart the client computer.
### <a href="" id="disable-signed-code-bios"></a>
**Disable signed code integrity policies within the BIOS**
### Disable signed code integrity policies within the BIOS
There may be a time when signed code integrity policies cause a boot failure. Because code integrity policies enforce kernel mode drivers, it is important that they be thoroughly tested on each software and hardware configuration before being enforced and signed. Signed code integrity policies are validated in the pre-boot sequence by using Secure Boot. When you disable the Secure Boot feature in the BIOS, and then delete the file from the following locations on the operating system disk, it allows the system to boot into Windows:
@ -1378,15 +1230,11 @@ There may be a time when signed code integrity policies cause a boot failure. Be
Code integrity policies can easily be deployed and managed with Group Policy. A Device Guard administrative template will be available in Windows Server 2016 that allows you to simplify deployment of Device Guard hardware-based security features and code integrity policies. The following procedure walks you through how to deploy a code integrity policy called **DeviceGuardPolicy.bin** to a test OU called *DG Enabled PCs* by using a GPO called **Contoso GPO Test**.
**Note**  
This walkthrough requires that you have previously created a code integrity policy and have a Windows 10 client PC on which to test a Group Policy deployment. For more information about how to create a code integrity policy, see the [Create code integrity polices from golden PCs](#create-code-golden) section.
 
This walkthrough requires that you have previously created a code integrity policy and have a Windows 10 client PC on which to test a Group Policy deployment. For more information about how to create a code integrity policy, see the [Create code integrity polices from golden PCs](#create-code-integrity-polices-from-golden-pcs) section.
**Note**  
Signed code integrity policies can cause boot failures when deployed. Microsoft recommends that signed code integrity policies be thoroughly tested on each hardware platform before enterprise deployment.
 
To deploy and manage a code integrity policy with Group Policy:
1. On a domain controller on a client computer on which RSAT is installed, open the GPMC by running **GPMC.MSC** or searching for “Group Policy Management” in Windows Search.
@ -1396,8 +1244,6 @@ To deploy and manage a code integrity policy with Group Policy:
**Note**  
The DG Enabled PCs OU is just an example of where to link the test GPO created in this section. Any OU name can be used. Also, security group filtering is an option when considering policy partitioning options based on the strategy discussed in the [Approach enterprise code integrity deployment](#approach-enterprise) section.
 
![figure 24](images/dg-fig24-creategpo.png)
Figure 24. Create a GPO
@ -1426,12 +1272,9 @@ To deploy and manage a code integrity policy with Group Policy:
**Note**  
You may have noticed that the GPO setting references a .p7b file and this example uses a .bin file for the policy. Regardless of the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped on the Windows 10 client computers. Make your code integrity policies friendly and allow the system to convert the policy names for you to ensure that the policies are easily distinguishable when viewed in a share or any other central repository.
 
7. Close the Group Policy Management Editor, and then restart the Windows 10 test machine. Restarting the client computer updates the code integrity policy. For information about how to audit code integrity policies, see the [Audit code integrity policies](#audit-code-integrity)section.
## <a href="" id="create-dg-code"></a>Create a Device Guard code signing certificate
7. Close the Group Policy Management Editor, and then restart the Windows 10 test machine. Restarting the client computer updates the code integrity policy. For information about how to audit code integrity policies, see the [Audit code integrity policies](#audit-code-integrity-policies)section.
## Create a Device Guard code signing certificate
To sign catalog files or code integrity policies internally, you will either need a publicly issued code signing certificate or an internal CA. If you have purchased a code signing certificate, you can skip these steps and proceed to the sections that outline the steps to sign catalog files and code integrity policies. If you have not purchased a certificate but have an internal CA, complete these steps to create a code signing certificate:
@ -1500,8 +1343,6 @@ Now that the template is available to be issued, you must request one from the W
**Note**  
If a certificate manager is required to approve any issued certificates and you selected to require management approval on the template, the request will need to be approved in the CA before it will be issued to the client.
 
This certificate must be installed in the users personal store on the computer that will be signing the catalog files and code integrity policies. If the signing is going to be taking place on the machine on which you just requested the certificate, exporting the certificate to a .pfx file will not be required because it already exists in your personal store. If you are signing on another computer, you will need to export the .pfx certificate with the necessary keys and properties. To do so, complete the following steps:
1. Right-click the certificate, point to **All Tasks**, and then click **Export**.
@ -1517,23 +1358,12 @@ When the certificate has been exported, import it into the personal store for th
## Related topics
[AppLocker overview](http://go.microsoft.com/fwlink/p/?LinkId=624172)
[AppLocker overview](applocker-overview.md)
[Code integrity](http://go.microsoft.com/fwlink/p/?LinkId=624173)
[Credential guard](http://go.microsoft.com/fwlink/p/?LinkId=624529)
[Device Guard certification and compliance](http://go.microsoft.com/fwlink/p/?LinkId=624840)
[Credential guard](credential-guard.md)
[Driver compatibility with Device Guard in Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=624843)
[Dropping the Hammer Down on Malware Threats with Windows 10s Device Guard](http://go.microsoft.com/fwlink/p/?LinkId=624844)
 
 

3
windows/manage/TOC.md
View File

@ -17,7 +17,8 @@
#### [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md)
#### [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](set-up-a-kiosk-for-windows-10-for-mobile-edition.md)
### [Lock down Windows 10 to specific apps](lock-down-windows-10-to-specific-apps.md)
### [Configure telemetry and other settings in your organization](disconnect-your-organization-from-microsoft.md)
### [Configure Windows 10 devices to stop data flow to Microsoft](configure-windows-10-devices-to-stop-data-flow-to-microsoft.md)
### [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md)
### [Configure access to Windows Store](stop-employees-from-using-the-windows-store.md)
### [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md)
### [Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md)

159
windows/manage/change-history-for-manage-and-update-windows-10.md
View File

@ -10,145 +10,54 @@ author: jdeckerMS
# Change history for Manage and update Windows 10
This topic lists new and updated topics in the [Manage and update Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
## May 2016
New or changed topic | Description |
---|---|
[Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | Corrected script for setting a custom shell using Shell Launcher |
| New or changed topic | Description |
| ---|---|
| [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | Corrected script for setting a custom shell using Shell Launcher |
| [Configure Windows 10 devices to stop data flow to Microsoft](configure-windows-10-devices-to-stop-data-flow-to-microsoft.md) | Added section on how to turn off Live Tiles |
| [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md) | New telemetry content |
## April 2016
<table>
<thead>
<tr class="header">
<th align="left">New or changed topic</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody><tr class="odd">
<td align="left">[Administrative tools in Windows 10](administrative-tools-in-windows-10.md)</td>
<td align="left"><p>Added screenshots of Control Panel and the administrative tools folder.</p></td>
</tr>
<tr class="odd">
<td align="left">[Configure telemetry and other settings in your organization](disconnect-your-organization-from-microsoft.md)</td>
<td align="left"><p>Added the font streaming section.</p></td>
</tr>
<tr class="odd">
<td align="left">[Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md)</td>
<td align="left"><p>Made corrections to script and instructions for Shell Launcher.</p></td>
</tr>
</tbody>
</table>
 
| New or changed topic | Description |
| ---|---|
| [Administrative tools in Windows 10](administrative-tools-in-windows-10.md) | Added screenshots of Control Panel and the administrative tools folder. |
| [Configure telemetry and other settings in your organization](disconnect-your-organization-from-microsoft.md) | Added the font streaming section. |
| [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | Made corrections to script and instructions for Shell Launcher. |
## March 2016
<table>
<thead>
<tr class="header">
<th align="left">New or changed topic</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left">[Application development for Windows as a service](application-development-for-windows-as-a-service.md)</td>
<td align="left">New</td>
</tr>
<tr class="even">
<td align="left">[Join Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md)</td>
<td align="left"><p>New</p></td>
</tr>
<tr class="odd">
<td align="left">[Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md)</td>
<td align="left"><p>Updated to include the new Preview feature, Cortana and Microsoft Dynamics CRM integration.</p></td>
</tr>
</tbody>
</table>
 
| New or changed topic | Description |
| ---|---|
| [Application development for Windows as a service](application-development-for-windows-as-a-service.md) | New |
| [Join Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md) | New |
| [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) | Updated to include the new Preview feature, Cortana and Microsoft Dynamics CRM integration. |
## February 2016
<table>
<thead>
<tr class="header">
<th align="left">New or changed topic</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left">[Configure telemetry and other settings in your organization](disconnect-your-organization-from-microsoft.md)</td>
<td align="left"><p>Added call history and email to the Settings &gt; Privacy section.</p>
<p>Added the Turn off Windows Mail application Group Policy to the Mail synchronization section.</p></td>
</tr>
<tr class="even">
<td align="left">[Customize and export Start layout](customize-and-export-start-layout.md)</td>
<td align="left">Added a note to clarify that partial Start layout is only supported in Windows 10, version 1511 and later</td>
</tr>
<tr class="odd">
<td align="left">[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)</td>
<td align="left">Added instructions for replacing markup characters with escape characters in Start layout XML</td>
</tr>
<tr class="even">
<td align="left">[Introduction to configuration service providers (CSPs) for IT pros](how-it-pros-can-use-configuration-service-providers.md)</td>
<td align="left">New</td>
</tr>
<tr class="odd">
<td align="left">[Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md)</td>
<td align="left">New</td>
</tr>
<tr class="even">
<td align="left">[Windows 10 servicing options for updates and upgrades](introduction-to-windows-10-servicing.md)</td>
<td align="left">Added information on servicing options for Windows 10 Mobile, Windows 10 Mobile Enterprise, and Windows 10 IoT Core (IoT Core).</td>
</tr>
</tbody>
</table>
| New or changed topic | Description |
| ---|---|
| [Configure telemetry and other settings in your organization](disconnect-your-organization-from-microsoft.md) | Added call history and email to the Settings &gt; Privacy section.<br />Added the Turn off Windows Mail application Group Policy to the Mail synchronization section. |
| [Customize and export Start layout](customize-and-export-start-layout.md) | Added a note to clarify that partial Start layout is only supported in Windows 10, version 1511 and later |
| [Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) | Added instructions for replacing markup characters with escape characters in Start layout XML |
| [Introduction to configuration service providers (CSPs) for IT pros](how-it-pros-can-use-configuration-service-providers.md) | New |
| [Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md) | New |
| [Windows 10 servicing options for updates and upgrades](introduction-to-windows-10-servicing.md) | Added information on servicing options for Windows 10 Mobile, Windows 10 Mobile Enterprise, and Windows 10 IoT Core (IoT Core). |
 
## December 2015
<table>
<thead>
<tr class="header">
<th align="left">New or changed topic</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left">[Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md)</td>
<td align="left">New</td>
</tr>
<tr class="even">
<td align="left">[Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md)</td>
<td align="left">New</td>
</tr>
<tr class="odd">
<td align="left">[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)</td>
<td align="left"></td>
</tr>
</tbody>
</table>
 
| New or changed topic | Description |
| ---|---|
| [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) | New |
| [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) | New |
|[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) | New |
## November 2015
| New or changed topic | Description |
|--------------------------------------------------------------------------------------------------------------------------------------------------|-------------|
| [Administrative Tools in Windows 10](administrative-tools-in-windows-10.md) | New |
@ -166,11 +75,8 @@ New or changed topic | Description |
| [Configure telemetry and other settings in your organization](disconnect-your-organization-from-microsoft.md) | Updated |
| [New policies for Windows 10](new-policies-for-windows-10.md) | Updated |
 
## Related topics
[Change history for What's new in Windows 10](../whats-new/change-history-for-what-s-new-in-windows-10.md)
[Change history for Plan for Windows 10 deployment](../plan/change-history-for-plan-for-windows-10-deployment.md)
@ -180,10 +86,3 @@ New or changed topic | Description |
[Change history for Keep Windows 10 secure](../keep-secure/change-history-for-keep-windows-10-secure.md)
 
 

1271
windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md Normal file
View File

File diff suppressed because it is too large Load Diff

295
windows/manage/configure-windows-telemetry-in-your-organization.md Normal file
View File

@ -0,0 +1,295 @@
---
description: Use this article to make informed decisions about how you can configure telemetry in your organization.
title: Configure Windows telemetry in your organization (Windows 10)
keywords: privacy
---
# Configure Windows telemetry in your organization
**Applies to**
- Windows 10
- Windows 10 Mobile
- Windows Server 2016 Technical Preview
Use this article to make informed decisions about how you can configure telemetry in your organization. Telemetry is a term that means different things to different people and organizations. For the purpose of this article, we discuss telemetry as system data that is uploaded by the Connected User Experience and Telemetry component. The telemetry data is used to keep Windows devices secure, and to help Microsoft improve the quality of Windows and Microsoft services.
**Note**  
This article does not apply to System Center Configuration Manager, System Center Endpoint Protection, or System Center Data Protection Manager because those components use a different telemetry service than Windows and Windows Server.
It describes the types of telemetry we gather and the ways you can manage its telemetry. This article also lists some examples of how telemetry can provide you with valuable insights into your enterprise deployments, and how Microsoft uses the data to quickly identify and address issues affecting its customers.
We understand that the privacy and security of our customers information is important and we have taken a thoughtful and comprehensive approach to customer privacy and the protection of their data with Windows 10, Windows Server 2016 Technical Preview, and System Center 2016.
## Overview
In previous versions of Windows and Windows Server, Microsoft used telemetry to check for updated or new Windows Defender signatures, check whether Windows Update installations were successful, gather reliability information through the Reliability Analysis Component (RAC) on Windows Server, and gather reliability information through the Windows Customer Experience Improvement Program (CEIP) on Windows. In Windows 10 and Windows Server 2016 Technical Preview, you can control telemetry streams by using Settings &gt; Privacy, Group Policy, or MDM.
Microsoft is committed to improving customer experiences in a mobile-first and cloud-first world, and it all starts with our customers. Telemetry is one critical way Microsoft is using data to improve our products and services. Telemetry gives every enterprise customer a voice that helps us shape future versions of Windows, Windows Server and System Center, allowing us to respond quickly to your feedback and providing new features and improved quality to our customers.
Our goal is to leverage the aggregated data to drive changes in the product and ecosystem to improve our customer experiences. We are also partnering with enterprises to provide added value from the telemetry information shared by their devices. Some examples include identifying outdated patches and downloading the latest antimalware signatures to help keep their devices secure, identifying application compatibility issues prior to upgrades, and gaining insights into driver reliability issues affecting other customers.
For Windows 10, we invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows work better for youcr organization.
## How is telemetry data handled by Microsoft?
### Data collection
Windows 10 and Windows Server 2016 Technical Preview includes the Connected User Experience and Telemetry component, which uses Event Tracing for Windows (ETW) tracelogging technology to gather and store telemetry events and data. The operating system and some Microsoft management solutions, such as System Center, use the same logging technology.
1. Operating system features and some management applications are instrumented to publish events and data. Examples of management applications include Virtual Machine Manager (VMM), Server Manager, and Storage Spaces.
2. Events are gathered using public operating system event logging and tracing APIs.
3. You can configure the telemetry level by using an MDM policy, Group Policy, or registry settings.
4. The Connected User Experience and Telemetry component transmits telemetry data over HTTPS to Microsoft and uses certificate pinning.
Info collected at the Enhanced and Full levels of telemetry is typically gathered at a fractional sampling rate, which can be as low as 1% of devices reporting data at those levels.
### Data transmission
All telemetry data is encrypted using SSL and uses certificate pinning during transfer from the device to the Microsoft Data Management Service. With Windows 10, data is uploaded on a schedule that is sensitive to event priority, battery use, and network cost. Real-time events, such as Windows Defender Advanced Threat Protection, are always sent immediately. Normal events are not uploaded on metered networks, unless you are on a metered server connection. On a free network, normal events can be uploaded every 4 hours if on battery, or every 15 minutes if on A/C power. Diagnostic and crash data are only uploaded on A/C power and free networks.
### Endpoints
The Microsoft Data Management Service routes data back to our secure cloud storage. Only Microsoft personnel with a valid business justification are permitted access.
The Connected User Experience and Telemetry component connects to the Microsoft Data Management service at v10.vortex-win.data.microsoft.com.
The Connected User Experience and Telemetry component also connects to settings-win.data.microsoft.com to download configuration information.
[Windows Error Reporting](http://msdn.microsoft.com/library/windows/desktop/bb513641.aspx) connects to watson.telemetry.microsoft.com.
[Online Crash Analysis](http://msdn.microsoft.com/library/windows/desktop/ee416349.aspx) connects to oca.telemetry.microsoft.com.
### Data use and access
Data gathered from telemetry is used by Microsoft teams primarily to improve our customer experiences, and for security, health, quality, and performance analysis. The principle of least privileged guides access to telemetry data. Only Microsoft personnel with a valid business need are permitted access to the telemetry data. Microsoft does not share personal data of our customers with third parties, except at the customers discretion or for the limited purposes described in the Privacy Statement. We do share business reports with OEMs and third party partners that include aggregated, anonymized telemetry information. Data-sharing decisions are made by an internal team including privacy, legal, and data management.
### Retention
Microsoft believes in and practices information minimization. We strive to gather only the info we need, and store it for as long as its needed to provide a service or for analysis. Much of the info about how Windows and apps are functioning is deleted within 30 days. Other info may be retained longer, such as error reporting data or Store purchase history.
## Telemetry levels
This section explains the different telemetry levels in Windows 10, Windows Server 2016 Technical Preview, and System Center. These levels are available on all desktop and mobile editions of Windows 10, with the exception of the **Security** level which is limited to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016 Technical Preview.
The telemetry data is categorized into four levels:
- **Security**. Information thats required to help keep Windows, Windows Server, and System Center secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender.
- **Basic**. Basic device info, including: quality-related data, app compat, app usage data, and data from the **Security** level.
- **Enhanced**. Additional insights, including: how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability data, and data from both the **Basic** and the **Security** levels.
- **Full**. All data necessary to identify and help to fix problems, plus data from the **Security**, **Basic**, and **Enhanced** levels.
The levels are cumulative and are illustrated in the following diagram. These levels apply to all editions of Windows Server 2016 Technical Preview.
![breakdown of telemetry levels and types of administrative controls](images/priv-telemetry-levels.png)
### Security level
The Security level gathers only the telemetry info that is required to keep Windows devices, Windows Server, and guests secure with the latest security updates. This level is only available on Windows Server 2016, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and IoT Core editions.
**Note**  
If your organization relies on Windows Update for updates, you shouldnt use the **Security** level. Because no Windows Update information is gathered at this level, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates.
Windows Server Update Services (WSUS) and System Center Configuration Manager functionality is not affected at this level, nor is telemetry data about Windows Server features or System Center gathered.
 
The data gathered at this level includes:
- **Connected User Experience and Telemetry component settings**. If data has been gathered and is queued to be sent, the Connected User Experience and Telemetry component downloads its settings file from Microsofts servers. The data gathered by the client for this request includes OS information, device id (used to identify what specific device is requesting settings) and device class (for example, whether the device is server or desktop).
- **Malicious Software Removal Tool (MSRT)** The MSRT infection report contains information, including device info and IP address.
**Note**  
You can turn off the MSRT infection report. No MSRT information is included if MSRT is not used. If Windows Update is turned off, MSRT will not be offered to users. For more info, see Microsoft KB article [891716](http://support.microsoft.com/kb/891716).
 
- **Windows Defender/Endpoint Protection**. Windows Defender and System Center Endpoint Protection requires some information to function, including: anti-malware signatures, diagnostic information, User Account Control settings, Unified Extensible Firmware Interface (UEFI) settings, and IP address.
**Note**  
This reporting can be turned off and no information is included if a customer is using third party antimalware software, or if Windows Defender is turned off. For more info, see [Windows Defender](disconnect-your-organization-from-microsoft.md#windows-defender).
Microsoft recommends that Windows Update, Windows Defender, and MSRT remain enabled unless the enterprise uses alternative solutions such as Windows Server Update Services, System Center Configuration Manager, or a third party antimalware solution. Windows Update, Windows Defender, and MSRT provide core Windows functionality such as driver and OS updates, including security updates.
 
For servers with default telemetry settings and no Internet connectivity, you should set the telemetry level to **Security**. This stops data gathering for events that would not be uploaded due to the lack of Internet connectivity.
No user content, such as user files or communications, is gathered at the **Security** telemetry level, and we take steps to avoid gathering any information that directly identifies a company or user, such as name, email address, or account ID. However, in rare circumstances, MSRT information may unintentionally contain personal information. For instance, some malware may create entries in a computers registry that include information such as a username, causing it to be gathered. MSRT reporting is optional and can be turned off at any time.
### Basic level
The Basic level gathers a limited set of data thats critical for understanding the device and its configuration. This level also includes the **Security** level data. This level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. The Connected User Experience and Telemetry component does not gather telemetry data about System Center, but it can transmit telemetry for other non-Windows applications if they have user consent.
The data gathered at this level includes:
- **Basic device data**. Helps provide an understanding about the types of Windows devices and the configurations and types of native and virtualized Windows Server 2016 Technical Previewinstances in the ecosystem, including:
- Device attributes, such as camera resolution and display type
- Internet Explorer version
- Battery attributes, such as capacity and type
- Networking attributes, such as number of network adapters, speed of network adapters, mobile operator network, and IMEI number
- Processor and memory attributes, such as number of cores, architecture, speed, memory size, and firmware
- Virtualization attribute, such as Second Level Address Translation (SLAT) support and guest operating system
- Operating system attributes, such as Windows edition and virtualization state
- Storage attributes, such as number of drives, type, and size
- **Connected User Experience and Telemetry component quality metrics**. Helps provide an understanding about how the Connected User Experience and Telemetry component is functioning, including % of uploaded events, dropped events, and the last upload time.
- **Quality-related information**. Helps Microsoft develop a basic understanding of how a device and its operating system are performing. Some examples are the device characteristics of a Connected Standby device, the number of crashes or hangs, and application state change details, such as how much processor time and memory were used, and the total uptime for an app.
- **Compatibility data**. Helps provide an understanding about which apps are installed on a device or virtual machine and identifies potential compatibility problems.
- **General app data and app data for Internet Explorer add-ons**. Includes a list of apps that are installed on a native or virtualized instance of the OS and whether these apps function correctly after an upgrade.This app data includes the app name, publisher, version, and basic details about which files have been blocked from usage.
- **App usage data**. Includes how an app is used, including how long an app is used for, when the app has focus, and when the app is started
- **Internet Explorer add-ons**. Includes a list of Internet Explorer add-ons that are installed on a device and whether these apps will work after an upgrade.
- **System data**. Helps provide an understanding about whether a device meets the minimum requirements to upgrade to the next version of the operating system. System information includes the amount of memory, as well as information about the processor and BIOS.
- **Accessory device data**. Includes a list of accessory devices, such as printers or external storage devices, that are connected to Windows PCs and whether these devices will function after upgrading to a new version of the operating system.
- **Driver data**. Includes specific driver usage thats meant to help figure out whether apps and devices will function after upgrading to a new version of the operating system. This can help to determine blocking issues and then help Microsoft and our partners apply fixes and improvements.
- **Store**. Provides information about how the Windows Store performs, including app downloads, installations, and updates. It also includes Windows Store launches, page views, suspend and resumes, and obtaining licenses.
### Enhanced level
The Enhanced level gathers data about how Windows and apps are used and how they perform. This level also includes data from both the **Basic** and **Security** levels. This level helps to improve the user experiencewith the operating system and apps. Data from this level can be abstracted into patterns and trends that can help Microsoft determine future improvements.
This is the default level, and the minimum level needed to quickly identify and address Windows, Windows Server, and System Center quality issues.
The data gathered at this level includes:
- **Operating system events**. Helps to gain insights into different areas of the operating system, including networking, Hyper-V, Cortana, storage, file system, and other components.
- **Operating system app events**. A set of events resulting from Microsoft applications and management tools that were downloaded from the Store or pre-installed with Windows or Windows Server, including Server Manager, Photos, Mail, and Microsoft Edge.
- **Device-specific events**. Contains data about events that are specific to certain devices, such as Surface Hub and Microsoft HoloLens. For example, Microsoft HoloLens sends Holographic Processing Unit (HPU)-related events.
- **Some crash dump types**. All crash dump types, except for heap dumps and full dumps.
If the Connected User Experience and Telemetry component detects a problem on Windows 10 that requires gathering more detailed instrumentation, the Connected User Experience and Telemetry component at the **Enhanced** telemetry level will only gather data about the events associated with the specific issue.
### Full level
The Full level gathers data necessary to identify and to help fix problems, following the approval process described below. This level also includes data from the **Basic**, **Enhanced**, and **Security** levels.
Additionally, at this level, devices opted in to the [Windows Insider Program](http://insider.windows.com) will send events, such as reliability and app responsiveness. that can show Microsoft how pre-release binaries and features are performing. These events help us make decisions on which builds are flighted. All devices in the [Windows Insider Program](http://insider.windows.com) are automatically set to this level.
If a device experiences problems that are difficult to identify or repeat using Microsofts internal testing, additional data becomes necessary. This data can include any user content that might have triggered the problem and is gathered from a small sample of devices that have both opted into the **Full** telemetry level and have exhibited the problem.
However, before more data is gathered, Microsofts privacy governance team, including privacy and other subject matter experts, must approve the diagnostics request made by a Microsoft engineer. If the request is approved, Microsoft engineers can use the following capabilities to get the information:
- Ability to run a limited, pre-approved list of Microsoft certified diagnostic tools, such as msinfo32.exe, powercfg.exe, and dxdiag.exe.
- Ability to get registry keys.
- All crash dump types, including heap dumps and full dumps.
### Manage your telemetry settings
We do not recommend that you turn off telemetry in your organization as valuable functionality may be impacted, but we recognize that in some scenarios this may be required. Use the steps in this section to do so for Windows, Windows Server, and System Center.
**Important**  
These telemetry levels only apply to Windows, Windows Server, and System Center components and apps that use the Connected User Experience and Telemetry component. Non-Windows components, such as Microsoft Office or other 3rd-party apps, may communicate with their cloud services outside of these telemetry levels. You should work with your app vendors to understand their telemetry policy, and how you can to opt in or opt out. For more information on how Microsoft Office uses telemetry, see [Overview of Office Telemetry](http://technet.microsoft.com/library/jj863580.aspx).
You can turn on or turn off System Center telemetry gathering. The default is on and the data gathered at this level represents what is gathered by default when System Center telemetry is turned on. However, setting the operating system telemetry level to **Basic** will turn off System Center telemetry, even if the System Center telemetry switch is turned on.
The lowest telemetry setting level supported through management policies is **Security**. The lowest telemetry setting supported through the Settings UI is **Basic**. The default telemetry setting for Windows Server 2016 Technical Preview is **Enhanced.**
### Configure the operating system telemetry level
You can configure your operating system telemetry settings using the management tools youre already using, such as Group Policy, MDM, or Windows Provisioning. You can also manually change your settings using Registry Editor. Setting your telemetry levels through a management policy overrides any devicelevel settings.
Use the appropriate value in the table below when you configure the management policy.
| Value | Level | Data gathered |
|-------|----------|---------------------------------------------------------------------------------------------------------------------------|
| **0** | Security | Security data only. |
| **1** | Basic | Security data, and basic system and quality data. |
| **2** | Enhanced | Security data, basic system and quality data, and enhanced insights and advanced reliability data. |
| **3** | Full | Security data, basic system and quality data, enhanced insights and advanced reliability data, and full diagnostics data. |
 
### Use Group Policy to set the telemetry level
Use a Group Policy object to set your organizations telemetry level.
1. From the Group Policy Management Console, go to **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Data Collection and Preview Builds**.
2. Double-click **Allow Telemetry**.
3. In the **Options** box, select the level that you want to configure, and then click **OK**.
### Use MDM to set the telemetry level
Use the [Policy Configuration Service Provider (CSP)](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to apply the System/AllowTelemetry MDM policy.
### Use Registry Editor to set the telemetry level
Use Registry Editor to manually set the registry level on each device in your organization, or write a script to edit the registry. If a management policy already exists, such as Group Policy or MDM, it will override this registry setting.
1. Open Registry Editor, and go to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection**.
2. Right-click **DataCollection**, click New, and then click **DWORD (32-bit) Value**.
3. Type **AllowTelemetry**, and then press ENTER.
4. Double-click **AllowTelemetry**, set the desired value from the table above, and then click **OK.**
5. Click **File** &gt; **Export**, and then save the file as a .reg file, such as **C:\\AllowTelemetry.reg**. You can run this file from a script on each device in your organization.
### Configure System Center 2016 telemetry
For System Center 2016 Technical Preview, you can turn off System Center telemetry by following these steps:
- Turn off telemetry by using the System Center UI Console settings workspace.
- For information about turning off telemetry for Service Management Automation and Service Provider Foundation, see [How to disable telemetry for Service Management Automation and Service Provider Foundation](https://support.microsoft.com/kb/3096505).
### Additional telemetry controls
There are a few more settings that you can turn off that may send telemetry information:
- To turn off Windows Update telemetry, you have two choices. Either turn off Windows Update, or set your devices to be managed by an on premises update server, such as [Windows Server Update Services (WSUS)](http://technet.microsoft.com/library/hh852345.aspx) or [System Center Configuration Manager](http://www.microsoft.com/server-cloud/products/system-center-2012-r2-configuration-manager/).
- Turn off **Windows Defender Cloud-based Protection** and **Automatic sample submission** in **Settings** &gt; **Update & security** &gt; **Windows Defender**.
- Manage the Malicious Software Removal Tool in your organization. For more info, see Microsoft KB article [891716](http://support.microsoft.com/kb/891716).
- Turn off **Linguistic Data Collection** in **Settings** &gt; **Privacy**. At telemetry levels **Enhanced** and **Full**, Microsoft uses Linguistic Data Collection info to improve language model features such as autocomplete, spellcheck, suggestions, input pattern recognition, and dictionary.
**Note**  
Microsoft do not intend to gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user's device. If we determine that sensitive information has been inadvertently received, we delete the information.
 
## Examples of how Microsoft uses the telemetry data
### Drive higher application and driver quality in the ecosystem
Telemetry plays an important role in quickly identifying and fixing critical reliability and security issues in our customers deployments and configurations. Insights into the telemetry data we gather helps us to quickly identify crashes or hangs associated with a certain application or driver on a given configuration, like a particular storage type (for example, SCSI) or a memory size. For System Center, job usages and statuses can also help us enhance the job workload and the communication between System Center and its managed products. Microsofts ability to get this data from customers and drive improvements into the ecosystem helps raise the bar for the quality of System Center, Windows Server applications, Windows apps, and drivers. Real-time data about Windows installations reduces downtime and the cost associated with troubleshooting unreliable drivers or unstable applications
### Reduce your total cost of ownership and downtime
Telemetry provides a view of which features and services customers use most. For example, the telemetry data provides us with a heat map of the most commonly deployed Windows Server roles, most used Windows features, and which ones are used the least. This helps us make informed decisions on where we should invest our engineering resources to build a leaner operating system. For System Center, understanding the customer environment for management and monitoring will help drive the support compatibilities matrix, such as host and guest OS. This can help you use existing hardware to meet your business needs and reduce your total cost of ownership, as well as reducing downtime associated with security updates.
### Build features that address our customers needs
Telemetry also helps us better understand how customers deploy components, use features, and use services to achieve their business goals. Getting insights from that information helps us prioritize our engineering investments in areas that can directly affect our customers experiences and workloads. Some examples include customer usage of containers, storage, and networking configurations associated with Windows Server roles like Clustering and Web. Another example could be to find out when is CPU hyper-threading turned off and the resulting impact. We use the insights to drive improvements and intelligence into some of our management and monitoring solutions, to help customers diagnose quality issues, and save money by making fewer help calls to Microsoft.

1809
windows/manage/disconnect-your-organization-from-microsoft.md
View File

File diff suppressed because it is too large Load Diff

BIN
windows/manage/images/settings-table.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 16 KiB

After

Width:  |  Height:  |  Size: 69 KiB

14
windows/manage/lock-down-windows-10.md
View File

@ -43,23 +43,27 @@ Enterprises often need to manage how people use corporate devices. Windows 10 p
<td align="left"><p>Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. The result is similar to [a kiosk device](set-up-a-device-for-anyone-to-use.md), but with multiple apps available. For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Configure telemetry and other settings in your organization](disconnect-your-organization-from-microsoft.md)</p></td>
<td align="left"><p>Learn about the telemetry that Microsoft gathers, the network connections that Windows components make to Microsoft, and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro.</p></td>
<td align="left"><p>[Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md)</p></td>
<td align="left"><p>Use this article to make informed decisions about how you can configure Windows telemetry in your organization.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Configure Windows 10 devices to stop data flow to Microsoft](configure-windows-10-devices-to-stop-data-flow-to-microsoft.md)</p></td>
<td align="left"><p>Learn about the network connections that Windows components make to Microsoft and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Configure access to Windows Store](stop-employees-from-using-the-windows-store.md)</p></td>
<td align="left"><p>IT Pros can configure access to Windows Store for client computers in their organization. For some organizations, business policies require blocking access to Windows Store.</p></td>
</tr>
<tr class="odd">
<tr class="even">
<td align="left"><p>[Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md)</p></td>
<td align="left"><p>Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places. It can connect you to open Wi-Fi hotspots it knows about through crowdsourcing, or to Wi-Fi networks your contacts have shared with you by using Wi-Fi Sense.</p>
<p>The initial settings for Wi-Fi Sense are determined by the options you chose when you first set up your PC with Windows 10.</p></td>
</tr>
<tr class="even">
<tr class="odd">
<td align="left"><p>[Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md)</p></td>
<td align="left"><p>Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device.</p></td>
</tr>
<tr class="odd">
<tr class="even">
<td align="left"><p>[Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md)</p></td>
<td align="left"><p>There are two methods for resetting a Windows 10 Mobile device: factory reset and &quot;wipe and persist&quot; reset.</p></td>
</tr>

1
windows/plan/TOC.md
View File

@ -9,6 +9,7 @@
### [Integration with management solutions](integration-with-management-solutions-.md)
## [Guidance for education environments](windows-10-guidance-for-education-environments.md)
### [Chromebook migration guide](chromebook-migration-guide.md)
### [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
## [Windows To Go: feature overview](windows-to-go-overview.md)
### [Best practice recommendations for Windows To Go](best-practice-recommendations-for-windows-to-go.md)
### [Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md)

8
windows/plan/change-history-for-plan-for-windows-10-deployment.md
View File

@ -13,13 +13,19 @@ author: TrudyHa
This topic lists new and updated topics in the [Plan for Windows 10 deployment](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
## May 2016
| New or changed topic | Description |
|--------------------------------------------------------------------------------------------------------------------------------------------------|-------------|
| [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) | New|
## December 2015
| New or changed topic | Description |
|--------------------------------------------------------------------------------------------------------------------------------------------------|-------------|
| [Application Compatibility Toolkit (ACT) Technical Reference](act-technical-reference.md) (multiple topics) | New |
 
## November 2015

1264
windows/plan/deploy-windows-10-in-a-school.md Normal file
View File

File diff suppressed because it is too large Load Diff

BIN
windows/plan/images/deploy-win-10-school-figure1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 45 KiB

BIN
windows/plan/images/deploy-win-10-school-figure2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 60 KiB

BIN
windows/plan/images/deploy-win-10-school-figure3.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 128 KiB

BIN
windows/plan/images/deploy-win-10-school-figure4.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 18 KiB

BIN
windows/plan/images/deploy-win-10-school-figure5.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 9.7 KiB

BIN
windows/plan/images/deploy-win-10-school-figure6.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 18 KiB

BIN
windows/plan/images/deploy-win-10-school-figure7.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 79 KiB